prEN ISO/IEC 29146
Information technology - Security techniques - A framework for access management (ISO/IEC 29146:2016)
ISO/IEC 29146 defines and establishes a framework for access management (AM) and the secure management of the process to access information and Information and Communications Technologies (ICT) resources, associated with the accountability of a subject within some context. ISO/IEC 29146 provides explanations about related architecture, components and management functions and concepts, terms and definitions applicable to distributed access management. The subjects involved in access management might be uniquely recognized to access information systems, as defined in ISO/IEC 24760.
General Information
Standards Content (Sample)
SLOVENIAN STANDARD
oSIST prEN ISO/IEC 29146:2023
1 February 2023
Information technology - Security techniques - A framework for access management (ISO/IEC 29146:2016)
This Slovenian standard is identical to: prEN ISO/IEC 29146
ICS: 35.030 IT Security
oSIST prEN ISO/IEC 29146:2023 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
INTERNATIONAL STANDARD ISO/IEC 29146
First edition 2016-06-01
Information technology — Security techniques — A framework for access management
Reference number ISO/IEC 29146:2016(E)
© ISO/IEC 2016
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
© ISO/IEC 2016 – All rights reserved
Contents
Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 4
5 Concepts ..... 5
5.1 A model for controlling access to resources ..... 5
5.1.1 Overview ..... 5
5.1.2 Relationship between identity management system and access management system ..... 6
5.1.3 Security characteristics of the access method ..... 7
5.2 Relationships between logical and physical access control ..... 8
5.3 Access management system functions and processes ..... 8
5.3.1 Overview ..... 8
5.3.2 Access control policy ..... 9
5.3.3 Privilege management ..... 10
5.3.4 Policy-related attribute information management ..... 11
5.3.5 Authorization ..... 12
5.3.6 Monitoring management ..... 12
5.3.7 Alarm management ..... 13
5.3.8 Federated access control ..... 13
6 Reference architecture ..... 14
6.1 Overview ..... 14
6.2 Basic components of an access management system ..... 15
6.2.1 Authentication endpoint ..... 15
6.2.2 Policy decision point (PDP) ..... 15
6.2.3 Policy information point (PIP) ..... 15
6.2.4 Policy administration point (PAP) ..... 15
6.2.5 Policy enforcement point (PEP) ..... 16
6.3 Additional service components ..... 16
6.3.1 General ..... 16
6.3.2 Subject centric implementation ..... 16
6.3.3 Enterprise centric implementation ..... 18
7 Additional requirements and concerns ..... 19
7.1 Access to administrative information ..... 19
7.2 AMS models and policy issues ..... 19
7.2.1 Access control models ..... 19
7.2.2 Policies in access management ..... 20
7.3 Legal and regulatory requirements ..... 20
8 Practice ..... 20
8.1 Processes ..... 20
8.1.1 Authorization process ..... 20
8.1.2 Privilege management process ..... 21
8.2 Threats ..... 21
8.3 Control objectives ..... 22
8.3.1 General ..... 22
8.3.2 Validating the access management framework ..... 22
8.3.3 Validating the access management system ..... 25
8.3.4 Validating the maintenance of an implemented AMS ..... 29
Annex A (informative) Current access models ..... 31
Bibliography ..... 35
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
Introduction
Management of information security is a complex task that is based primarily on a risk-based approach and that is supported by several security techniques. The complexity is handled by several supporting systems that can automatically apply a set of rules or policies consistently.
Within the management of information security, access management plays a key role in the administration of the relationships between the accessing party (subjects that can be human or non-human entities) and the information technology resources. With the development of the Internet, information technology resources can be located over distributed networks, and access to them needs to be managed in conformity with a policy and is expected to have common terms and models as a framework for access management.
Identity management is also an important part of access management. Access management is mediated through the identification and authentication of subjects that seek to access information technology resources. This International Standard depends on the existence of an underlying identity management system or an identity management infrastructure (see references in Clause 2).
The framework for access management is one part of an overall identity and access management framework. The other part is the framework for identity management, which is defined in ISO/IEC 24760.
This International Standard describes the concepts, actors, components, reference architecture, functional requirements and practices for access control. Example access control models are included. It focuses mainly on access control for a single organization, but adds other considerations for access control in collaborative arrangements across multiple organizations.
Information technology — Security techniques — A
framework for access management
1 Scope
This International Standard defines and establishes a framework for access management (AM) and the secure management of the process to access information and Information and Communications Technologies (ICT) resources, associated with the accountability of a subject within some context.
This International Standard provides concepts, terms and definitions applicable to distributed access management techniques in network environments.
This International Standard also provides explanations about related architecture, components and management functions.
The subjects involved in access management might be uniquely recognized to access information systems, as defined in ISO/IEC 24760.
The nature and qualities of physical access control involved in access management systems are outside the scope of this International Standard.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 24760-1:2011, Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts
ISO/IEC 24760-2:2015, Information technology — Security techniques — A framework for identity management — Part 2: Reference architecture and requirements
ISO/IEC 29115:2013, Information technology — Security techniques — Entity authentication assurance framework
ISO/IEC 27002:2013, Information technology — Security techniques — Code of practice for information security controls
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 24760-1, ISO/IEC 29115, and the following apply.
3.1
access control
granting or denying an operation to be performed on a resource (3.14)
Note 1 to entry: A primary purpose of access control is to prevent unauthorized access to information or use of ICT resources based on the business and security requirements; that is, the application of authorization policies to particular access requests.
Note 2 to entry: When an authenticated subject (3.15) makes a request, the resource owner will authorize (or not) access in accordance with access policy and subject privileges.
3.2
access management
set of processes to manage access control (3.1) for a set of resources (3.14)
3.3
access token
trusted object encapsulating the authority for a subject (3.15) to access a resource (3.14)
Note 1 to entry: An access token is issued by the policy decision point (PDP) and consumed by the policy enforcement point (PEP) for the resource.
Note 2 to entry: An access token may contain access permission information for a subject to access the resource and identifying information for the authority of the authorization decision.
Note 3 to entry: An access token may contain information that enables its integrity to be validated.
Note 4 to entry: An access token may take a physical or a virtual form.
3.4
attribute
characteristic or property used to describe and to control access to a resource (3.14)
Note 1 to entry: The rules for accessing a resource are defined in an access control (3.1) policy which specifies the
attributes required for the granting of access by a subject (3.15) to a resource for a specific operation.
Note 2 to entry: Attributes can include subject attributes, resource attributes, environmental attributes and
other attributes used to control access as specified in the access control policy.
3.5
endpoint
location in an access management (3.2) system where an access control (3.1) function is performed
Note 1 to entry: There can be the following different types of endpoints:
— authentication endpoint, where subject (3.15) authentication is performed;
— authorization endpoint, where subject authorization is performed;
— endpoint discovery service, that searches for and locates endpoints;
— initial endpoint discovery service, used at the start of subject interactions with an access management system.
Note 2 to entry: Endpoint discovery services are commonly used in distributed and networked systems.
3.6
enterprise centric implementation
access management (3.2) conducted under the control of a policy decision point
3.7
need-to-know
security objective of keeping the subject's (3.15) access to data resources (3.14) to the minimum necessary for a requesting user to perform their functions
Note 1 to entry: Need-to-know is authorized at the discretion of the resource owner.
Note 2 to entry: Need-to-have is the security objective of the requester for the fulfilment of specific tasks that may be limited at the resource owner's discretion.
3.8
privilege
access right
permission
authorization to a subject (3.15) to access a resource (3.14)
Note 1 to entry: Privilege is a necessary but not sufficient condition for access. Access occurs when the access request is granted according to its access control policy. The access control policy is based on privileges and may include other environmental factors (e.g. time-of-day, location, etc.).
Note 2 to entry: Privileges take the form of data presented by a subject or obtained for a subject that is used by a Policy Decision Point in order to grant or deny an operation that a subject is willing to perform on a resource.
Note 3 to entry: A resource may have multiple distinct privileges associated with it which correspond to various defined levels of access. For example, a data resource could have read, write, execute and delete privileges available for assignment to subjects. A request by a subject for access to the resource might be allowed for some levels of access request but disallowed for other levels depending on the level of access requested and the resource privileges that have been assigned to the subject.
3.9
role
name given to a defined set of system functions that may be performed by multiple entities
Note 1 to entry: The name is usually descriptive of the functionality.
Note 2 to entry: Entities can be but are not necessarily human subjects.
Note 3 to entry: Roles are implemented by a set of privilege (3.8) attributes to provide the necessary access to
data resources or objects.
Note 4 to entry: Subjects assigned to a role inherit the access privileges associated with the role. In operational use, subjects will need to be authenticated as members of the role group before being allowed to perform the functions of the role.
3.10
policy decision point
PDP
service that implements an access control policy to adjudicate requests from entities to access resources
(3.14) and provide authorization decisions for use by a policy enforcement point (3.11)
Note 1 to entry: Authorization decisions are used by a policy enforcement point to control access to a resource.
An authorization decision may be communicated through the use of an access token (3.3).
Note 2 to entry: PDP also audits the decisions in an audit trail and is able to trigger alarms.
Note 3 to entry: The term corresponds to Access Decision Function (ADF) in ISO 10181-3. It is presumed that this function is located over a network from the subject (3.15), and may be located over a network from the corresponding PEP (3.11).
3.11
policy enforcement point
PEP
service that enforces the access decision by the policy decision point (3.10)
Note 1 to entry: The PEP receives authorization decisions made by the PDP and implements them in order to control access by entities to resources (3.14). An authorization decision may be received in the form of an access token (3.3) presented by a subject (3.15) when an access request is made.
Note 2 to entry: The term corresponds to Access Enforcement Function (AEF) in ISO 10181-3. It is presumed that this function is located over a network from the subject and may be located over a network from the corresponding PDP (3.10).
3.12
policy administration point
PAP
service that administers access authorization policy
3.13
policy information point
PIP
service that acts as the source of attributes (3.4) that are used by a policy decision point (3.10) to make authorization decisions
Note 1 to entry: Attributes can include resource (3.14), subject (3.15) and environment privileges (3.8)/permissions.
3.14
resource
object
physical, network, or any information asset that can be accessed for use by a subject (3.15)
3.15
subject
entity requesting access to a resource (3.14) controlled by an access control (3.1) system
3.16
security token service
STS
service that builds, signs, exchanges and issues access tokens (3.3) based on decisions made by a policy decision point (3.10)
Note 1 to entry: This service may be split into separate components.
3.17
subject centric implementation
access management (3.2) implemented as component services that are called by a subject (3.15) to
acquire the means recognized by the policy enforcement point (3.11) for accessing a resource (3.14)
Note 1 to entry: Component services may include policy decision point service, policy enforcement point service
and associated discovery services that enable the subject to locate and contact the access control (3.1) services.
4 Abbreviated terms
AA attribute authority
ABAC attribute-based access control
ACL access control list
AM access management
AMS access management system
CBAC capabilities-based access control
DAC discretionary access control
IBAC identity-based access control
ICT information and communication technology
IMS identity management system
IT information technology
MAC mandatory access control
PBAC pseudonym-based access control
PAP policy administration point
PEP policy enforcement point
PDP policy decision point
PII personally identifiable information
PIP policy information point
RBAC role-based access control
REDS resource endpoint discovery service
STS security token service
TLS transport layer security
XACML extensible access control markup language
5 Concepts
5.1 A model for controlling access to resources
5.1.1 Overview
The conceptual sequence in giving access to a resource is as follows.
a) Subject authentication is needed before giving access to a resource. However, authentication is a separate function that is typically implemented on a session basis rather than for each access request.
b) An authorization decision to allow or deny access to the resource is made based on a policy, and an access token is issued to convey the result of the decision.
c) Authorization enforcement is conducted on the resource based on the decision result, and resource access will be given.
Figure 1 shows this decision sequence.
Figure 1 — Access control model sequence
Subject and resource are depicted as balloons while conceptual functions are depicted as rectangles.
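As an added illustration (not part of ISO/IEC 29146 and not the standard's own text), the following Python model walks the sequence a) to c) above with the components defined in Clause 3: a PIP supplies subject, resource and environment attributes, a PDP adjudicates the request, issues an HMAC-protected access token and records each decision in an audit trail, and a PEP validates the token's integrity and its binding to the resource and mode before enforcing. It also applies the access-attribute templates that the rest of 5.1.1 describes for resources of a known type. All names, roles, resources, the time window and the key are constructed assumptions, and HMAC over a JSON payload stands in for whatever token format a real deployment would use.

```python
import hashlib
import hmac
import json
import time

# Added example, not from ISO/IEC 29146. Every name and value below is constructed.
TOKEN_LIFETIME_SECONDS = 300

# Access-attribute templates (5.1.1 c): a resource of a known type inherits one.
# Each mode of access maps to the roles (3.9) holding the privilege (3.8);
# "hours" is an environmental attribute window (3.4, Note 2), in UTC.
RESOURCE_TEMPLATES = {
    "payroll-file": {"modes": {"read": {"hr", "hr-admin"}, "write": {"hr-admin"}}, "hours": (8, 18)},
    "public-doc": {"modes": {"read": {"*"}}, "hours": (0, 24)},
}


class PolicyInformationPoint:
    """PIP (3.13): source of subject, resource and environment attributes."""
    def __init__(self, subject_roles, templates):
        self.subject_roles = subject_roles
        self.templates = templates
        self.resources = {}

    def create_resource(self, resource_id, resource_type, owner):
        template = self.templates[resource_type]   # unknown type raises: no template, no attributes
        self.resources[resource_id] = {"type": resource_type, "owner": owner,
                                       "modes": template["modes"], "hours": template["hours"]}
        return self.resources[resource_id]

    def subject_attributes(self, subject_id):
        return {"roles": set(self.subject_roles.get(subject_id, ()))}

    def resource_attributes(self, resource_id):
        return self.resources[resource_id]

    def environment_attributes(self, now):
        return {"hour": time.gmtime(now).tm_hour}


def sign_token(key, claims):
    """Access token (3.3): JSON claims plus an HMAC tag so the PEP can validate integrity."""
    payload = json.dumps(claims, sort_keys=True)
    return payload + "." + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


class PolicyDecisionPoint:
    """PDP (3.10): adjudicates against the policy, issues tokens, keeps an audit trail."""
    def __init__(self, pip, token_key):
        self.pip, self.key, self.audit = pip, token_key, []

    def decide(self, subject_id, resource_id, mode, now):
        subject = self.pip.subject_attributes(subject_id)
        resource = self.pip.resource_attributes(resource_id)
        env = self.pip.environment_attributes(now)
        roles_for_mode = resource["modes"].get(mode, set())
        has_privilege = "*" in roles_for_mode or bool(subject["roles"] & roles_for_mode)
        start, end = resource["hours"]
        if not has_privilege:
            result = "Deny: no privilege for mode"
        elif not start <= env["hour"] < end:
            result = "Deny: outside access window"   # privilege is necessary, not sufficient (3.8, Note 1)
        else:
            result = "Permit"
        self.audit.append({"subject": subject_id, "resource": resource_id, "mode": mode,
                           "time": now, "result": result})
        if result != "Permit":
            return None
        return sign_token(self.key, {"iss": "pdp", "sub": subject_id, "res": resource_id,
                                     "mode": mode, "exp": now + TOKEN_LIFETIME_SECONDS})


class PolicyEnforcementPoint:
    """PEP (3.11): checks the token's tag, binding and expiry, then enforces the decision."""
    def __init__(self, token_key):
        self.key = token_key

    def enforce(self, token, resource_id, mode, now):
        if token is None:
            return False
        payload, _, tag = token.rpartition(".")
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                             # altered or forged token
        claims = json.loads(payload)
        return claims["res"] == resource_id and claims["mode"] == mode and now < claims["exp"]


def request_access(pdp, pep, subject_id, resource_id, mode, now):
    """Steps b) and c) of 5.1.1; step a), session authentication, is assumed already done."""
    token = pdp.decide(subject_id, resource_id, mode, now)
    return pep.enforce(token, resource_id, mode, now)


# Constructed scenario: two instants on the same day, one inside the 08:00-18:00 window.
IN_HOURS = 1699956800    # 2023-11-14 10:13:20 UTC
OFF_HOURS = 1700000000   # 2023-11-14 22:13:20 UTC
KEY = b"constructed-demo-key"


def build_demo():
    pip = PolicyInformationPoint({"alice": {"hr"}, "bob": {"hr-admin"}, "mallory": set()},
                                 RESOURCE_TEMPLATES)
    pip.create_resource("pay-2023-q4", "payroll-file", owner="bob")
    pip.create_resource("handbook", "public-doc", owner="hr")
    return pip, PolicyDecisionPoint(pip, KEY), PolicyEnforcementPoint(KEY)


if __name__ == "__main__":
    _, pdp, pep = build_demo()
    print(request_access(pdp, pep, "alice", "pay-2023-q4", "read", IN_HOURS))   # True
    print(request_access(pdp, pep, "alice", "pay-2023-q4", "write", IN_HOURS))  # False
    print(request_access(pdp, pep, "bob", "pay-2023-q4", "write", OFF_HOURS))   # False
    for entry in pdp.audit:
        print(entry)
```

The PEP deliberately checks more than the tag: a token is only good for the resource and mode the PDP decided on and only until it expires, which is what makes the token "the authority for a subject to access a resource" rather than a general pass. The audit list on the PDP is the hook where a real system would raise alarms (3.10, Note 2).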
For the purpose of being accessed, a resource is characterized by the following:
— an identifier, either for a specific resource or for a resource class;
— one or more modes of access;
— a set of attributes associated with the modes of access and other access criteria as specified in the access control policy.
An access management system is responsible for the administration and operation of authorizations to access. Authorizations are supported by administrative activity which assigns and maintains resource attributes and subject privileges in accordance with the access management policy.
access. Authorizations are supported by administrative activity which assigns and maintains resource
attributes and subject privileges in accordance with the access management policy.
Resources in IT systems are typically dynamic. They run a lifecycle from creation to destruction and this is a continuous process.
a) Resources have a life-cycle which runs from creation to destruction.
b) Resources are continually being created, updated and destroyed.
c) Resources need to be assigned access attributes (usually at the time of creation) which will be used by the access management system to control access by subjects to the resources. [Typically this is done by pre-defining recognized resource types with associated access attribute templates. When a resource of a known type is created, it inherits the access attributes of the corresponding template.]
d) Resources are owned by a party which might be a person or an organization. The owner is often the creator of the resource but not always, and the ownership may change during the life of the resource.
5.1.2 Relationship between identity management system and access management system
In the model described here, the subject is authenticated using an identity management system (IMS),
as described in ISO/IEC 24760-2. The authenticated subject then requests access using the access
management system (AMS). The access management system determines whether or not to authorize
the subject request to access the resource. Subject authorization comprises two distinct activities:
— the pre-assignment of resource access privileges to subjects, and
— the granting of access to resources by subjects in operational use.
Figure 2 shows the relationship between an identity management system (IMS) and an access management system (AMS).
Figure 2 — Identity management system and access management system relationship
Authentication is supported by an identity management system (IM
...