Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)

ISO/IEC 24760-3:2016 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
ISO/IEC 24760-3:2016 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.

Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)

This part of ISO/IEC 24760 provides guidance for the management of identity information and for ensuring the conformity of an identity management system with ISO/IEC 24760-1 and ISO/IEC 24760-2.
This part of ISO/IEC 24760 applies to an identity management system in which identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purpose of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.

Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)

This part of ISO/IEC 24760 provides recommendations for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
This part of ISO/IEC 24760 is applicable to an identity management system in which identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices relating to identity management can also be addressed in other standards.

Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)

ISO/IEC 24760-3:2016 provides guidelines for the management of identity information and for ensuring that an identity management system conforms to the standards ISO/IEC 24760-1 and ISO/IEC 24760-2.
ISO/IEC 24760-3:2016 applies to identity management systems in which identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making based on attributes of entities. Identity management practices can also be addressed by other standards.

General Information

Status: Published
Publication Date: 20-Sep-2022
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 21-Sep-2022
Due Date: 24-Nov-2023
Completion Date: 21-Sep-2022
Standard: EN ISO/IEC 24760-3:2023 - COLOUR
English language
39 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-January-2023
Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)
This Slovenian standard is identical to: EN ISO/IEC 24760-3:2022
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD EN ISO/IEC 24760-3

September 2022
ICS 35.030
English version
Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)
This European Standard was approved by CEN on 5 September 2022.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 24760-3:2022 E
Contents
European foreword ... 3

European foreword
The text of ISO/IEC 24760-3:2016 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology" of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 24760-3:2022 by Technical Committee CEN-CENELEC/JTC 13 "Cybersecurity
and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by March 2023, and conflicting national standards shall
be withdrawn at the latest by March 2023.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 24760-3:2016 has been approved by CEN-CENELEC as EN ISO/IEC 24760-3:2022
without any modification.
INTERNATIONAL STANDARD ISO/IEC 24760-3
First edition
2016-08-01
Information technology — Security techniques — A framework for identity management —
Part 3: Practice
Reference number
ISO/IEC 24760-3:2016(E)
© ISO/IEC 2016
ISO/IEC 24760-3:2016(E)
© ISO/IEC 2016, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2016 – All rights reserved

Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Symbols and abbreviated terms ... 2
5 Mitigating identity related risk in managing identity information ... 2
5.1 Overview ... 2
5.2 Risk assessment ... 2
5.3 Assurance in identity information ... 3
5.3.1 General ... 3
5.3.2 Identity proofing ... 3
5.3.3 Credentials ... 3
5.3.4 Identity profile ... 3
6 Identity information and identifiers ... 4
6.1 Overview ... 4
6.2 Policy on accessing identity information ... 4
6.3 Identifiers ... 4
6.3.1 General ... 4
6.3.2 Categorization of identifier by the type of entity to which the identifier is linked ... 4
6.3.3 Categorization of identifier by the nature of linking ... 5
6.3.4 Categorization of identifier by the grouping of entities ... 6
6.3.5 Management of identifiers ... 6
7 Auditing identity information usage ... 6
8 Control objectives and controls ... 6
8.1 General ... 6
8.2 Contextual components for control ... 7
8.2.1 Establishing an identity management system ... 7
8.2.2 Establishing identity information ... 9
8.2.3 Managing identity information ... 10
8.3 Architectural components for control ... 11
8.3.1 Establishing an identity management system ... 11
8.3.2 Controlling an identity management system ... 13
Annex A (normative) Practice of managing identity information in a federation of identity management systems ... 15
Annex B (normative) Identity management practice using attribute-based credentials to enhance privacy protection ... 24
Bibliography ... 31
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information
The committee responsible for this document is ISO/IEC JTC 1, Information technology, SC 27, IT Security
techniques.
ISO/IEC 24760 consists of the following parts, under the general title Information technology — Security
techniques — A framework for identity management:
— Part 1: Terminology and concepts
— Part 2: Reference architecture and requirements
— Part 3: Practice
Introduction
Data processing systems commonly gather a range of information on their users, be it a person, piece of
equipment, or piece of software connected to it and make decisions based on the gathered information.
Such identity-based decisions may concern access to applications or other resources.
To address the need to efficiently and effectively implement systems that make identity-based decisions,
ISO/IEC 24760 specifies a framework for the issuance, administration, and use of data that serves to
characterize individuals, organizations or information technology components, which operate on
behalf of individuals or organizations.
For many organizations, the proper management of identity information is crucial to maintain security
of the organizational processes. For individuals, correct identity management is important to protect
privacy.
This part of ISO/IEC 24760 specifies fundamental concepts and operational structures of identity
management with the purpose to realize information system management, so that information systems
can meet business, contractual, regulatory and legal obligations.
This part of ISO/IEC 24760 presents practices for identity management. These practices cover
assurance in controlling identity information use, controlling the access to identity information and
other resources based on identity information, and controlling objectives that should be implemented
when establishing and maintaining an identity management system.
ISO/IEC 24760 consists of the following parts:
— ISO/IEC 24760-1: Terminology and concepts;
— ISO/IEC 24760-2: Reference architecture and requirements;
— ISO/IEC 24760-3: Practice.
ISO/IEC 24760 is intended to provide foundations for other identity management related International
Standards including the following:
— ISO/IEC 29100, Privacy framework;
— ISO/IEC 29101, Privacy reference architecture;
— ISO/IEC 29115, Entity authentication assurance framework;
— ISO/IEC 29146, A framework for access management.
INTERNATIONAL STANDARD ISO/IEC 24760-3:2016(E)
Information technology — Security techniques — A
framework for identity management —
Part 3:
Practice
1 Scope
This part of ISO/IEC 24760 provides guidance for the management of identity information and for
ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
This part of ISO/IEC 24760 is applicable to an identity management system where identifiers or PII
relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying
or authenticating entities and/or for the purpose of decision making using attributes of entities.
Practices for identity management can also be addressed in other standards.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 24760-1, Information technology — Security techniques — A framework for identity
management — Part 1: Terminology and concepts
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 24760-1 and the
following apply.
3.1
identity management system
system comprising policies, procedures, technology and other resources for maintaining identity
information, including metadata
[SOURCE: ISO/IEC 24760-2:2015, 3.3]
3.2
identity profile
identity containing attributes specified by an identity template
3.3
identity template
definition of a specific set of attributes
Note 1 to entry: Typically, the attributes in a profile are to support a particular technical or business purpose as
needed by relying parties.
3.4
identity theft
result of a successful false claim of identity
3.5
federation manager
actor in a federation responsible for managing the issues arising from the operation of the federation
Note 1 to entry: An existing federation member or an independent third party can carry out the role of federation
manager.
3.6
principal
entity to which identity information in an identity management system pertains
[SOURCE: ISO/IEC 24760-2:2015, 3.4]
4 Symbols and abbreviated terms
For the purposes of this document, the following symbols and abbreviated terms apply.
ICT Information and Communication Technology
IIP Identity Information Provider
IIA Identity Information Authority
PII Personally Identifiable Information
RP Relying Party
5 Mitigating identity related risk in managing identity information
5.1 Overview
Clause 5 presents practices to address identity related risk when operating an identity management
system conforming to ISO/IEC 24760-1, ISO/IEC 24760-2 and ISO/IEC 29115.
5.2 Risk assessment
One function of an identity management system is to manage the risk of identity errors, and the
confidentiality, integrity and availability of identity information that it stores, processes and
communicates. It is necessary to understand the level of risk, which will depend on the application.
The owner of the application should conduct a risk assessment to determine the level of risk. The result
will provide information, which can be used to determine the necessary risk management criteria and
processes for the identity management system. The information an identity management system needs
includes the level of assurance in identity information required and the requirements for confidentiality,
integrity and availability of this information.
ISO/IEC 24760-2 specifies tools to manage risks as policies, regulation, design and architecture. In some
contexts involving consumers, protecting personally identifiable information and giving principals
control over the use of their personally identifiable information is paramount. ISO/IEC 29100,
ISO/IEC 29101, ISO/IEC 29134 and ISO/IEC 29151 (to be published) specify requirements and provide
guidance for the protection of privacy.
Identity information managed by an identity management system may also be managed by reference to
identity information providers in another domain. For example, identity proofing may be undertaken
by a service provider, which operates in a different domain to that of the identity management system.
When identity information is collected and stored, risk management measures shall be implemented by
the identity management service to mitigate the risks identified by a risk assessment carried out in the
application domain by the relying party. Levels of assurance in regard to identity information and access
services shall be determined and specified by the relying party according to assessed levels of risk.
5.3 Assurance in identity information
5.3.1 General
Confidence in identity information provided by an identity management system comes from processes
that assure the validity of the information from its collection through its subsequent storage and
maintenance by the system. Assurance is typically quantified in terms of assurance levels with higher
levels corresponding to greater assurance. The level of assurance achieved depends on the quality of
the identity information and the rigour of the identity validation processes. Levels of assurance are
described in ISO/IEC 29115.
5.3.2 Identity proofing
Identity proofing, i.e. validating identity information for enrolment of an entity in a domain, shall meet
a defined level of assurance. The achievable level of assurance of identity proofing depends on the type
and characteristics of the information and, in some cases, the scope of this information, e.g. the number of
independent identity information providers used as sources of the information.
An increased level of assurance in identity verification may be achieved
— with verification of additional credentials issued from multiple sources, and
— using a trusted external party that knows the entity to validate claimed identity information.
NOTE 1 ISO/IEC 29003 provides requirements for identity proofing.
NOTE 2 ISO/IEC 29115 specifies how to achieve different levels of assurance.
5.3.3 Credentials
An identity management system may issue multiple types of credential differing in the level of assurance
of the identity information represented by the credential.
An identity management system issuing credentials with a high level of assurance supported by
a cryptographic mechanism should provide a service for relying parties to actively support the
cryptographic validation process.
5.3.4 Identity profile
An identity management system may use one or more identity profiles for gathering, structuring, or
presenting identity information.
NOTE Although a profile can contain identity information, it is not intended for identification. Its purpose is
to provide identity information about an entity to system processes that need the information for their processes.
An entity may have multiple identity profiles, each containing a different set of attributes for the entity.
For instance, a language preference may be present in a profile for an access interface and not in a
profile for book interests.
An identity template may be established as an international or industry standard. The use of a
standardised identity template to record identity attributes would facilitate the usage of identity
profiles across domains.
An identity profile may be used in access management to determine the required identity attributes for
being authorized for a role or privilege in accessing information. An identity profile may be used as a
pre-configured subset of identity information to be presented when interacting with a service.
An attribute in an identity profile may be associated with a level of assurance. Using an identity
profile with associated levels of assurance to present identity information shall imply that each item
of information has been validated at minimally its associated level of assurance. An identity profile
specifying requirements for access to services or resources may be associated with a specific additional
entity identifier that may indicate the activities linked to the specific privileges.
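The rule just stated, that presenting an identity profile with associated levels of assurance implies every item was validated at minimally its associated level, can be enforced mechanically. The following Python is an added example and is not code from ISO/IEC 24760-3: it models an identity template as a set of attribute names with a minimum level of assurance each, checks an entity's identity information against the template, and builds the profile (the pre-configured subset to be presented to a service) only when the check passes. The data model, the numeric LoA scale, the entity and attribute names and the sample values are constructed assumptions for illustration.

```python
"""Identity templates and identity profiles with per-attribute levels of
assurance (LoA).  Added example, not code from ISO/IEC 24760-3; the data
model, the LoA scale and the sample data are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AttributeValue:
    """One identity attribute: its value and the LoA at which it was validated.
    A value that was never validated is recorded at LoA 0."""
    value: object
    loa: int = 0


@dataclass
class IdentityTemplate:
    """Definition of a specific set of attributes (clause 3.3), extended here
    with the minimum LoA each attribute must have been validated at."""
    name: str
    required_loa: Dict[str, int] = field(default_factory=dict)


@dataclass
class Identity:
    """Identity information held for one entity, keyed by attribute name."""
    identifier: str
    attributes: Dict[str, AttributeValue]


def missing_or_underassured(identity: Identity, template: IdentityTemplate) -> List[str]:
    """Names of attributes that are absent or validated below the template's
    minimum LoA.  An empty list means the identity may be presented under
    this template without violating the LoA rule."""
    problems: List[str] = []
    for name, min_loa in template.required_loa.items():
        attr = identity.attributes.get(name)
        if attr is None:
            problems.append(f"{name}: missing")
        elif attr.loa < min_loa:
            problems.append(f"{name}: LoA {attr.loa} < required {min_loa}")
    return problems


def build_profile(identity: Identity, template: IdentityTemplate) -> Optional[Dict[str, object]]:
    """Build the identity profile for `template`: only the attributes named by
    the template are disclosed, so a service sees a subset of the identity.
    Returns None if any required attribute is missing or under-assured."""
    if missing_or_underassured(identity, template):
        return None
    return {name: identity.attributes[name].value for name in template.required_loa}


# Constructed sample entity (assumed identifier format and attribute names).
ALICE = Identity(
    identifier="urn:example:entity:alice",
    attributes={
        "full_name": AttributeValue("Alice Example", loa=3),
        "date_of_birth": AttributeValue("1990-01-01", loa=3),
        "email": AttributeValue("alice@example.org", loa=2),
        "language": AttributeValue("en", loa=1),
        "book_interests": AttributeValue(["security", "cryptography"], loa=0),
    },
)

# Two profiles for the same entity, each carrying a different attribute set,
# as in the language-preference / book-interests illustration above.
ACCESS_INTERFACE = IdentityTemplate("access-interface", {"email": 2, "language": 1})
BOOK_INTERESTS = IdentityTemplate("book-interests", {"book_interests": 0})
# A template demanding LoA 3 for the e-mail address, which ALICE only has at LoA 2.
HIGH_ASSURANCE_ONBOARDING = IdentityTemplate(
    "onboarding", {"full_name": 3, "date_of_birth": 3, "email": 3}
)


if __name__ == "__main__":
    for tpl in (ACCESS_INTERFACE, BOOK_INTERESTS, HIGH_ASSURANCE_ONBOARDING):
        print(tpl.name, build_profile(ALICE, tpl), missing_or_underassured(ALICE, tpl))
```

The check is deliberately per attribute rather than per profile: a single under-assured item blocks the whole presentation, which is what the "minimally its associated level of assurance" wording requires, and the returned list names the offending attribute so the operator can re-validate just that item.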
6 Identity information and identifiers
6.1 Overview
Organizations should understand the information security concerns for their business and for
compliance with relevant legislation and should provide management support to meet the business
needs. In regard to identity management, organizations should understand their liabilities and ensure
that adequate controls are implemented to mitigate the risks and consequences of identity information
leakage, corruption and loss of availability when collecting, storing, using, transmitting and disposing
of identity information. Organizations should specify control objectives and controls to ensure that
information security requirements are met.
6.2 Policy on accessing identity information
The identity information pertaining to an entity should be managed to ensure the following:
— identity information remains accurate and up-to-date over time;
— only authorized entities have access to the identity information and are accountable for all uses and
changes in identity information, guaranteeing traceability of any processing of identity information
by any entity, whether a person, a process or a system;
— the organization fulfils its obligations with respect to regulations and contractual agreements;
— principals are protected against the risk of identity-related theft and other identity related crime.
NOTE Typically, an information security policy highlights the necessity to securely manage identity
information. The preservation and protection of any entity's identity information is also required when dealing
with third parties, as typically documented within the operational procedures.
6.3 Identifiers
6.3.1 General
An identifier allows distinguishing unambiguously one entity from another entity in a domain of
applicability. An entity may have multiple, different identifiers in the same domain. This may facilitate
the representation of the entity in some situations, e.g. hiding the entity’s identity when providing the
entity’s identity information for use in some processes or within some systems. An identifier created in
one domain may be reused intentionally in another domain provided the reused identifier continues to
provide uniqueness of identity within the other domain.
6.3.2 Categorization of identifier by the type of entity to which the identifier is linked
6.3.2.1 Person identifiers
A person identifier may be, e.g. a full name, a date of birth, a place of birth, or various pseudonyms, such
as a number assigned by an authority as a reference, e.g. a passport number, a national identity number
or an identity-card number.
The use of pseudonyms as identifiers is frequent for person identifiers; see 6.3.3.2.
NOTE A pseudonym can enhance the privacy of persons in an identity-authentication exchange with a
relying party as a pseudonym may reveal less personally identifiable information than if a real name is used as
an identifier.
6.3.2.2 Identifier assigned to a non-person entity
Non-person entities, e.g. devices or other information objects, may have their activities identified and
recorded as for persons.
Device identifiers allow distinction between devices in the domain in which they operate.
NOTE 1 Example: The International Mobile Equipment Identity (IMEI) is an identifier of the mobile telephone
handset in the domain of GSM mobile telephone services.
NOTE 2 Example: The GSM SIM card number (ICCID) is a unique device identifier in the domain of a mobile
telephone service. A SIM card also contains other identifiers, including that of the user who registered the SIM card.
Information object identifiers may also need to be distinguished in their domains. One of their attributes
or a combination of their attributes is usually used as the identifier.
NOTE 3 Example: Process name, session name, path name, uniform resource names (URN) and
uniform resource identifiers (URI) are examples of information-object identifiers.
NOTE 4 Example: A URI is an example of an identifier for a location, but the object at that location
may change at any time.
6.3.3 Categorization of identifier by the nature of linking
6.3.3.1 Verinymous identifier
A verinymous identifier is an identifier, persistent in its domain of applicability, that may be used within
and across domains and allows a relying party to obtain further identity information for the entity
associated with the identifier. Commonly observed verinymous identifiers include email address,
mobile phone number, passport number, driving license number, social security number and the name/
date-of-birth pair.
A verinymous identifier may allow identity information for entities known in different domains to be
correlated. While it is acceptable to correlate the identities if the person so desires, unexpected correlation,
e.g. profiling, has a negative privacy impact. By the nature of the verinymous identifier, if an information
leakage incident happens, it allows adversaries to perform such correlation and creates threats, e.g. the
derivation of privacy-related information that the principal did not intend to disclose.
6.3.3.2 Pseudonymous identifier
A pseudonymous identifier is an identifier, persistent in its domain, that does not disclose additional
identity information. As long as no other identifying information is available in the domain, identities
from different domains cannot be correlated using a pseudonymous identifier. A pseudonymous identifier
may be used to prevent unwanted correlation of identity information for entities across domains.
NOTE The mere use of pseudonymous identifiers does not equate with identity data being pseudonymous.
Other attributes combined at one point in time or across multiple points in time may be enough to derive
verinymous identifiers.
6.3.3.3 Ephemeral identifier
An ephemeral identifier is an identifier that is used only for a short period of time and only within a
single domain. It may change between multiple uses of the same service or resource.
NOTE 1 If used correctly, an ephemeral identifier will make it very difficult for two visits by an entity to be
correlated.
NOTE 2 An ephemeral identifier is often used in the context of attribute-based access control, where access
to a resource is granted if the entity has a particular attribute. For example, if resource access is granted
to a person because they are a member of a particular group, the identity would be composed of an ephemeral
identifier and a group identifier. These serve the access control purpose while minimizing the data
disclosed and the possibility of linking multiple accesses, while still differentiating each entity.
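To show how the three kinds of identifier in 6.3.3 behave in practice, the following Python is an added example and is not code from ISO/IEC 24760-3. It derives a pseudonymous identifier that is persistent for one relying-party domain but different in every other domain from a verinymous one (a keyed HMAC, a derivation technique chosen for this example; the standard does not prescribe one), generates ephemeral identifiers for the attribute-based access pattern in NOTE 2, and checks the warning in the NOTE to 6.3.3.2 that records carrying different pseudonyms can still be correlated through shared verinymous attributes. The key handling, the domain names, the identifier prefixes and the sample records are assumptions.

```python
"""Pseudonymous and ephemeral identifiers derived in the identity management
system's own domain.  Added example, not code from ISO/IEC 24760-3; the HMAC
derivation, key handling, domains and sample records are assumptions."""
import hashlib
import hmac
import secrets
from typing import Dict, Set


class IdentifierService:
    """Runs inside the identity management system.  It is the only place where
    a verinymous identifier and the pseudonyms derived from it are linked."""

    def __init__(self, pairwise_key: bytes) -> None:
        # Secret derivation key; assumption: one key held by the system, never
        # shared with relying parties.
        self._key = pairwise_key

    def pseudonymous_identifier(self, verinym: str, rp_domain: str) -> str:
        """Persistent within rp_domain, different for every other domain.
        Because the HMAC is keyed, neither a relying party nor someone holding a
        leaked list of pseudonyms can recompute or invert the mapping."""
        msg = rp_domain.encode() + b"\x00" + verinym.encode()
        return "pid-" + hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    @staticmethod
    def ephemeral_identifier() -> str:
        """Fresh random identifier for one visit: short-lived, single-domain,
        and unlinkable to the entity's other visits."""
        return "eid-" + secrets.token_hex(16)

    @staticmethod
    def abac_presentation(group_identifier: str) -> Dict[str, str]:
        """Identity presented for attribute-based access control (6.3.3.3
        NOTE 2): an ephemeral identifier plus the group identifier that
        carries the access decision, and nothing else."""
        return {"identifier": IdentifierService.ephemeral_identifier(),
                "group": group_identifier}


# Attribute names the standard lists as verinymous (6.3.3.1); constructed keys.
VERINYMOUS_ATTRIBUTES: Set[str] = {"email", "mobile_phone", "passport_number"}


def correlation_risk(record_a: Dict[str, str], record_b: Dict[str, str]) -> Set[str]:
    """Verinymous attributes two records share.  A non-empty result means the
    records can be correlated despite carrying different pseudonyms, which is
    the situation the NOTE to 6.3.3.2 warns about."""
    return {k for k in VERINYMOUS_ATTRIBUTES
            if k in record_a and k in record_b and record_a[k] == record_b[k]}


def unlinkable_across_domains(pseudonyms: Dict[str, str]) -> bool:
    """True if every domain received a distinct pseudonym for the same entity."""
    return len(set(pseudonyms.values())) == len(pseudonyms)


VERINYM = "alice@example.org"                                   # constructed
DOMAINS = ("library.example", "bank.example", "shop.example")  # constructed


def pseudonyms_per_domain(key: bytes = b"constructed-demo-key") -> Dict[str, str]:
    svc = IdentifierService(key)
    return {d: svc.pseudonymous_identifier(VERINYM, d) for d in DOMAINS}


if __name__ == "__main__":
    ids = pseudonyms_per_domain()
    print(ids, "unlinkable:", unlinkable_across_domains(ids))
    # Same pseudonyms, but both domains also stored the e-mail address:
    a = {"id": ids["library.example"], "email": VERINYM}
    b = {"id": ids["bank.example"], "email": VERINYM}
    print("shared verinymous attributes:", correlation_risk(a, b))
    print(IdentifierService.abac_presentation("group:staff"))
```

The domain name is mixed into the HMAC input with a separator so that no pair of (domain, verinym) strings can collide, and the pseudonym is truncated to a fixed length only for readability. `correlation_risk` is the check a privacy review would run over what each relying party actually stores: distinct pseudonyms buy nothing if the same e-mail address sits beside them.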
6.3.4 Categorization of identifier by the grouping of entities
6.3.4.1 Individual identifier
An individual identifier is an identifier that is associated with only one entity within a domain of
applicability.
6.3.4.2 Group identifiers
Entities are sometimes grouped in a group entity when the need exists to execute activities as a group.
A distinct group identity represents the group entity, and group identifiers help to unambiguously
identify the group entity and to record the activities of the group entity in its domains. Group
identifiers serve the need of a person entity to perform activities in a group or on behalf of a group;
they may hide the originator of an activity in a group. Additional techniques may therefore be
required to unambiguously identify a single entity as a member of a group entity.
6.3.5 Management of identifiers
When updating identity information for a known entity, an identity management system may assign a
new identifier to the changed identity; it may also remove the association of the old identifier with the
identity. Changed identity information may be proactively communicated to subsystems that rely on it.
7 Auditing identity information usage
Managing and processing identity information by authorized entities in a domain may be subject to
various legal, regulatory and industry business requirements that necessitate some level of monitoring
and traceability.
NOTE These requirements can be wide ranging, including everything from log-files and other measures
for the protection of personally identifiable information, to maintaining required time-stamp accuracy and
traceability; see ISO/IEC 18014.
An entity providing services associated with identity management should provide mechanisms
assuring auditability.
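Clause 6.2 asks that only authorized entities access identity information and that they be accountable for every use and change of it, and this clause asks for mechanisms assuring auditability. The following Python is an added example, not code from ISO/IEC 24760-3, of one such mechanism: an identity store that authorizes each read or update against a policy, records the outcome (allowed or denied) in an audit record, and hash-chains the records so that later alteration of the trail is detectable. The policy table, the record fields, the actor names and the timestamps are constructed assumptions; a real deployment would take timestamps from a trusted clock (see the reference to ISO/IEC 18014 above) and scope the policy per principal and attribute.

```python
"""Accountable access to identity information with a tamper-evident audit
trail.  Added example, not code from ISO/IEC 24760-3; policy, record format
and hash chaining are assumptions."""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional, Set

GENESIS = "0" * 64  # previous-digest value for the first record


@dataclass
class AuditRecord:
    seq: int
    timestamp: str      # supplied by the caller (ISO 8601) to keep the example deterministic
    actor: str          # entity doing the processing: a person, a process or a system
    principal: str      # entity whose identity information is touched
    action: str         # "read" or "update"
    attribute: str
    outcome: str        # "allowed" or "denied"
    prev_digest: str    # digest of the preceding record; chains the trail
    digest: str = ""

    def compute_digest(self) -> str:
        body = asdict(self)
        body.pop("digest")
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class IdentityStore:
    def __init__(self, policy: Dict[str, Set[str]]) -> None:
        # policy: actor -> actions it may perform (simplified; assumption)
        self._policy = policy
        self._data: Dict[str, Dict[str, str]] = {}
        self.audit: List[AuditRecord] = []

    def _authorize_and_log(self, ts: str, actor: str, principal: str,
                           action: str, attribute: str) -> bool:
        """Every attempt is logged, denied ones included, so that unauthorized
        access attempts are visible to the auditor."""
        allowed = action in self._policy.get(actor, set())
        prev = self.audit[-1].digest if self.audit else GENESIS
        rec = AuditRecord(len(self.audit), ts, actor, principal, action,
                          attribute, "allowed" if allowed else "denied", prev)
        rec.digest = rec.compute_digest()
        self.audit.append(rec)
        return allowed

    def read(self, actor: str, principal: str, attribute: str, ts: str) -> Optional[str]:
        if not self._authorize_and_log(ts, actor, principal, "read", attribute):
            raise PermissionError(f"{actor} is not authorized to read identity information")
        return self._data.get(principal, {}).get(attribute)

    def update(self, actor: str, principal: str, attribute: str, value: str, ts: str) -> None:
        if not self._authorize_and_log(ts, actor, principal, "update", attribute):
            raise PermissionError(f"{actor} is not authorized to change identity information")
        self._data.setdefault(principal, {})[attribute] = value

    def verify_audit_trail(self) -> bool:
        """Recompute every digest and check the chain; any edited, removed or
        reordered record breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self.audit):
            if rec.seq != i or rec.prev_digest != prev or rec.compute_digest() != rec.digest:
                return False
            prev = rec.digest
        return True


def build_demo_store() -> IdentityStore:
    """Constructed scenario: an HR application may read and update, a
    newsletter application may only read and is refused an update."""
    store = IdentityStore({"hr-app": {"read", "update"}, "newsletter-app": {"read"}})
    store.update("hr-app", "alice", "email", "alice@example.org", "2016-08-01T09:00:00Z")
    store.read("newsletter-app", "alice", "email", "2016-08-01T09:05:00Z")
    try:
        store.update("newsletter-app", "alice", "email", "other@example.org", "2016-08-01T09:06:00Z")
    except PermissionError:
        pass  # the denied attempt is nevertheless in the audit trail
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for r in s.audit:
        print(r.seq, r.timestamp, r.actor, r.action, r.attribute, r.outcome)
    print("trail intact:", s.verify_audit_trail())
```

The chain only makes tampering detectable, not impossible: whoever can rewrite the whole trail can recompute every digest. In practice the latest digest is periodically anchored somewhere the store's operators cannot alter (a separate log service or a time-stamping authority), which is the traceability requirement the NOTE above points at.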
8 Control objectives and controls
8.1 General
Clause 8 summarizes security objectives and associated controls to be verified when setting up or
reviewing an identity management system.
The structure of the controls follows the structure presented in ISO/IEC 27002.
8.2 Contextual components for control
8.2.1 Establishing an identity management system
8.2.1.1 Objective
To establish a management system to initiate and control the implementation of managing identity
information for entities.
8.2.1.2 Defining and documenting the domain of applicability
Control
The relying parties to which an entity, or a group of entities, may present its identity, and which
may use that identity for identification and for other purposes, shall be documented so that they are
clearly understood both by the operators and by the entities involved.
Implementation guidance
Documentation that describes the boundaries of the domain of a system for identity management
should be made available to all interested parties. This documentation should specify the limits where
the identity information can be verified. Any potential extensions to other domains or groups of entities
should also be documented.
The documentation should clarify constraints, legally, or otherwise, and associated liabilities, on the
control of identity information in a domain.
Other information
A domain of an identity is well defined in relation to a particular set of attributes defining groups of
entities.
An IT system within an organization that allows a group of entities to login is a sub-domain in that
organization.
8.2.1.3 Identifying identity information providers (IIP), identity information authorities (IIA), identity management authorities, and regulatory bodies
Control
Identity information authorities for the identity information managed by an identity management
system shall be specified for the domain of the identity management system.
Entities that hold management and regulatory responsibilities for the protection of identity information
shall also be identified.
Implementation guidance
Entities associated with an identity management system as source of identity information (IIP),
authoritative statement on available information (IIA), the identity management authority and any
relevant regulatory bodies, government or otherwise, should be clearly identified.
The operations performed by an identity information provider are to create, maintain and make
accessible identity information for entities known in a particular domain. The methods for accessing
information or obtaining services from these operational entities should also be documented.
Any changes in availability, or in the methods for access and for obtaining services, should be actively
communicated to interested parties.
Other information
An entity may combine the functions of identity information provider and identity information
authority.
8.2.1.4 Identifying relying parties (RP)
Control
Relying parties shall be made known for the domain of the identity management system.
Implementation guidance
Relying parties have trust relationships with one or more identity information authorities. The relying
parties associated with an identity information authority may be known at the design stage, but RPs may
change over time, joining or leaving a relationship with one or more identity information authorities in
the domain.
Other information
A relying party is exposed to risk caused by incorrect or invalid identity information.
8.2.1.5 Maintaining an identity management system
Control
A process shall be described to ensure the maintenance of the important operational entities in an
identity management system.
Implementation guidance
Over time, domains of an identity management system may use different identity information
authorities, identity information providers and relying parties to support their interactions with
entities. Domains may also be created and terminated or their conditions of applicability may change.
Important entities for use of an identity management system, e.g. IIA, IIP and RP, may also cease to
exist after being replaced, being archived, or deleted. An identity management system should document
policies and processes that ensure the control of these important entities and should ensure that
valuable information of the identity management system is not lost.
8.2.1.6 Privacy assurance
Control
When human entities interact with an identity management system that manages identity information
about them, the system shall have documented policies and established controls that assure the
protection of their privacy.
Implementation guidance
A basic objective of establishing an identity management system is to ensure the privacy of entities is
preserved at any time.
An identity management system shall document any sensitive information it processes about human
entities to conform to ISO/IEC 24760-1.
Other information
Requirements for the handling of sensitive identity information are given in
— ISO/IEC 29100, and
— ISO/IEC 29101.
8.2.2 Establishing identity information
8.2.2.1 Objective
To define, document and communicate identity information.
8.2.2.2 Identity representation
Control
A reference to an entity in an identity management system that remains the same for as long as the
entity remains known in the domain(s) of the system may be referred to as a “reference identifier”.
The identity management system shall document the controls that guarantee that every entity is
uniquely distinguishable in every domain of the identity management system.
Implementation guidance
A reference identifier should persist at least for the existence of the entity in an identity management
system and may exist longer than the entity, e.g. for archiving purposes or authorities’ needs.
Identity management system documentation should describe the use and reuse of identifiers. A
reference identifier for an entity should not be reused while any identity information relating to that
entity, including archived information, is recorded on the system.
A reference identifier generator is a tool that may help to provide unique values for reference identifiers.
Other information
To facilitate maintaining the recorded information for a specific identity, the identity management system
may use a reference identifier generator to assign a unique record number to an identity being added.
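The following is an added example, not code from ISO/IEC 24760-3 or from any identity product, that puts the reference-identifier controls of 8.2.2.2 and the identifier management of 6.3.5 into one small registry: a generator issues reference identifiers that are unique against everything still on record, a reference identifier survives archiving and is not reissued until every record citing it has been purged, and an update of identity information assigns a fresh (non-reference) identifier, drops the old association and notifies subscribed subsystems. The identifier formats, the registry API and the callback-style notification are assumptions.

```python
"""Reference identifiers, identifier reassignment and archive-aware reuse control (added example)."""
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass
class IdentityRecord:
    reference_id: str          # persistent for the entity's whole existence in the system
    attributes: dict[str, str]
    current_identifier: str    # may be replaced when identity information changes
    archived: bool = False


class ReferenceIdentifierGenerator:
    """Issues reference identifiers that cannot collide with any identifier still on
    record, live or archived. Uniqueness is enforced against the shared set of issued
    identifiers rather than left to randomness alone (assumed design)."""

    def __init__(self, issued: set[str], prefix: str = "ref-"):
        self._issued = issued
        self._prefix = prefix

    def next(self) -> str:
        while True:
            candidate = self._prefix + secrets.token_hex(8)
            if candidate not in self._issued:
                self._issued.add(candidate)
                return candidate


class IdentityRegistry:
    def __init__(self) -> None:
        self._issued_refs: set[str] = set()
        self._generator = ReferenceIdentifierGenerator(self._issued_refs)
        self._by_ref: dict[str, IdentityRecord] = {}
        self._by_identifier: dict[str, str] = {}   # current identifier -> reference id
        self._subscribers: list[Callable[[dict], None]] = []

    def subscribe(self, callback: Callable[[dict], None]) -> None:
        """Subsystems that rely on identity information register here to be told of changes."""
        self._subscribers.append(callback)

    def _notify(self, event: dict) -> None:
        for callback in self._subscribers:
            callback(event)

    def _new_identifier(self) -> str:
        while True:
            candidate = "id-" + secrets.token_hex(6)
            if candidate not in self._by_identifier:
                return candidate

    def enrol(self, attributes: dict[str, str]) -> IdentityRecord:
        rec = IdentityRecord(self._generator.next(), dict(attributes), self._new_identifier())
        self._by_ref[rec.reference_id] = rec
        self._by_identifier[rec.current_identifier] = rec.reference_id
        return rec

    def resolve(self, identifier: str) -> IdentityRecord | None:
        ref = self._by_identifier.get(identifier)
        return self._by_ref.get(ref) if ref is not None else None

    def update(self, reference_id: str, changes: dict[str, str]) -> IdentityRecord:
        rec = self._by_ref[reference_id]
        if rec.archived:
            raise ValueError("archived identity information is read-only")
        old = rec.current_identifier
        rec.attributes.update(changes)
        rec.current_identifier = self._new_identifier()   # new identifier for the changed identity
        del self._by_identifier[old]                       # association of the old identifier removed
        self._by_identifier[rec.current_identifier] = reference_id
        self._notify({"event": "identity_changed", "reference_id": reference_id,
                      "old_identifier": old, "new_identifier": rec.current_identifier,
                      "changed_attributes": sorted(changes)})
        return rec

    def archive(self, reference_id: str) -> None:
        rec = self._by_ref[reference_id]
        rec.archived = True
        self._by_identifier.pop(rec.current_identifier, None)
        # reference_id stays in _issued_refs: the archived record still cites it.
        self._notify({"event": "identity_archived", "reference_id": reference_id})

    def purge(self, reference_id: str) -> None:
        """Delete every record of the entity; only now may the reference identifier be reissued."""
        rec = self._by_ref.pop(reference_id)
        self._by_identifier.pop(rec.current_identifier, None)
        self._issued_refs.discard(reference_id)

    def reference_id_reserved(self, reference_id: str) -> bool:
        return reference_id in self._issued_refs
```

The separation matters for relying parties: they may cache the changeable identifier, so they must be told when it is withdrawn, while audit and archive records should cite the reference identifier, which is why it stays reserved after archiving.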
8.2.2.3 Identity information
Control
The set of values of attributes required to compose identity information pertaining to an entity in
domains of an identity management system shall be fixed, validated by the verifiers, and communicated,
as requested, to relying parties.
Implementation guidance
Verification of the values of required attributes from an identity results in an authenticated identity for
an entity.
The authentication process involves tests by a verifier of one or more identity attributes provided by an
entity to determine, with the required level of assurance, their correctness.
8.2.2.4 Distinguishing different types of entity
Control
The distinct entity types in the domains of an identity management system shall be recognized, and
each shall be described with the distinct attribute values that compose its identity.
Implementation guidance
Items inside or outside an ICT system, such as a person, an organization, a device, a subsystem, or a
group of such items, that have a recognizably distinct existence in the domains of an identity management
system are distinct entity types and may be described with different attribute values.
Each entity type should be documented, covering both semantics and syntax, together with the list of
required attribute values that are validated for its identity.
8.2.2.5 Authenticating an identity
Control
A process shall be documented that verifies the identity information for an entity.
Implementation guidance
An authentication process involves operations by a verifier that should establish that identity information
for an entity is correct to a level of assurance required by the service to be rendered to the entity.
Verifiers may be the same as, or act on behalf of, the identity information authority for a particular domain.
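As an added example that is not part of ISO/IEC 24760-3 and not any vendor's code, the following puts 8.2.2.3, 8.2.2.4 and 8.2.2.5 together: each entity type is documented as a list of attributes with a syntax rule and the assurance level from which that attribute must be confirmed, and a verifier tests the supplied values against the documented syntax and against an authoritative source, then reports whether the identity is established to the level the requested service needs. The entity types, the attribute syntaxes, the three-step assurance scale and the in-memory stand-in for the identity information authority are all assumptions.

```python
"""Entity-type schemas and attribute verification to a level of assurance (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class AttributeSpec:
    name: str
    syntax: str       # regular expression the value must fully match
    assurance: int    # the attribute must be confirmed at this level and above (assumed scale 1..3)


# Documented identity composition per entity type (assumed schema).
ENTITY_TYPES: dict[str, list[AttributeSpec]] = {
    "person": [
        AttributeSpec("email", r"[^@\s]+@[^@\s]+\.[^@\s]+", 1),
        AttributeSpec("national_id", r"[A-Z]{2}\d{8}", 3),
    ],
    "device": [
        AttributeSpec("serial", r"[A-Z0-9]{10,20}", 1),
        AttributeSpec("hw_key_id", r"[0-9a-f]{40}", 3),
    ],
    "organization": [
        AttributeSpec("registry_number", r"\d{9}", 2),
    ],
}

# Constructed stand-in for the identity information authority's confirmation
# service: it vouches for exactly these (attribute, value) pairs. Not real data.
AUTHORITY_RECORDS = {
    ("email", "alice@example.org"),
    ("national_id", "AB12345678"),
    ("serial", "SN00112233AA"),
    ("registry_number", "123456789"),
}
Confirmer = Callable[[str, str], bool]


def sample_authority(name: str, value: str) -> bool:
    return (name, value) in AUTHORITY_RECORDS


@dataclass
class VerificationResult:
    entity_type: str
    required_level: int
    confirmed: list[str] = field(default_factory=list)
    errors: list[str] = field(default_factory=list)
    achieved_level: int = 0

    @property
    def verified(self) -> bool:
        return not self.errors and self.achieved_level >= self.required_level


def verify_identity(entity_type: str, attributes: dict[str, str], required_level: int,
                    confirm: Confirmer = sample_authority) -> VerificationResult:
    result = VerificationResult(entity_type, required_level)
    specs = ENTITY_TYPES.get(entity_type)
    if specs is None:
        result.errors.append(f"unknown entity type {entity_type!r}")
        return result
    known = {s.name for s in specs}
    for extra in sorted(set(attributes) - known):
        result.errors.append(f"{extra}: not part of the documented {entity_type} identity")
    for spec in specs:
        needed = spec.assurance <= required_level
        value = attributes.get(spec.name)
        if value is None:
            if needed:
                result.errors.append(f"{spec.name}: required at level {required_level} but missing")
            continue
        if not re.fullmatch(spec.syntax, value):
            # A malformed value is rejected even when the attribute is optional at this level.
            result.errors.append(f"{spec.name}: value does not match documented syntax")
            continue
        if confirm(spec.name, value):
            result.confirmed.append(spec.name)
        elif needed:
            result.errors.append(f"{spec.name}: not confirmed by the identity information authority")
    # Achieved level: the highest level all of whose attributes were confirmed.
    for level in sorted({s.assurance for s in specs}):
        if all(s.name in result.confirmed for s in specs if s.assurance <= level):
            result.achieved_level = level
        else:
            break
    return result
```

Passing `required_level` in, rather than always demanding every attribute, is what lets the same documented schema serve a low-assurance service (email confirmed) and a high-assurance one (government identifier confirmed as well) without two separate entity types; unknown attributes are rejected because values outside the documented composition cannot have been validated.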
8.2.3 Managing identity information
8.2.3.1 Objective
To ensure that identity information is maintained and protected in all domains of an identity
management system, from initial enrolment until archiving or deletion.
8.2.3.2 Assurance in collecting and managing identity information
Control
All information security responsibilities for the collection and the management of identity information
shall be defined and allocated.
Implementation guidance
Allocation of information security
...
