ISO/IEC 29146:2016/Amd 1:2022

Overview

ISO/IEC 29146:2016/Amd 1:2022 is the latest amendment to the international standard titled Information technology - Security techniques - A framework for access management. Developed by ISO and IEC, this amendment enhances the original 2016 edition by updating components critical to access management frameworks in information security. The standard provides a structured approach to managing access control, ensuring secure, reliable, and efficient handling of identifier-based permissions within various IT environments.

Key Topics

• Updated Reference Standards: The amendment updates the referenced standard ISO/IEC 24760-1:2011 to the 2019 edition, reflecting the latest best practices and terminology related to identity management.

• Common Access Control Models: Annex A of the amendment refines definitions and structures for access control, including updated terminologies and models.

• Identifier-Based Access Control (IBAC):

  • Identity-Based Security: This model centers on using authenticated identifiers to govern access rights.
  • Access Control Lists (ACLs): IBAC employs ACLs that map subject identifiers (such as users or devices) to allowed or denied operations on resources.
  • Policy Decision Point (PDP) and Policy Enforcement Point (PEP): These functional components are configured to utilize ACLs, enabling the system to enforce access rights effectively.
  • Authentication and Authorization Flow: Subjects must register and authenticate themselves to receive an authentication token. Post-authentication, the system associates this verified identity with the ACL to provide authorized access for a defined session.

• Deletion of Deprecated Models: Certain outdated models or clauses have been removed to streamline the framework and focus on current, practical methodologies.

Applications

• Enterprise Security Management: Organizations can implement ISO/IEC 29146 frameworks to manage user and device access rights effectively, reducing risk of unauthorized data access.

• Identity and Access Management (IAM) Solutions: Vendors and IT departments can align their IAM tools and processes with the standardized IBAC model, improving interoperability and compliance.

• Regulatory Compliance: Organizations in regulated industries can demonstrate adherence to recognized international security frameworks for access management.

• Cloud and Network Security: The standard’s guidelines support secure access control in distributed and cloud environments where authenticated identity mapping is critical.

• Systems and Software Development: Developers can design access control mechanisms in applications according to the IBAC model, ensuring robust security features aligned with international standards.

Related Standards

• ISO/IEC 24760-1:2019 - Information technology - Security techniques - A framework for identity management - Part 1: Terminology and concepts. This serves as a foundational reference for identity terms and concepts used in access management.

• ISO/IEC 27001 - Information security management systems requirements, providing overall guidelines for information security best practices.

• ISO/IEC 29115 - Entity authentication assurance framework, related to practices for strong authentication mechanisms.

• ISO/IEC 30141 - Internet of Things Reference Architecture, which may leverage access management frameworks for device identity and security.

By adopting ISO/IEC 29146:2016/Amd 1:2022, organizations reinforce their information security posture through a precise, updated framework for access management based on authenticated identities. This facilitates secure, manageable, and compliant access control systems suitable for modern IT landscapes.