ISO/IEC TR 29196:2015

TECHNICAL ISO/IEC TR
REPORT 29196
First edition
2015-08-15
Guidance for biometric enrolment
Directives pour l’inscription biométrique
Reference number
©
ISO/IEC 2015
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Terms and definitions . 1
3 Abbreviated terms . 2
4 Role of Enrolment in a Biometric System . 3
5 Stakeholders and approaches for enrolment . 5
5.1 Enrolment Stakeholders . 5
5.2 Enrolment Approaches . 8
6 Key Stakeholder perspectives. 9
6.1 Summary of key observations. 9
6.2 Meeting the requirements of Stakeholders .10
6.2.1 Supporting the interests of the Subject .10
6.2.2 Information provided to the Applicant.11
6.2.3 Legal implications of the enrolment service .11
6.2.4 Issues related to inclusivity .12
6.2.5 Usability .12
6.2.6 Usability aspects — Effectiveness .12
6.2.7 Usability aspects — Efficiency .12
6.2.8 Usability aspects — Satisfaction with the enrolment process .12
6.2.9 Supporting the interests of the Enrolment Authority.13
6.2.10 Establishing the legal framework for enrolment .13
6.2.11 Independent review of the operation of the Service .14
6.2.12 Metrics of a successful biometric enrolment .14
6.2.13 Failure to Enrol and related failure rates .15
6.2.14 Analysis of enrolment failures .16
6.2.15 Analysis of poor quality enrolments .18
6.2.16 Strategy for corrective actions .19
6.2.17 Use of data for research .19
6.2.18 End-of-contract or contract reassignment actions.19
6.2.19 Supporting the interests of the Operator of the enrolment service .19
6.2.20 Development and maintenance of training programmes for personnel .20
6.2.21 System performance monitoring and correction actions .21
6.2.22 Service Improvement Actions .21
6.2.24 Participation in end-of-service or contract reassignment activities .22
6.2.25 Supporting the interests of Relying Parties .22
6.2.26 System Design and Developer’s perspective.23
6.2.27 Pre-enrolment and scheduling processes .23
6.2.28 Confirmation of the biographic identity of the Applicant .24
6.2.29 Requirements of the verification system(s) which will depend on
this enrolment .24
6.2.30 Selection of enrolment system .24
6.2.31 Physical design of the enrolment environment .24
6.2.32 Interfacing with the Applicant .24
6.2.33 Appropriate training of the Enrolment Officer and Attendants .25
6.2.34 Support Staff Training .25
6.2.35 Security .25
6.2.36 Number of attempts at collection of a biometric feature or maximum
duration of collection time before timeout .26
6.2.37 Exception handling: enrolment and/or registration procedure for secure
and effective fallback .26
6.2.38 Post enrolment verification session .27
© ISO/IEC 2015 – All rights reserved iii

6.2.39 System maintenance procedures .27
6.2.40 Token production and secure delivery .27
6.2.41 System performance monitoring .27
6.2.42 Effective system level performance through testing and piloting .28
6.3 Regulator’s perspective .28
6.3.1 Regulation .28
6.3.2 Completeness of the governance processes .28
6.3.3 Integrity of the logging and audit processes .28
6.4 Auditor’s perspective .29
7 Process for the development of biometric enrolment capability .29
7.1 General .29
7.2 Architectural considerations in enrolment station design .29
7.3 System definition .30
8 Guidance relating to specific modalities .30
8.1 General .30
8.2 Facial Biometrics .31
8.3 Fingerprint biometric systems .32
8.3.1 General.32
8.3.2 Fingerprint image optimization .33
8.3.3 Single finger systems .33
8.3.4 Tenprint systems .34
8.4 Vascular (Vein) authentication systems .36
8.4.1 General.36
8.4.2 Palm vein technology .36
8.4.3 Finger Vein technology .37
9 Guidance relating to enrolment for mobile biometric applications .37
9.1 Best practice guidelines .37
9.2 Fingerprint systems .38
9.3 Facial image Systems .39
9.4 Iris systems .40
Annex A (informative) Checklist of Activities related to biometric enrolment .42
Bibliography .46
iv © ISO/IEC 2015 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information technology, Subcommitee
SC 37, Biometrics.
© ISO/IEC 2015 – All rights reserved v

Introduction
One of the most important contributions to a successful biometric-based recognition system is a
consistent enrolment service that generates the biometric data required for subsequent recognition
of individuals. Subsequent verifications or identifications will be compared with the biometric
data collected at enrolment. If the quality of capture at enrolment is not maintained consistently,
the operators of a recognition system which depends on a good enrolment are likely to experience
unreliable performance. For those who are enrolled in a verification system, a poor quality enrolment
will result in inconvenience should they fail to be recognized. (Readers of this report should note that
quality has a specific meaning when applied to biometric systems; a high quality capture is one that
results in biometric data that provides good match scores when compared with other high quality
images from the same biometric feature.)
By analysing the requirements for a good enrolment from the perspectives of a range of stakeholders,
it is possible to derive a set of principles to guide the development of a biometric enrolment policy and
the deployment of a service. Where enrolment is outsourced to a third party, it is extremely important
to be able to measure quality metrics rather than quantity metrics, since the technical and business
objectives of the two organisations (the Relying Party and the Enrolment Authority as defined in this
document) may, in general, not be aligned.
Although the recommendations and guidelines in this report are directed in the main at the parties
responsible for the enrolment itself and for management of the enrolment service (noting that these
two entities may be one and the same), they will also be of value to the designers and developers of
enrolment systems.
vi © ISO/IEC 2015 – All rights reserved

TECHNICAL REPORT ISO/IEC TR 29196:2015(E)
Guidance for biometric enrolment
1 Scope
This report consolidates information relating to successful, secure and usable implementation of
biometric enrolment processes, while indicating areas of uncertainty that organisations proposing to
use biometric technologies will need to address during procurement, design, deployment and operation.
Much of the information is generic to many types of application e.g. from national scale commercial
and government applications, through to closed user group systems for in-house operations, and to
consumer applications where convenience rather than security is the primary driver for adoption of
biometric technologies.
The report points out the differences in operation relating to specific types of application, e.g. where
self-enrolment is more appropriate than attended operation. This report will focus in the main
on fixed location enrolments at a number of sites in an organization, where there is an attendant
who supports the biometric applicant in effecting a successful enrolment, and where enrolment is a
mandatory requirement. In summary, this report consolidates information relating to better practice
implementation of biometric enrolment capability in various business contexts including considerations
of legislation, policy, process, function (system) and technology.
The report provides guidance as to the collection and storage of biometric enrolment data and the
impact on dependent processes of verification and identification. This report will not aim to include
material specific to forensic and law enforcement applications.
The recommendations contained in the report are not mandatory.
2 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 2382-37 and the
following apply.
2.1
biometric applicant
individual seeking to be enrolled in a biometric enrolment database
2.2
designers and developers
organization or individuals responsible for the design, development, (and deployment, if applicable) of
the enrolment system
2.3
duty officer
individual acting on behalf of either the enrolment authority or operator either present in the vicinity
of one or more enrolment stations, or available on line or by telephone, trained to provide advice and
guidance to an enrolment officer in case of difficulty
Note 1 to entry: The duty officer may also have a role in determining exception handling routines.
2.4
enrolment authority
organisation (or other entity) with legal and contractual responsibilities for the completion of
enrolment processes
© ISO/IEC 2015 – All rights reserved 1

2.5
enrolment officer
agent of the operator responsible for the secure and effective enrolment service at one or more
enrolment points
2.6
identity provider
entity storing and managing the biometric data obtained directly or indirectly from the biometric
enrolment
2.7
operator
organization (or other entity) responsible for delivering the enrolment service on behalf of the
enrolment authority
2.8
performance manager
person responsible for managing the enrolment service to ensure it meets its specified enrolment
performance criteria
Note 1 to entry: This will typically include actions such as monitoring enrolment performance (quality as well
as quantity metrics), applying corrective measures where necessary and reporting enrolment performance
achievement to the enrolment authority.
2.9
personal assistant
individual accompanying the biometric applicant at the enrolment session for one or more purposes
Note 1 to entry: Such purposes might include: translation of instructions from the enrolment officer into the
native language of the applicant; support for a disabled applicant to enable the applicant to undertake an
enrolment successfully; to fulfil a legal requirement such as a parent present at the enrolment of a child.
2.10
relying party
entity operating a biometrically-enabled application for which the enrolment process provides
biometric references
2.11
specialist support staff
trained attendant(s) present at the enrolment session on behalf of the enrolment authority or operator
to assist with the enrolment of applicants with disabilities, or to fulfil service or legal requirements in
respect of gender, religious observance, or age of the applicant
2.12
vendor
entity providing hardware and/or software biometric functionality
3 Abbreviated terms
KPI Key Performance Indicator. A metric quantifying one or more aspects of the successful operation
of a process
NFIQ NIST Fingerprint Image Quality
SLA Service Level Agreement. An agreement between a service provider and a customer defining a
target level of service, mutual responsibilities of service provider and customer, together with
other requirements for the delivery of a service
2 © ISO/IEC 2015 – All rights reserved

4 Role of Enrolment in a Biometric System
Given the variety of applications and technologies, it might seem difficult to draw any generalizations
about biometric systems. All such systems, however, have many elements in common. Captured
biometric samples are acquired from a subject by a sensor. The sensor output is sent to a processor
that extracts the distinctive but repeatable measures of the sample (the biometric features), discarding
all other components. The resulting features can be stored in the biometric enrolment database as a
biometric reference or (in this case) a biometric template. In other cases the sample itself (without
feature extraction) may be stored as the reference. A subsequent probe biometric sample can be
compared to a specific reference, to many references or to all references already in the database to
determine if there is a match. A decision regarding the biometric claim is made based upon the
similarities or dissimilarities between the features of the biometric probe and those of the reference or
references compared.
Figure 1 — Components of general biometric system
Figure 1 (which is functional in nature and has no implications for physical location) illustrates the
information flow within a general biometric system, showing a general biometric system consisting
of data capture, signal processing, data storage, comparison and decision subsystems. This diagram
illustrates both enrolment, and the operation of verification and identification systems. The following
subclauses describe each of these subsystems in more detail. However, it should be noted that in any
implemented system, some of these conceptual components may be absent, or may not have a direct
correspondence with a physical or software entity.
The data capture subsystem collects an image or signal of a subject’s biometric characteristics that they
have presented to the biometric sensor, and outputs this image/signal as a captured biometric sample.
The transmission subsystem (not portrayed in the diagram and not always present or visibly present in
a biometric system) will transmit samples, features, probes and references between different subsystems.
The captured biometric sample may be compressed and/or encrypted before transmission, and
expanded and/or decrypted before use. A captured biometric sample may be altered in transmission
due to noise in the transmission channel as well as losses in the compression/expansion process. Data
may be transmitted using standard biometric data interchange formats, and cryptographic techniques
© ISO/IEC 2015 – All rights reserved 3

may be used to protect the authenticity, integrity, and confidentiality of stored and transmitted
biometric data.
Signal processing may include processes such as:
— enhancement, i.e. improving the quality and clarity of the captured biometric sample,
— segmentation, i.e. locating the signal of the subject’s biometric characteristics within the captured
biometric sample,
— feature extraction, i.e. deriving the subject’s repeatable and distinctive measures from the captured
biometric sample, and
— quality control, i.e. assessing the suitability of samples, features, references, etc. and possibly
affecting other processes, such as returning control to the data capture subsystem to collect further
samples; or modifying parameters for segmentation, feature extraction, or comparison.
In the case of enrolment, the signal processing subsystem creates a biometric reference. Sometimes
the enrolment process requires features from several presentations of the individual’s biometric
characteristics. Sometimes the reference comprises just the features, in which case the reference
may be called a “template”. Sometimes the reference comprises just the sample, in which case feature
extraction from the reference occurs immediately before comparison.
In the case of verification and identification, the signal processing subsystem creates a biometric probe.
Sequencing and iteration of the above-mentioned processes are determined by the specifics of each
system.
References are stored within an enrolment database held in the data storage subsystem. Each reference
might be associated with some details of the enrolled subject or the enrolment process. It should
be noted that prior to being stored in the enrolment database, references may be reformatted into a
biometric data interchange format. References may be stored within a biometric capture device, on a
portable medium such as a smart card, locally such as on a personal computer or local server, or in a
central database.
In the comparison subsystem, probes are compared against one or more references and comparison
scores are passed to the decision subsystem. The comparison scores indicate the similarities or
dissimilarities between the features and reference/s compared. In some cases, the features may take the
same form as the stored reference. For verification, a single specific claim of subject enrolment would
lead to a single comparison score. For identification, many or all references may be compared with the
features, and output a comparison score for each comparison.
The decision subsystem uses the comparison scores generated from one or more attempts to provide
the decision outcome for a verification or identification transaction.
In the case of verification, the features are considered to match a compared reference when (assuming
that higher scores correspond to greater similarity) the comparison score exceeds a specified threshold.
A biometric claim can then be verified on the basis of the decision policy, which may allow or require
multiple attempts.
In the case of identification, the enrolee reference is a potential candidate for the subject when (assuming
that higher scores correspond to greater similarity) the comparison score exceeds a specified threshold,
and/or when the comparison score is among the highest ranked values generated during comparisons
across the entire database. The decision policy may allow or require multiple attempts before making
an identification decision.
NOTE Conceptually, it is possible to treat multibiometric systems in the same manner as unibiometric
systems, by treating the combined captured biometric samples/references/scores as if they were a single
sample/reference/score and allowing the decision subsystem to operate score fusion or decision fusion as and if
appropriate. (See also ISO/IEC/TR 24722:2007.)
4 © ISO/IEC 2015 – All rights reserved

The administration subsystem (not portrayed in the diagram) governs the overall policy, implementation
and usage of the biometric system, in accordance with the relevant legal, jurisdictional and societal
constraints and requirements. Illustrative examples include
— providing feedback to the subject during and/or after data capture,
— requesting additional information from the subject,
— storing and formatting of the biometric references and/or biometric interchange data,
— providing final arbitration on output from decision and/or scores,
— setting threshold values,
— setting biometric system acquisition settings,
— controlling the operational environment and non-biometric data storage,
— providing appropriate safeguards for subject privacy, and
— interacting with the application that utilizes the biometric system.
The biometric system may or may not interface to an external application or system via an Application
Programming Interface, a Hardware Interface or a Protocol Interface.
In enrolment, a transaction by a Biometric Capture Subject is processed by the system in order to
generate and store an enrolment reference for that individual.
Enrolment typically involves
— sample acquisition,
— sample restoration or enhancement,
— segmentation,
— feature extraction,
— quality checks (which may reject the sample/features as being unsuitable for creating a reference,
and require acquisition of further samples),
— reference creation (which may require features from multiple samples), possible conversion into a
biometric data interchange format,
— storage,
— test verification or identification attempts to ensure that the resulting enrolment is usable, and
— allowing repeat enrolment attempts, should the initial enrolment be deemed unsatisfactory
(dependent on the enrolment policy).
A Biometric Capture Subject can also be required to present additional data specific to the enrolment.
This additional data might be a legal name, contact information, credentials, identity documents and the
like, although there are some biometric applications that may require no additional data whatsoever to
be collected at the time of enrolment beyond the biological and behavioural characteristics.
5 Stakeholders and approaches for enrolment
5.1 Enrolment Stakeholders
The successful operation of a biometric enrolment service depends on the co-operation of a large
number of stakeholders as listed in Table 1. (See also Figure 2 below showing that Enrolment Officers
© ISO/IEC 2015 – All rights reserved 5

work on behalf of the Operator, which has a relationship with the Enrolment Authority; Personal
Assistants support the Biometric Capture Subject of the enrolment).Note that systems may be far
simpler than illustrated, for example, the Enrolment Authority may also be the Operator of the service,
as well as being the Relying Party in an enterprise access control system.
Figure 2 — Stakeholders at Enrolment
Table 1 — Functional Description of Stakeholder roles
Stakeholder Function description
Enrolment Authority Responsibility for ensuring the quality of biometric enrol-
ment samples and other KPIs are in accordance with SLA
agreements or contractual requirements.
Instigating appropriate action if these fall outside the
agreed targets.
Ensuring compliance with legal requirements.
Ensuring that the cultural implications of operating an
enrolment service are taken into consideration.
6 © ISO/IEC 2015 – All rights reserved

Table 1 (continued)
Operator Organization delivering enrolment service on a day-to-
day basis.
Responsible to the Enrolment Authority for quality and
security of the enrolment service.
Taking remedial measures if KPIs, including quality and
performance metrics, fall outside the agreed targets.
Performance Manager Monitoring the performance of the enrolment service.
Proposing corrective actions.
Reporting back on the results of corrective actions.
Enrolment Officer Agent of the Operator responsible for the secure and effec-
tive enrolment service at one or more enrolment points.
Ensures the day-to-day maintenance of equipment used
in enrolment.
Interfaces with the subjects/Applicants and provides any
relevant information to them.
Enters any biographical/contextual data (although some
of these details may already be pre-populated).
Ensures that the quality of the enrolment feature collected
by the sensor/camera meets the enrolment standards
(usually through requesting the subject to re-enrol if the
standard is not achieved).
Providing advice and support to the subject to achieve a
high standard of enrolment.
Notes any exceptional circumstances.
Duty Officer Provide technical and/or operational advice and guid-
ance to an Enrolment Officer.
Attendant Assist the Enrolment Officer in obtaining the best availa-
ble quality biometric sample through following proce-
dures set for subjects with accessibility needs or who
have special requirements (in respect of age, gender,
religious observance, etc).
The Biometric Capture Subject / Biometric Enrollee, Provide biometric sample to the system.
hereafter termed subject and Enrollee respectively
Personal Assistant Provide support for the Applicant/Enrollee, e.g. transla-
tion of instructions from the Enrolment Officer, support
for a disabled Applicant or to fulfil a legal requirement
such as a parent present at the enrolment of a child.
Designers and Developers Designing the enrolment system as part of the enrolment
service using systems engineering principles wherever
possible.
Developing enrolment system, service and process.
Specifically developing an interaction protocol for
enrolee.
Specifically, developing the service for production and
distribution of any token used as storage for biometric
reference(s), or a pointer to where biometric reference(s)
is/are stored.
© ISO/IEC 2015 – All rights reserved 7

Table 1 (continued)
Vendor Providing hardware and software.
Providing (either directly or through an agent) techni-
cal support e.g. for upgrades or rectification of faults, if
under contract to do so.
Regulators and other Governance Bodies Assuring the enrolment process is operated according to
laws, regulations, codes of practice, contracts, etc.
Auditor Audit enrolment protocol.
Identity Provider Processing the biometric features into references,
performing any quality and de-duplication checks and
storing references and images.
Relying Party Using the biometric data obtained from the enrolment
service in a biometric recognition service as part of a
business-oriented application.
5.2 Enrolment Approaches
Enrolment for biometric services can take the form of many differing approaches depending upon
context, complexity, requirements of the Relying Party, etc.
— In-house or outsourced.
— Multiple or single location.
— Fixed, mobile or remote.
— Attended, semi-attended (one enrolment officer overseeing a number of enrolments in parallel) or
1)
unattended (e.g. self-enrolment ).
— Mandatory, optional (opt-in), or unaware (e.g. for surveillance/tracking).
— Using a single modality or multiple biometric modalities.
— Designed to provide enrolments for either multiple applications or for a specific application.
Enrolment is an expensive part of a biometric service thus in order to reduce costs enrolment
may at times be undertaken for multiple Relying Parties, each with differing business, technical
and functional requirements. For example the enrolled facial image for a passport may be re-used
for a driving licence application. Other enrolment processes may be required to be more specific
in design – e.g. access control ‘Offline’ or ‘batch’ enrolment where the biometric sample capture
process is separate from the enrolment stage, or an integrated credential proofing/acquisition/
enrolment process.
— Duration/complexity of the enrolment process, from a simple single modality process (against pre-
assigned identity), to a complex process consisting of checks on identity using breeder documents,
followed by collection of features relating to multiple modalities and a verification check on the
effective operation of the collected features.
Based upon how the system is influenced by the above factors, there will be different requirements and
operational guidance.
1) Self-enrolment may be with the active participation of the subject, or can even be acquired with stand-off
systems not requiring direct interaction with the subject.
8 © ISO/IEC 2015 – All rights reserved

6 Key Stakeholder perspectives
6.1 Summary of key observations
A reproducible biometric enrolment process is a prerequisite for the successful use of biometric
recognition in one or more applications at a subsequent time. A poor quality enrolment, e.g. one in
which the Biometric Applicant’s biometric features have not been collected in line with best practice,
will present difficulties when the reference derived from these features is compared with biometric
data collected in the context of the application. (Biometric Applicant is termed Applicant hereafter.)
For instance, if a thumb is presented and registered in an enrolment for access control, and the
Biometric Capture Subject (hereafter termed subject) uses one of the index fingers as instructed by a
biometric verification unit at a door, the biometric comparison will fail. The subject will therefore be
inconvenienced, in having to use an exception-handling process provided by the Operator of the access
control system.
Such problems are likely to occur more often when the Enrolment Authority (and/or operator) for the
enrolment service is not the same as that managing the subsequent application that uses biometric
recognition (the Relying Party). In this case, the Enrolment Authority bears the costs of ensuring that
the quality of enrolments is maintained while the benefits of good quality enrolments accrue to the
Relying Party (or Parties). Rather than setting this cost/benefit pivot at the interface between the two
organizations, a better strategy is to move it to the enrolment service, incentivizing the Enrolment
Authority to deliver high quality enrolments. This will usually entail clear and correct specification
of metrics for the enrolment performance in any contracts or agreements between these two
organizations.
In setting the requirements for an enrolment service, the Enrolment Authority should take account of
the requirements of the Relying Party as well as other stakeholders as listed in Table 1 and represented
schematically in 5.1. (When these requirements are not known in full, e.g. because the recognition
system of the Relying Party is still under development, designers of enrolment services should take
appropriate measures to mitigate any risks.) The SLA between the Enrolment Authority and the
Operator of the enrolment service should include KPIs that relate to the business objectives of the
Enrolment Authority as well as those of the Relying Party. Requirements should include quantitative
performance measures capable of being tested either by the Enrolment Authority or by an independent
testing organization during the acceptance phase of the project, as well as periodically afterwards.
The designers and developers of the enrolment system will use the requirements to source suitable
vendors of the biometric components, such as the hardware to collect biometric features, software to
process these features and assess their quality, and - if required - verification software to check that
the enrolment has been completed satisfactorily.
The security of the biometric enrolment process is also an essential aspect of its success. In preparing
for a robust process design, all stakeholders are responsible for addressing security requirements, from
the design of the logical technical architecture to the functional components, as well as procedures and
checks that directly involve interaction with the Applicant and the Subject.
The Enrolment Authority’s designers and developers need to address these requirements, as early as
possible in the design, such as the ability to check the identity credentials presented by the Applicant
and taking measures to counter spoofing attacks. Note that catering to the needs of Applicants with
language difficulties and disabilities will also feature in the design but may impact on the security
procedures. These aspects of the enrolment process – and any requirements placed by regulators –
should be developed into training materials for Enrolment Officers, attendants, duty officers and the
Performance Manager.
After completion of the high level design, and prior to deployment, marketing and other awareness-
raising activities should be started, so that representatives of the Applicant population, mass media,
regulators and special interest groups have time to comment on the proposals for the enrolment service
and for changes in the details of the design of the system to be incorporated.
© ISO/IEC 2015 – All rights reserved 9

The enrolment service should be piloted with a representative sample of the user population, both of
Applicants as well as Enrolment Officers. The Performance Manager should ensure that acceptance
testing has been carried out and that the provisions of the SLA with the designers and developers have
been met. Comments and observations collected from the users should be examined. If changes are
made to the system or procedures in the light of these tests and comments, a further round of testing
may be required.
At some time after the system is deployed, representatives of the Relying Party and the Enrolment
Authority should review the performance of the enrolment service,
...