ISO/IEC 24760-3:2025
Information security, cybersecurity and privacy protection — A framework for identity management — Part 3: Practice
This part of ISO/IEC 24760 provides recommendations for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2. This part of ISO/IEC 24760 is applicable to an identity management system in which identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purposes of decision-making using attributes of entities. Practices relating to identity management can also be addressed in other standards.
International Standard
ISO/IEC 24760-3
Second edition
2025-09
Information security, cybersecurity and privacy protection — A framework for identity management — Part 3: Practice
Horizontal document
© ISO/IEC 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2025 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Mitigating identity related risk in managing identity information
5.1 Overview
5.2 Risk assessment
5.3 Assurance in identity information
5.3.1 General
5.3.2 Identity proofing
5.3.3 Credentials
5.3.4 Identity profile
6 Identity information and identifiers
6.1 Overview
6.2 Policy on accessing identity information
6.3 Identifiers
6.3.1 General
6.3.2 Categorization of identifier by the type of entity to which the identifier is linked
6.3.3 Categorization of identifier by the nature of linking
6.3.4 Categorization of identifier by the grouping of entities
6.3.5 Management of identifiers
6.3.6 Categorization of identifier by method of value creation
7 Auditing identity information usage
8 Control objectives and controls
8.1 General
8.2 Contextual components for control
8.2.1 Establishing an identity management system
8.2.2 Establishing identity information
8.2.3 Managing identity information
8.3 Architectural components for control
8.3.1 Establishing an identity management system
8.3.2 Controlling an identity management system
Annex A (informative) Practice of managing identity information in a federation of identity management systems
Annex B (informative) Identity management practice using attribute-based credentials to enhance privacy protection
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 24760-3:2016), which has been technically
revised. It also incorporates the Amendment ISO/IEC 24760-3:2016/Amd 1:2023.
The main changes are as follows:
— title has been updated;
— the document has been editorially revised.
A list of all parts in the ISO/IEC 24760 series can be found on the ISO website.
This document has been given the status of a horizontal document in accordance with the ISO/IEC
Directives, Part 1.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
Data processing systems commonly gather a range of information on their users, be it a person, piece of
equipment, or piece of software connected to them, and make decisions based on the gathered information.
Such identity-based decisions can concern access to applications or other resources.
To address the need to efficiently and effectively implement systems that make identity-based decisions, the
ISO/IEC 24760 series specifies a framework for the issuance, administration, and use of data that serves to
characterize individuals, organizations or information technology components, which operate on behalf of
individuals or organizations.
For many organizations, the proper management of identity information is crucial for maintaining security
within organizational processes. For individuals, correct identity management is important for protecting
privacy.
The ISO/IEC 24760 series specifies fundamental concepts and operational structures for identity
management and provides a framework on which information systems can meet business, contractual,
regulatory, and legal obligations.
This document specifies practices for identity management. These practices cover assurance in controlling
identity information use, controlling the access to identity information and other resources based on identity
information, and controlling objectives that should be implemented when establishing and maintaining an
identity management system.
This document is intended to provide a foundation for the practices for identity management in other
international standards related to identity information processing including other parts of the ISO/IEC 24760
series, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115, and ISO/IEC 29146.
International Standard ISO/IEC 24760-3:2025(en)
Information security, cybersecurity and privacy protection —
A framework for identity management —
Part 3:
Practice
1 Scope
This document:
— provides requirements and guidance for the management of identity information and for ensuring that
an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2;
— is applicable to any information system where information relating to identity is processed or stored;
— is considered to be a horizontal document for the following reasons:
— it applies concepts such as distinguishing the term “identity” from the term “identifier” on the
implementation of systems for the management of identity information and on the requirements for
the implementation and operation of a framework for identity management,
— it provides an important contribution to assess identity management systems with regard to their
privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently
it provides a foundation and a common understanding for any other standard addressing identity,
identity information, and identity management.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 24760-1:2025, Information security, cybersecurity and privacy protection — A framework for identity
management — Part 1: Core concepts and terminology
ISO/IEC 24760-2, Information security, cybersecurity and privacy protection — A framework for identity
management — Part 2: Reference architecture and requirements
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 24760-1 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
identity profile
identity containing attributes specified by an identity template
3.2
identity template
definition of a specific set of attributes
Note 1 to entry: Typically, the attributes in a profile are intended to support a particular technical or business purpose
as needed by relying parties.
3.3
identity theft
result of a successful false claim of identity
4 Abbreviated terms
For the purposes of this document, the following abbreviated terms apply.
ICT Information and communication technology
IIP Identity information provider
IIA Identity information authority
PII Personally identifiable information
RP Relying party
5 Mitigating identity related risk in managing identity information
5.1 Overview
This clause presents practices to address identity related risk when operating an identity management
system conforming to ISO/IEC 24760-1 and ISO/IEC 24760-2.
Figure 1 shows the operational scope of an identity management system. The arrows in the figure identify
processes that affect the recorded identity information. Details of these processes are presented in
ISO/IEC 24760-1:2025, Clause 7. These processes are the prime areas of concern in assessing risks in the
implementation of an identity management system.
NOTE ISO/IEC 24760-1:2025, Figure 1 shows that when an identity is registered, it can be in different stages:
unknown, established, active, suspended or archived. Authentication of an entity typically can only be successful if its
identity is active.
Figure 1 — Operational scope of an identity management system
5.2 Risk assessment
A function of an identity management system is managing identity as data; secure operation of this data
management system involves managing the risk of identity errors while protecting the confidentiality,
integrity and availability of identity information that is stored, processed and communicated. A risk
assessment should be conducted to determine the level of risk of the identity management system. The risk
management should take into account the lifecycle of identity and identity information that evolve over
time and can impact consumers of this information. The result provides information, which the identity
management system can use to determine the necessary risk management criteria and processes. The sort
of information the identity management system requires includes the level of assurance of identity required
and the requirements for confidentiality, integrity and availability of identity information.
ISO/IEC 24760-2 specifies tools to manage risks as policies, regulation, design and architecture. In some
contexts, involving consumers, protecting personally identifiable information and giving principals control
over the use of their personally identifiable information is paramount. ISO/IEC 29100, ISO/IEC 29101,
ISO/IEC 29134 and ISO/IEC 29151 specify requirements and provide guidance for the protection of privacy.
Identity information managed by an identity management system may also be managed by reference to
identity information providers in another domain. For example, identity proofing may be undertaken by a
service provider, which operates in a different domain to that of the identity management system.
When identity information is collected and stored, risk management measures shall be implemented by the
identity management service. These measures mitigate the risks identified by a risk assessment carried
out in the application domain by the relying party. Levels of assurance concerning identity information and
access services shall be determined and specified by the relying party according to assessed levels of risk.
5.3 Assurance in identity information
5.3.1 General
Confidence in identity information provided by an identity management system comes from processes that
ensure the validity of the information from its collection through its subsequent storage and maintenance by
the system. Assurance is typically quantified in terms of assurance levels with higher levels corresponding
to greater assurance. The level of assurance achieved depends on the quality of the identity information and
the rigour of the identity validation processes. Levels of assurance are described in ISO/IEC 29115.
5.3.2 Identity proofing
Identity proofing, i.e. validating identity information for enrolment of an entity in a domain, shall meet a
defined level of assurance. The level of assurance of identity proofing achievable depends on the type
and characteristics of information and, in some cases, the scope of this information, e.g. the number of
independent identity information providers used as sources of the information.
An increased level of assurance in identity verification may be achieved:
— with verification of additional credentials issued from multiple sources, and
— using a trusted external party that knows the entity to validate claimed identity information.
NOTE 1 ISO/IEC TS 29003 provides requirements for identity proofing.
NOTE 2 ISO/IEC 29115 specifies how to achieve different levels of assurance.
5.3.3 Credentials
An identity management system may issue multiple types of credential, differing in the level of assurance of
the identity information represented by the credential.
An identity management system issuing credentials with a high level of assurance supported by a
cryptographic mechanism should provide a service for relying parties to actively support the cryptographic
validation process.
An issuer of a credential in physical form shall implement an identity management system to process the
identity of the credential device in accordance with ISO/IEC 24760-1 and ISO/IEC 24760-2.
5.3.4 Identity profile
An identity management system may use one or more identity profiles for gathering, structuring, or
presenting identity information.
NOTE Although a profile can contain identity information, it is not intended for identification. Its purpose is to
provide identity information about an entity to system processes that need the information for their processes.
An entity may have multiple identity profiles, each containing a different set of attributes for the entity. For
instance, a language preference may be present in a profile for an access interface and not in a profile for
book interests.
An identity template may be established as an international or industry standard. The use of a standardized
identity template to record identity attributes would facilitate the usage of identity profiles across domains.
An identity profile may be used in access management to determine the required identity attributes for
being authorized for a role or privilege in accessing information. An identity profile may be used as a
pre-configured subset of identity information to be presented when interacting with a service.
An attribute in an identity profile may be associated with a level of assurance. Using an identity profile with
associated levels of assurance to present identity information shall imply that each item of information has
been validated at least at its associated level of assurance. An identity profile specifying requirements
for access to services or resources may be associated with a specific additional entity identifier that may
indicate the activities linked to the specific privileges.
6 Identity information and identifiers
6.1 Overview
Organizations should understand the information security concerns for their business and should provide
management support to meet the business needs including additional requirements.
In regard to identity management, organizations should understand their liabilities and ensure that
adequate controls are implemented to mitigate the risks and consequences of identity information leakage,
corruption and loss of availability when collecting, storing, using, transmitting and disposing of identity
information. Organizations should specify control objectives and controls to ensure that information
security requirements are met.
6.2 Policy on accessing identity information
The identity information pertaining to an entity should be managed to ensure the following:
— identity information remains accurate and up-to-date over time;
— only authorized entities have access to the identity information and are accountable for all uses and
changes in identity information, guaranteeing traceability of any processing of identity information by
any entity, whether a person, a process or a system;
— the organization fulfils its obligations with respect to regulations and contractual agreements;
— principals are protected against the risk of identity-related theft and other identity related crime.
NOTE Typically, an information security policy highlights the necessity to securely manage identity information.
The preservation and protection of any entities identity information is also required when dealing with third parties
as typically documented within the operational procedures.
6.3 Identifiers
6.3.1 General
An identifier allows distinguishing unambiguously one entity from another entity in a domain of applicability.
An entity may have multiple, different identifiers in the same domain. This can facilitate the representation
of the entity in some situations, e.g. hiding the entity’s identity when providing the entity’s identity
information for use in some processes or within some systems. An identifier created in one domain may be
reused intentionally in another domain provided the reused identifier continues to provide uniqueness of
identity within the other domain.
6.3.2 Categorization of identifier by the type of entity to which the identifier is linked
6.3.2.1 Person identifiers
A person identifier can include a full name, date of birth, place of birth, or various pseudonyms, such as a
number assigned by an authority as a reference, e.g. passport number, national identity number or
identity-card number.
The use of pseudonyms as identifiers is frequent for person identifiers (see 6.3.3.2).
NOTE A pseudonym can enhance the privacy of persons in an identity-authentication exchange with a relying
party, as a pseudonym can reveal less personally identifiable information than if a real name is used as an identifier.
6.3.2.2 Identifier assigned to a non-person entity
Non-person entities, e.g. devices or other information objects, can have their activities identified and
recorded as for persons.
Device identifiers allow distinction between devices in the domain in which they operate.
EXAMPLE 1 The International Mobile Equipment Identity (IMEI) is an identifier of the mobile telephone handset
in the domain of a mobile telephone service.
EXAMPLE 2 The GSM SIM card number (ICCID) is a unique device identifier in the domain of a mobile telephone
service. A SIM card also contains other identifiers including that of the user who registered the SIM card.
It can also be necessary to distinguish information object identifiers in their domains. One of their attributes,
or a combination of their attributes, is usually used as the identifier.
EXAMPLE 3 Process name, session name, path name, uniform resource names (URN), uniform resource identifier
(URI) are examples of information object identifiers.
EXAMPLE 4 URI is an example of identifier for a location, but the object at that location can change at any time.
6.3.3 Categorization of identifier by the nature of linking
6.3.3.1 Verinymous identifier
A verinymous identifier is an identifier, persistent in its domain of applicability, that may be used within and
across domains and allows a relying party to obtain further identity information for the entity associated
with the identifier. Commonly observed verinymous identifiers include email address, mobile phone
number, passport number, driving licence number, social security number and the name-date of birth pair.
A verinymous identifier can allow identity information for entities known in different domains to be
correlated. While it is fine to correlate the identities if so desired by the person, unexpected correlation, e.g.
profiling, has a negative privacy impact. By the nature of the verinymous identifier, if an information leakage
incident happens, it allows adversaries to perform such correlation and create threats, e.g. of generating
privacy-related information that the principal did not intend to disclose.
6.3.3.2 Pseudonymous identifier
A pseudonymous identifier is an identifier, persistent in its domain, that does not disclose additional identity
information. As long as no other identifying information is available in the domain, identities from different
domains cannot be correlated using a pseudonymous identifier. A pseudonymous identifier may be used to
prevent unwanted correlation of identity information for entities across domains.
NOTE The mere use of pseudonymous identifiers does not equate with identity data being pseudonymous.
Other attributes combined at one point in time or across multiple points in time can be enough to derive verinymous
identifiers.
6.3.3.3 Ephemeral identifier
An ephemeral identifier is an identifier that is used only for a short period of time and only within a single
domain. It may change for multiple uses to the same service or resource.
NOTE 1 If used correctly, an ephemeral identifier will make it very difficult for two visits by an entity to be
correlated.
NOTE 2 An ephemeral identifier is often used in the context of attribute-based access control where access to a
resource is granted if the entity has a particular attribute. For example, if the resource access is granted for a person
because they are a member of a particular group, the identity would be composed of an ephemeral identifier and a
group identifier. These would serve the access control purpose while minimizing the data disclosed or the possibility
of linking multiple accesses, while still differentiating each entity.
6.3.4 Categorization of identifier by the grouping of entities
6.3.4.1 Individual identifier
An individual identifier is an identifier that is associated with only one entity within a domain of applicability.
6.3.4.2 Group identifiers
Entities are sometimes grouped in a group entity when the need exists to execute activities as a group. A
distinct group identity will represent the group entity, and group identifiers will help to unambiguously
identify the group entity and record activities of the group entity in their domains. Group identifiers
serve the need of a person entity to perform activities in a group or on behalf of a group; they may
hide the originator of an action in a group. Additional techniques can therefore be required to
unambiguously identify a single entity as a member of a group entity.
6.3.5 Management of identifiers
When updating identity information for a known entity, an identity management system may assign a new
identifier to the changed identity; it also may remove the association of the old identifier with the identity.
Changed identity information may be proactively communicated to subsystems that rely on it.
6.3.6 Categorization of identifier by method of value creation
6.3.6.1 As combination of attributes
A particular combination of attributes may have a unique value over all registered identities. Such a
combination of attribute values may serve as an identifier.
NOTE An identifier derived from a combination of attributes can be referred to as a “quasi-identifier”.
A combination of attributes of which the combined values are not unique over all registered identities may
be defined to function as a shared identifier for a group of entities.
The value of such an identifier intended or expected to be used outside the domain of origin should be
transformed into an identifier with a generated unique value by applying a cryptographic hash function to
the combined attribute values.
6.3.6.2 Generated with a unique value
An identifier may be generated to have a unique value for all registered identities.
NOTE 1 Typically, at registration one such identifier can be generated to be used as a reference identifier.
NOTE 2 A timestamp with sufficient granularity of time can be used as such an identifier for each subject that
simultaneously uses a service in a domain of applications.
6.3.6.3 Assigned from an externally generated unique value
A unique value generated by a third party as associated with a principal may be used as identifier in an
identity management system. Guarantees of the uniqueness of the values shall be obtained before deciding
to use such an identifier in the registered identities. Such an identifier may be used as reference identifier.
EXAMPLE An externally generated unique value can be the identifier of a state issued identification document,
e.g. the document number of a passport or driver licence, the identifier of a credential in physical form, including a
hardware token, or a citizen administration number.
NOTE 1 An external unique value can be referred to as an “authoritative identifier”, in particular where that
identifier can be used to refer to identity information held in the domain of origin of the external identifier value.
To improve privacy protection, the value of such an identifier should be transformed before being registered
into an identifier with generated unique value by applying a cryptographic hash function to the externally
provided value.
NOTE 2 In case the external identifier is transformed by applying a cryptographic hash function, it can still be used
in authentication. In that case, its use as authoritative identifier, e.g. to retrieve additional identity information from
the domain of origin of the external identifier, is only possible during authentication after the entity has presented
the original value. Typically, in this case, such additional identity information is intended to be included in the
authenticated identity, as possibly requested by a relying party.
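The identifier categories of 6.3.3 and the transformations of 6.3.6 carried through in working code, as an added example that is not part of this document. The domain names, `DomainRegistry` class, document number and per-domain secrets are constructed for the illustration; keying the per-domain transform with a secret is an added precaution that the clauses do not require, since they only say to apply a cryptographic hash function.

```python
import hashlib
import hmac
import secrets
import unicodedata
from typing import Dict, Optional

# Constructed per-domain secrets for the illustration. Keying the transform with a secret
# held by the domain is an assumption added here; 6.3.6.1 and 6.3.6.3 only say to apply a
# cryptographic hash function.
DOMAIN_KEYS = {
    "library.example": secrets.token_bytes(32),
    "gym.example": secrets.token_bytes(32),
}


def _canonical(*values: str) -> bytes:
    """Normalize attribute values so one entity always maps to the same bytes: differences in
    case, surrounding whitespace or Unicode form must not produce two identifiers."""
    parts = [unicodedata.normalize("NFKC", v).strip().casefold() for v in values]
    return "\x1f".join(parts).encode("utf-8")


def hash_identifier(*values: str) -> str:
    """6.3.6.1 / 6.3.6.3 as written: a quasi-identifier (combination of attributes) or an
    externally generated value becomes a generated unique value via a cryptographic hash.
    Caveat: every domain that computes it gets the same output, so the result is still a
    persistent, correlatable value, and a low-entropy input such as a document number is
    hidden only from parties that cannot enumerate the candidate inputs."""
    return hashlib.sha256(_canonical(*values)).hexdigest()


def pseudonymous_identifier(domain: str, *values: str) -> str:
    """6.3.3.2: persistent within its domain and disclosing no further identity information;
    because each domain keys the transform with its own secret, the values two domains hold
    for the same entity cannot be matched against each other."""
    return hmac.new(DOMAIN_KEYS[domain], _canonical(*values), hashlib.sha256).hexdigest()


def ephemeral_identifier() -> str:
    """6.3.3.3: a fresh value for each use, so two visits by the same entity are not linkable."""
    return secrets.token_urlsafe(16)


def ephemeral_access_identity(group_id: str) -> Dict[str, str]:
    """6.3.3.3 NOTE 2: the identity presented for attribute-based access control is only an
    ephemeral identifier plus the group attribute the access decision needs."""
    return {"id": ephemeral_identifier(), "group": group_id}


class DomainRegistry:
    """Registered identities of one domain, keyed by the transformed external identifier
    (6.3.6.3: the external value is transformed before being registered, and is not kept)."""

    def __init__(self, domain: str) -> None:
        self.domain = domain
        self._identities: Dict[str, dict] = {}

    def register(self, external_value: str, attributes: dict) -> str:
        reference_id = pseudonymous_identifier(self.domain, external_value)
        self._identities[reference_id] = dict(attributes)
        return reference_id

    def authenticate(self, presented_value: str) -> Optional[dict]:
        """6.3.6.3 NOTE 2: the transformed identifier still serves authentication because the
        entity presents the original value and the domain recomputes the transform."""
        return self._identities.get(pseudonymous_identifier(self.domain, presented_value))

    def holds_raw_value(self, external_value: str) -> bool:
        """Self-check that the untransformed external value is retained nowhere in the registry."""
        return external_value in self._identities or any(
            external_value in str(attrs) for attrs in self._identities.values())


def cross_domain_check(external_value: str = "P1234567") -> Dict[str, bool]:
    """Constructed scenario: one entity enrolled with the same document number in two domains."""
    library, gym = DomainRegistry("library.example"), DomainRegistry("gym.example")
    lib_id = library.register(external_value, {"group": "members"})
    gym_id = gym.register(external_value, {"group": "members"})
    return {
        "pseudonyms_correlate": lib_id == gym_id,
        "unkeyed_hashes_correlate": hash_identifier(external_value) == hash_identifier(external_value),
        "library_authenticates": library.authenticate(external_value) is not None,
        "library_rejects_other_value": library.authenticate("P7654321") is None,
        "raw_value_retained": library.holds_raw_value(external_value),
    }
```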
7 Auditing identity information usage
An identity management system can support the auditing of processes where identity information is
accessed. Auditing shall record which information is accessed, the operator initiating the process and
any parties outside the system with which information may be shared or from which new information is
obtained. In case de-identification is applied when sharing information, auditing shall be performed in a way
to assert its correctness.
NOTE 1 Auditing is usually required by law and regulations. Auditing also facilitates business practices when data
are being shared between parties as part of their business operations.
NOTE 2 Requirements for auditing can include measures to protect personally identifiable information and to
maintain required time-stamp accuracy and traceability (see the ISO/IEC 18014 series).
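An identity template with per-attribute minimum levels of assurance applied when a profile is presented to a relying party (5.3.4), together with the audit record Clause 7 asks for and the correctness check it requires when de-identification is applied, as an added Python example that is not part of this document. The `IdentityStore` class, template names, operator and relying-party names and the sample identity are constructed; the language-preference split between the access-interface and book-interests profiles follows the illustration given in 5.3.4.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Attribute:
    value: object
    loa: int                  # level of assurance at which the value was validated (5.3.1)
    verinymous: bool = False  # 6.3.3.1: would let a relying party obtain further identity information


@dataclass
class IdentityTemplate:
    """3.2: a defined set of attributes; here each carries the minimum LoA the relying party needs."""
    name: str
    required_loa: Dict[str, int]


@dataclass
class AuditRecord:
    """Clause 7: which information was accessed, the operator initiating the process and the outside
    party it was shared with; for de-identified sharing, whether the correctness check passed."""
    timestamp: str
    operator: str
    reference_id: str
    template: str
    attributes_shared: List[str]
    external_party: Optional[str]
    de_identified: bool
    de_identification_verified: Optional[bool]


class IdentityStore:
    def __init__(self) -> None:
        self._identities: Dict[str, Dict[str, Attribute]] = {}
        self.audit_log: List[AuditRecord] = []

    def add(self, reference_id: str, attributes: Dict[str, Attribute]) -> None:
        self._identities[reference_id] = attributes

    def present_profile(self, reference_id: str, template: IdentityTemplate, operator: str,
                        relying_party: str, de_identify: bool = False) -> Dict[str, object]:
        """5.3.4: build the profile the template specifies, accepting an attribute only if it was
        validated at or above the template's minimum LoA; Clause 7: record the access."""
        identity = self._identities[reference_id]
        profile: Dict[str, object] = {}
        for name, min_loa in template.required_loa.items():
            attr = identity.get(name)
            if attr is None:
                raise LookupError(f"attribute {name!r} missing for template {template.name!r}")
            if attr.loa < min_loa:
                raise PermissionError(
                    f"{name!r} validated at LoA {attr.loa}; template {template.name!r} requires {min_loa}")
            if de_identify and attr.verinymous:
                continue  # a de-identified profile carries nothing that leads back to the entity
            profile[name] = attr.value
        verified = self._de_identification_correct(identity, profile) if de_identify else None
        self.audit_log.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            operator=operator,
            reference_id=reference_id,
            template=template.name,
            attributes_shared=sorted(profile),
            external_party=relying_party,
            de_identified=de_identify,
            de_identification_verified=verified,
        ))
        if verified is False:
            raise RuntimeError("de-identification check failed; profile withheld")
        return profile

    @staticmethod
    def _de_identification_correct(identity: Dict[str, Attribute], profile: Dict[str, object]) -> bool:
        """Clause 7: auditing must assert the correctness of de-identification; here that means no
        shared value equals the value of any verinymous attribute held for the identity."""
        leaking = {a.value for a in identity.values() if a.verinymous}
        return not any(v in leaking for v in profile.values())


# Constructed sample templates (not from the standard): the language preference belongs to the
# access-interface profile and not to the book-interests profile, as in 5.3.4.
ACCESS_INTERFACE = IdentityTemplate("access-interface", {"group": 3, "language": 1})
BOOK_INTERESTS = IdentityTemplate("book-interests", {"display_name": 1, "email": 2})
AGE_CHECK = IdentityTemplate("age-check", {"date_of_birth": 4})  # asks for more assurance than held


def sample_store() -> IdentityStore:
    """Constructed sample identity for the illustration."""
    store = IdentityStore()
    store.add("ref-0001", {
        "display_name": Attribute("J. Doe", loa=1),
        "email": Attribute("jdoe@example.net", loa=2, verinymous=True),
        "date_of_birth": Attribute("1990-01-01", loa=3, verinymous=True),
        "group": Attribute("members", loa=3),
        "language": Attribute("en", loa=1),
    })
    return store
```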
8 Control objectives and controls
8.1 General
This clause summarizes security objectives and associated controls to be verified when setting up or
reviewing an identity management system.
The controls presented in ISO/IEC 27002 are also relevant for this document.
Annex A specifies further practices for managing identity information in a federation of identity management
systems.
Annex B specifies further practices for using attribute-based credentials to enhance privacy protection.
8.2 Contextual components for control
8.2.1 Establishing an identity management system
8.2.1.1 Objective
The objective is to establish a management system to initiate and control the implementation of managing
identity information for entities.
8.2.1.2 Defining and documenting the domain of applicability
a) Control
The relying parties for which an entity, or a group of entities, is enabled to apply its identity and which may
use the identity for identification and for other purposes, shall be documented to be clearly understood both
by the operators and the entities involved.
b) Implementation guidance
Documentation that describes the boundaries of the domain of a system for identity management should
be made available to all interested parties. This documentation should specify the limits where the identity
information can be verified. Any potential extensions to other domains or groups of entities should also be
documented.
The documentation should clarify the constraints, legal or otherwise, and the associated liabilities, on the
control of identity information in a domain.
c) Other information
A domain of an identity is well defined in relation to a particular set of attributes defining groups of entities.
An IT system within an organization that allows a group of entities to log in is a sub-domain in that
organization.
8.2.1.3 Identifying identity information providers, identity information authorities, identity
management authorities, and regulatory bodies
a) Control
Identity information authorities for identity information managed by an identity management system shall
be specified for the domain of an identity management system.
Entities that take on management and regulatory responsibilities for the protection of identity information
shall also be identified.
b) Implementation guidance
Entities associated with an identity management system as the source of identity information (an IIP), as
the source of authoritative statements on available information (an IIA), as the identity management
authority, and as any relevant regulatory body, governmental or otherwise, should be clearly identified.
The operations performed by an identity information provider are to create, maintain and make accessible
identity information for entities known in a particular domain. The methods to access information or obtain
services provided by these operational entities should also be made available.
Any changes in availability and methods for access and to obtain services should be actively communicated
to interested parties.
c) Other information
An entity may combine the functions of identity information provider and identity information authority.
8.2.1.4 Identifying relying parties
a) Control
Relying parties shall be made known for the domain of the identity management system.
b) Implementation guidance
Relying parties have trust relationships with one or more identity information authorities. Relying parties
associated with an identity information authority may be known at the design stage. Relying parties may
change over time, joining or leaving a relationship with one or more identity information authorities in the domain.
c) Other information
A relying party is exposed to risk caused by incorrect or invalid identity information.
8.2.1.5 Maintaining an identity management system
a) Control
A process shall be described to ensure the maintenance of the important operational entities in an identity
management system.
b) Implementation guidance
Over time, domains of an identity management system may use different identity information authorities,
identity information providers and relying parties to support their interactions with entities. Domains may
also be created and terminated, or their conditions of applicability may change.
Important entities for use of an identity management system, e.g. IIA, IIP and RP, may also cease to exist
after being replaced, archived, or deleted. An identity management system should document policies and
processes that ensure the control of these important entities and should ensure that valuable information of
the identity management system is not lost.
8.2.1.6 Privacy assurance
a) Control
An identity management system that manages identity information about the human entities interacting
within it shall have documented policies and established controls that ensure the protection of their
privacy.
b) Implementation guidance
A basic objective of establishing an identity management system is to ensure that the privacy of entities is
preserved at all times.
An identity management system shall document any sensitive information it processes about human entities
in accordance with ISO/IEC 24760-1.
c) Other information
Requirements for the handling of sensitive identity information are given in:
— ISO/IEC 29100, and
— ISO/IEC 29101.
8.2.2 Establishing identity information
8.2.2.1 Objective
The objective is to define, document and communicate identity information.
8.2.2.2 Identity representation
a) Control
A reference to an entity in an identity management system that remains the same for as long as the
entity remains known in the domain(s) of the system may be referred to as a “reference identifier”. The
identity management system shall document the controls that guarantee the unique distinguishability of
any entity in any domain of the identity management system.
b) Implementation guidance
A reference identifier should persist at least for the existence of the entity in an identity management system
and may exist longer than the entity, e.g. for archiving purposes or authorities’ needs.
Identity management system documentation should describe the use and reuse of identifiers. A reference
identifier for an entity should not be reused while any identity information relating to that entity, including
archived information, is recorded on the system.
A reference identifier generator is a tool that may help to provide unique values for reference identifiers.
c) Other information
To facilitate maintaining the recorded information for a specific identity, the identity management system
can use a reference identifier generator to assign a unique record number to an identity being added.
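The controls described in 8.2.2.2 (a reference identifier that is unique within its domain, persists at least as long as the entity is known, may outlive the entity for archiving, and is not reused while any information about the entity, archived included, is still recorded) can be enforced by the generator itself. The following is an added example constructed for this clause; it is not code from ISO/IEC 24760-3. The identifier layout (domain prefix plus random hex), the registry class and its method names are assumptions:

```python
"""Reference identifier registry for one domain: issues unique identifiers and
refuses reuse while information for the entity is still recorded
(constructed example, not from the standard)."""
import secrets
from typing import Optional


class ReferenceIdentifierRegistry:
    """Issues reference identifiers for a single domain and tracks their lifecycle."""

    def __init__(self, domain: str, id_bytes: int = 16):
        self.domain = domain          # prefix keeps identifiers distinguishable across domains
        self.id_bytes = id_bytes      # 16 bytes = 128 random bits per identifier
        self.active = {}              # reference id -> information of an entity known in the domain
        self.archived = {}            # reference id -> information kept after the entity left the domain

    def is_recorded(self, rid: str) -> bool:
        """True while any identity information, active or archived, is held for `rid`."""
        return rid in self.active or rid in self.archived

    def status(self, rid: str) -> str:
        if rid in self.active:
            return "active"
        if rid in self.archived:
            return "archived"
        return "unknown"

    def _fresh(self) -> str:
        # Random identifiers of this size do not collide in practice; the check makes
        # the uniqueness control explicit and covers archived identifiers too.
        while True:
            rid = f"{self.domain}:{secrets.token_hex(self.id_bytes)}"
            if not self.is_recorded(rid):
                return rid

    def enrol(self, identity: dict) -> str:
        """Register a new entity and return its reference identifier."""
        rid = self._fresh()
        self.active[rid] = dict(identity)
        return rid

    def archive(self, rid: str) -> None:
        """The entity leaves the domain; its identifier and record are retained."""
        if rid not in self.active:
            raise KeyError(f"{rid} is not an active reference identifier")
        self.archived[rid] = self.active.pop(rid)

    def purge(self, rid: str) -> None:
        """Delete archived information; only after this is the identifier reusable."""
        if rid not in self.archived:
            raise KeyError(f"{rid} is not archived")
        del self.archived[rid]

    def reassign(self, rid: str, identity: dict) -> None:
        """Explicit reuse of an identifier: refused while anything is still recorded."""
        if self.is_recorded(rid):
            raise ValueError(f"{rid} is still recorded ({self.status(rid)}); it must not be reused")
        self.active[rid] = dict(identity)

    def lookup(self, rid: str) -> Optional[dict]:
        if rid in self.active:
            return self.active[rid]
        return self.archived.get(rid)


if __name__ == "__main__":
    reg = ReferenceIdentifierRegistry("hr.example")   # constructed domain name
    rid = reg.enrol({"name": "Alice"})
    print(rid, reg.status(rid))
    reg.archive(rid)
    print(rid, reg.status(rid), reg.lookup(rid))
```

Keeping archived records in the same registry as active ones is what makes the non-reuse rule checkable: `reassign` and `_fresh` consult both, so an identifier cannot be handed to a second entity until the first entity's archived information has been purged.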
8.2.2.3 Identity information
a) Control
The set of values of attributes required to compose identity information pertaining to an entity in domains
of an identity management system shall be fixed, validated by the verifiers, and communicated, as requested,
to relying parties.
b) Implementation guidance
Verification of the values of required attributes from an identity results in an authenticated identity for an entity.
The authentication process involves tests by a verifier of one or more identity attributes provided by an
entity to determine, with the required level of assurance, their correctness.
8.2.2.4 Distinguishing different types of entity
a) Control
The number of distinct entity types in the domains of an identity management system shall be recognized,
and each type shall be described with the distinct attribute values composing its identity.
b) Implementation guidance
Items inside or outside an ICT system, such as a person, an organization, a device, a subsystem, or a group
of such items, that have a recognizably distinct existence in domains of an identity management system are
distinct entity types that may be described with different attribute values.
Each entity type should be documented, covering semantics and syntax, together with the list of attribute
values required for its identity to be validated.
8.2.2.5 Authenticating an identity
a) Control
A process shall be documented that verifies the identity information for an entity.
b) Implementation guidance
An authentication process involves operations by a verifier that should establish that identity information
for an entity is correct, meeting the level of assurance required by the service to be rendered to the entity.
Verifiers may be the same as, or act on behalf of, the identity information authority for a particular domain.
8.2.3 Managing identity information
8.2.3.1 Objective
The objective is to ensure that identity information is maintained and protected in all domains of an identity
management system, from initial enrolment until archiving or deletion.
...