What is this standard about?
Many electronic transactions within ICT systems have security requirements which depend on an understood or specified level of confidence in the identities of the entities involved. Such requirements may include the protection of assets and resources against unauthorized access.
This usually involves an access control mechanism which might be used to enforce accountability through the maintenance of audit logs of relevant events, as well as for accounting and charging purposes.
This standard provides a framework for entity authentication assurance. Assurance within this International Standard refers to the confidence placed in all of the processes, management activities, and technologies used to establish and effectively manage the identity of an entity for use in authentication transactions.
Who is this standard for?
Principally it’s for credential service providers (CSPs) and others having an interest in their services, e.g. relying parties, assessors and auditors of those services.
Why should you use this standard?
It offers crucial guidance for managing entity authentication assurance in a given context. In particular, it focuses on the:
Using four specified Levels of Assurance (LoAs), the document presents direction concerning control technologies, processes and management activities, as well as assurance criteria that should be used to mitigate authentication threats in order to implement the four LoAs.
ISO/IEC 29115:2013