
ISO/IEC 27554 Application of ISO 31000 for assessment of identity-related risk [DRAFT]
This standard is intended to ease application of the ISO 31000 risk management guidelines specifically to identity management, supporting/supplementing various identity management standards.

It will use the ISO 31000 process to establish the context and assess risk, with risk scenarios for processes and implementations involving identity-related risk.


Scope of the standard

The standard will apply to the assessment, specifically, of risks associated with processes and services that rely on or are related to identity management. It will not include risks arising generally from delivery, technology or security. It will be used in conjunction with other standards concerning controls for identity information.

The standard will explain identity-related risk definition, context and impacts, in a standardized manner, plugging gaps in other identity-management standards.


Content of the standard

Main sections:

  1. Principles - refers to the ISO 31000 principles
  2. Framework - refers to the ISO 31000 approach
  3. Process - refers to the ISO 31000 risk management process
  4. Identity-related risk assessment
  5. Identity-related context establishment
  6. Identity-related risk identification
  7. Identity-related risk analysis
  8. Identity-related risk evaluation
  9. Identity-related risk treatment

... with appendices on impact assessment and related standards.



The project started in 2018.

The standard is due to be published at the end of 2023.

January status update: it is at 2nd Draft International Standard stage.


Personal notes

January status update: although the remaining grammatical and readability issues with the DIS version can hopefully be resolved before publication, technical issues (such as the dubious use of arithmetic on numeric category labels to calculate ‘risk levels’) and general concerns (such as whether the standard adds sufficient value to the field) present more of a challenge for the project team at this late stage.

In my personal opinion, ISO 31000 is more useful with ISO/IEC 27005 running a close second.

Copyright © 2023 IsecT Ltd.