Topic-specific policies
ISO/IEC 27554

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27554 Application of ISO 31000 for assessment of identity management-related risk [DRAFT]



“This document defines identity management-related risk for the purposes of applying ISO 31000 risk management guidelines to this field. It also uses the process outlined in ISO 31000 risk management guidelines to give guidelines for establishing context and assessing risk, including providing risk scenarios for processes and implementations that are exposed to identity management-related risk.”
[Source: SC 27 Standing Document 11 (2021)]


This standard will outline the associated risks to ease application of the ISO 31000 risk management guidelines to identity management.

It will use the ISO 31000 process to establish the context and assess risk, with risk scenarios for processes and implementations that are subject to identity management-related risk.


Scope of the standard

The standard will apply to the assessment, specifically, of risks associated with processes and services that rely on or are related to identity management.  It will not include risks arising generally from delivery, technology or security.  It will be used in conjunction with other standards concerning controls for identity information.

The standard will explain identity-related risk definition, context and impacts, in a standardized manner, plugging gaps in other standards. 


Content of the standard

The main sections of the standard will cover:

  • An overview
  • Context establishment for risks relating to identity management e.g. defining the scope and criteria for treating risks.
  • Risk assessment: identifying, analysing and evaluating risks.
  • Risk treatment: dealing appropriately with the risks.

with appendices on impact levels and related standards.



The project started in 2018. 

The standard is due to be published at the end of 2023.

It is at Committee Draft stage.


Personal notes

A narrow scope, coupled with language/readability concerns (e.g. ‘transactions provided by organisations’) and technical issues (notably the use of arbitrary impact and likelihood ‘levels’ to quantify risks and a patently false assertion that there are only two risks associated with identity management), may limit the utility and value of this standard unless they are resolved prior to publication.

Frankly, in my personal opinion, ISO 31000 alone does a better job, with ISO/IEC 27005 running a close second.



< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2022 IsecT Ltd.