

ISO/IEC 27554 Application of ISO 31000 for assessment of identity-related risk [DRAFT]





This standard is intended to ease application of the ISO 31000 risk management guidelines specifically to identity management, supporting/supplementing various identity management standards.

It will use the ISO 31000 process to establish the context and assess risk, with risk scenarios for processes and implementations involving identity-related risk.


Scope of the standard

The standard will apply to the assessment, specifically, of risks associated with processes and services that rely on or are related to identity management. It will not include risks arising generally from delivery, technology or security. It will be used in conjunction with other standards concerning controls for identity information.

The standard will explain identity-related risk definition, context and impacts, in a standardized manner, plugging gaps in other identity-management standards.


Content of the standard

Main sections:

  • An overview.
  • Context establishment for risks relating to identity management, e.g. defining the scope and criteria for treating risks.
  • Risk assessment: identifying, analysing and evaluating the risks.
  • Risk treatment: brief notes on dealing appropriately with the risks.

... with appendices on ‘impact levels’ and related standards.



The project started in 2018.

The standard is due to be published at the end of 2023.

Status updated July. It is at 2nd Committee Draft stage.


Personal notes

A narrow scope, coupled with language/readability concerns (e.g. ‘transactions provided by organisations’ and ‘Regarding privileged administrator, it is a special entity not only from privilege viewpoint, but also it is quite different player responsible on whole the identity management lifecycle process’), little typos (e.g. ‘Applying this to this’ instead of ‘Applying this to risk’) and technical issues (notably the use of arbitrary impact and likelihood ‘levels’ to quantify risks and a patently false assertion that there are only two specific risks associated with identity management ‘Identity-related risk is very specific and is expressed by the following two risks ...’), may limit the utility and value of this standard unless they are resolved prior to publication. There’s time yet.

Frankly, in my personal opinion, ISO 31000 is more useful with ISO/IEC 27005 running a close second. However, the succinct bullet-point lists of possible controls near the end are quite stimulating and potentially of value in other contexts (e.g. ‘Profiling - selecting certain types of transaction/user for closer examination’).




Copyright © 2022 IsecT Ltd.