ISO/IEC 27554 Application of ISO 31000 for assessment of identity-related risk [DRAFT]





This standard is intended to facilitate the application of the ISO 31000 risk management guidelines to identity management, supporting or supplementing various identity management standards.

It will apply the ISO 31000 risk management process to establish the context and assess risk, suggesting some risk scenarios for the processes and implementations involving identity-related risk.


Scope of the standard

The standard will apply to the assessment, specifically, of risks associated with processes and services that rely on or are related to identity management. It will not include risks arising generally from delivery, technology or security. It will be used in conjunction with other standards concerning controls for identity information.

The standard will explain identity-related risk definition, context and impacts, in a standardized manner, plugging gaps in other identity-management standards.


Content of the standard

Main sections:

  1. Principles - refers to the ISO 31000 principles
  2. Framework - refers to the ISO 31000 approach
  3. Process - refers to the ISO 31000 risk management process
  4. Identity-related risk assessment
  5. Identity-related context establishment
  6. Identity-related risk identification
  7. Identity-related risk analysis
  8. Identity-related risk evaluation
  9. Identity-related risk treatment

... with appendices on impact assessment (more details) and related standards for risk and identity management.



The project started in 2018.

April status update: it is at 2nd Draft International Standard (DIS) stage, hopefully still on track for publication early in 2024.


Personal notes

Although the remaining grammatical and readability issues with the DIS version should be resolved in time for publication, technical issues (such as the dubious use of arithmetic on numeric category labels to calculate ‘risk levels’) and general concerns (such as whether the standard adds sufficient value to the field) present more of a challenge for the project team at this late stage.
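The arithmetic concern mentioned above can be made concrete. The following is an added illustration, not part of these notes and not taken from the draft standard: it uses constructed 5-point likelihood and impact scales, a constructed "likelihood x impact" score, and a constructed order-preserving relabelling of the scale values. Because ordinal category labels only encode order, replacing 1..5 with any other increasing sequence carries exactly the same information, yet the multiplication then ranks some risks in the opposite order. A lookup-matrix approach, also constructed here, is shown beside it because it depends only on the category positions.

```python
"""
Added example: why arithmetic on ordinal category labels gives unstable
'risk levels'. The scales, the example risks, the relabelling and the
lookup matrix are all constructed for illustration and are not taken
from ISO/IEC 27554 or ISO 31000.
"""
from itertools import combinations, product
from typing import Dict, List, Optional, Tuple

Cell = Tuple[int, int]  # (likelihood label, impact label)

# Constructed 5-point ordinal scales. The numbers only encode order:
# "4" is not twice as likely as "2", nor is impact "4" twice as bad as "2".
LIKELIHOOD_LABELS = [1, 2, 3, 4, 5]
IMPACT_LABELS = [1, 2, 3, 4, 5]

# A constructed monotone relabelling: the order 1 < 2 < 3 < 4 < 5 is kept,
# so it carries exactly the same ordinal information as the original labels.
MONOTONE_RELABEL: Dict[int, int] = {1: 1, 2: 3, 3: 4, 4: 5, 5: 6}

# Constructed lookup matrix: rows = likelihood 1..5, columns = impact 1..5.
# Each level is assigned to a cell position, so relabelling the axes
# cannot change it.
RISK_MATRIX = [
    ["low",    "low",    "low",    "medium",    "medium"],
    ["low",    "low",    "medium", "medium",    "high"],
    ["low",    "medium", "medium", "high",      "high"],
    ["medium", "medium", "high",   "high",      "very high"],
    ["medium", "high",   "high",   "very high", "very high"],
]


def product_score(cell: Cell, relabel: Optional[Dict[int, int]] = None) -> int:
    """The common 'likelihood x impact' arithmetic, optionally after relabelling."""
    likelihood, impact = cell
    if relabel is not None:
        likelihood, impact = relabel[likelihood], relabel[impact]
    return likelihood * impact


def flipped_pairs(relabel: Dict[int, int]) -> List[Tuple[Cell, Cell]]:
    """Pairs of matrix cells whose relative order under 'L x I' strictly
    reverses when the labels are replaced by an order-preserving alternative."""
    cells = list(product(LIKELIHOOD_LABELS, IMPACT_LABELS))
    flips = []
    for a, b in combinations(cells, 2):
        before = product_score(a) - product_score(b)
        after = product_score(a, relabel) - product_score(b, relabel)
        if before * after < 0:  # opposite signs: the ranking reversed
            flips.append((a, b))
    return flips


def matrix_level(cell: Cell, matrix=RISK_MATRIX) -> str:
    """Lookup-table alternative: the level is read from the cell position."""
    likelihood, impact = cell
    return matrix[likelihood - 1][impact - 1]


if __name__ == "__main__":
    rare_severe, unlikely_minor = (1, 5), (2, 2)
    print("original labels:", product_score(rare_severe), product_score(unlikely_minor))
    print("relabelled     :", product_score(rare_severe, MONOTONE_RELABEL),
          product_score(unlikely_minor, MONOTONE_RELABEL))
    print("pairs whose order flips:", len(flipped_pairs(MONOTONE_RELABEL)))
    print("matrix levels  :", matrix_level(rare_severe), matrix_level(unlikely_minor))
```

With the original labels the rare/severe risk scores 5 and outranks the unlikely/minor risk at 4; after the equally valid relabelling the scores are 6 and 9 and the order is reversed, while the matrix lookup gives the same answer either way. The general point is that any result that changes under an order-preserving relabelling of the categories is not a property of the categories at all.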

Also, I see that the DIS title omits the committee name.

In my personal opinion, ISO 31000 is more useful with ISO/IEC 27005 running a close second.




Copyright © 2023 IsecT Ltd.