ISO/IEC 27566-1
ISO/IEC 27566-1:2025 — Information security, cybersecurity and privacy protection — Age assurance systems — Part 1: Framework
[First edition]
Abstract
ISO/IEC 27566 part 1 "establishes a framework for age assurance systems and describes their core characteristics, including privacy and security, for enabling age-related eligibility decisions."
[Source: ISO/IEC 27566-1:2025]
Introduction
This standard lays out the core principles and a framework for determining someone’s age or age-range independently of their identity, for use in age-related eligibility decisions.
Scope
Age assurance framework
Structure
Main clauses:
4: Overview of age assurance
5: Functional characteristics - functional requirements
6: Performance characteristics - assurance and metrics
7: Privacy characteristics - privacy requirements
8: Security characteristics - cybersecurity requirements
9: Acceptability characteristics - nondiscrimination requirements
10: Practice statements - documenting the arrangements
Status
The standard development project set out in 2022.
The current first edition was published in 2025.
Commentary
Whereas self-assertion (e.g. “Click here if you are an adult”) is a simple and commonplace but clearly pathetically weak control, the standard aims to standardise and where necessary strengthen the process of determining someone’s age or age-range without (necessarily) requiring them to disclose their identity and thereby risk compromising their privacy.
The cunning grand plan is to develop and incorporate appropriate assurance controls systematically into the framework indicating confidence in the determined age or age-range, giving policy- and law-makers options when defining age-related criteria for various purposes. In situations where age is particularly important, additional confidence in the age determination is warranted, even if that implies completing a more involved and lengthy process of age verification, perhaps utilising a third party age-verification service or aggregating multiple age indicators (PII clustering?) taking account of any contraindications, inconsistencies or doubts. Conversely, if age verification is relatively unimportant, simpler, quicker, cruder approaches may suffice.
Spoofing (e.g. where an older person pretends or claims to be, and completes the age-verification process on behalf of, a youngster, or a child simply presents a fake credential) is just one of the challenges relevant to users of this standard. There are also identities, credentials, tokens and age-verification subsystems and services, plus individual rights and freedoms to protect (such as privacy, of course, and inclusivity, prejudice and entitlement), in a framework that allows or encourages communication and collaboration between age-verifiers.
