Conforming with the Identification Standards

Use this guidance to learn the types of conformance and the process for getting assessed. Use the tools to gather the evidence needed for assessment.

Types of conformance

Conformance with standards brings consistency and good practice to products and services. It’s a key element to building consumers’ trust in the use of products and services.

There are 3 types of conformance:

Self-assessment

An accountable party, such as a Relying Party, Credential Provider, or Facilitation Provider, can assess themselves against the relevant Identification Standard controls to see if they can meet the requirements. This can be completed without having to commit to a full conformance process.

Qualified assessment

A qualified assessment is useful where there’s no obligation to conform with the Identification Standards or the accountable party is on a journey to conforming and would like to know how close they are.

Qualified assessment is a lighter process than an audited assessment and does not result in a conformance statement being issued. The assessor will provide an opinion about the degree to which conformance may be achieved and to what Levels of Assurance.

Audited assessment

An audited assessment is a robust process where evidence, such as documentation and demonstration, shows how each of the relevant controls is being complied with.

The length of this assessment process will depend on the degree to which the Identification Standards have already been embedded into the processes being undertaken.

Mandated conformance

Mandated conformance with the Identification Standards is specified though such mechanisms as contracts, cabinet mandates and legislation. The following mandate currently applies:

Conformance with 1 or more of the Identification Standards is a requirement for Digital Identity Services Trust Framework (DISTF) accreditation.

For more information about applying for Trust Framework Accreditation, visit Trust Framework for Digital Identity.

The conformance process

The formal conformance process occurs in 3 key stages

For help at any point throughout these stages contact the Department of Internal Affairs Identification Team at identity@dia.govt.nz.

Stage 1 – Introduction and scoping

The first stage of applying the Identification Standards or seeking conformance is to understand which role and standards are relevant.

Understanding identification roles

There are 3 roles when applying the Identification Standards – Relying Party (RP), Credential Provider (CP) and Facilitation Provider (FP).

Most organisations will be a Relying Party at some point in what they do.

Anyone who enrols Entities (people or otherwise) and creates records or accounts for them is a Relying Party.

Diagram 1: Identification roles and their relationship

Diagram depicting the roles, artefacts and processes that make up identification management.

Detailed description of diagram

This diagram depicts how the elements in identification management work together.

An Entity (for example, a person) wants to get a Credential that they can use to get a service from a Relying Party (for example, an organisation). The Entity goes to a Credential Provider to get an applicable Credential and then either presents their Credential directly to the Relying Party or the Credential Provider presents it to the Relying Party for them, sometimes via a Facilitation Provider.

View larger image (73KB)
Descriptions of the roles, artefacts and their relationships
Entity
An Entity can be a person or machine that presents a Credential to a Relying Party, during enrolment, providing them with assurance that certain identification management processes have been previously carried out.
Credential
A Credential is an artefact that’s established for an Entity. It contains an Authenticator and may also have specific information that’s bound to the Entity.
Relying Party
A Relying Party provides services to an Entity and requires 1 or more of the Entity’s credentials to establish information about the Entity, to enable provision of the service.
Credential Provider
A Credential Provider establishes Credentials for an Entity to present when enrolling with a Relying Party.
Facilitation Provider
A Facilitation Provider provides mechanisms for facilitating the presentation of 1 or more Credentials to Relying Parties.

It’s common to hold more than 1 identification role.

Examples of multiple roles
  • A Credential Provider will also be a Relying Party when they’re enrolling Credential Holders.
  • A Credential Provider will also be a Facilitation Provider if they’re involved in the presentation of their Credentials.
  • A Facilitation Provider can become a Credential Provider if they create their own Credential.

Understand which standards apply

The identification role and the processes being carried out indicate which of the 4 Identification Standards should be applied.

Identification Standards

Table 1 describes the broad identification processes undertaken by each accountable party and the applicable Identification Standards.

Table 1: Which standards to apply when
Accountable parties and processes Applicable standard

Relying Parties enrol Entities by:

  • collecting and verifying information
  • linking the information to the Entities
  • establishing Authenticators to recognise them when they return.

Credential Providers:

  • enrol Entities as a Relying Party
  • issue Credentials for use across multiple contexts
  • establish Authenticators for Credentials.

Federation Providers present credentials by:

  • establishing facilitation mechanisms with Authenticators
  • passing information through these to Relying Parties.

Authentication Providers:

  • provide Authenticators and Authentication services to Relying Parties, Credential Providers and Facilitation Providers.

Stage 2 – Apply controls and prepare evidence

The second stage involves applying the individual controls in each relevant standard and gathering the evidence of this.

Risk Assessment

Assessing risk is integral to being able to apply the Identification Standards correctly. Risk assessment determines which Levels of Assurance to apply for certain controls.

While any risk assessment process can be used, more information is available in the following guidance:

Assessing identification risk

Applying the relevant standard controls

Applying the controls in each of the relevant standards is the main part of the journey to conformance.

Meeting certain Levels of Assurance can mean changes need to be made to some systems and processes. These may not be easy or fast to implement. If the planned Levels of Assurance cannot be met, decisions will need to be made about the impact of meeting a lower level of assurance.

Levels of Assurance

If the target Levels of Assurance are unable to be met, options include:

  • carrying out additional work to reach the target Levels of Assurance; or
  • electing to operate at lower Levels of Assurance.

The latter option does not prevent continuing to work on the aspects that need improvement and seeking reassessment later.

Contact the Identification Team for advice at identity@dia.govt.nz on different options.

Each of the Identification Standards has an implementation guide which provides more information about how to apply the controls and examples.

Identification Management Guidance

Documenting evidence for assessment

Identification processes are usually well documented. This documentation can be used as evidence for assessment if it’s cross referenced to the relevant controls.

Any information that’s not disclosed for the conformance process can be redacted or removed. Alternatively, organisations may wish to extract the relevant information into new documents.

A series of checklists are available to help with collating evidence. They outline the type of evidence that’s needed for each of the relevant controls.

Documenting conformance with controls that have Levels of Assurance is potentially a new concept. 2 additional templates are available to help with documenting Levels of Assurance.

Stage 3 – Assessment and statement issuance

The third stage involves the steps to get assessed and the outcomes from this process.

If a self-assessment is being undertaken, this stage is not needed.

Deciding on a qualified or audited assessment

The type of assessment being undertaken impacts both the duration of the assessment phase and what’s produced at the end of it. The options are:

  • qualified assessment — lighter process that results in an opinion about the degree to which conformance may be achieved and to what Levels of Assurance
  • audited assessment — robust process that includes a demonstration and results in an Identification Standards Conformance Statement.

Schedule an assessment

Contact the Identification Team at identity@dia.govt.nz to schedule the assessment.

The assessment process involves:

Submitting evidence for review

This evidence will include the completed checklists and associated documents that describe how the controls are being met. The assessor will review the evidence.

Responding to requests for additional information

The assessor may require additional information about the identification service or services being assessed or may need further evidence about the controls and levels of assurance.

Doing a demonstration

To confirm that the identification processes within a product or service operate according to the documentation provided the assessor will request a physical demonstration.

Assessment outcome

At the end of the assessment process the organisation being assessed will have an opportunity to discuss the assessment before 1 of the following final documents is issued.

Opinion

For a Qualified assessment, the Identification Team will provide a written opinion. The opinion is not evidence that the identification service or services conform with the standards, but it will indicate how close they’re to conforming, and to what Level of Assurance.

Statement

Following a successful Audited assessment, an Identification Standards Conformance Statement will be issued. The conformance statement will describe:

  • the organisation
  • the identification service or services provided
  • the standards conformed with
  • the Levels of Assurance expressions for any assured information or authenticators
  • the expiry date of the statement.

With permission, aspects of the statement may be published on a public register for others seeking to verify the statement.

Re-conformance

Both opinions and conformance statements are issued at a point in time. There are several things that may make it necessary to apply for re-conformance:

Statement expiry

Statements are only issued for a maximum of 3 years. The Identification Team will advise when expiry is due and arrange for re-conformance. The size of the assessment will depend on whether any changes have been made since the original statement was issued.

Change made to a product or service

If a change is made to the product or service that was assessed, it may no longer be conformant. A new assessment can be carried out on the aspects that have changed.

Changes to the Identification Standards

The Identification Standards will change from time to time to remain relevant. In some cases, a change may result in the need for re-conformation before the expiry of a statement. Conforming parties will be consulted well in advance should this occur.

Outcome of a complaint

If the Identification Team receives a complaint about a service or product that brings into question whether it’s conformant, an investigation will be carried out. Should the outcome of the investigation impact the status of a statement, re-conformance may be required to retain a valid statement.

We’re here to help

For all enquiries, requests, and assessment booking, please contact the Identification Team at the Department of Internal Affairs at identity@dia.govt.nz.

In addition to advice on conformance we can also help with the following aspects:

  • Reviewing identification risk assessments and suggesting improvements
  • Interpreting and applying the Identification Standard controls
  • Suggesting alternative ways to design processes
  • Advising on options if controls cannot be met.

The Identification Team also provides training and clinics to help develop identification capability.

Training and clinics

Utility links and page information

Was this page helpful?
Thanks, do you want to tell us more?

Do not enter personal information. All fields are optional.

Last updated