ISO/IEC 27070:2021 — Trust Framework Requirements

Requirements for establishing trust frameworks for identity management and digital services

ISO/IEC 27070:2021 specifies requirements for establishing trust frameworks that enable interoperable identity management and secure digital services across organizational and national boundaries. A trust framework is a standardized set of rules, policies, and technical specifications that defines how parties in a digital ecosystem establish and maintain trust relationships — covering identity proofing, authentication, authorization, and non-repudiation.

Trust frameworks are the invisible infrastructure of the digital economy. Every time you use a digital ID to access government services, authenticate with a federated identity (e.g., “Login with Google”), or sign a document electronically, a trust framework is operating behind the scenes. ISO/IEC 27070 provides the blueprint for building these frameworks in a secure, interoperable, and auditable manner.

1. Trust Framework Components and Architecture

ISO/IEC 27070 defines a trust framework as comprising four essential components: the trust anchor, trust policies, trust mechanisms, and trust assessment procedures. These components work together to create a coherent trust environment.

| Component | Description | Implementation Example |
|---|---|---|
| Trust Anchor | The root of trust from which all trust relationships derive | Root CA certificate, government-issued trust anchor registry, blockchain-based trust root |
| Trust Policies | Rules and criteria for establishing, maintaining, and terminating trust | Certificate policy (CP), certification practice statement (CPS), identity assurance framework |
| Trust Mechanisms | Technical protocols and procedures that implement trust policies | PKI/X.509 certificates, SAML assertions, OIDC tokens, FIDO2 authentication, digital signatures |
| Trust Assessment | Audit and evaluation procedures to verify compliance with trust policies | WebTrust for CAs, ISO/IEC 27001 certification, scheme-specific conformity assessment |

The architecture is hierarchical by design. The trust anchor is established by the framework authority (typically a government agency or industry consortium), which defines policies that participants must comply with. Trust mechanisms implement these policies at the technical level, and assessment procedures ensure ongoing compliance. Participants in the framework rely on the trust anchor to verify the authenticity and integrity of all interactions.

The most successful trust frameworks — such as Estonia’s eID scheme, India’s Aadhaar authentication framework, and the EU eIDAS regulation — all follow the architectural pattern defined in ISO/IEC 27070: a strong trust anchor, clearly defined assurance levels, auditable participant requirements, and technical interoperability standards.

2. Identity Assurance Levels and Proofing Requirements

ISO/IEC 27070 defines multiple levels of identity assurance, each corresponding to different types of digital services and risk profiles. The assurance level determines the rigor of identity proofing, the strength of authentication, and the level of ongoing monitoring required.

| Assurance Level | Identity Proofing Requirements | Typical Use Cases | Authentication Method |
|---|---|---|---|
| Level 1 — Low | Self-asserted identity; no verification of real-world identity | Public forum registration, newsletter subscriptions, low-value e-commerce | Single-factor (password or PIN) |
| Level 2 — Medium | Remote identity verification using government-issued ID; automated document validation | Online banking, e-government services, professional licensing portals | Two-factor authentication (password + OTP/SMS) |
| Level 3 — High | In-person or supervised remote identity proofing with biometric verification; background check against national databases | Healthcare provider access, legal document signing, high-value financial transactions | Multi-factor with hardware token or biometric (FIDO2, smart card) |
| Level 4 — Very High | In-person identity proofing by authorized officers; biometric enrollment; continuous background checks | National security systems, critical infrastructure access, classified information handling | Multi-factor with hardware cryptographic module; in-person verification for critical operations |

For engineering teams designing identity systems, the assurance level framework provides clear requirements for system design. A Level 2 system, for example, requires document verification capabilities (automated validation of passports, driver’s licenses, or national ID cards), liveness detection for biometric capture, and integration with national identity registries. A Level 3 system additionally requires in-person or supervised remote enrollment with trained operators.

A common engineering pitfall in trust framework design is defining assurance levels without considering the user experience impact. High-assurance identity proofing that requires in-person visits creates friction that drives users away from the system. ISO/IEC 27070 encourages designing gradient assurance — allowing users to start at a lower level and upgrade over time as their relationship with the service deepens.
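The relying-party logic that follows from the table, as an added Go example (not code from the standard or from any scheme named on this page): the assurance a session actually carries is the lower of its enrollment-time proofing level and its login-time authentication level, and a shortfall is reported as either a step-up login or a re-enrollment, which is the gradient-assurance upgrade path the previous paragraph describes. The method identifiers, the ServiceLevel assignments (taken from the FAQ's tax-filing, healthcare and notarization examples) and the step-up labels are this example's own constructions.

```go
package main

import "fmt"

// Level is an identity assurance level from the table above.
type Level int

const (
	Level1 Level = iota + 1 // Low
	Level2                  // Medium
	Level3                  // High
	Level4                  // Very High
)

// ProofingMethod and AuthMethod name the rows of the table. The string
// values are constructed identifiers for this example, not standard codes.
type ProofingMethod string
type AuthMethod string

const (
	ProofSelfAsserted    ProofingMethod = "self-asserted"
	ProofRemoteDocument  ProofingMethod = "remote-gov-id-document-check"
	ProofSupervisedBio   ProofingMethod = "in-person-or-supervised-biometric"
	ProofOfficerInPerson ProofingMethod = "in-person-authorized-officer"

	AuthSingleFactor AuthMethod = "password-or-pin"
	AuthPasswordOTP  AuthMethod = "password-plus-otp"
	AuthHardwareMFA  AuthMethod = "mfa-hardware-token-or-biometric"
	AuthCryptoModule AuthMethod = "mfa-hardware-crypto-module"
)

// Highest level each method satisfies, taken row by row from the table.
var proofingLevel = map[ProofingMethod]Level{
	ProofSelfAsserted: Level1, ProofRemoteDocument: Level2,
	ProofSupervisedBio: Level3, ProofOfficerInPerson: Level4,
}
var authLevel = map[AuthMethod]Level{
	AuthSingleFactor: Level1, AuthPasswordOTP: Level2,
	AuthHardwareMFA: Level3, AuthCryptoModule: Level4,
}

// ServiceLevel holds the example service-to-level assignments from the FAQ.
var ServiceLevel = map[string]Level{
	"tax-filing": Level2, "healthcare-access": Level3, "notarization": Level4,
}

// Credential is what a relying party learns about a session: how the identity
// was proofed at enrollment and how this particular session authenticated.
type Credential struct {
	Proofing ProofingMethod
	Auth     AuthMethod
}

// AchievedLevel applies the weakest-link rule: a strong login cannot raise
// assurance above what the enrollment-time proofing established, and weak
// proofing cannot be compensated for by a hardware authenticator.
func AchievedLevel(c Credential) (Level, error) {
	p, ok := proofingLevel[c.Proofing]
	if !ok {
		return 0, fmt.Errorf("unknown proofing method %q", c.Proofing)
	}
	a, ok := authLevel[c.Auth]
	if !ok {
		return 0, fmt.Errorf("unknown authentication method %q", c.Auth)
	}
	if a < p {
		return a, nil
	}
	return p, nil
}

// Decision is the relying party's answer plus the gradient-assurance hint:
// which side of the credential must be upgraded to reach the required level.
type Decision struct {
	Allowed            bool
	Achieved, Required Level
	StepUp             string // "", "authentication" or "proofing"
}

// Authorize decides whether c is sufficient for a service requiring `required`.
// A proofing shortfall needs re-enrollment at a higher level; an
// authentication shortfall only needs a step-up login with a stronger factor.
func Authorize(c Credential, required Level) (Decision, error) {
	achieved, err := AchievedLevel(c)
	if err != nil {
		return Decision{}, err
	}
	d := Decision{Allowed: achieved >= required, Achieved: achieved, Required: required}
	switch {
	case d.Allowed:
	case proofingLevel[c.Proofing] < required:
		d.StepUp = "proofing"
	default:
		d.StepUp = "authentication"
	}
	return d, nil
}

func main() {
	// Constructed session: enrolled with remote document verification (Level 2),
	// but logged in with a password only (Level 1).
	c := Credential{Proofing: ProofRemoteDocument, Auth: AuthSingleFactor}
	for svc, lvl := range ServiceLevel {
		d, _ := Authorize(c, lvl)
		fmt.Printf("%-18s required=%d achieved=%d allowed=%v step-up=%s\n",
			svc, d.Required, d.Achieved, d.Allowed, d.StepUp)
	}
}
```

The weakest-link rule is the check that matters in practice: a FIDO2 authenticator bound to a self-asserted account still yields a Level 1 session, so a relying party that keys only on the authentication method over-trusts it. Recording which side fell short also lets the service distinguish the cheap upgrade (prompt for a second factor now) from the expensive one (repeat proofing), which is where the user-experience cost described above actually lands.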

3. Interoperability and Cross-Framework Trust

A key objective of ISO/IEC 27070 is enabling interoperability between different trust frameworks. The standard provides requirements for trust framework discovery, policy mapping, and mutual recognition. This is essential for cross-border digital services, where a user authenticated under one framework must be recognized by services operating under a different framework.

The standard addresses several interoperability mechanisms:

  • Policy mapping: A process by which two trust frameworks compare their assurance levels, identity proofing requirements, and technical standards to establish equivalence. For example, mapping EU eIDAS “Substantial” level to an ISO/IEC 27070 Level 2.
  • Trust anchor exchange: The technical mechanism by which trust anchors (typically root CA certificates) are exchanged and cross-certified between frameworks, enabling chain-of-trust across domain boundaries.
  • Attribute federation: The ability for identity attributes (name, date of birth, authorized roles) to be securely transferred between trust domains using standardized protocols such as SAML, OIDC, or OAuth.
  • Audit mutual recognition: Agreement between frameworks to accept each other’s audit results, avoiding duplicative assessments for organizations operating in multiple jurisdictions.

The standard emphasizes that trust framework interoperability is as much a legal and governance challenge as it is a technical one. Agreements between framework authorities must address liability allocation, data protection compliance, dispute resolution, and termination conditions. ISO/IEC 27070 provides template requirements for these agreements.

4. Frequently Asked Questions

Q: What is the relationship between ISO/IEC 27070 and the eIDAS regulation?
A: ISO/IEC 27070 provides the generic trust framework requirements, while eIDAS is a specific EU regulation that implements a trust framework for electronic identification and trust services in the European Single Market. eIDAS can be seen as a concrete instantiation of the principles defined in ISO/IEC 27070.

Q: Is ISO/IEC 27070 related to blockchain or decentralized identity?
A: The standard is technology-neutral and can accommodate both centralized and decentralized trust models. For decentralized identity (DID/Verifiable Credentials), the trust anchor may be a decentralized ledger rather than a traditional CA. ISO/IEC 27070’s framework requirements — including governance, assurance levels, and audit — apply regardless of the underlying trust mechanism.

Q: Do organizations need separate trust frameworks for different digital services?
A: Not necessarily. A well-designed trust framework can support multiple services through tiered assurance levels. For example, a national e-ID framework can provide Level 2 authentication for tax filing, Level 3 for healthcare access, and Level 4 for notarization — all within the same trust framework. This is more efficient than operating separate frameworks for each use case.

Q: How does ISO/IEC 27070 address privacy by design?
A: The standard includes requirements for data minimization (only collecting identity attributes necessary for the transaction), purpose limitation (using attributes only for the stated purpose), user consent mechanisms, and transparency obligations. It also recommends supporting pseudonymous authentication where full identity is not required, balancing trust with privacy protection.
