For Kantara, ISO 17065 means more clarity, flexibility in certification

Kantara Initiative is transitioning its U.S. operations to the ISO/IEC 17065 standard for conformity assessment. In a video presentation, Kantara’s Chief Technology Officer Dr. Carol Buttle provides a brief primer on how the change will benefit digital identity service providers (IDSP) and other companies undergoing identity assurance assessments, what it means for Kantara – and why, exactly, Kantara is making the change.

Larger shifts in digital identity ecosystem drive change

For identity verification providers, the benefits of a trustmark include increased customer confidence, proof of regulatory compliance, and the contribution to a level, unbiased playing field across the digital ID industry internationally.

But none of that matters if the certifying body can’t be trusted. ISO/IEC 17065 codifies trust, ensuring that the organization bestowing it is legitimate and qualified to do so.

Buttle says Kantara is adopting it in the U.S. (it already applies in the UK) to line up with shifts in the larger digital ecosystem – “digital identity, AI, wallets, you name it, that whole industry.” As the ecosystem grows, risks proliferate, and gaps in legislation become apparent. Hence the demand for increased governance in the form of internationally recognized certification schemes, which help organizations like Kantara set boundaries and draw clear lines.

ISO/IEC 17065 provides “requirements for bodies that perform certification of products, processes and services.” In effect, it accredits those who certify others, laying down a clear framework for robust certification processes grounded in the principles of integrity, impartiality, competence, consistency, reliability, transparency, accountability and confidentiality.

‘Quite stringent, quite harsh’: standard demands genuine expertise

Providing a detailed breakdown of Kantara’s certification process under 17065, from testing and evaluation through the issuance of a trustmark, Buttle says the standard sets “a very high bar in terms of what Kantara needs to prove.”

Requirements listed in 17065 are divided into five categories: general requirements, structural requirements, resource requirements, process requirements and management systems requirements. Buttle emphasizes the stringency of the standard, and how that reflects on Kantara and its team.

“17065 is quite dictatorial in the fact that anybody who’s actually operating under this must have people who can prove their competence, and must be specialists in their areas,” she says. “That means that they’ve got to be specialist certification people, specialist auditors and people who actually understand what it is that they’re evaluating.”

Standard allows blended teams for expertise across competencies

Shifting to ISO/IEC 17065 means Kantara’s processes will be more transferable and adaptable to change. (It works in concert with a network of interrelated standards on conformity assessment, including ISO/IEC 17025, which accredits biometric labs.)

The breadth of the standard will put the organization in a better position to offer clear projections on cost, duration and scope of certification. And there is more flexibility in the composition of audit and certification teams, “so that if somebody is an absolute expert in GDPR, for instance, and somebody else is an absolute expert in biometrics, you can put a team together based on those competencies.”

Finally, says Buttle, “the difference is that as we move to this process we will be acting as a qualified accredited conformity assessment body (CAB), which means that we will be able to issue actual certificates” in the U.S.

Article Topics

certification  |  digital ID  |  digital identity  |  identity assurance  |  Identity Service Providers (IDSP)  |  identity verification  |  ISO standards  |  ISO/IEC 17065  |  Kantara  |  standards