Conforming with the Identification Standards

Use this guidance to learn the types of conformance and the process for getting assessed. Use the tools to gather the evidence needed for assessment.

Types of conformance

Conformance with standards brings consistency and good practice to products and services. It’s a key element to building consumers’ trust in the use of products and services.

There are 3 types of conformance:

  • Self-assessment
  • Qualified assessment
  • Audited assessment

Mandated conformance

Mandated conformance with the Identification Standards is specified through such mechanisms as contracts, cabinet mandates and legislation. The following mandate currently applies:

Conformance with 1 or more of the Identification Standards is a requirement for Digital Identity Services Trust Framework (DISTF) accreditation.

For more information about applying for Trust Framework Accreditation, visit Trust Framework for Digital Identity.

The conformance process

The formal conformance process occurs in 3 key stages.

For help at any point throughout these stages, contact the Department of Internal Affairs Identification Team at identity@dia.govt.nz.

Stage 1 – Introduction and scoping

The first stage of applying the Identification Standards or seeking conformance is to understand which role and standards are relevant.

Understanding identification roles

There are 3 roles when applying the Identification Standards – Relying Party (RP), Credential Provider (CP) and Facilitation Provider (FP).

Most organisations will be a Relying Party at some point in what they do.

Anyone who enrols Entities (people or otherwise) and creates records or accounts for them is a Relying Party.

Diagram 1: Identification roles and their relationship

Diagram depicting the roles, artefacts and processes that make up identification management.

Detailed description of diagram

This diagram depicts how the elements in identification management work together.

An Entity (for example, a person) wants to get a Credential that they can use to get a service from a Relying Party (for example, an organisation). The Entity goes to a Credential Provider to get an applicable Credential and then either presents their Credential directly to the Relying Party or the Credential Provider presents it to the Relying Party for them, sometimes via a Facilitation Provider.

Descriptions of the roles, artefacts and their relationships

It’s common to hold more than 1 identification role.

Examples of multiple roles
  • A Credential Provider will also be a Relying Party when they’re enrolling Credential Holders.
  • A Credential Provider will also be a Facilitation Provider if they’re involved in the presentation of their Credentials.
  • A Facilitation Provider can become a Credential Provider if they create their own Credential.

Understand which standards apply

The identification role and the processes being carried out indicate which of the 4 Identification Standards should be applied.

Identification Standards

Table 1 describes the broad identification processes undertaken by each accountable party and the applicable Identification Standards.

Table 1: Which standards to apply when
Accountable parties and processes Applicable standard

Relying Parties enrol Entities by:

  • collecting and verifying information
  • linking the information to the Entities
  • establishing Authenticators to recognise them when they return.

Credential Providers:

  • enrol Entities as a Relying Party
  • issue Credentials for use across multiple contexts
  • establish Authenticators for Credentials.

Facilitation Providers present credentials by:

  • establishing facilitation mechanisms with Authenticators
  • passing information through these to Relying Parties.

Authentication Providers:

  • provide Authenticators and Authentication services to Relying Parties, Credential Providers and Facilitation Providers.

Stage 2 – Apply controls and prepare evidence

The second stage involves applying the individual controls in each relevant standard and gathering the evidence of this.

Risk Assessment

Assessing risk is integral to being able to apply the Identification Standards correctly. Risk assessment determines which Levels of Assurance to apply for certain controls.

While any risk assessment process can be used, more information is available in the following guidance:

Assessing identification risk

Applying the relevant standard controls

Applying the controls in each of the relevant standards is the main part of the journey to conformance.

Meeting certain Levels of Assurance can mean changes need to be made to some systems and processes. These may not be easy or fast to implement. If the planned Levels of Assurance cannot be met, decisions will need to be made about the impact of meeting a lower level of assurance.

Levels of Assurance

If the target Levels of Assurance are unable to be met, options include:

  • carrying out additional work to reach the target Levels of Assurance; or
  • electing to operate at lower Levels of Assurance.

The latter option does not prevent continuing to work on the aspects that need improvement and seeking reassessment later.

Contact the Identification Team at identity@dia.govt.nz for advice on different options.

Each of the Identification Standards has an implementation guide which provides more information about how to apply the controls and examples.

Identification Management Guidance

Documenting evidence for assessment

Identification processes are usually well documented. This documentation can be used as evidence for assessment if it’s cross-referenced to the relevant controls.

Any information that’s not disclosed for the conformance process can be redacted or removed. Alternatively, organisations may wish to extract the relevant information into new documents.

A series of checklists are available to help with collating evidence. They outline the type of evidence that’s needed for each of the relevant controls.

Documenting conformance with controls that have Levels of Assurance is potentially a new concept. 2 additional templates are available to help with documenting Levels of Assurance.

Stage 3 – Assessment and statement issuance

The third stage involves the steps to get assessed and the outcomes from this process.

If a self-assessment is being undertaken, this stage is not needed.

Deciding on a qualified or audited assessment

The type of assessment being undertaken impacts both the duration of the assessment phase and what’s produced at the end of it. The options are:

  • qualified assessment — lighter process that results in an opinion about the degree to which conformance may be achieved and to what Levels of Assurance
  • audited assessment — robust process that includes a demonstration and results in an Identification Standards Conformance Statement.

Schedule an assessment

Contact the Identification Team at identity@dia.govt.nz to schedule the assessment.

The assessment process involves:

  • Submitting evidence for review
  • Responding to requests for additional information
  • Doing a demonstration

Assessment outcome

At the end of the assessment process the organisation being assessed will have an opportunity to discuss the assessment before 1 of the following final documents is issued.

  • Opinion
  • Statement

Re-conformance

Both opinions and conformance statements are issued at a point in time. There are several things that may make it necessary to apply for re-conformance:

  • Statement expiry
  • Change made to a product or service
  • Changes to the Identification Standards
  • Outcome of a complaint

We’re here to help

For all enquiries, requests, and assessment booking, please contact the Identification Team at the Department of Internal Affairs at identity@dia.govt.nz.

In addition to advice on conformance, we can also help with the following aspects:

  • Reviewing identification risk assessments and suggesting improvements
  • Interpreting and applying the Identification Standard controls
  • Suggesting alternative ways to design processes
  • Advising on options if controls cannot be met.

The Identification Team also provides training and clinics to help develop identification capability.

Training and clinics
