Biometric IT security standards are published by ISO and IEC. They cover security evaluation of biometrics, authentication context for biometrics, and biometric information protection.

ISO/IEC 19792:2009

Information technology - Security techniques - Security evaluation of biometrics

ISO/IEC 19792:2009 specifies the subjects to be addressed during a security evaluation of a biometric system. It covers the biometric-specific aspects and principles to be considered during such an evaluation. It does not address the non-biometric aspects that might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).

ISO/IEC 19792:2009 does not aim to define any concrete methodology for the security evaluation of biometric systems but instead focuses on the principal requirements. As such, the requirements in ISO/IEC 19792:2009 are independent of any evaluation or certification scheme and will need to be adapted and incorporated into a concrete scheme before being used in that context. ISO/IEC 19792:2009 defines various areas that are important to consider during a security evaluation of a biometric system.

ISO/IEC 19792:2009 is relevant to both evaluator and developer communities. It specifies requirements for evaluators and provides guidance on performing a security evaluation of a biometric system. It also informs developers of the requirements for biometric security evaluations, to help them prepare for such evaluations. Although ISO/IEC 19792:2009 is independent of any specific evaluation scheme, it could serve as a framework for the development of concrete evaluation and testing methodologies that integrate the requirements for biometric evaluations into existing evaluation and certification schemes.

ISO/IEC 24761:2019

Information technology - Security techniques - Authentication context for biometrics

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single-modal biometric enrolment and verification but also to multimodal fusion. Biometric identification is out of the scope of this document.

Real-time information on presentation attack detection is not provided in this document. Only assurance information about the presentation attack detection (PAD) mechanism can be contained in the biometric processing unit (BPU) report.

This document specifies the cryptographic syntax of an ACBio instance. The syntax is defined using a data structure specified in the Cryptographic Message Syntax (CMS) schema, whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.

ISO/IEC 24745:2011

Information technology - Security techniques - Biometric information protection

ISO/IEC 24745:2011 provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745:2011 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. ISO/IEC 24745:2011 specifies the following: analysis of the threats to and countermeasures inherent in a biometric and biometric system application models; security requirements for secure binding between a biometric reference and an identity reference; biometric system application models with different scenarios for the storage of biometric references and comparison; and guidance on the protection of an individual's privacy during the processing of biometric information. ISO/IEC 24745:2011 does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.