ISO/IEC FDIS 9868

Information technology — Design, development, use and maintenance of biometric identification systems involving passive capture subjects ISO/IEC FDIS 9868

General information

50.20 Proof sent to secretariat or FDIS ballot initiated: 8 weeks   Nov 13, 2024

ISO/IEC

ISO/IEC JTC 1/SC 37 Biometrics

International Standard

35.240.15   Identification cards. Chip cards. Biometrics

Scope

This standard establishes recommendations and requirements for remote biometric identification systems including both real-time and ex-post, including AI-based systems:

1. Technical solutions to be implemented in the design and development phases in relation to the following:
o appropriateness of training and testing datasets and data management practices for the intended purpose;
o logging capabilities enabling the automatic recording of events (‘logs’) while the system is operating;
o provision of information to instruct the operator of the system and information for appropriate use;
o human oversight measures, enabling the system to be effectively overseen and managed during the period of use;
o accuracy, robustness and cybersecurity.

2. The standard also establishes requirements on development practices:
o Risk management process to be implemented by the provider when designing and developing the system, notably in relation to the identification and implementation of solutions described under point (1)
o Quality management systems to be implemented by the provider in its organisation, including a system for post-market monitoring

3. The standard also establishes requirements on post-deployment tests and audit of the systems, including:
o Verification and testing procedures to assess whether the deployed system is proportionate and fit-for-purpose against the requirements given in point (1);
o Verification and testing procedures to assess the biometric recognition components are fit-for-purpose against the requirements given in point (1);
o Verification procedure to control the appropriateness of the quality management system measures and processes, as described under point (2).

While the emphasis is on surveillance systems, other types of remote biometric identification systems are in scope, regardless of biometric modality or sensing technology. Not in scope are personal authentication systems, and other types of voluntary, opt-in, systems.

Note: This scope includes both technical biometric aspects and management systems aspects, as discussed on page 7. The latter will be developed as a sector-specific extension of ISO/IEC 42001 AI - Management System.



Life cycle

NOW

IN_DEVELOPMENT
ISO/IEC FDIS 9868
50.20 Proof sent to secretariat or FDIS ballot initiated: 8 weeks
Nov 13, 2024