ISO 22388:2023 セキュリティと復元力 | ページ 2

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives ).

ISO draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents . ISO shall not be held responsible for identifying any or all such patent rights.

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html .

This document was prepared by Technical Committee ISO/TC 292, Security and resilience.

Introduction

Documents perform key functions in economic, legal and social transactions, including but not limited to financial interactions, ownership titles, title transfers, transportation, identity verification, customs transactions, academic records, professional licences and gun permits. These roles make them a target for counterfeiting, alteration and other forms of fraud, thereby potentially reducing the reliability of such transactions and creating economic, human and social hazards.

This document is intended to support the review of physical documents used in all kinds of usage contexts and to enable evaluation of physical document designation. Such evaluation also involves assessment to determine risk levels from the most common forms of attack, with consideration of the type and number of security features to be incorporated into documents for authentication. Based on such review and evaluation, these guidelines are expected to serve as guidelines for securing all designated security documents (SDs).

It is important to consider the usage of physical documents for threat and risk assessment and for determining their classification. Common documents can carry a high level of risk when used for critical functions. These guidelines assist in performing risk assessment for various document categories, but they are not intended to identify all potential uses of the documents.

This document is intended to support users and producers in determining security recommendations for documents produced or procured, to establish a relative classification of their documents and to enhance the reliability of transactions supported by such documents.

It should be acknowledged that these guidelines provide guidance on common risks, threats and mitigation treatments at the time of publication. As the security risks to physical documents are constantly changing, so are the mitigating security technologies. Therefore, it is important that users of these guidelines recognize that the risk and mitigation rates are relative and can change based upon a change in risk and the evolution of security technologies to mitigate that risk. It is recommended that the user of these guidelines understands the concepts used in developing a security risk assessment and performs an evaluation of any appropriate newly developed security technologies to establish the most effective solution.

Examples of risks that are not addressed in this document:

• technical risks arising, for example, when applicable security tools are applied improperly;
• management risks relating to document examination from inadequate or no supervision, or lack of training of personnel assigned to examine documents;
• organizational risks, including illegal collection of data from examined documents or insiders who deliberately overlook counterfeit documents in exchange for economic gain or as a part of a criminal enterprise [e.g. security staff allowing under-age entry based on counterfeit identification (ID), internal fraud at licensing agencies where personnel consciously overlook counterfeit ID to issue valid ID];
• external risks meaning impacts outside the control of affected organizations (e.g. power outages or short-term equipment failure);
• compliance risks occurring when a company fails to comply with mandated laws or regulations, which can result in fines or legal actions.

This document has been developed on the basis of concepts and methodologies adapted from Reference [7].

1 Scope

This document gives guidance on how to secure physical documents for specifying entities of physical documents. It establishes a procedure for security design, which includes:

• risk assessment;
• determination of document classes;
• introduction of security features;
• security evaluation;
• document risk mitigation.

This document is applicable to secure physical documents that are used for important actions such as validating value transactions, providing access, demonstrating compliance and securing products.

This document does not apply to banknotes, machine-readable travel documents, driving licences, postage stamps, tax stamps, health cards or national identity cards covered by existing standards and regulations.

2 Normative references

The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO 22300 and the following apply.

ISO and IEC maintain terminology databases for use in standardization at the following addresses:

Bibliography