Like them or loathe them, mutually recognised standards are the cornerstone of international trade. The recent release of a new ISO standard for product and document authentication (ISO 22383:2020 1) adds to a library of ISO standards that are reviewed in this edition of ID & Secure Document News™ and June’s edition of its sister publication, Authentication News®.
ISO standards for document authentication are grouped together with those for product authentication under the ISO 22300 family of standards. The nature of the categorisation sometimes results in the mixing together of documents and products, which is reflected in this review. The standards are prepared by a dedicated working group called ‘Authenticity, integrity and trust for products and documents’, which resides within ISO’s Security and resilience technical committee (TC 292).
This article provides a summary of the main ISO standards of interest to those involved in authentication, divided according to their general theme. It should be noted that these are guidance standards, providing recommendations and advice on best practices, as opposed to compliance standards, which are more prescriptive, and which are accompanied by an auditing and certification process for those parties wishing to comply with them.
ISO 22380:2018 – General principles for product fraud risk and countermeasures – this standard establishes general principles for an organisation to identify the risks related to various types of fraud. It provides guidance on how organisations can establish strategic, business countermeasures to prevent or reduce the harm, tangible or intangible loss and cost of fraudulent attacks.
22380 is applicable to all organisations, both public and private, regardless of size or nature.
ISO 22384:2020 – Guidelines to establish and monitor a protection plan and its implementation – this standard offers guidelines for assessing product security-related threats, risks and countermeasures by developing a suitable protection plan, supporting its implementation and monitoring its effectiveness once implemented.
The standard considers the impact of a protection plan on, for example, product life cycles, supply chains, manufacturing, data management, brand perception and costs, so that the plan may be adapted accordingly.
ISO 22383:2020 – Guidelines for the selection and performance evaluation of authentication solutions for material goods – this is a technical revision of this standard, first published as ISO 12931 in 2012. It provides guidelines for performance criteria and an evaluation methodology for authentication solutions used to unambiguously establish a product or document’s authenticity and integrity throughout its life cycle.
The standard helps organisations determine the categories of authentication elements they need in order to combat counterfeiting-related risks, and the criteria for selecting those elements.
The standard does not, however, specify economic criteria for correlating performance and cost of authentication solutions. Nor does it make any reference to particular trademarks, nor even to particular groups of authentication elements (such as holograms).
Let’s stay a moment with ISO 22383 and look a bit more in detail at its recommendations, some of which are as follows:
An authentication feature is more robust when it consists of a layered solution, where individual authentication elements are used in combination. In this respect, the standard refers to the use of a combination of overt, covert and forensic-level elements, working together to provide proof.
The standard provides a clear warning that track and trace systems, when used alone, cannot be considered as authentication solutions.
An authentication solution for a product must consist of a creation process followed by an inspection process.
‘The creation process consists of defining, generating and manufacturing the authentication elements and integrating them with the material good or its packaging. The inspection process includes verifying the authentication elements along the distribution chain by trained people using human senses, tools or references… The level of performance of an authentication solution should therefore be assessed as a whole, including all the components and interfaces involved,’ advises the standard.
Providers of authentication elements and tools should be registered and independently audited, particularly with respect to the measures they have in place to ensure a secure environment (see also reference to the ISO 14298:2013 compliance standard for security printers below).
The design, production and distribution of authentication elements should be protected against knowledge transfer with regard to their composition and manufacturing process.
Several performance criteria for authentication solutions may be considered under the categories: ability to provide information feedback or analytical results; attack resistance; field/ environmental function; implementation process; integration process; physical characteristics; user friendliness.
Authentication elements should be resistant to, among other things, reverse engineering, tampering, alteration and non-controlled reuse.
With regard to reverse engineering, the standard advises: ‘it should be extremely unlikely to acquire enough information to be able to successfully create/generate/ manufacture an authentication element and to use this element to circumvent the protection. It should require an extraordinary level of effort to accurately copy authentication elements. If an authentication element were to be copied, the authentication element should contain copy-evident features apparent in the authentication process’.
And with regard to tampering: ‘a tangible or intangible form of interdependence between the authentication element and the item it protects should be developed.
An authentication element displays tangible interdependence if it is destroyed or displays some form of visible or recognisable alteration when an attempt is made to remove the authentication element from the material good. Intangible interdependence occurs where the authentication element has a logical link to the item or a reference that cannot be erased or duplicated’.
Whereas ISO 22383 is focused on product security, a new standard, currently at preparatory stage, is intended for physical documents. This is called ISO/AWI 22388 – Guidelines for securing physical documents 2 (where AWI stands for Approved new Work Item).
ISO 22381:2018 – Guidelines for establishing interoperability among object identification systems to deter counterfeiting and illicit trade – this gives guidelines for establishing interoperability among independently functioning product identification and related authentication systems, as described in ISO 16678. The permanent transfer of data from one system to another is out of the scope of this document.
22381 also gives guidance on how to specify an environment that is open to existing or new methods of identification and authentication of objects, and that is accessible for legacy systems that may need to remain active.
ISO/CD 22385 – Guidelines for establishing a framework for trust and interoperability – this is under development, and is currently at the stage of review by the technical committee.
ISO 22382:2018 – Guidelines for the content, security, issuance and examination of excise tax stamps – this standard gives guidance to tax authorities on: defining the functions of a tax stamp; identifying and consulting with stakeholders; planning the procurement process and selection of suppliers; design and construction of tax stamps; overt and covert security features; finishing and application processes; security of the tax stamp supply chain; serialisation and unique identifier codes; examination of tax stamps; monitoring and assessing tax stamp performance.
The standard is applicable only to tax stamps that are physical in nature and apparent to the human senses of sight or touch, that are applied to a consumer product or its packaging, and that allow material authentication. When the term ‘authentication’ is used in this standard, it refers only to the authentication of the tax stamp, not to the product on which the stamp is affixed.
In addition to the aforementioned standards, there is another standard of interest to the ID and secure document community, called ISO 14298:2013 – Management of security printing processes. This standard is issued by the Graphic technology technical committee, as opposed to the Security and resilience committee, which issues the 22300 standards.
Rather than being a guidance standard that gives advice and recommendations, ISO 14298 is a compliance standard, which is much more prescriptive and supported by an auditing and certification process.
14298 is directed specifically to security printers. It specifies a minimum set of requirements for the management of security printing and hologram manufacturing processes. The certifying organisation behind 14298 is Intergraf.
All ISO standards are available to buy and download from the ISO online store, at www.iso.org/store.html. They are also available from every national standards body that is a member of ISO.