ISO IEC 19792-2025 PDF

St ISO IEC 19792-2025

Name in English:
St ISO IEC 19792-2025

Name in Russian:
Ст ISO IEC 19792-2025

Description in English:

Original standard ISO IEC 19792-2025 in PDF, full version. Additional information and preview on request.

Description in Russian:

Original standard ISO IEC 19792-2025 in PDF, full version. Additional information and preview on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25175

Price:
€25

Full title and description

ISO/IEC 19792:2025 — Information security, cybersecurity and privacy protection — General principles, requirements and guidance for security evaluation of biometric systems. This International Standard provides principles and guidance for carrying out security evaluations of biometric systems, focusing on biometric-specific aspects such as recognition performance, presentation-attack detection and privacy considerations.

Abstract

This document specifies general principles, requirements and guidance for a security evaluation of a biometric system. It gives an overview of the main biometric-specific aspects to be considered (recognition performance, presentation attack detection and privacy) and sets out principles to guide the security evaluation process. The standard explicitly excludes non-biometric aspects that can form part of an overall security evaluation (for example, requirements on databases or communication channels).

General information

  • Status: Published
  • Publication date: 25 June 2025
  • Publisher: ISO/IEC (International Organization for Standardization / International Electrotechnical Commission)
  • ICS / categories: 35.030 — Information security
  • Edition / version: Edition 2 (2025)
  • Number of pages: 25

Scope

ISO/IEC 19792:2025 defines general principles, requirements and guidance to perform a security evaluation of biometric systems. It addresses biometric-specific evaluation topics (recognition performance, presentation-attack detection (PAD), and privacy) and provides guidance on defining evaluation boundaries, test conditions, metrics and reporting. The standard does not prescribe a single evaluation methodology or certification scheme and does not cover non-biometric system components such as databases, communication channels or wider system architectures, which should be evaluated separately where relevant. This edition replaces the 2009 edition.

Key topics and requirements

  • Principles for planning and scoping a security evaluation of a biometric system.
  • Assessment of recognition performance (metrics, test conditions and reporting).
  • Evaluation guidance for presentation-attack detection (PAD) and attack categorization.
  • Privacy considerations and requirements for protection of biometric data during evaluation and in operational use.
  • Specification of evaluation boundaries and explicit exclusion of non-biometric system elements (databases, channels).
  • Requirements for test data, test subject selection, environmental conditions and repeatability.
  • Guidance on reporting, documenting assumptions, limitations and residual risks.
  • Advice for integrating biometric-specific evaluation outcomes into broader security and certification schemes.

Typical use and users

Intended users include security evaluators and testing laboratories, biometric system developers and integrators, certification and conformity-assessment bodies, procurement officers specifying biometric system requirements, privacy officers, regulators and risk managers. The standard is used to define evaluation scope, design test programs, interpret biometric-specific security results, and inform procurement, certification and risk-mitigation decisions.

Related standards

Important related standards and families to consult alongside ISO/IEC 19792:2025 include: ISO/IEC 19792:2009 (previous edition, withdrawn and replaced), the ISO/IEC 30107 series on biometric presentation-attack detection (PAD), the ISO/IEC 19795 series on biometric performance testing and reporting, the ISO/IEC 19794 family of biometric data interchange formats, and ISO/IEC 24745 on biometric information protection. Depending on the evaluated system, cryptographic and general security standards (for example ISO/IEC 19790 and other JTC 1/SC 27 outputs) and SC 37 biometric standards may also be relevant.

Keywords

biometric security, security evaluation, recognition performance, presentation-attack detection, PAD, privacy, biometric data protection, biometric testing, evaluation framework, ISO/IEC 19792

FAQ

Q: What is this standard?

A: ISO/IEC 19792:2025 is an international standard that sets out general principles, requirements and guidance for performing security evaluations of biometric systems, with emphasis on biometric-specific issues (performance, PAD and privacy).

Q: What does it cover?

A: It covers the planning, scoping and execution principles for biometric security evaluations, including guidance on recognition performance assessment, presentation-attack detection evaluation and privacy considerations. It does not cover non-biometric system components such as databases or communications channels.

Q: Who typically uses it?

A: Security evaluators, test laboratories, biometric system developers and integrators, certification bodies, procurement specialists, privacy officers, regulators and risk managers use this standard to design and interpret biometric security evaluations and to inform procurement and certification decisions.

Q: Is it current or superseded?

A: ISO/IEC 19792:2025 is the current (published) edition. It supersedes and replaces ISO/IEC 19792:2009.

Q: Is it part of a series?

A: It is part of the broader ecosystem of biometric and security standards produced by ISO/IEC JTC 1 (notably SC 27 and SC 37 outputs). Complementary series include ISO/IEC 30107 (PAD), ISO/IEC 19795 (performance testing) and ISO/IEC 19794 (data formats), among others.

Q: What are the key keywords?

A: Biometric security, biometric evaluation, recognition performance, presentation-attack detection (PAD), privacy, biometric data protection, evaluation framework.