ISO IEC 29146-2024 PDF
Name in English:
St ISO IEC 29146-2024
Name in Russian:
Ст ISO IEC 29146-2024
Full title and description
Information technology — Security techniques — A framework for access management. This International Standard defines and establishes a framework for access management (AM) and the secure management of the process to access information and ICT resources, including concepts, terms, architecture, components and management functions for distributed access management in networked environments. The standard clarifies responsibilities and accountability of subjects in access processes and explicitly excludes the nature and qualities of physical access control from its scope.
Abstract
ISO/IEC 29146:2024 provides a concise, vendor-neutral framework for access management across distributed and networked systems. It defines core concepts and terminology, describes architectural components and management functions for access decisions and enforcement, and addresses subject recognition and accountability in ways aligned with identity management standards. Physical access control is not covered. The document is intended to guide architects, implementers and policy owners in structuring AM capabilities consistently.
General information
- Status: Published.
- Publication date: 19 January 2024 (Edition 2).
- Publisher: ISO/IEC (ISO/IEC JTC 1/SC 27).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 2 (2024).
- Number of pages: 34.
Scope
ISO/IEC 29146:2024 establishes a framework for access management (AM) that covers concepts, terminology, and guidance on architectures, components and management functions needed to manage access to information and ICT resources in distributed network environments. The standard addresses subject recognition and accountability as they relate to access decisions and aligns with identity management concepts found in the ISO/IEC 24760 series. It does not cover the physical access control aspects of facilities or the detailed mechanics of physical locks, readers or gates.
Key topics and requirements
- Definitions and core concepts for access management (AM) in networked/distributed environments.
- Reference architecture and typical AM components (policy decision/enforcement, attribute providers, identity/credential sources, audit/logging).
- Management functions for secure handling of access requests, lifecycle of access rights, and accountability of subjects.
- Guidance for integrating subject recognition and identity attributes with access decision processes (aligned with ISO/IEC 24760 identity management concepts).
- Applicability to distributed and networked systems, including considerations for interoperability, federation and delegated access.
- Explicit exclusion: physical access control and its specific qualities are outside the standard’s scope.
Typical use and users
Security architects, IAM (identity and access management) engineers, platform and cloud architects, compliance officers, product designers and integrators use this standard to design, evaluate or document access-management architectures and processes. Organizations adopt it for aligning AM capabilities across systems, specifying interfaces between identity providers and access-control components, and for procurement or policy development related to access governance.
Related standards
ISO/IEC 29146 is part of the broader SC 27 family and is commonly referenced alongside identity and privacy standards such as the ISO/IEC 24760 identity management series (core concepts and terminology), ISO/IEC 29100 (privacy framework) and entity-authentication assurance guidance like ISO/IEC 29115. It also complements management and information-security standards in the ISO/IEC 27000 series when specifying access-control objectives and controls.
Keywords
Access management, AM framework, access control, identity management, authorization, distributed systems, accountability, ICT security, policy enforcement, subject recognition.
FAQ
Q: What is this standard?
A: ISO/IEC 29146:2024 is an international standard that defines a framework for access management—covering concepts, terminology, architecture and management functions for securely managing access to information and ICT resources in distributed environments.
Q: What does it cover?
A: It covers the conceptual framework for access management, recommended architectural components and management functions, and how subject recognition and accountability fit into access processes. It explicitly excludes the specifics of physical access control.
Q: Who typically uses it?
A: IAM engineers, security and platform architects, auditors, compliance and policy teams, product managers and vendors use it to design, specify and evaluate access-management solutions.
Q: Is it current or superseded?
A: ISO/IEC 29146:2024 (Edition 2) is the current published edition (January 2024). It replaces ISO/IEC 29146:2016 and its 2022 amendment. The standard is published and active.
Q: Is it part of a series?
A: Yes — it sits within the SC 27 family of information security, cybersecurity and privacy protection standards and is closely related to identity-management and privacy standards such as ISO/IEC 24760 (identity management series), ISO/IEC 29100 (privacy framework) and ISO/IEC 29115 (entity authentication assurance).
Q: What are the key keywords?
A: Access management, access control, IAM, authorization, identity management, distributed systems, accountability, AM framework.