ISO IEC 24745-2022 PDF
Full title and description
ISO/IEC 24745:2022 — Information security, cybersecurity and privacy protection — Biometric information protection. This international standard specifies security and privacy requirements and guidance for the protection of biometric information (biometric references and derived data) during storage, processing and transfer, and addresses confidentiality, integrity and renewability/revocability concerns for biometric systems.
Abstract
ISO/IEC 24745:2022 provides an analysis of threats to biometric information, countermeasures, security requirements for binding biometric references (BR) to identity references (IR), application models for storage and comparison of biometric references, and guidance on privacy-preserving processing of biometric information. The document explicitly excludes general physical/environmental security and cryptographic key-management details.
General information
- Status: Published / Current international standard.
- Publication date: 8 February 2022 (effective date of the 2022 edition).
- Publisher: Joint ISO/IEC publication; developed under ISO/IEC JTC 1, SC 27 (Information security, cybersecurity and privacy protection).
- ICS / categories: 35.030 (IT security / information security).
- Edition / version: 2nd edition (2022).
- Number of pages: 63 pages in the ISO/IEC publication (pagination may vary in national/adopted formats where some distributors list 70–74 pages).
Scope
ISO/IEC 24745:2022 covers requirements and recommendations to protect biometric information with respect to confidentiality, integrity and renewability/revocability during storage and transfer. It addresses threat analysis and countermeasures specific to biometric systems, secure binding between biometric and identity references, application models for where and how biometric references are stored and compared, and guidance for protecting individuals' privacy in biometric processing. The standard does not cover general physical security, environmental security, or detailed cryptographic key-management practices.
Key topics and requirements
- Threat analysis for biometric systems and recommended countermeasures.
- Security requirements for binding biometric references (BR) to identity references (IR).
- Application models for storage and comparison of biometric references (local, remote, template-on-card, etc.).
- Requirements and guidance for confidentiality, integrity and renewability/revocability of biometric templates.
- Privacy guidance for collection, processing and retention of biometric data (minimization, purpose limitation, unlinkability/irreversibility considerations).
- Recommendations for protecting biometric data in transit and at rest (architectural and procedural controls; not a replacement for detailed cryptographic key-management).
Typical use and users
Primary users are biometric system designers and integrators, security architects, product vendors (hardware and software), evaluators and testing laboratories, certification bodies, data protection officers, and regulatory or procurement teams assessing biometric deployments. The standard is used to specify contractual and technical requirements, guide secure system architecture, and inform privacy impact assessments and compliance activities. It is also referenced by other biometrics-related standards and profiles (for example, in mobile biometric authentication profiles).
Related standards
Relevant standards and families that commonly interact with or complement ISO/IEC 24745 include: ISO/IEC 30107 (Biometric presentation attack detection series), ISO/IEC 19792 (security evaluation of biometric systems), ISO/IEC 27553 (security and privacy requirements for authentication using biometrics on mobile devices — which references 24745), and information-security management standards such as ISO/IEC 27001 for broader organisational controls. These standards cover complementary aspects like PAD, evaluation methodology and device/mobile-specific profiles.
Keywords
Biometric information protection; biometric reference (BR); identity reference (IR); template protection; unlinkability; irreversibility; revocability/renewability; privacy; confidentiality; integrity; biometric system application models; biometric template security.
FAQ
Q: What is this standard?
A: ISO/IEC 24745:2022 is an international standard that specifies security and privacy requirements and guidance for protecting biometric information (templates and derived data) in biometric systems.
Q: What does it cover?
A: It covers threat analysis and countermeasures for biometric systems, security requirements for binding biometric and identity references, application models for storage/comparison of biometric references, and privacy guidance for processing biometric information; it excludes general physical/environmental security and detailed cryptographic key-management.
Q: Who typically uses it?
A: System designers, integrators and vendors of biometric solutions; security architects and auditors; testing/evaluation laboratories; certification bodies; data protection officers and procurers/regulators who need to specify or assess biometric security and privacy controls.
Q: Is it current or superseded?
A: Current — the 2nd edition (ISO/IEC 24745:2022) was published 8 February 2022 and supersedes the 2011 edition. Organisations should reference the 2022 edition for up-to-date requirements.
Q: Is it part of a series?
A: It is part of the body of ISO/IEC standards for biometric security and privacy maintained within JTC 1 (not a numbered consecutive series, but related to other biometrics standards such as the ISO/IEC 30107 PAD series, ISO/IEC 19792 (security evaluation), and mobile-authentication profiles like ISO/IEC 27553).
Q: What are the key keywords?
A: Biometric information protection, template protection, unlinkability, irreversibility, revocability/renewability, biometric reference (BR), identity reference (IR), privacy, confidentiality, integrity.