UK Digital Identity and Attributes Trust Framework
NQA is part of the Pilot Certification Process being undertaken in parallel with the development of the UK Digital Identity and Attributes Trust Framework.
Digital identity products or services providing digital Disclosure and Barring Service checking services are required to be certified.
Digital identity products or services supporting companies to meet regulatory or legal obligations in the Right to Rent and Right to Work schemes are being encouraged to achieve certification.
What is the UK Digital Identity and Attributes Trust Framework?
The UK Digital Identity and Attributes Trust Framework is a set of interoperable standards and working practices designed to facilitate the creation and use of digital identities for a wide variety of applications. The goal of the trust framework is to ensure that an individual’s digital identity or attributes can be trusted by entities who know nothing about the individual.
This is a key tenet of the UK Government’s digital strategy and seeks to foster innovation, competition and transparency.
To achieve this, the trust framework is expected to require that products or services become independently certified.
The UK Digital Identity and Attributes Trust Framework itself is in an early launch (alpha) phase. The trust framework is being piloted on a number of specific applications (schemes) including the Home Office Right to Work and Right to Rent schemes as well as by the Disclosure and Barring Service (DBS).
Disclosure and Barring Service (DBS) digital vetting – certification is required
Right to Work – certification encouraged
Right to Rent – certification encouraged
The Department for Digital, Culture, Media & Sport are the lead body for the UK Digital Identity and Attributes Trust Framework. They have already specified certain requirements for framework participants, and they include:
Technical security standards, such as encryption
Operating a Quality Management System, such as ISO 9001
Operating an Information Security Management System, such as ISO 27001
Operating a Privacy Information Management System, such as ISO 27701
Within the framework products or services can fulfil one or many roles:
Identity Service Providers (ISP). Identity Service Providers prove and verify users’ identities. Users register with and authorise their ISP to share their verified Digital Identity with relying parties, e.g. a mortgage provider.
Attribute Service Providers (ASP). Attribute Service Providers collect, check and create user attributes within digital IDs. Users authorise the ASP to share their attributes with Identity Service Providers (ISPs) and with relying parties, e.g. a landlord carrying out a right to rent check.
Orchestration Service Providers (OSP). Orchestration Service Providers ensure that data is securely shared between ISPs, ASPs and relying parties.
Relying Parties. Relying Parties consume services provided by the trust framework. As an organisation you could fulfil one or more of the provider roles. Participants in the framework will be certified against a set of government-approved rules (as set out in the framework consultation).
Helps you with
- Mandatory for DBS checking using IDVT
- Opens up the opportunity to verify data against government-held attributes
- Builds trust at industry level in emerging technology and develops the commercial market place for all players
- Demonstrates to relying parties (customers) that your product is of high enough quality that it will meet the business and regulatory requirements
- Facilitates the development of reusable digital identities – which have greater value to users across different sectors and use cases
- Provides certainty for relying parties (customers) in the face of evolving legislative and regulatory environment
- Signals to people that your product can be trusted and is secure. Government-endorsed certification process.
How to Get Certified to the UK Digital Identity and Attributes Trust Framework
- Complete a Quote Request Form so that we can understand your company and your product or service. You can do this by downloading our quote request form. We will also ask you to provide a service specification to enable us to understand how we would approach our assessment. We will use this information to accurately define your scope of assessment and provide you with a proposal for certification.
- Complete our pre-assessment checklist to ensure you are ready for your initial assessments
- Stage 1 assessment conducted. This is an offsite document review assessment to determine compliance with the requirements of the framework and relevant schemes (such as DBS, Right to Work).
- Stage 2 assessment conducted. This is an assessment of your product or service to ensure it complies with the requirements of the framework and scheme(s) as well as your processes and procedures. This requires you to show us how your organisation, product or service operates in practice. * Please note that your stage 1 and stage 2 assessments can be reduced in duration if your organisation already has accredited certification in place for ISO 9001, ISO 27001 or ISO 27701.
- Certification is granted and your product is registered with the framework.
- Ongoing surveillance assessments take place periodically to ensure ongoing compliance with the requirements of the framework
NQA have been selected as a certification body to participate in the certification pilot.
Certification is provided to organisations by accredited certification bodies. Certification bodies must become accredited by UKAS to certify against the Framework. Accreditation will be granted by UKAS when the Pilot Process has been completed.
Accredited certification will be issued against ISO 17065. ISO 17065 is the international standard for assessing conformance. This delivers a high level of assurance to the framework, ensuring the steps in the certification process are impartial, transparent and competently delivered.
DCMS have stated that the pilot process will initially focus on Right to Work, Right to Rent and DBS schemes.
The Certification Pilot is expected to run until November 2022, after which successful certification bodies are expected to be accredited and certification will operate in normal conditions.
NQA is now seeking a limited number of customers to work with through the pilot. The benefits of working with NQA on this pilot project are:
Collaborate in the development of the scheme and support each organisation’s approach
Positioning as an early adopter and ability to influence the development of this Framework
Engage with the regulatory environment in a more collaborative environment than after the certification process is out of the pilot phase
Steps to Certification
Complete a Quote Request Form so that we can understand your company and requirements. You can do this by completing either the online quick quote or the online formal quote request form. We will use this information to accurately define your scope of assessment and provide you with a proposal for certification.
Once you’ve agreed your proposal, we will contact you to book your assessment with an NQA Assessor. This assessment consists of two mandatory visits that form the Initial Certification Audit. Please note that you must be able to demonstrate that your management system has been fully operational for a minimum of three months and has been subject to a management review and full cycle of internal audits.
Following a successful two stage audit, a certification decision is made and if positive, then certification to the required standard is issued by NQA. You will receive both a hard and soft copy of the certificate. Certification is valid for three years and is maintained through a programme of annual surveillance audits and a three yearly recertification audit.