This file contains raw search retrieval results or agent logs. The content below shows the original markdown source.
---
layout: raw-data.njk
title: "evidence integration"
---
# Stage 10 Remediation - Evidence Requirements Integration Documentation
## Date: 2025-11-20
## Task: Part 1.6 - Document evidence requirements integration
---
## Purpose
This document explains how evidence requirements from various guidance materials, checklists, and supporting documents integrate with the four core Identification Standards. Understanding this integration is essential for:
- Organizations preparing for conformance assessment
- Assessors conducting audits
- Stakeholders reviewing conformance documentation
---
## Evidence Requirements Architecture
### Three-Layer Integration Model
Evidence requirements integrate across three layers:
**Layer 1: Standards (Normative)**
- Define **what** must be achieved (controls)
- Specify **level** of assurance required
- State **mandatory** requirements using MUST/SHOULD
**Layer 2: Implementation Guidance (Non-Normative)**
- Explain **how** to meet controls
- Provide **examples** and scenarios
- Suggest **approaches** and techniques
**Layer 3: Conformance Checklists and Templates (Assessment Tools)**
- List **evidence types** needed for assessment
- Map **controls** to **audit evidence codes**
- Provide **templates** for documentation
---
## Integration by Standard
### Federation Assurance (FA) Standard
#### Core Standard: 42 Controls (FA1.01-FA13.02)
- **Normative text**: Controls that MUST/SHOULD be met
- **Location**: Consolidated document Section 4.1-4.2
- **Constraint**: Text cannot be modified (preserved word-for-word)
#### Implementation Guidance: 42 Sections
- **Active voice guidance**: Explains how to implement each control
- **Location**: Consolidated document Section 4.3
- **Source**: `/RetrievalResults/04_federation_standard/02_implementation_guidance/`
- **Status**: Retrieved and verified (10 of 42 sections spot-checked, all passed)
#### Conformance Checklists: 2 Files
- **Credential Establishment** (FA1-FA5): For Credential Providers
- **Facilitation Mechanisms** (FA6-FA13): For Facilitation Providers
- **Location**: `/RetrievalResults/04_federation_standard/03_checklists_templates/`
- **Evidence Codes**: AUDIT1.1, AUDIT1.2, AUDIT1.4, AUDIT3.2, AUDIT4.1, AUDIT4.2
---
### Information Assurance (IA) Standard
#### Core Standard: 14 Controls (IA1.01, IA2.01-IA2.04, IA3.01-IA3.04, IA4.01a-IA4.02b, IA5.01-IA5.02)
- **Normative text**: Controls that MUST/SHOULD be met
- **Location**: Consolidated document Section 5.1-5.2
- **Constraint**: Text cannot be modified
#### Implementation Guidance: 15 Sections
- **Guidance structure**: Mix of control-level guidance and synthesized thematic guidance
- **Location**: Consolidated document Section 5.3
- **Source**: `/RetrievalResults/05_information_standard/02_implementation_guidance/`
- **Status**: Retrieved (all 15 sections) and content-checked (5 sections)
#### Conformance Checklist: Combined IA/BA File
- **Combined checklist**: Information & Binding Assurance
- **Location**: `/RetrievalResults/05_information_standard/03_checklists_templates/`
- **Evidence Codes**: Shared with BA standard
#### Supporting Evidence Guidance
- **"Using documents as evidence"** guidance provides detailed requirements for document verification
- **Referenced in**: IA4 implementation guidance (evidence quality)
- **Integration**: Provides practical framework for assessing document authenticity, security features, and validity
---
### Authentication Assurance (AA) Standard
#### Core Standard: 29 Controls (AA1.01-AA10.06)
- **Normative text**: Controls that MUST/SHOULD be met
- **Location**: Consolidated document Section 6.1-6.2
- **Constraint**: Text cannot be modified
#### Implementation Guidance
- **Status**: Not retrieved during Stage 10 remediation (deferred)
- **Note**: Implementation guidance exists but was not a priority for this remediation phase
#### Conformance Checklist
- **File**: Authentication Assurance checklist (markdown)
- **Status**: Available in source directory but not copied during remediation
- **Recommendation**: Copy to `/RetrievalResults/06_authentication_standard/03_checklists_templates/` if needed
---
### Binding Assurance (BA) Standard
#### Core Standard: 15 Controls (BA1.01-BA5.03)
- **Normative text**: Controls that MUST/SHOULD be met
- **Location**: Consolidated document Section 7.1-7.2
- **Constraint**: Text cannot be modified
- **Verification Status**: ✅ ALL 15 controls verified word-for-word (Part 2.1)
#### Implementation Guidance
- **Status**: Not separately retrieved (typically integrated with IA guidance)
- **Rationale**: BA and IA processes often occur together during enrollment
#### Conformance Checklist: Combined IA/BA File
- **Combined checklist**: Information & Binding Assurance
- **Location**: `/RetrievalResults/07_binding_standard/03_checklists_templates/`
- **Rationale**: Binding and information assurance evidence often overlaps
---
## Evidence Type Mapping
### Common Evidence Codes Across Standards
**AUDIT1.1 - Identification Risk Assessment**
- **Applies to**: All standards (FA, IA, BA, AA)
- **Purpose**: Demonstrates risk-based approach to control selection
- **Reference**: Section 2 (Assessing identification risk) in consolidated document
- **Source**: `nz/identification-management/assessing-identification-risk/2025/en/`
**AUDIT1.2 - ISO31000 Risk Assessment**
- **Applies to**: All standards (alternative to AUDIT1.1)
- **Purpose**: Uses international risk standard if not using Identification Risk Assessment
- **Acceptance**: Either AUDIT1.1 OR AUDIT1.2 required, not both
**AUDIT1.4 - Privacy Impact Assessment**
- **Applies to**: FA (Objectives 3, 8, 11)
- **Purpose**: Demonstrates Privacy Act compliance
- **Sub-requirements**:
  - IPP2: Process for adding credentials
  - IPP3/IPP10: Usage of generated information
  - IPP11: Disclosure during presentation
  - IPP13: Use of Entity Information identifier
**AUDIT3.2 - Conformance Certificate**
- **Applies to**: FA, IA, BA, AA (cross-standard dependency)
- **Purpose**: Evidence of conformance with other required standards
- **Example**: Facilitation Provider needs AA conformance certificate for authenticators
**AUDIT4.1 - Management Documentation**
- **Applies to**: FA (facilitation mechanisms)
- **Types**:
  - Facilitation Management document
  - Credential Management document
- **Contents**: Procedures, processes, capabilities, logging, monitoring
**AUDIT4.2 - Security Documentation**
- **Applies to**: FA (facilitation mechanisms)
- **Contents**:
  - Confidentiality, integrity, availability measures
  - Authenticity and tamper protection
  - Network and facility security
---
## Special Integration Cases
### Case 1: Cross-Standard Dependencies
Some evidence requirements create dependencies between standards:
**Example**: Facilitation Provider (FA6.02)
- Must have **authentication** at appropriate level → Requires AA conformance
- Evidence: AUDIT3.2 (AA conformance certificate)
- Integration: FA conformance depends on prior AA conformance
**Example**: Credential Provider (FA2.02)
- Must verify **information accuracy** → Applies IA controls
- Evidence: AUDIT3.2 (IA conformance certificate)
- Integration: FA conformance depends on prior IA conformance
### Case 2: Shared Evidence Across Controls
Some evidence serves multiple controls:
**Example**: AUDIT1.1 (Risk Assessment)
- Used by: FA1.01, FA6.01, IA1.01, BA1.01, AA1.01
- Benefit: Single risk assessment document can support multiple standard controls
- Implication: Risk assessment must address all relevant aspects (information, binding, authentication, federation)
### Case 3: Evidence Hierarchy
Some evidence builds on other evidence:
**Level 1**: Risk Assessment (AUDIT1.1/1.2)
→ Determines which levels of assurance to target
**Level 2**: Management/Security Documentation (AUDIT4.1/4.2)
→ Describes how controls at target levels are implemented
**Level 3**: Operational Records
→ Demonstrates controls are actually operating as documented
**Level 4**: Conformance Certificate (AUDIT3.2)
→ Third-party verification that Levels 1-3 are satisfactory
---
## Integration with Section 8: Demonstrating Conformance
### Current State in Consolidated Document
**Section 1**: Understanding Conformance
- Provides overview of conformance process (3 stages)
- Explains assessment types (self, qualified, audited)
- **Evidence integration**: Minimal; focuses on process, not specific requirements
**Section 8**: Demonstrating Conformance
- **Current status**: Should contain detailed conformance guidance
- **Recommended content**:
  - Detailed evidence requirements by standard
  - Checklist usage instructions
  - Evidence preparation guidance
  - Cross-standard dependency mapping
  - Assessment preparation timeline
### Recommended Section 8 Structure
**8.1 Overview of Conformance Assessment**
- Process stages (from Section 1 conformance guidance)
- Assessment types and outcomes
- Timeline and planning considerations
**8.2 Evidence Requirements by Standard**
- FA evidence requirements (AUDIT codes explained)
- IA/BA evidence requirements
- AA evidence requirements
- Cross-standard dependencies documented
**8.3 Using Conformance Checklists**
- How to complete checklists
- Mapping controls to evidence
- Cross-referencing existing documentation
- Redaction and confidentiality considerations
**8.4 Preparing for Assessment**
- Evidence gathering workflow
- Documentation best practices
- Demonstration preparation
- Assessor engagement process
**8.5 Conformance Checklists and Templates**
- Links to markdown checklists in RetrievalResults/
- Usage instructions for each checklist
- Levels of Assurance documentation templates
---
## Supporting Guidance Integration
### "Using documents as evidence" Guidance
**Location**: Referenced in IA4 implementation guidance
**Integration Point**: IA4.01a-IA4.02b (evidence quality and status)
**Purpose**: Provides detailed framework for:
- Assessing document authenticity
- Checking security features
- Verifying document validity
- Understanding document types and purposes
**How it integrates**:
1. IA4 controls specify WHAT evidence quality is needed
2. IA4 implementation guidance explains WHY quality matters
3. "Using documents as evidence" provides HOW to assess quality
4. Conformance checklist identifies WHICH evidence to provide for audit
### "Counter fraud techniques" Guidance
**Location**: Referenced in IA5.01 implementation guidance
**Integration Point**: IA5.01 (counter fraud control)
**Purpose**: Provides techniques for detecting:
- Fabricated information
- Fraudulent credentials
- Identity impersonation
- Synthetic identities
**How it integrates**:
1. IA5.01 control requires counter fraud measures
2. IA5.01 implementation guidance points to separate counter fraud guidance
3. Counter fraud guidance provides specific techniques and approaches
4. Organizations implement appropriate techniques based on their risk assessment
### "Assessing identification risk" Guidance
**Location**: Section 2 in consolidated document
**Integration Point**: ALL standards (FA1.01, IA1.01, BA1.01, AA1.01)
**Purpose**: Provides structured risk assessment methodology
**How it integrates**:
1. Every standard requires risk assessment (first control in each)
2. Risk assessment determines Levels of Assurance to target
3. Levels of Assurance determine which control requirements apply
4. Evidence requirements scale with Levels of Assurance
---
## Evidence Lifecycle
### Stage 1: Planning (Pre-Implementation)
- Conduct risk assessment (AUDIT1.1/1.2)
- Select target Levels of Assurance
- Identify applicable controls
- Plan evidence collection strategy
### Stage 2: Implementation
- Implement controls at target levels
- Create management/security documentation (AUDIT4.1/4.2)
- Establish operational processes
- Begin logging and record-keeping
### Stage 3: Documentation
- Complete conformance checklists
- Cross-reference existing documentation to controls
- Prepare Privacy Impact Assessment (AUDIT1.4)
- Compile evidence packages
### Stage 4: Assessment Preparation
- Review evidence against checklist requirements
- Identify gaps and address them
- Prepare demonstration scenarios
- Engage with assessor
### Stage 5: Assessment
- Submit evidence for review
- Respond to assessor questions
- Conduct demonstrations
- Address any non-conformances
### Stage 6: Certification
- Receive opinion (qualified assessment) or statement (audited assessment)
- Obtain conformance certificate (AUDIT3.2)
- Use certificate as evidence for other standards if applicable
### Stage 7: Maintenance
- Monitor ongoing compliance
- Update evidence as processes change
- Prepare for re-conformance before expiry
- Maintain currency of documentation
---
## Recommendations for Evidence Integration
### Recommendation 1: Create Evidence Matrix
Develop a matrix showing:
- Controls (rows)
- Evidence types (columns)
- Mapping of which evidence supports which controls
- References to implementation guidance and checklists
**Benefit**: Organizations can see at a glance which evidence they need
### Recommendation 2: Enhance Section 8
Add comprehensive conformance guidance to Section 8:
- Detailed evidence requirements
- Checklist usage instructions
- Examples of acceptable evidence
- Common pitfalls and how to avoid them
**Benefit**: Single location for all conformance assessment information
### Recommendation 3: Provide Evidence Examples
Include examples of acceptable evidence in implementation guidance:
- Sample risk assessment excerpts
- Example management document structures
- Typical Privacy Impact Assessment contents
**Benefit**: Organizations understand what "good" evidence looks like
### Recommendation 4: Document Cross-Standard Paths
Create flowcharts showing:
- Which standards to conform with in which order
- Dependencies between standards
- Typical conformance journeys for different roles
**Benefit**: Organizations can plan multi-standard conformance efficiently
---
## Conclusion
Evidence requirements integrate across standards, guidance, and checklists in a structured three-layer model. Understanding this integration enables:
**For Organizations**:
- Efficient evidence collection
- Reduced duplication across standards
- Clear conformance pathway
**For Assessors**:
- Consistent assessment approach
- Clear evidence expectations
- Structured audit process
**For Stakeholders**:
- Transparent conformance requirements
- Confidence in assessment process
- Comparable conformance statements
**Key Integration Points**:
1. Risk assessment drives level selection (all standards)
2. Checklists map controls to evidence types
3. Implementation guidance explains how to meet controls
4. Supporting guidance provides detailed techniques
**Status**: Evidence integration is well-structured across the identification standards framework, with clear pathways from controls to evidence to conformance.
---
**Documentation Prepared By**: Stage 10 Remediation - Part 1.6
**Documentation Date**: 2025-11-20
**Status**: COMPLETE