# Stage 13: User Guide for New Consolidated Structure

## Guide to Using the Identification Standards

**Audience**: All users of the New Zealand Identification Management Standards
**Purpose**: Help you navigate and use the new consolidated structure effectively
**Document**: `identification_standards_consolidated.md`

---

## Welcome to the New Identification Standards

The Identification Management Standards have been restructured into a single, workflow-based resource designed to make your work easier. This guide will help you get the most out of the new structure.

### What's Changed?

**Before**: 30 separate documents scattered across multiple locations
**Now**: 1 consolidated resource organized around your workflow

**Key improvements**:
- **Easier navigation**: Follow a clear path from understanding to implementation
- **Conformance is central**: No longer hidden; it's prominent throughout
- **Standards and guidance together**: Everything you need in one place
- **Clearer language**: Active voice makes instructions actionable
- **All content visible**: No more hidden content behind expanders
- **Better findability**: Clear section structure with role-based entry points

---

## Quick Start: Finding Your Entry Point

### Which Type of User Are You?

The document provides different entry points based on your role. Choose the pathway that matches your needs:

#### 🔧 Implementers and Developers
**Your goal**: Build or configure systems that conform with the standards

**Start here**:
1. **Section 2**: Understand your identification risks
2. **Section 3**: Determine which assurance levels you need
3. **Sections 4-7**: Implement the relevant standard controls
4. **Section 8**: Prepare for conformance assessment

**What you'll use most**:
- Implementation guidance sections (integrated with controls)
- Practical examples throughout Sections 4-7
- Risk assessment methodology (Section 2)
- Technical specifications (Section 9)

#### ✅ Conformance Assessors and Auditors
**Your goal**: Assess whether systems conform with the standards

**Start here**:
1. **Section 8**: Understand the assessment process and checklists
2. **Section 8.3**: Use the conformance checklists
3. **Sections 4-7**: Review the standards being assessed
4. **Section 8.4**: Understand evidence requirements

**What you'll use most**:
- Conformance checklists (Section 8.3)
- Evidence Code Reference (Section 8.3.5)
- Control statements (Sections 4-7)
- Assessment process guidance (Section 8.1-8.2)

#### 📋 Policy Makers and Executives
**Your goal**: Understand strategic implications and organizational readiness

**Start here**:
1. **Section 1**: Understand why conformance matters
2. **Section 8.1**: Assess organizational readiness
3. **Sections 4-7** (objectives only): Understand scope of requirements
4. **Section 2**: Understand risk assessment requirements

**What you'll use most**:
- Conformance benefits (Section 1.1)
- Threshold considerations (Section 8.1.1)
- Team requirements (Section 8.1.2)
- Objective summaries (in Sections 4-7)

#### πŸ—οΈ Technical Architects and Designers
**Your goal**: Design systems that will meet conformance requirements

**Start here**:
1. **Section 3**: Understand assurance level framework
2. **Sections 4-7**: Review technical controls by standard
3. **Section 9**: Review authenticator specifications and technical details
4. **Section 2**: Understand risk-based decision making

**What you'll use most**:
- Control statements (Sections 4-7)
- Authenticator specifications (Section 9.2)
- Level-specific requirements (throughout Sections 4-7)
- Risk-to-assurance mapping (Section 2.5)

---

## Understanding the Document Structure

### The 9 Major Sections

The document follows a workflow from understanding to implementation to demonstration:

#### **Foundation** (Understand and Plan)

**Section 1: Understanding Conformance**
- Why conform? Is this relevant to you?
- Types of conformance (self, qualified, audited)
- DISTF relationship
- How to use this document

**Section 2: Assessing Identification Risk**
- 8-step risk assessment process
- Threat actor analysis
- Counter-fraud techniques
- Risk-to-assurance mapping

**Section 3: Selecting Assurance Levels**
- LoIA (Information Assurance)
- LoBA (Binding Assurance)
- LoAA (Authentication Assurance)
- LoFA (Federation Assurance)
- Decision criteria and mapping

#### **Implementation** (Apply the Standards)

**Section 4: Federation Assurance Standard & Implementation**
- 13 objectives, 42 controls
- Integrated implementation guidance
- Applies to Credential Providers and Facilitation Providers

**Section 5: Information Assurance Standard & Implementation**
- 5 objectives, 14 controls
- Integrated implementation guidance
- Plus: NCSC cybersecurity requirements (Section 5.4)

**Section 6: Authentication Assurance Standard & Implementation**
- 10 objectives, 38 controls
- Integrated implementation guidance
- Plus: Biometric privacy requirements (Section 6.4)

**Section 7: Binding Assurance Standard & Implementation**
- 5 objectives, 15 controls
- Integrated implementation guidance

#### **Demonstration** (Prove Conformance)

**Section 8: Demonstrating Conformance**
- Preparing for assessment (8.1)
- Understanding assessment types (8.2)
- Conformance checklists by standard (8.3)
- Evidence documentation (8.4)

#### **Reference** (Look Up Details)

**Section 9: Reference Materials**
- Terminology and definitions (9.1)
- Authenticator types and specifications (9.2)
- Templates and forms (9.3)
- Related standards (9.4)
- EIVA clarification (9.5)
- Document history (9.6)

---

## How to Navigate Effectively

### Finding Specific Information

#### Use Section Numbers
All sections are numbered for easy reference:
- **Section 5**: Information Assurance Standard
- **Section 5.4**: Cybersecurity Requirements
- **Section 8.3.2**: FA Facilitation Checklist

#### Use Control IDs
All 109 controls have unique IDs you can search:
- **FA1.01**: Credential risk assessment
- **IA2.01**: Information accuracy verification
- **AA5.03**: Authenticator protection
- **BA3.02**: Binding evidence capture

#### Use Search (Ctrl+F / Cmd+F)
The document is designed for text search:
- Search for control IDs (e.g., "FA1.01")
- Search for terms (e.g., "biometric", "risk assessment")
- Search for standards (e.g., "NCSC", "Privacy Code")
- Search for section numbers (e.g., "Section 8.1")

#### Follow Cross-References
Throughout the document, you'll find links like:
- "See Section 2 for risk assessment methodology"
- "Refer to Section 8.3 for conformance checklists"
- "Review Section 9.1 for terminology definitions"

These links help you navigate between related content.

### Understanding the Table of Contents

Your markdown viewer will auto-generate a table of contents from the headings. Use this to:
- See the overall structure at a glance
- Jump to specific sections quickly
- Understand where you are in the document
- Navigate back to major sections

---

## How Standards and Guidance Work Together

### The Integrated Format

In Sections 4-7, standards and implementation guidance are integrated using a consistent pattern:

#### Standard Control (What You Must Do)

```
### Objective 1 — Credential risk is understood

#### FA1.01 Credential risk assessment

At all credential assurance levels, Credential Providers MUST conduct an
identification risk assessment using a risk assessment methodology based on
ISO 31000:2018, or an equivalent, and document the risks and mitigations adopted.

([DocRef](URL/))

Additional information: Counter-fraud controls are part of identification risk
assessment. Refer to Section 2 for risk assessment methodology.
```

**This is normative** (you must comply):
- Uses MUST/SHOULD/MAY language
- States requirements clearly
- Cannot be changed (authoritative standard text)
- Has DocRef citation for traceability

#### Implementation Guidance (How to Do It)

```
### Implementing FA1.01 — Conduct an identification risk assessment

Conduct an identification risk assessment to understand what identification risks
your service faces and what counter-fraud techniques are appropriate...

Use the methodology described in Section 2 to:
* Identify potential threat actors
* Assess likelihood and impact
* Select counter-fraud techniques
* Document your assessment

([DocRef](URL/))

> **Example**: A credential provider offering credentials for government services
> should assess:
> * Threat: External attackers attempting synthetic identity fraud
> * Likelihood: Medium (based on service value)
> * Impact: High (access to government entitlements)
> * Mitigation: Implement document verification and biometric binding
```

**This is advisory** (guidance to help you):
- Uses active voice ("Conduct", "Assess", "Consider")
- Provides practical steps
- Includes examples and context
- Has DocRef citation for traceability

### How to Use This Format

**When implementing**:
1. Read the **control statement** first (the MUST/SHOULD requirement)
2. Then read the **implementation guidance** (how to achieve it)
3. Review the **example** if provided (practical illustration)
4. Check the **Additional information** for cross-references

**When assessing conformance**:
1. Check the **control statement** (what's required)
2. Use the **checklist** in Section 8.3 (structured assessment)
3. Refer to **implementation guidance** for evidence expectations
4. Check **Additional information** for dependencies

### Visual Cues

Learn to recognize these patterns:

**Control headings** use `####`:
- `#### FA1.01 Credential risk assessment`

**Guidance headings** use `###` with "Implementing":
- `### Implementing FA1.01 — Conduct an identification risk assessment`

**Examples** use blockquote format:
- `> **Example**: Description of scenario...`

**Additional information** uses bold:
- `**Additional information**: Cross-reference details...`

---

## Using the Conformance Section (Section 8)

### Section 8 Is Your Implementation Roadmap

Section 8 is the largest section (47 pages) and provides everything you need for conformance.

### Before You Start: Section 8.1

**Read Section 8.1 first** to prepare:

**8.1.1: Threshold Considerations**
- Is conformance mandatory or voluntary for you?
- What resources do you need?
- How long will it take?
- What's the right conformance approach (self, qualified, audited)?

**8.1.2: Assembling Your Team**
- What roles do you need? (Project Sponsor, Technical Lead, Compliance Lead)
- What skills are required?
- Internal vs. external resources?

**8.1.3: Key Topics Before Starting**
- Understanding your service scope
- Identifying which standards apply
- Determining appropriate assurance levels
- Planning evidence collection

### During Implementation: Sections 8.2-8.3

**8.2: Understanding Assessment**
- Types of conformance assessment
- How the assessment process works
- What assessors look for
- Re-conformance requirements

**8.3: Conformance Requirements**
Use the checklists:
- **8.3.1**: FA Credential Establishment (FA1-FA5)
- **8.3.2**: FA Facilitation Mechanisms (FA6-FA13)
- **8.3.3**: IA and BA Combined (all IA + all BA)
- **8.3.4**: AA Authentication (all AA controls)

Each checklist shows:
- Control ID and description
- Evidence required
- Where to document evidence
- Yes/No/N/A checkboxes

### Organizing Evidence: Sections 8.3.5 and 8.4

**8.3.5: Downloadable Checklists and Evidence Codes**
- Descriptions of available checklists
- Evidence Code Reference (AUDIT1.1, AUDIT1.2, etc.)
- Cross-standard dependencies
- Evidence organization best practices

**8.4: Evidence Documentation**
- How to document evidence effectively
- Evidence types by control
- Documentation standards
- Submission requirements

### Evidence Organization Recommendation

Use this folder structure (from Section 8.3.5):

```
/conformance_evidence/
├── /risk_assessments/
│   ├── identification_risk_assessment_2024.pdf (AUDIT1.1)
│   └── privacy_impact_assessment_2024.pdf (AUDIT1.4)
├── /policies_procedures/
│   ├── credential_issuance_policy.pdf
│   └── information_security_policy.pdf
├── /technical_specifications/
│   ├── system_architecture.pdf
│   └── authentication_mechanisms.pdf
├── /operational_records/
│   ├── binding_ceremony_logs.csv
│   └── verification_transaction_logs.csv
└── /checklists_completed/
    ├── FA_credential_checklist_completed.md
    └── IA_BA_checklist_completed.md
```

---

## Understanding Key Concepts

### Assurance Levels

The standards use four types of assurance levels:

**LoIA (Level of Information Assurance)**: 1-4
- How sure you are that information is accurate
- LoIA1 (basic) → LoIA4 (very high)

**LoBA (Level of Binding Assurance)**: 1-4
- How sure you are that a credential belongs to the claimed person
- LoBA1 (basic) → LoBA4 (very high)

**LoAA (Level of Authentication Assurance)**: 1-4
- How sure you are that the person authenticating is the credential holder
- LoAA1 (basic) → LoAA4 (very high)

**LoFA (Level of Federation Assurance)**: 1-4
- How sure you are that federated assertions are trustworthy
- LoFA1 (basic) → LoFA4 (very high)

See Section 3 for detailed level descriptions and selection criteria.

### The Four Core Standards

**Federation Assurance (FA)**: 42 controls
- For Credential Providers (issue credentials)
- For Facilitation Providers (enable federation between services)
- Covers credential establishment and facilitation mechanisms

**Information Assurance (IA)**: 14 controls
- For all providers
- Covers information accuracy, security, retention, recovery

**Authentication Assurance (AA)**: 38 controls
- For all providers
- Covers authenticator types, lifecycle, strength, management
- Plus biometric privacy requirements

**Binding Assurance (BA)**: 15 controls
- For Credential Providers
- Covers binding credentials to people
- Evidence of binding ceremonies

### Conformance Types

**Self-assessment**:
- You assess yourself against the standards
- Suitable for low-risk, voluntary conformance
- Less rigorous, but quickest approach

**Qualified assessment**:
- Independent assessor reviews your implementation
- Suitable for medium-risk scenarios
- More rigorous than self-assessment

**Audited assessment**:
- Formal audit with evidence review and testing
- Required for DISTF and high-risk scenarios
- Most rigorous, provides highest confidence

See Section 1.2 and Section 8.2 for details.

---

## Special Content Sections

### Biometric Privacy Requirements (Section 6.4)

**When to read**: If you're implementing or assessing biometric authentication

**What's covered**:
- Privacy Commissioner's Biometric Processing Privacy Code 2025
- 13 mandatory privacy rules for biometric systems
- How privacy rules map to AA controls
- Privacy compliance checklist
- Legal compliance obligations

**Why it matters**: Mandatory law effective 3 November 2025. Biometric implementations must comply.

### NCSC Cybersecurity Requirements (Section 5.4)

**When to read**: If you're implementing information security for authentication systems

**What's covered**:
- NCSC 10 Minimum Cybersecurity Standards
- How NCSC standards complement identification standards
- Specific mappings to IA controls
- Implementation scenarios

**Why it matters**: Public service agencies must apply NCSC standards. This section shows how they integrate with identification standards.

### EIVA Clarification (Section 9.5)

**When to read**: If you're confused about EIVA's relationship to these standards

**What's covered**:
- The Electronic Identity Verification Act 2012 (EIVA) established the EIVA Service
- These Identification Standards are separate from EIVA
- The standards apply whether or not you use the EIVA Service
- The DISTF Act separates these frameworks

**Why it matters**: Clarifies that standards are technology-neutral and apply beyond EIVA.

---

## Tips for Effective Use

### For First-Time Readers

1. **Start with Section 1**: Get oriented before diving into technical content
2. **Understand your role**: Choose the right entry pathway (Section 1.4)
3. **Don't read linearly**: Jump to sections relevant to your immediate needs
4. **Use cross-references**: Follow links to related content
5. **Bookmark key sections**: Use your reader's bookmarking features

### For Implementers

1. **Risk assessment first**: Section 2 helps you understand what you're protecting against
2. **Know your levels**: Section 3 helps you determine appropriate assurance levels
3. **Read controls AND guidance**: Don't skip the implementation guidance; it provides context
4. **Look for examples**: Practical examples help clarify abstract requirements
5. **Plan for evidence early**: Section 8.3.5 shows what evidence you'll need

### For Assessors

1. **Use the checklists**: Section 8.3 provides structured assessment tools
2. **Understand evidence codes**: Section 8.3.5 explains AUDIT codes
3. **Check cross-standard dependencies**: Some controls depend on others (documented in Section 8.3.5)
4. **Read additional information**: Control "Additional information" notes dependencies
5. **Reference implementation guidance**: Helps understand evidence expectations

### For Everyone

1. **Use search liberally**: Control IDs, section numbers, and terms are all searchable
2. **Check Section 9 for definitions**: Don't assume you know what terms mean
3. **Follow DocRef citations**: Trace content back to official source documents
4. **Note the date**: Standards evolve; check Section 9.6 for version history
5. **Ask for help**: Contact the Identification Team if you need clarification

---

## Common Questions

### Q: Where did all the separate documents go?

**A**: They've been consolidated into this single document. The content is still here, just better organized. If you were used to a specific document, here's where to find it now:

- "Conforming with the Standards" β†’ Sections 1 and 8
- "Assessing Your Identification Risk" β†’ Section 2
- "Levels of Assurance" β†’ Section 3
- "Federation Assurance Standard" β†’ Section 4
- "Implementation Guidance" documents β†’ Integrated in Sections 4-7
- Checklists β†’ Section 8.3
- "Terms and Definitions" β†’ Section 9.1
- "Authenticator Types" β†’ Section 9.2

### Q: Can I print out just one section?

**A**: Yes. Copy the section you need to a new file, or use your reader's print function to print specific page ranges.

### Q: Are the checklists still available as separate files?

**A**: Yes. Section 8.3.5 describes the downloadable checklist files and where to find them. The checklists are also embedded in Section 8.3 for convenience.

### Q: What if I only need to conform with one standard (e.g., FA)?

**A**: You'll still need to read:
- Section 1 (conformance overview)
- Section 2 (risk assessment)
- Section 3 (assurance levels)
- Section 4 (FA standard and guidance)
- Section 8 (conformance assessment)
- Section 9 (reference materials as needed)

Note: Information Assurance (IA) applies to all providers, so you may need Section 5 too.

### Q: Where are the worked examples?

**A**: Practical examples appear throughout Sections 2-8, integrated where relevant. Look for blockquote format starting with "> **Example**:".

### Q: How do I know which controls apply to me?

**A**:
1. Section 1.2 "Is This Relevant to You?" helps determine if you need to conform
2. Section 2 risk assessment determines your risk level
3. Section 3 maps risk to required assurance levels
4. Controls in Sections 4-7 specify which levels they apply to (e.g., "At LoIA2 and above")

### Q: What's changed from the previous version?

**A**: See Section 9.6 for document history and the separate `13_changes_and_transformations.md` document for the comprehensive change log.

---

## Getting Help

### Need Clarification?

**Contact the Identification Team**:
- For conformance questions
- For assessment scheduling
- For technical interpretation
- For stakeholder consultation

**Check Related Standards**:
- Section 9.4 lists related standards (NCSC, Privacy Code, ISO/NIST)
- These may provide additional context

### Providing Feedback

Your feedback on this new structure is valuable:
- What's working well?
- What's confusing?
- What's missing?
- What could be improved?

Contact the Identification Team or the GCDO office with feedback.

---

## Document Maintenance

### Staying Current

**Check for updates**: Section 9.6 documents version history and changes

**Subscribe to notifications**: Ask the Identification Team about update notifications

**Review periodically**: Standards evolve; review annually or when planning new implementations

### When Standards Change

When standards are updated:
- Control text may change (check DocRef citations for latest)
- New controls may be added
- Guidance may be enhanced
- Section 9.6 will document changes

---

## Summary: Getting the Most from This Document

✅ **Use the right entry point** for your role (Section 1.4)

✅ **Don't read linearly** unless you're new to identification management

✅ **Follow the workflow** when implementing (Section 1 → 2 → 3 → 4-7 → 8)

✅ **Use search and section numbers** to find specific information quickly

✅ **Read controls AND guidance** together in Sections 4-7

✅ **Start with Section 8.1** before beginning conformance work

✅ **Use the checklists** in Section 8.3 for structured assessment

✅ **Organize evidence early** using guidance in Section 8.3.5

✅ **Check Section 9** for definitions and specifications

✅ **Follow cross-references** to understand relationships between topics

This consolidated structure is designed to make your work easier. Take time to explore and familiarize yourself with the layout; it will pay off in improved efficiency and understanding.

**Welcome to the new Identification Standards. We hope this structure serves you well.**

---

**Guide Prepared**: 2025-11-20
**For Document**: identification_standards_consolidated.md
**Stage 13 Task**: User Guide for New Structure
**Status**: COMPLETE