Trust framework certification
Updated 26 January 2023
© Crown copyright 2023
This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.
Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.
This publication is available at https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version/trust-framework-certification
This is guidance on how organisations can become certified against the UK digital identity and attributes trust framework.
Overview
Any organisation who wants to participate in the UK digital identity and attributes trust framework (henceforth the ‘UK DIATF’) must be certified. An approved certification body will manage the certification process on behalf of the UK DIATF under UKAS accreditation.
The UK DIATF is currently in its third version, and a wide-ranging testing programme is underway to further improve it. Our programme page provides more details on our broader policy approach.
Organisations can already undergo certification against the UK DIATF.
The certification process will follow the standard ISO 17065 Conformity assessment — Requirements for bodies certifying products, processes and services, which outlines how an organisation is certified by a certification body and the certification body’s role in certification.
Before certification starts
Before contacting a certification body, you should:
- read and familiarise yourself with the UK DIATF document
- understand the UK DIATF rules as detailed in the document
- decide on the role you want to play in the UK DIATF
- decide on the schemes you wish to certify against (such as the right to work, right to rent and Disclosure and Barring Service schemes)
- contact the DCMS certification team to conduct a pre-assessment, providing a high-level measure that you meet minimum requirements
- selected a certification body from the approved list
Undergoing certification
Step 1: Starting to work with a certification body
First, you should make contact with one of the certification bodies that are approved by DCMS to provide auditing and assessment for the UK DIATF.
You should then agree to the relationship and normal terms and conditions. The engagement and contract for certification is between yourselves and the certification body.
If there is any chance that a conflict of interest may arise from your choice of certification body, the certification body in question will notify you of this and suggest you make alternative arrangements. This is to ensure that all parties are protected.
Some scenarios where a conflict of interest could arise are:
- the director of an organisation having a commercial relationship with an employee (or any of that employee’s family members) at a certification body auditing the financial accounts of an organisation
- the people providing certification activities for an organisation having been involved in delivering any kind of consultancy for that organisation
- Any staff member of a certification body holding shares in a client’s organisation or vice versa
- A member of a certification body holding a position on the board of the potential client’s company
Please note that this list is non-exhaustive.
Using a certification body that already certifies you against a standard, such as ISO 27001, is not considered problematic, and may in fact be beneficial.
You should answer any questions the certification body has at this stage, and throughout the certification process.
Step 2: Being asked for evidence
If you decide to work together, you may find the certification body asks you to complete a statement of conformity so that they can see what existing certifications are in place. This is to help with the scoping of evaluations later on and provides evidence of the certificates you hold and how long before they expire.
Rather than ask for a statement of conformity, a certification body may supply you with their own scoping document.
Step 3: Assessment of the application
The certification body will assess your application and decide if you can continue with the application for certification immediately or whether you need to consider increasing maturity in some area. Please note, this does not constitute a gap analysis. It is to avoid you incurring unnecessary costs and effort.
To help them decide, they may use:
- the pre-assessment criteria (if you have decided to complete)
- the application form
- the statement of conformity (or certification body’s scoping document)
- any additional evidence you have provided
It may be the case that you have alternative certifications, which may still meet the UK DIATF’s rules and standards. There will be a list of alternative standards that are acceptable to the certification process. The certification body will be aware of these and take these into consideration.
The certification body should now let you know how to proceed with your certification application. If they feel you are not ready, they will advise you on what to do next.
Step 4: Starting the assessment
If you can continue, you will need to:
- provide a description of your service, this is one of the certification documents
- complete the ‘Requirements for all UK DIATF Participants’ criteria and the other criteria documents that are relevant to you and must be met
The certification body should provide you with guidance on:
- the level of detail you need to provide
- any specific areas to focus on in your application
They will ask you for any evidence you need to provide at this stage.
Step 5: Assessment of the evidence
The certification body will assess the information you have provided.
They will contact you and:
- discuss the evidence provided
- ask for any further evidence if needed
- answer any questions you may have
- discuss the next steps in your certification journey
The certification body will undertake a documentation review and assessment. For full certification, this is a Stage 1 assessment.
They will then carry out a Stage 2 assessment. This will be scoped and arranged in keeping with standard evaluation and assessment practices.
The certification body will contact you to let you know:
- how long they expect the assessment to take
- possible dates for the evaluation/assessment
- what they will need to see during the evaluation/assessment process
- who they need to see
- what they will be testing
You should find a date that suits you both, when you can be certain that everyone who needs to participate will be available and the auditor has everything they need.
Step 6: The result of the assessment
After the above steps, the auditor(s) working for the certification body will make an independent assessment and provide you with feedback. This is generally done during a close out meeting. They will complete a certification feedback report.
They will check that your organisation meets:
- the UK DIATF’s standards and rules
- the base criteria and any other criteria relevant to you
The feedback report will list:
- when and how the evaluation(s) was performed
- the participants
- the areas, controls and assets assessed
Findings will be categorised as either issues, minor non-conformities, major non-conformities and corrective actions. If any of these need further action, the report should provide a timescale for when these need to be fixed.
For some organisations the next step will be to address any actions before the certification body will confirm their final decision. Otherwise, the decision to grant certification will be made and you will be informed of this as the outcome of the assessment.
Step 7: Publication of the certificate
When the decision is made that you have met the requirements and may be awarded a certificate, the certification body will contact DCMS and the certification will be uploaded to the GOV.UK webpage.
Step 8: Ongoing surveillance assessments
It is expected that surveillance assessments will be carried out annually and that these will require a completed recertification feedback report by the certification body.
Step 9: Regular Assurance
DCMS will carry out regular assurance on certifications awarded to ensure that all certifying bodies are applying fair and equal criteria.
Step 10: Governance with DCMS
At regular times throughout the year, probably quarterly, the certification bodies will submit a report to DCMS that provides information on the number of certification assessments carried out and the outcomes. This is to ensure that all organisations going through certification can have confidence that all certifications are carried out to the same level of quality, fairness and integrity.
Contact us
Please contact the certification team at digitalidentity-certification@dcms.gov.uk if you are looking to become certified or if you have any other questions.
If you are interested in our broader policy programme, you can find more information at our programme page.