Making Sense of ISO, IEC, and the Standards Maze
“If you’ve followed me for any length of time, you know I’m a huge fan of open standards organizations… even as I challenge what ‘open’ actually means.”
(Yes, there’s a blog post about that, too.) But as much as I love standards efforts that don’t gate participation or the free use of their standards, you can’t ignore the big players in the standards space.
Which brings us to today’s topic: the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
And if you work in digital identity, wallets, or credential formats, you are going to run into ISO and ISO/IEC work whether you intend to or not.
Why it’s called “ISO”
Quick trivia break.
The three official names of the organization—in English, French, and Russian—do not produce the acronym “ISO.” According to ISO itself, the founders chose the short name from the Greek word isos, meaning equal, specifically to avoid privileging any one language.
Neutrality taken a bit too far? Maybe. Maybe not. Either way, we all just call it ISO and move on.
What ISO actually is
ISO was formed in 1946, right after World War II. Today, it includes 175 national members, has published more than 26,000 standards, and coordinates the work of hundreds of technical committees and subcommittees. That scale alone tells you something important: ISO is less a single organization and more a global coordination mechanism.
The key line—the one that explains most of the confusion about participation—is that the International Organization for Standardization is a network of national standards bodies. That structure shapes almost everything about how ISO works.
Participation in ISO does not typically happen at the individual level. Instead, engagement usually flows through your country’s national standards body. Depending on where you live, that might be relatively straightforward… or it might involve a surprising amount of administrative gravity. In some countries, participation pathways are well documented and accessible. In others, the process can feel opaque or slow-moving.
Your mileage will vary.
The astonishing breadth of ISO work
One of the more fascinating things about ISO is just how wide the scope is. Its standards cover everything from fire classification to cleanroom particle measurements to quality management systems. It’s a reminder that ISO is fundamentally industry infrastructure, not just a tech standards body.
But if you work in technology, and especially digital identity, you’ve probably noticed something else:
You rarely see just “ISO.”
You see ISO/IEC.
Enter the IEC
To understand that slash, it helps to look at ISO’s long-standing partner, the International Electrotechnical Commission.
IEC is actually older than ISO. It was founded in 1906, back when electricity was still very much in its experimental era, and global coordination was becoming urgently necessary. Early IEC work focused on terminology, symbols, and machine ratings—the kind of foundational work that quietly enables global interoperability.
If you’ve ever appreciated that electrical measurements and symbols are broadly consistent worldwide, you can thank IEC for much of that stability.
At a high level, the division of labor is fairly clean. ISO covers an enormous range of industries and domains, many of which have nothing to do with electronics. IEC, by contrast, focuses specifically on electrical and electronic technologies and tends to operate at a deeper technical level within that space.
Formal joint work between the two organizations dates back to the mid-1970s and is documented today in Annex B of ISO/IEC Directives, Part 1 Procedures for the technical work — Consolidated ISO Supplement — Procedures specific to ISO. Today, their collaboration is most visible through shared technical structures that underpin much of modern IT standardization.
From a practitioner’s point of view, participating in IEC is broadly similar to ISO. IEC also works through national structures. (ISO formally refers to these as Member Bodies; IEC uses the term National Committees. In joint work, the ISO/IEC Directives generally use National Body as the neutral term.) If you want to contribute, the official guidance is to contact your country’s IEC National Committee, which appoints experts to participate in the technical work. (In the U.S., ANSI serves as the ISO member body and administers the U.S. National Committee to the IEC.)
In other words, IEC is not a shortcut around the national-body model. The governance details differ, but the practical experience of getting involved is often more alike than different.
The committee maze (because of course there’s a maze)
Once you get inside the ISO and IEC ecosystem, the structure gets… intricate.
Technical committees are formally established through each organization’s governance processes, typically in response to proposals from national bodies or other parts of the system. From there, committees can spin up subcommittees, working groups, and various supporting bodies to carry specific pieces of work forward. Some of these groups are long-lived; others are intentionally temporary and dissolve once their task is complete.
If you want a sense of just how structured the ISO environment can be, the ISO participant training guide (“My ISO job”) is worth a look. It walks through the formal lifecycle of technical committees, subcommittees, and working groups in considerable detail. While IEC and joint ISO/IEC work follow their own directive sets, the document gives a useful feel for the level of procedural rigor these environments typically expect.
The details vary across ISO, IEC, and joint ISO/IEC work, but the overall pattern is consistent: the system is deliberately layered and highly structured. If these environments sometimes feel procedurally dense compared to open standards bodies, this architecture is a big part of the reason.
This layered structure is not just background context: it directly shapes how joint bodies like JTC 1 operate.
Where most IT work actually happens: JTC 1
If you work in digital identity or broader IT standards, there is one structure you need to know about: ISO/IEC JTC 1 — the Joint Technical Committee for Information Technology.
This is where most of the ISO/IEC technology work lives, including many identity-relevant efforts. Under JTC 1 sit numerous subcommittees, each focused on specific domains.
One important nuance: when work is published jointly as ISO/IEC—particularly through JTC 1—it does not exactly follow ISO-only procedures (though it’s fairly close). Instead, the work is governed by the ISO/IEC Joint Technical Committee directives, which harmonize processes between the two organizations.
In practice, this means many of the structural concepts discussed here still apply, but the detailed mechanics, especially around balloting and submission pathways, operate under the joint ISO/IEC ruleset. (See ISO/IEC Directives, Part 1, Consolidated JTC 1 Supplement 2022 — Procedures specific to JTC 1 if you would like the full, gory details.)
For identity practitioners, some of the most relevant work has historically appeared in areas like SC 17 (cards and personal identification), SC 27 (IT security techniques), and SC 37 (biometrics). This is also where work such as ISO/IEC 18013-5 and 18013-7 (mobile driver’s licenses), ISO/IEC 29115 (identity assurance), and ISO/IEC 23220 (digital wallets, or more accurately, ISO/IEC 23220-1:2023 Cards and security devices for personal identification – Building blocks for identity management via mobile devices – Part 1: Generic system architectures of mobile eID systems) enters the global standards ecosystem. (I’ve never been more grateful for generic standards labels than when referring to ISO and ISO/IEC specifications.)
If your product roadmap touches government identity, wallets, biometrics, or regulated credentials, odds are good that JTC 1 work will matter to you eventually.
How other SDOs end up publishing with ISO/IEC
One additional wrinkle that surprises many practitioners, especially those coming from consortium or open-source environments, is how work from outside ISO/IEC sometimes appears under the ISO/IEC banner. If you’ve ever wondered why a specification from your favorite SDO suddenly shows up as an ISO/IEC standard, you are not imagining things. There is a formal pathway for that.
Within JTC 1, one of the key mechanisms is the Publicly Available Specification (PAS) transposition process, described in JTC 1 Standing Document 9 (SD-9).
At a high level, the PAS process is designed to provide a faster path for externally developed specifications to become ISO/IEC International Standards. Instead of starting from scratch inside JTC 1, an approved external organization can submit an existing specification for ballot and potential adoption.
This is not a free-for-all. Organizations must first be approved as PAS submitters, and the submission package includes not just the specification text but also an explanatory report intended to help national bodies evaluate what is being proposed. The submitted work then goes through the JTC 1 ballot process at the DIS (Draft International Standard) level for approval.
In practical terms, PAS transposition serves several purposes at once:
- It gives externally developed work the formal weight of an ISO/IEC International Standard.
- It allows fast-moving technical communities to avoid the full ISO development timeline.
- It creates a bridge between consortium/open-source specifications and national-body standardization.
But—and this will not surprise anyone who has spent time in standards land—the tradeoffs are real.
PAS submissions still have to survive national body review. Editorial alignment requirements are strict. And once transposed, the maintenance expectations and governance model can look quite different from the originating community.
For readers who have watched their SDO “go ISO,” SD-9 is often the missing piece of the story and describes what you can expect going forward.
PAS vs Fast Track vs Transposition, what’s the difference?
If you’ve seen work from another standards body suddenly appear as an ISO/IEC standard, you’re likely looking at some form of transposition.
In JTC 1 land, transposition is the umbrella concept: it refers to adopting a specification developed outside ISO/IEC and progressing it through the ISO/IEC approval process.
Two of the most common pathways are PAS and Fast Track.
- PAS (Publicly Available Specification) is a structured mechanism for approved external organizations to submit mature specifications directly into the JTC 1 ballot process. It is commonly used by industry consortia and forums that maintain ongoing relationships with ISO/IEC.
- Fast Track is a broader acceleration procedure that allows an existing standard from a recognized body to move quickly into ISO/IEC balloting. It is less tightly coupled to the PAS submitter framework.
Both routes aim to avoid re-developing mature work from scratch, but they differ in governance expectations, eligibility, and how the submitting organization interfaces with JTC 1.
Like most things in the ISO ecosystem, the mechanics matter, but so do the institutional relationships behind them.
How ISO/IEC decides what to standardize
Both ISO and IEC are very explicit about one thing: they do not wake up one morning and decide to invent a standard for funsies.
In theory, new work begins when a market need is identified. Typically, an industry sector or stakeholder community approaches its national standards body, which then brings the proposal forward. Technical committees composed of global experts develop the work, and the resulting standard must ultimately reach consensus.
ISO, in particular, emphasizes that its standards are market-driven, developed by global experts, and developed through a multi-stakeholder process. All of that is directionally true.
It is also worth remembering that, in practice, consensus tends to reflect who is able to show up consistently and sustain participation over time. That is not unique to ISO, but the national delegation model makes the participation dynamics more visible.
The business reality (because every SDO has one)
One thing that becomes clear fairly quickly when you spend time around standards bodies is that every SDO has to answer the same practical question: how does the work get funded?
ISO is no exception, and neither is the IEC. While both organizations emphasize consensus and global expert participation (which are real), there is also an underlying economic model that shapes behavior across the ecosystem.
Different standards organizations solve the funding question in different ways. Some lean heavily on membership dues. Others build around open participation but monetize certification programs or events. ISO and IEC both place significant weight on the value of their published standards and the conformity or certification ecosystems that form around them, particularly in regulated and industrial sectors.
Even when work is developed jointly as ISO/IEC, the institutional economics do not disappear. The standards still sit within systems designed for global adoption, formal recognition, and, yes, paid distribution.
That financial gravity subtly influences things like document access, participation patterns, and how quickly different communities can engage. None of this is unique to ISO or IEC, but it is an important piece of context that often goes unspoken in technical conversations.
What participation actually feels like
From everyone I’ve spoken with—and to be clear, I have not personally sat inside a JTC 1 sub-committee or working group—the working culture tends to be notably formal and delegation-driven.
Participants are typically present as representatives of their national bodies or affiliated organizations. That framing matters. It creates a different tone in the room compared to environments where individual contribution is the primary cultural norm.
This stands in sharp contrast to the IETF’s long-standing, useful fiction that participants show up purely as individuals. I call it a useful fiction because, in practice, most people involved in standards work have some form of institutional backing. Travel, time, and sustained engagement rarely happen without it. Even those of us who operate independently often have sponsors or client relationships somewhere in the background, even if we’re contractually neutral parties (like me). And yet, it’s an important distinction between “Jane Doe said” and “Big Tech Org or Government Representative said.”
Still, the cultural distinction is real. In ISO/IEC environments, the delegation model is explicit. In the IETF, it is deliberately deemphasized. That difference alone can significantly shape how discussions unfold, how consensus is measured, and how quickly work moves.
Why participation can feel harder than it looks
On paper, ISO and IEC both provide pathways for engagement through national standards bodies. In practice, the experience can vary significantly depending on how a given national body structures its mirror committees and delegation processes.
ISO and IEC intentionally delegate the mechanics of participation to their national members. Some national bodies publicly encourage broad expert involvement, while others rely more heavily on formal membership, nomination, or delegation structures. The result is that on-ramps are not uniform across countries and are not always obvious from the outside.
This variability is one of the least understood features of the ISO/IEC ecosystem. It also helps explain why networking often becomes the most effective entry point. Finding someone already active in the work and understanding the national process usually produces better results than sending a cold inquiry into the void.
None of this makes participation impossible. But compared to open standards environments, it is rarely easy.
Quick comparison: ISO vs IEC vs IETF
For readers coming from the Internet standards world, the cultural differences are often easiest to see side by side:
| Feature | ISO | IEC | IETF |
|---|---|---|---|
| Participation model | National delegation | National delegation | Individual (nominally) |
| Scope | Broad industry | Electrical/electronic | Internet protocols |
| Meeting culture | Formal | Formal | Informal / rough consensus |
| Access path | Via national body | Via national body | Open mailing lists |
| Typical output style | Structured, formal | Highly technical (domain) | Running code + drafts |
None of these models is inherently better. But they do produce very different dynamics.
Why this matters more right now
For many years, teams working in digital identity could comfortably focus most of their attention on open standards bodies. That’s no longer true.
As digital wallets, mobile credentials, and regulated identity systems move toward national and cross-border deployment, ISO and ISO/IEC work is showing up more directly in product roadmaps. At the same time, browser changes, platform controls, and regulatory pressure are reshaping the technical and policy environment around identity systems.
The result is a convergence moment. Identity architects and product leaders are increasingly operating at the intersection of multiple standards cultures, each with its own expectations, timelines, and participation models.
Understanding how ISO and IEC work—not just in theory, but in practice—is becoming table stakes for anyone building identity infrastructure intended to operate at very large scale.
Final thought
ISO and IEC, both individually and through their joint work, are cornerstones of global standardization. But they operate on participation and governance models that look very different from many internet-native standards bodies.
Understanding those distinctions matters, especially as digital identity, wallets, and credential formats increasingly intersect with both worlds.
The real question is not simply whether these systems are open. It is who can realistically participate, how decisions accumulate over time, and where institutional gravity ultimately sits.
That’s where things start to get interesting.
Transcript
Introduction to the Standards Maze
00:00:00
Welcome to the Digital Identity Digest, the audio companion to the blog at Spherical Cow Consulting. I’m Heather Flanagan, and each week I explore important topics across the digital identity landscape.
Specifically, we dive into areas such as:
- Credentials and authentication frameworks
- Internet and identity standards
- Browser behavior and technical quirks
- Policy and governance developments
If you work in digital identity but don’t have time to track every new specification or hype cycle, you’re in the right place.
00:00:26
Let’s get into it.
Why ISO and IEC Matter
00:00:30
Welcome back. If you’ve followed my work for a while, you know that I’m a big supporter of open standards organizations—even while questioning what “open” actually means. I explored that topic in a blog post last year.
However, even if you prefer open standards bodies, it’s impossible to ignore the major institutional players in the global standards ecosystem.
That brings us to today’s topic:
- ISO – the International Organization for Standardization
- IEC – the International Electrotechnical Commission
00:01:00
If you work on digital identity wallets, credential formats, or government identity systems, you will almost certainly encounter ISO or ISO/IEC standards.
Therefore, it’s worth understanding:
- What these organizations actually are
- Why they operate the way they do
- Why their processes often feel different from more open standards communities
A Quick Bit of ISO Trivia
00:01:23
Before we dive deeper, here’s a quick bit of trivia—because standards communities love trivia.
00:01:28
The acronym ISO doesn’t actually come from the English, French, or Russian versions of the organization’s name.
Instead, the founders deliberately chose “ISO” from the Greek word isos, meaning equal.
The goal was simple:
- Avoid privileging one language over another
- Maintain neutrality in a global organization
00:01:47
Neutrality taken a bit far? Perhaps.
But it does reveal something about the mindset behind the organization’s creation.
What ISO Actually Is
00:01:57
ISO was founded in the late 1940s, shortly after World War II. At that time, global coordination on industrial standards was becoming increasingly important.
Today, ISO includes:
- 175 national member bodies
- 26,000+ published standards and documents
- Hundreds of technical committees and subcommittees
00:02:19
That scale is important to understand.
ISO isn’t really a single centralized organization. Instead, it functions as a network of national standards bodies.
This structure explains much about how ISO operates.
The National Body Model
00:02:36
Participation in ISO does not typically happen:
- At the individual level
- Directly through companies
Instead, engagement usually happens through your country’s national standards body.
ISO refers to these as member bodies, while IEC often calls them national committees.
In simple terms:
Your country acts as the gatekeeper.
00:03:03
Depending on where you live, engaging with this system can feel either:
- Straightforward and accessible
- Bureaucratic and politically complex
In other words, your mileage will vary depending on the country.
The Enormous Scope of ISO
00:03:20
One of the most fascinating aspects of ISO is the sheer breadth of its work.
ISO standards cover everything from:
- Fire classifications in building codes
- Clean room particle measurements
- Screw thread measurements
Yes—even the exact shape of a screw thread can be standardized globally.
00:03:43
Technology standards are only one part of ISO’s work.
At its core, ISO provides industrial infrastructure for global interoperability.
Enter the IEC
00:04:01
In technology discussions, you often see ISO/IEC referenced together.
To understand why, we need to look at ISO’s long-standing partner:
The International Electrotechnical Commission (IEC).
00:04:07
Interestingly, the IEC is older than ISO.
It was founded in 1906, during a time when electricity was rapidly expanding worldwide.
Its early work focused on foundational concepts such as:
- Electrical terminology
- Symbols
- Machine ratings
These may sound mundane, but they enabled global interoperability.
00:04:31
If you’ve ever noticed that electrical measurements are consistent around the world, the IEC deserves much of the credit.
After all:
A volt is a volt everywhere.
How ISO and IEC Divide Their Work
00:04:41
The division of responsibilities between the two organizations is relatively clear.
ISO focuses on:
- A broad range of industries
- Cross-sector standards
IEC focuses on:
- Electrical technologies
- Electronic systems
- Deep technical work in those areas
00:05:00
Formal collaboration between the two organizations began in the mid-1970s.
Today, their cooperation appears primarily through joint technical structures, especially in IT standardization.
Participating in ISO or IEC
00:05:14
From a practitioner’s perspective, participation in the IEC is very similar to participation in ISO.
Both rely on national structures.
To contribute, the official process is to contact your country’s national committee.
That committee then appoints experts to technical work.
00:05:35
For example, in the United States:
- ANSI serves as the ISO member body
- ANSI also administers the U.S. National Committee to the IEC
Therefore, IEC participation is not a shortcut around the national body model.
Inside the ISO and IEC Structure
00:05:56
Once you enter the ISO/IEC ecosystem, the structure becomes quite layered.
The hierarchy typically includes:
- Technical committees
- Subcommittees
- Working groups
- Supporting bodies
00:06:13
Some groups operate for decades, while others are temporary and dissolve once their work is complete.
This complexity is intentional.
The system is designed to support:
- Long-term coordination
- Formal governance
- Global consensus processes
The Role of JTC1 in Technology Standards
00:07:20
If you work in digital identity or IT standards, there is one structure you absolutely need to know about:
ISO/IEC Joint Technical Committee 1 (JTC1).
This committee is responsible for most information technology standardization within ISO and IEC.
00:07:36
Under JTC1 are multiple subcommittees, including several highly relevant to digital identity.
Examples include:
- SC17 – Cards and security devices
- SC27 – Information security
- SC37 – Biometrics
These committees manage key standards such as:
- ISO/IEC 18013-5 – Mobile driver’s licenses
- ISO/IEC 29115 – Identity assurance
- ISO/IEC 23220 – Digital wallets
00:08:18
And yes—the specification titles can be extremely long.
Sometimes the number is easier than the title.
The PAS Fast-Track Process
00:08:41
One surprising aspect of the ISO/IEC ecosystem is how work from external organizations can appear within JTC1.
One major mechanism is the Publicly Available Specification (PAS) process.
00:09:15
PAS provides an accelerated path for externally developed specifications to become ISO/IEC standards.
Key points include:
- Approved organizations can submit existing specifications
- National bodies review the proposal through ballots
- The specification may then become an international standard
However, this process is not open to everyone.
Organizations must first be approved as PAS submitters.
00:10:04
Once adopted into ISO/IEC, the specification becomes subject to ISO governance and maintenance models, which may differ significantly from its original community.
The Economic Reality of Standards
00:10:16
Every standards organization faces the same fundamental question:
How is the work funded?
ISO and IEC are no exception.
00:10:34
Their economic model relies heavily on:
- Selling standards documents
- Certification and conformity ecosystems
These revenue streams support the large secretariats required to coordinate global standards development.
00:11:04
This financial structure affects several aspects of participation:
- Document access
- Participation models
- Community engagement speed
Why Identity Professionals Should Pay Attention
00:11:28
Historically, many digital identity teams focused primarily on open standards organizations, including:
- IETF
- W3C
- OpenID Foundation
These groups produced technologies such as:
- OAuth
- Verifiable credentials
- OpenID for verifiable presentations
00:12:37
However, as digital wallets and mobile credentials move toward government and cross-border deployment, ISO and IEC standards are increasingly shaping product roadmaps.
As a result, identity architects now operate across multiple standards cultures, each with different:
- Governance models
- Participation expectations
- Development timelines
Final Thoughts on ISO, IEC, and Global Standards
00:13:22
ISO and IEC remain cornerstones of global standardization.
However, their governance and participation models can feel unfamiliar to those used to open standards environments.
00:13:42
International politics also play a larger role than many engineers expect.
Understanding this landscape is essential if you plan to engage with:
- Government identity initiatives
- Regulated digital credential systems
- International interoperability frameworks
00:14:05
Above all, patience is required.
Standards development at this scale is:
- Complex
- Slow
- Deeply procedural
But it is also foundational to global interoperability.
Closing
00:14:29
That’s it for this week’s episode of the Digital Identity Digest.
If this episode helped clarify the standards maze, consider sharing it with a colleague.
You can also connect with me on LinkedIn @hlflanagan.
And if you enjoy the show:
- Subscribe to the podcast
- Leave a rating or review
- Visit sphericalcowconsulting.com for the full written post
Stay curious, stay engaged, and let’s keep the conversation going.
