ISO/IEC 30107: A certification scheme for biometric products and services

May 2023 is marked by the official launch of our ISO/IEC 30107 standard certification scheme, made in partnership with CLR Labs, and our first certificate was issued for the VideoIdent, a product from IDnow.

What is the ISO/IEC 30107 standard? How does the LSTI/CLR Labs partnership work on this certification scheme? Who is concerned about this certification? Here are some answers.

The standard

Published in 2017, the ISO/IEC 30107 standard defines the security measures and the tests that need to be carried out to prevent attacks and protect remote identity verification systems.

It defines the possible attacks during the capture of biometric data during the process of identity verification. These attacks are called “Presentation attacks” and the mechanisms to detect them are called “Presentation Attacks Detection” or PAD. This is the reason why the standard covers both the security measures to be put in place and the tests to be carried out to assess their safety.

The certification

The certification scheme on this standard is possible thanks to the partnership between CLR Labs and LSTI.

All tests and evaluation work are carried out by CLR Labs, which includes testing with presenting attacks (type 1 attacks) but also by injecting biometric data (type 2 attacks).

LSTI then steps in to assess the conformity of these evaluations and issue the ISO/IEC 30107 certificate for the product or service assessed.

To this date, the only certification scheme available was from the United States. In Europe, only compliance projects have been carried out so far. A certification offer made in Europe is therefore now on the market to certify and guarantee remote identity verification offers.

The products and services concerned

This certification scheme can apply to many products and services such as:

  • Identity enrollment stations and booths
  • Automatic border crossing gates,
  • Biometric readers,
  • “Entry-exit” systems,
  • Digital wallets,
  • Trust service providers
  • And all other products with biometric technologies.

This certification is therefore aimed at any company in the field of remote identity verification that wishes to offer an additional guarantee of the security of its products and services.

For more information, contact us.

The press release

IPSP certification: one year later

A year ago, we added the remote ID proofing provider qualification to our offers for companies « PVID », according to the standard created by the ANSSI, the French Cybersecurity Agency, and at the same time the certification according to the technical specification of ETSI TS 119 461 for Identity Proofing Service Provider (IPSP).

In Europe, being certified according the ETSI TS 119 461 standard enables a company to declare that the remote identity verification service provided is equivalent to being there in person in terms of reliability (article 24 1 d).

To offer a complete service (conformity assessment but also computer and physical tests of biometric effectiveness), LSTI is working in collaboration with STELAU and CLR Labs.

Focus on LSTI business since we added this new feature to our company service catalog:

  • On the French level

LSTI SAS and its partners STELAU and CLR Labs have carried out several PVID assessments. Qualification decisions should be published soon.

  • On the European level

LSTI Worldwide has also started conformity assessment to the ETSI 119 461 standard for several service providers in various European countries, some of which have legislated on the subject. The first ETSI 119 461 certificate was issued by LSTI in early July 2022.

ISO/IEC 27001: focus on this international standard

ISO/IEC 27001 is an international standard on how to manage information security. Originally it was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2005, then revised in 2013. In Europe, an update was published in 2017.

The official title of this standard is “Information technology — Security techniques — Information security management systems — Requirements”

This standard precises requirements for establishing, implementing, maintaining and continually improving an information security management system (ISMS). The purpose of an ISMS is to help organizations make their information assets (i.e., financial information, intellectual property, employee details or information entrusted by third parties) more secure.

Organizations that meet these requirements can choose to be assessed through an audit then certified by an accredited certification body, such as LSTI Worldwide.

ISO/IEC 27001:2013 has ten short clauses and a long annex, which cover:

  1. Scope of the standard
  2. How the document is referenced
  3. Reuse of the terms and definitions in ISO/IEC 27000
  4. Organizational context and stakeholders
  5. Information security leadership and high-level support for policy
  6. Planning an information security management system; risk assessment; risk treatment
  7. Supporting an information security management system
  8. Making an information security management system operational
  9. Reviewing the system’s performance
  10. Corrective action
    Annex A: List of controls and their objectives

Like any other management system standards, being certified to ISO/IEC 27001 is possible but not mandatory. Some organizations choose to implement the standard to benefit from the best practice it contains, whilst others decide they want to get certified to reassure customers.

Historically, LSTI Worldwide second main service is ISO/IEC 27001 audit and certification. If you would like to get your company certified, contact us.

eIDAS: what is this European regulation about?

The main activity of LSTI Worldwide is eIDAS certification assessment. But what is the eIDAS regulations?

“eIDAS” is the abbreviation for “electronic IDentification And trust Services”. It refers to a range of specific services that include verifying the identity of individuals and businesses online and verifying the authenticity of electronic documents. To simplify, it ensures secure cross-border transactions.

This standard was established in EU Regulation 910/2014 of July, 23rd 2014 on electronic identification and revokes the 1999/93/EC regulation from December, 13th 1999. The eIDAS regulation has been enforceable across the EU since July, 1st 2016.

The trust services covered by eIDAS include:

eIDAS qualified services

  • Advanced and Qualified electronic Signatures associated to a legal or natural person;
  • Advanced and Qualified electronic Seals associated to a legal person;
  • Qualified validation for Qualified Electronic Signatures and seals;
  • Qualified preservation of Qualified Electronic Signatures and seals;
  • Time stamping;
  • Electronic delivery services;
  • Website authentication.

The purpose to have qualified and trust services is to increase confidence in the use of electronic transactions through mechanisms – such as verifying the identity of individuals and businesses online or verifying the authenticity of electronic data – which are more present in our activities nowadays.

Companies which have been qualified according the eIDAS standards for their services are called Trust Service Providers (TSPs).

LSTI Worldwide activity is to audit and assess companies which provide the services mentioned above. Based on the result of their audit, a company could be qualified as a Trust Service Provider and is granted a certificate to prove their trustworthiness and the quality of their services.

All LSTI Worldwide customers assessed and qualified as TSP can be found on our online register, or on demand through the contact form (select Communications as subject).

More info on our dedicated page and on the EU websites:

2021: let’s summarize what happened

The beginning of the year is the time dedicated to assessments and resolutions, let’s take a look at LSTI’s activity in 2021.

A New Service Offer Added

A service has been added to our catalog:

PVID* company certification, the latest qualification set up by the ANSSI, the French agency for cybersecurity, for Remote Identity Verification Service Providers. We offer this service for our French customers but also international ones, believing that such certification can benefit any company worldwide.

*PVID: French Acronym for Prestataires de services de Vérification d’Identité à Distance, meaning Remote Identity Verification Service Providers.

New Members Joined Our Team

2021 was also marked by the strengthening of the LSTI team. In the French team, a full-time auditor has joined us, who works specifically on the PASSI qualification, but also a management assistant dedicated to company certifications. A new member has also joined us to manage the activity of LSTI Worldwide.
Despite the ongoing health crisis, the group has a constant and growing activity which makes it possible to hire additional people.

We are also always opened for partnerships, as partner training organizations (for French-speaking countries only) or partner auditors.

The LSTI Group Joined an International Group

The end of 2021 marked a turning point for LSTI: the group joined Apave, a French group specialized in professional risk management, with a global influence and market.

What does this actually change for our customers? Nothing. Our philosophy, our activity and our integrity remain unchanged.

And for our partners? It does not change anything either, because we are still dealing directly with them.

Being part of the Apave Group allows us to benefit from the support and reputation of a international company and with long-standing experience in the management of professional risks.

And for 2022?

This year trend is the PVID certification:

  • After the first customer requests last year, audits and qualifications are progressing;
  • The European counterpart to the ANSSI standard, the ETSI TS 119 461 standard, will contribute to the growing demand in Europe.

Check our social networks and our news section regularly not to miss any new feature happening in 2022!

LSTI has joined Apave

As the cybersecurity market in France, but also in Europe, is fast growing, 17 years after its founding, LSTI SAS strengthens its leading position by joining the Apave Group.

LSTI is a conformity assessment body (CAB) specializing in cybersecurity and data protection. Created in 2004, LSTI has developed a real expertise in information security assessment, and is recognized as one of the major CABs in Europe for the assessment of Trust Service Providers regarding the eIDAS regulation and the French ANSSI standards. Today, LSTI is joining the Apave Group to boost its growth and contribute to the development of the Group cyber offer.

The Apave cybersecurity platform offers standard and tailor-made approaches to help organisations control their digital risks, to test the vulnerability of their systems, to label or certify the quality of their protection, or to train their employees to anticipate and/or manage those risks.


About Apave
Apave is an French group specialized in risk management for more than 150 years, known globally. As an independent company with a €881M turnover in 2019, Apave currently has 12,400 employees, 130 agencies in France, 170 training sites throughout the globe, and 18 test centers. Apave is present internationally in more than 45 countries, with almost 500,000 trusting customers around the world.
Apave website

Download the press release

Scroll to top