Skip to content

Generic Organizational Assurance

Organizational assurability is anchored on identity management and Know Your Customer (KYC) processes. The levels also add good data governance practices and are aligned with the Icebreaker Principles.

This specification defines generic Organization Assurance Levels, identified by URLs in the IB1 Root Registry with the https://registry.trust.ib1.org/organization-assurance-level/ prefix.

Note: This document uses US English. To align with W3C and other prevalent standards, IB1 uses US English in its technical specifications and technical documentation.

Dependencies

A Scheme using this specification must also adopt the following specifications:

Organizational Assurance Level 1

https://registry.trust.ib1.org/organization-assurance-level/Level1

This is the minimum requirement for organizations to join an IB1 Trust Framework. At this level, organizations have:

  • O1.1. Signed the Icebreaker One Membership Agreement
  • O1.2. Endorsed the Icebreaker Principles for data sharing
  • O1.3. Paid their membership fees
  • O1.4. Demonstrated a current entity legal registration (GLEIF or Companies House) that matches their website and their Icebreaker One membership information
  • O1.5. Registered with the Information Commissioner’s Office (ICO) if they are a UK entity, or their organisation’s head-quartered national equivalent
  • O1.6. Executed the agreement to join the Trust Framework under which they wish to provide assurability
    • O1.6.1. On joining the Trust Framework, member organizations are listed on an openly published Directory of members, with organizational assurance level also shown
  • O1.7. Have named individual(s) within their organization registered as "Trust Framework License Officers" and "Trust Framework Data Officers" with roles and responsibilities as defined by the Trust Framework

Organizational Assurance Level 2

https://registry.trust.ib1.org/organization-assurance-level/Level2

The organization meets all the requirements of Level 1, plus they have:

  • O2.1. Published at least one dataset with Level 1 Dataset Assurance
  • O2.2. Made available proof of dataset compliance on request, following processes set by Trust Framework and Scheme rules
  • O2.3. Published a data strategy that commits, within a defined time period, to increasing the number of datasets with Level 1 Dataset Assurance and publishing at least one dataset with Level 2 Dataset Assurance
  • O2.4. Implemented corporate communications to be used for the promotion of the data being shared
  • O2.5. Provided evidence of compliance with commercially and contextually reasonable national or international cybersecurity standards for data processing. Where the Scheme does not specify requirements, acceptable standards include ISO27001, PAS 555, PCI DSS, SOC 2, and Cyber Essentials.

Organizational Assurance Level 3

https://registry.trust.ib1.org/organization-assurance-level/Level3

The organization meets all the requirements of Level 2, plus they have:

  • O3.1. Published at least one dataset with Level 2 Dataset Assurance
  • O3.2. Published a data strategy that commits, within a defined time period, to increasing the number of datasets with Level 2 Dataset Assurance and publishing at least one dataset with Level 3 Dataset Assurance
  • O3.3. Published a policy for their employees’ engagement with the user community as data users or publishers
  • O3.4. Participated in the Scheme governance process

Organizational Assurance Level 4

https://registry.trust.ib1.org/organization-assurance-level/Level4

The organization meets all the requirements of Level 3, plus they have:

  • O4.1. Published at least one dataset with Level 3 Dataset Assurance
  • O4.2. Published a data strategy that commits, within a defined time period, to increasing the number of datasets with Level 3 Dataset Assurance and publishing at least one dataset with Level 4 Dataset Assurance
  • O4.3. Assigned responsibility, or created a role, team, position or service to build or contribute to a user community, resourced at a level which enables responses to good faith questions within 5 working days