The tScheme Approval process
Any organisation that is a legal entity can apply for tScheme Approval of its Service. The whole process, from start to finish, can take as little as three months but your chosen Assessor will give you guidance on this. Organisations that have already achieved ISO 27001 or ISO 9000 certification, or are regulated by the Financial Conduct Authority, may have systems and procedures in place which make Approval more straightforward.
For a general overview of the tScheme process, the best document is "tSd0244 - Required Assessment Procedures". This should let you understand that tScheme is based on ISO 27000 and operates by defining sets of controls that need to be in place to satisfy the assessors that your service complies with our requirements. These controls are split into sets relating to particular aspects of your service and which are referred to as Approval Profiles - Identity Provider, Identity Registration, Credential Management etc.; combined with a set of controls that relate to the management of the service itself, which are contained in the Base Profile set. Apologies for confusion with GPG45 Identity Profiles but hopefully the context will always determine what we are referring to when we use the term Profile.
Then there are a set of 'model' documents and agreements that cover the formal/contractual process:
tSd0230 - Model S3A;
tSi0076 - Registered Applicant letter;
tSd0253 - Model RegApp agreement;
tSd0254 - Model licence agreement.
Becoming a Registered Applicant
These are the initial steps involved in applying for tScheme Approval for your Service:
- Select your tScheme Approval Profiles – tScheme Profiles are available for PKI (Public Key Infrastructure) and non-PKI technologies (which are more commonly used by generic Identity Service Providers - IdPs);
- Select an Assessor – tScheme-recognised Assessors are 100% independent and UKAS accredited;
- Agree outline Specification of the Service Subject to Assessment (S3A) – this provides a high-level description of the service†, agreed with the Assessor, to be submitted for Approval and lists the relevant Approval Profiles for the type of Service Approval sought, see also Preparing for Assessment (tSi0101);
- Complete the Registered Applicant Request (tSi0076) – this includes an estimated timetable for Assessment and Approval and an agreement to pay a Registration fee* of up to £5,000 (+VAT) per annum should the application be accepted and which should be submitted along with the Outline S3A (electronically by preference);
- Submit request – your application is then submitted to the independent tScheme Approvals committee;
- Complete the Registered Applicant Agreement (tSd0253) – assuming the application is accepted, complete the Registered Applicant Agreement which commits your organisation to an agreed timetable for Assessment and Approval as well as to the tScheme Code of Conduct;
- Registered Applicant Agreement signed by both parties – an invoice is raised for Registration Fee as referred to in the Registered Applicant Request letter and our website is updated to include you as a Registered Applicant for the Service and, if applicable, the relevant Scheme owner is also informed.
† in the context of providing a service claiming conformance to GPG45, the S3A must contain an appropriate Public Service Description that explicitly references any relevant Scheme Guidelines plus a clear statement about which Identity Profiles from GPG45 are supported because this service description forms the basis of the scope of the Assessor audit.
* the Registered Applicant fee will be offset against any Approval Fee due within 12 months once the Grant of Approval has been achieved.
You now work with your chosen Assessor who will help guide you through the Approval process and make sure you have the systems and procedures in place to comply with the requirements of your selected Profiles.
Applying for Approval
These are the main steps involved in then obtaining tScheme Approval for your Service:
- Final audit and report – when systems are in place, your Assessor will conduct an audit and produce a report, which is submitted to tScheme as evidence that your Service meets the requirements.
- tScheme review – the Assessor’s report is reviewed by our independent Approvals Committee, which reports to the tScheme board. The Committee is formed from experts across our membership (provided they represent an organisation that does not provide Services that could give rise to a conflict of interest) as well as independent subject-matter experts — practitioners who are responsible for the development and maintenance of the technical aspects of tScheme.
- Approval – if our independent Approvals Committee is satisfied with the Assessor’s report, they will notify you that your application for a Grant of Approval for your Service has been successful.
- Licence Agreement signed by both parties – both parties will then sign the licence agreement (tSd0254) and the final invoice is raised for the tScheme licence fee (as per our website) less any Registration Fee that has been paid during the preceding 12 months.
- Publication and notification – the name of your organisation and of the Service will be added to the list of Approved Services on our website and, if appropriate, we also notify whichever Trust scheme you are seeking to be part of. You can then display the tScheme Approval Mark on your website or other materials in relation to the Trust Scheme concerned. More about tScheme approval Trust marks.
As part of our quality commitment, regular re-assessment audits are carried out by tScheme-recognised Assessors. In case of justified complaint, the contract between tScheme Limited and the Service Provider provides for an appropriate remedy and sanctions. This could mean a notice for immediate correction, suspension of Approval rights pending correction, or, in severe circumstances, termination of Approval rights. Any Trust Service Providers found to be in breach of their obligations also have rights of appeal against any decisions.