ISO 27566-1 is the new international gold standard for age assurance systems. Developed through the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), it provides a comprehensive framework for assessing whether an age assurance service is safe, effective, privacy-preserving, and interoperable.
Certification to ISO 27566-1 by ACCS demonstrates that your solution is independently audited and internationally recognised, giving regulators, clients, and users confidence that your system meets the highest benchmark of trust and compliance.
Who Can Apply?
ISO 27566-1 certification applies across the age assurance ecosystem:
- Age Verification (AV) Providers – Services that directly check or estimate a user’s age (e.g., via document checks, biometrics, or databases).
- Intermediaries – Entities that act as a secure bridge between users, AV providers, and relying parties, ensuring age proofs can be reused safely across services.
- Relying Parties – Online platforms, content providers, or service operators that depend on AV to manage user access and comply with regulation.
- Hybrid Services – Organisations that perform more than one of these roles (e.g., a provider that both verifies ages and acts as an intermediary).
What Does the Certification Cover?
ACCS audits solutions against five core characteristics that regulators expect to see in effective age assurance:
- Functionality – Does the system accurately assess or verify age at the required assurance level?
- Privacy – Are personal data minimised, protected, and used lawfully, with clear user rights?
- Accessibility – Is the service inclusive and usable across demographics, abilities, and devices?
- Security – Are systems resilient to fraud, attacks, and misuse?
- Performance – We look at measurable outcomes, i.e. performance targets versus achieved metrics.
Together, these criteria ensure a balanced, trustworthy, and regulator-ready solution.
The Age Check Practice Statement
At the heart of ISO 27566-1 certification is your Age Check Practice Statement (ACPS). This is a structured document that sets out:
- Your service’s scope, purpose, and role(s) (AV, intermediary, relying party, or hybrid)
- Your technical architecture and the methods you use to check or estimate age
- Your policies for data handling, user rights, and consent
- Your approach to accessibility, inclusion, and user support
- Your security and fraud prevention measures
The ACPS provides the foundation for the audit. It defines how your system operates in theory, and ACCS then evaluates whether your practice matches your promise.
What the Audit Involves
Our audit follows a rigorous, multi-layered approach:
- Policy & Documentation Review – Analysis of your ACPS, governance policies, and compliance framework.
- Component Testing – Assessment of the effectiveness and accuracy of the technology components (e.g., biometric age estimation, document checks).
- Context-of-Use Evaluation – Verification of how your service performs in real-world conditions, including accessibility and user experience.
- Risk & Security Analysis – Checks against vulnerabilities, attack vectors, and data protection standards.
Only services that pass across all these layers can achieve ISO 27566-1 certification.
Why It Matters
ISO 27566-1 is increasingly referenced as the benchmark by regulators worldwide:
- Ofcom (UK) – Recognises ISO 27566-1 as part of its Online Safety Act compliance pathways.
- European Union (DSA & AVMSD) – Alignment with harmonised standards underpins regulatory expectations for “highly effective” age verification.
- Australia (eSafety Commissioner) – Standards-based assurance is required for safety tech providers.
- United States (COPPA & state-level laws) – Independent validation of AV solutions strengthens compliance with child-safety mandates.
- Brazil (Law 15,211/2024) – Growing emphasis on certified age assurance providers in LATAM markets.
Achieving ISO 27566-1 certification positions your organisation as a trusted, regulator-ready provider able to serve global markets.
Choosing Your Certification Pathway
Choosing the right certification depends on your state of readiness, target markets, and whether you need component-level or system-level assurance. Many providers progress to a dual path, combining technical credibility with the global compliance signal increasingly expected by regulators.
- IEEE 2089.1 → technical performance badge (accuracy, robustness, fairness).
- ISO/IEC 27566-1 → holistic certification (privacy, security, accessibility, performance, functionality).
- Dual Path → technical credibility plus global compliance signal.
Certification Process
- Application & Scoping – Define your role(s), service boundaries, and intended level of certification.
- Develop Your ACPS – With ACCS guidance, prepare your Age Checking Practice Statement.
- Pre-Audit Review – We identify gaps and advise on remediation before the main audit.
- Formal Audit – Policy review, component testing, and context-of-use evaluation.
- Certification Decision – Successful applicants are awarded the ISO 27566-1 certificate and listed on the ACCS public register.
- Surveillance & Renewal – Ongoing oversight to maintain certification validity.