ISO/IEC 25389:2025 – “The Safe Framework” for trust & safety in digital services

ISO and IEC have released a new international standard, ISO/IEC 25389:2025, titled “Information technology — The Safe Framework,” published in June 2025. This first-edition document, a concise guide, establishes a structured, scalable approach for organizations operating public-facing digital services to identify, assess, and manage content- and conduct-related risks.

What does ISO/IEC 25389 cover?

ISO/IEC 25389 provides a comprehensive framework of recommendations for service providers seeking to conduct or enhance “trust and safety operations”, including the establishment of systems to monitor, moderate, and mitigate harmful behavior or content online.

Commitments and practices are structured around five pillars:

  1. Product development
  2. Product governance
  3. Product enforcement
  4. Product improvement
  5. Product transparency

The standard also provides an assessment framework featuring a scalable maturity model:

  • Scoping and tailoring per product/service size and impact
  • Three maturity levels (L1‑L3)
  • Assessment phases: discovery, identification, assessment, testing, reporting

Annexes include illustrative scenarios, question banks, and templates for risk profiling and reporting.

Why it matters

  1. Tackles real‑world harms: In today’s digital era, platforms face harassment, misinformation, and abuse. This framework provides a consistent and structured method to counteract such threats in a flexible and evolving manner.
  2. Supports scalable implementation: Tailoring allows different service sizes to apply the framework appropriately, whether a niche community forum or a global social network.
  3. Bridges safety and accountability: While not itself a management system (e.g., ISO 9001), it provides internal governance clarity that enhances internal assurance, executive oversight, and compliance readiness.

How to make it work

  1. Adopt the Commitments & Practices Model: Utilize the five-pillar structure to review your workflow, from design to transparency, and identify gaps.
  2. Use the Maturity Assessment Tool: Conduct self‑assessments using the three maturity levels and questionnaires (Annex B) to benchmark progress and set targets.
  3. Tailor to Your Service: Adjust scope and effort based on your audience size, risk levels, and evolving threat landscape (e.g., extremist content, harassment).
  4. Embed Continuous Improvement: Integrate testing, reporting, and iterative cycles into governance processes to refine commitments over time.

Innovate trust and safety with ISO/IEC 25389

ISO/IEC 25389:2025 doesn’t just offer a checklist—it provides a dynamic, evidence-based pathway for organizations to develop safer and more responsible digital services. For developers, trust & safety teams, compliance officers, and executives, aligning with this standard enhances strategy, resilience, and societal value.

Bottom line

ISO/IEC 25389:2025 is a welcome and timely tool for digital service providers, striking a balance between protection and freedom of expression in an increasingly dynamic online world.