ISO/IEC JTC 1/SC 27

Last updated

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. [1] The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany. [2]

Contents

History

ISO/IEC JTC 1/SC 27 was founded by ISO/IEC JTC 1 in 1990. The subcommittee was formed when ISO/IEC JTC 1/SC 20, which covered standardization within the field of security techniques, covering "secret-key techniques" (ISO/IEC JTC 1/SC 20/WG 1), "public-key techniques" (ISO/IEC JTC 1/SC 20/WG 2), and "data encryption protocols" (ISO/IEC JTC 1/SC 20/WG 3) was disbanded. This allowed for ISO/IEC JTC 1/SC 27 to take over the work of ISO/IEC JTC 1/SC 20 (specifically that of its first two working groups) as well as to extend its scope to other areas within the field of IT security techniques. [3] Since 1990, the subcommittee has extended or altered its scope and working groups to meet the current standardization demands. ISO/IEC JTC 1/SC 27, which started with three working groups, eventually expanded its structure to contain five. [4] The two new working groups were added in April 2006, at the 17th Plenary Meeting in Madrid, Spain. [5]

Scope

The scope of ISO/IEC JTC 1/SC 27 is "The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as: [6]

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas."

Structure

ISO/IEC JTC 1/SC 27 is made up of five working groups (WG), each of which is responsible for the technical development of information and IT security standards within the programme of work of ISO/IEC JTC 1/SC 27. In addition, ISO/IEC JTC 1/SC 27 has two special working groups (SWG): (i) SWG-M, which operates under the direction of ISO/IEC JTC 1/SC 27 with the primary task of reviewing and evaluating the organizational effectiveness of ISO/IEC JTC 1/SC 27 processes and mode of operations; and (ii) SWG-T, which operates under the direction of ISO/IEC JTC 1/SC 27 to address topics beyond the scope of the respective existing WGs or that can affect directly or indirectly multiple WGs. ISO/IEC JTC 1/SC 27 also has a Communications Officer whose role is to promote the work of ISO/IEC JTC 1/SC 27 through different channels: press releases and articles, conferences and workshops, interactive ISO chat forums and other media channels.

The focus of each working group is described in the group's terms of reference. Working groups of ISO/IEC JTC 1/SC 27 are: [7]

Working GroupWorking Area
ISO/IEC JTC 1/SC 27/SWG-MManagement
ISO/IEC JTC 1/SC 27/SWG-TTransversal items
ISO/IEC JTC 1/SC 27/WG 1Information security management systems
ISO/IEC JTC 1/SC 27/WG 2 Cryptography and security mechanisms
ISO/IEC JTC 1/SC 27/WG 3Security evaluation, testing and specification
ISO/IEC JTC 1/SC 27/WG 4Security controls and services
ISO/IEC JTC 1/SC 27/WG 5 Identity management and privacy technologies

Collaborations

ISO/IEC JTC 1/SC 27 works in close collaboration with a number of other organizations or subcommittees, both internal and external to ISO or IEC, in order to avoid conflicting or duplicative work. Organizations internal to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include: [6] [8]

Some organizations external to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include: [6] [9]

Member countries

Countries pay a fee to ISO to be members of subcommittees. [10]

The 51 "P" (participating) members of ISO/IEC JTC 1/SC 27 are: Algeria, Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Cyprus, Czech Republic, Côte d'Ivoire, Denmark, Finland, France, Germany, India, Ireland, Israel, Italy, Jamaica, Japan, Kazakhstan, Kenya, Republic of Korea, Luxembourg, Malaysia, Mauritius, Mexico, Netherlands, New Zealand, Norway, Peru, Poland, Romania, Russian Federation, Rwanda, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Thailand, the Republic of Macedonia, Ukraine, United Arab Emirates, United Kingdom, United States of America, and Uruguay.

The 20 "O" (observing) members of ISO/IEC JTC 1/SC 27 are: Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong, Hungary, Iceland, Indonesia, Islamic Republic of Iran, Lithuania, Morocco, State of Palestine, Portugal, Saudi Arabia, Serbia, Slovenia, Swaziland, and Turkey. [11]

As of August 2014, the spread of meeting locations since Spring 1990 has been as shown below:

Meeting Locations SC27-Locations.jpg
Meeting Locations

Published standards

ISO/IEC JTC 1/SC 27 currently has 147 published standards within the field of IT security techniques, including: [4] [12] [13] [14]

ISO/IEC StandardTitleStatusDescriptionWG
ISO/IEC 27000 free Information technology – Security techniques – Information security management systems – Overview and vocabularyPublished (2018)Describes the overview and vocabulary of ISMS [15] 1
ISO/IEC 27001 Information technology – Security techniques – Information security management systems – RequirementsPublished (2013)Specifies the requirements for establishing, implementing, monitoring, and maintaining documented a documented ISMS within an organization. [16] "Transition mapping" ISO/IEC 27023 provides a set of tables showing the correspondence between editions 1 and 2 of the standard1
ISO/IEC 27002 Information technology – Security techniques – Code of practice for information security controlsPublished (2013)Provides guidelines for information security management practices for use by those selecting, implementing, or maintaining ISMS [17] "Transition mapping" ISO/IEC 27023 provides a set of tables showing the correspondence between editions 1 and 2 of the standard1
ISO/IEC 27006Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systemsPublished (2015)Specifies general requirements for a third-party body operating ISMS (in accordance with ISO/IEC 27001:2005) certification/registration has to meet, if it is to be recognized as competent and reliable in the operation of ISMS certification / registration [18] 1
ITU-T X.1051 / ISO/IEC 27011Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002Published (2008)This recommendation/international standard: a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in telecommunications organizations based on ISO/IEC 27002; b) provides an implementation baseline of Information Security Management within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services [19] 1
ISO/IEC 18033-1Information technology – Security techniques – Encryption algorithms – Part 1: GeneralPublished (2015)Specifies encryption systems for the purpose of data confidentiality [20] 2
ISO/IEC 19772Information technology – Security techniques – Authenticated encryptionPublished (2009)Specifies six methods for authenticated encryption with the security objectives of: [21] 2
ISO/IEC 15408-1 free Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general modelPublished (2009, corrected and reprinted 2014)Establishes the general concepts and principles of IT security evaluation, and specifies the general model of evaluation given by various other parts of ISO/IEC 15408. [22] 3
ISO/IEC 19792Information technology – Security techniques – Security evaluation of biometricsPublished (2009)Specifies the subjects to be addressed during the security evaluation of a biometric system [23] 3
ISO/IEC 27031Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuityPublished (2011)Describes the concepts and principles of ICT readiness for business continuity and the method and framework needed to identify aspects in which to improve it. [24] 4
ISO/IEC 27034-1Information technology – Security techniques – Application security – Part 1: Overview and conceptsPublished (2011)Addresses the management needs for ensuring the security of applications [5] and presents an overview of application security through the introduction of definitions, concepts, principles and processes [25] 4
ISO/IEC 27035Information technology -- Security techniques -- Information security incident managementPublished (2011)Provides a structured and planned approach to: [26]
  • Detect, report, and assess information security incidents
  • Respond to and manage information security incidents
  • Detect, assess, and manage information security vulnerabilities
4
ISO/IEC 27037Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidencePublished (2012)Provides guidance for the handling of digital evidence that could be of evidential value [27] 4
ISO/IEC 24760-1 free Information technology – Security techniques – A framework for identity management – Part 1: Terminology and conceptsPublished (2011)Provides a framework for the secure and reliable management of identities by: [28]
  • Defining the terms for identity management
  • Specifying the core concepts of identity and identity management [29]
5
ISO/IEC 24760-2Information technology - Security techniques - A framework for identity management - Part 2: Reference architecture and requirementsPublished (2015)Provides guidelines for the implementation of systems for the management of identity information and specifies requirements for the implementation and operation of a framework for identity management. [30] 5
ISO/IEC 24761Information technology – Security techniques – Authentication context for biometricsPublished (2009)Specifies the structure and data elements of Authentication Context for Biometrics (ACBio), which checks the validity of biometric verification process results [31] 5
ISO/IEC 29100 free Information technology – Security techniques – Privacy frameworkPublished (2011)Provides a privacy framework that: [32]
  • Specifies a common privacy terminology
  • Describes privacy safeguarding considerations
  • Provides references to known privacy principles for IT
5
ISO/IEC 29101Information technology – Security techniques – Privacy architecture frameworkPublished (2013)Defines a privacy architecture framework that: [33]
  • Specifies concerns for ICT systems that process PII
  • Lists components for the implementation of such systems
  • Provides architectural views contextualizing these components

Applicable to entities involved in specifying, procuring, designing, testing, maintaining, administering and operating ICT systems that process PII. Focuses primarily on ICT systems that are designed to interact with PII principals.

5

See also

Related Research Articles

ISO/IEC JTC 1, entitled "Information technology", is a joint technical committee (JTC) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Its purpose is to develop, maintain and promote standards in the fields of information and communications technology (ICT).

ISO/IEC JTC 1/SC 22 Programming languages, their environments and system software interfaces is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) that develops and facilitates standards within the fields of programming languages, their environments and system software interfaces. ISO/IEC JTC 1/SC 22 is also sometimes referred to as the "portability subcommittee". The international secretariat of ISO/IEC JTC 1/SC 22 is the American National Standards Institute (ANSI), located in the United States.

ISO/IEC JTC 1/SC 36 Information Technology for Learning, Education and Training is a standardization subcommittee (SC), which is part of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates standards within the field of information technology (IT) for learning, education and training (LET). ISO/IEC JTC 1/SC 36 was established at the November 1999 ISO/IEC JTC 1 plenary in Seoul, Korea. The subcommittee held its first plenary meeting in March 2000 in London, United Kingdom. The international secretariat of ISO/IEC JTC 1/SC 36 is the Korean Agency for Technology and Standards (KATS), located in the Republic of Korea.

ISO/IEC JTC 1/SC 37 Biometrics is a standardization subcommittee in the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of biometrics. The international secretariat of ISO/IEC JTC 1/SC 37 is the American National Standards Institute (ANSI), located in the United States.

ISO/IEC JTC 1/SC 38 Cloud Computing and Distributed Platforms is a standardization subcommittee, which is part of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

ISO/IEC JTC 1/SC 39 Sustainability for and by Information Technology is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates standards within the field of sustainability and resource efficiency through Information Technology. The international secretariat of ISO/IEC JTC 1/SC 39 is the American National Standards Institute (ANSI), located in the United States.

ISO/IEC JTC 1/SC 7 Software and systems engineering is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates standards within the field of engineering of software products and systems. The international secretariat of ISO/IEC JTC 1/SC 7 is the Bureau of Indian Standards (BIS) located in India.

Note: This special working group has been disbanded.

ISO/IEC JTC 1/SC 25 Interconnection of information technology equipment is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1, of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of interconnection of information technology equipment. The international secretariat of ISO/IEC JTC 1/SC 25 is the Deutsches Institut für Normung (DIN) located in Germany.

ISO/IEC JTC 1/SC 28 Office equipment is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates international standards, technical reports, and technical specifications within the field of office equipment and products, and systems composed of combinations of office equipment. The group's main focus lies within the area of printers and copiers. The international secretariat of ISO/IEC JTC 1/SC 28 is the Japanese Industrial Standards Committee (JISC) located in Japan.

ISO/IEC JTC 1/SC 2 Coded character sets is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates standards within the field of coded character sets. The international secretariat of ISO/IEC JTC 1/SC 2 is the Japanese Industrial Standards Committee (JISC), located in Japan. SC 2 is responsible for the development of the Universal Coded Character Set which is the international standard corresponding to the Unicode Standard.

Note: This special working group has been disbanded. The work begun in ISO/IEC/JTC 1/SWG 5 on Internet of Things standardization gaps will be continued in ISO/IEC JTC 1/WG 10.

ISO/IEC JTC 1/SC 32 Data management and interchange is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of data management and interchange. The international secretariat of ISO/IEC JTC 1/SC 32 is the American National Standards Institute (ANSI) located in the United States.

ISO/IEC JTC 1/SC 29, entitled Coding of audio, picture, multimedia and hypermedia information, is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It develops and facilitates international standards, technical reports, and technical specifications within the field of audio, picture, multimedia, and hypermedia information coding. The standards developed by SC 29 have been recognized by nine Emmy Awards.

ISO/IEC JTC 1/SC 40 IT Service Management and IT Governance is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 40 develops and facilitates the development of international standards, technical reports, and technical specifications within the fields of IT service management and IT governance, with a focus in IT activity such as audit, digital forensics, governance, risk management, outsourcing, service operations and service maintenance. The international secretariat of ISO/IEC JTC 1/SC 40 is Standards Australia (SA), located in Australia.

ISO/IEC JTC 1/SC 6 Telecommunications and information exchange between systems is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1. It is part of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of telecommunications and information exchange between systems.

Note: This working group has been disbanded.

ISO/IEC JTC 1/SC 23 Digitally recorded media for information interchange and storage is a standardization subcommittee of the joint technical committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of removable digital storage media for digital information interchange. The international secretariat of ISO/IEC JTC 1/SC 23 is the Japanese Industrial Standards Committee (JISC) located in Japan.

ISO/IEC JTC 1/SC 17 Cards and personal identification is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates standards within the field of identification cards and personal identification. The international secretariat of ISO/IEC JTC 1/SC 17 is the British Standards Institution (BSI) located in the United Kingdom.

ISO/IEC JTC 1/SC 31 Automatic identification and data capture techniques is a subcommittee of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) Joint Technical Committee (JTC) 1, and was established in 1996. SC 31 develops and facilitates international standards, technical reports, and technical specifications in the field of automatic identification and data capture techniques. The first Plenary established three working groups (WGs): Data Carriers, Data Content, and Conformance. Subsequent Plenaries established other working groups: RFID, RTLS, Mobile Item Identification and Management, Security and File Management, and Applications.

References

  1. DIN (2015-08-12). "ISO/IEC JTC 1/SC 27 – IT Security techniques Home" . Retrieved 2013-09-26.
  2. ISO. "ISO/IEC JTC 1/SC 27 – Secretariat" . Retrieved 2013-08-22.
  3. ISO (2012), "ISO/IEC JTC 1/SC 27 Security techniques", ISO/IEC JTC1 Standing Document N 2
  4. 1 2 Humphreys, Edward, ed. (2010). SC 27 Platinum Book (PDF). Suffolk, UK: Gripping Press Ltd. Retrieved 2013-08-22.
  5. 1 2 Meng-Chow, Kang (2008). "Getting Ready to the Changing Risk Situation" (PDF). Synthesis Journal. Retrieved 2013-08-22.
  6. 1 2 3 Fumy, Walter (2012-10-10). SC 27 Business Plan October 2014 – September 2015 (PDF) (Business Plan). Retrieved 2013-08-22.
  7. ISO. "ISO/IEC JTC 1/SC 27 IT Security techniques". p. Structure. Retrieved 2013-08-22.
  8. "ISO/IEC JTC 1/SC 27 Liaisons". ISO. Retrieved 2015-07-14.
  9. DIN (2015-08-12). "ISO/IEC JTC 1/SC 27 Membership" . Retrieved 2013-08-22.
  10. ISO (June 2012). "III. What Help Can I Get from the ISO Central Secretariat?". ISO Membership Manual (PDF). ISO. pp. 17–18. Retrieved 2013-07-12.
  11. ISO. "ISO/IEC JTC 1/SC 27 - IT Security techniques" . Retrieved 2013-08-23.
  12. ISO. "Standards Catalogue: ISO/IEC JTC 1/SC 27 – IT Security techniques" . Retrieved 2015-08-20.
  13. "Freely Available Standards". ISO. Retrieved 2015-08-20.
  14. "ISO/IEC JTC 1/SC 27". ISO. Retrieved 2015-07-14.
  15. ISO (2014-01-15). "ISO/IEC 27000:2014" . Retrieved 2015-08-20.
  16. ISO (2013-09-25). "ISO/IEC 27001:2013" . Retrieved 2013-09-26.
  17. ISO (2013-09-25). "ISO/IEC 27002:2013" . Retrieved 2013-09-26.
  18. "ISO/IEC 27006:2011". ISO. Retrieved 2015-09-02.
  19. "ISO/IEC 27011:2008". ISO. Retrieved 2015-09-02.
  20. ISO/IEC (2015-07-24). "ISO/IEC 18033-1:2015" . Retrieved 2015-08-20.
  21. ISO/IEC (2009-02-12). "ISO/IEC 19772:2009" . Retrieved 2013-08-23.
  22. ISO (2015-03-18). "ISO/IEC 15408-1:2009" . Retrieved 2015-08-20.
  23. ISO/IEC (2009-07-30). "ISO/IEC 19792:2009" . Retrieved 2013-08-23.
  24. ISO/IEC (2011-03-01). "ISO/IEC 27031:2011" . Retrieved 2013-08-22.
  25. ISO/IEC (2011-11-21). "ISO/IEC 27034-1:2011" . Retrieved 2013-08-22.
  26. ISO/IEC (2011-08-17). "ISO/IEC 27035:2011" . Retrieved 2013-08-22.
  27. ISO (2012-10-15). "ISO/IEC 27037:2012" . Retrieved 2013-09-26.
  28. Brackney, Dick (2006-12-05). Report on ISO/IEC/JTC1/SC27 Activities in Digital Identities (PDF) (Presentation). Retrieved 2013-08-22.
  29. ISO/IEC (2011-12-07). "ISO/IEC 24760-1:2011" . Retrieved 2013-08-22.
  30. "ISO/IEC 24760-2". ISO. Retrieved 2015-08-20.
  31. ISO/IEC (2009-05-11). "ISO/IEC 24761:2009" . Retrieved 2013-08-23.
  32. ISO (2011-12-05). "ISO/IEC 29100:2011" . Retrieved 2013-09-26.
  33. ISO (2013-10-16). "ISO/IEC 29101:2013" (1 ed.). Retrieved 2013-12-12.