ISO/IEC JTC 1/SC 27

ISO/IEC JTC 1/SC 27 IT Security techniques is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), that develops and facilitates International Standards, Technical Reports, and Technical Specifications within the field of IT security techniques. Standardization activity by this subcommittee includes general methods, techniques and guidelines to address both security and privacy aspects. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote.[1] The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN) located in Germany.[2]

History

ISO/IEC JTC 1/SC 27 was established in 1990 at ISO/IEC JTC 1's plenary in Paris, France. The subcommittee was formed when ISO/TC 97/SC 20, which covered standardization within the field of security techniques, such as "secret-key techniques" (ISO/TC 97/SC 20/WG 1) and "public-key techniques" (ISO/TC 97/SC 20/WG 2), was disbanded. This allowed ISO/IEC JTC 1/SC 27 to take over the work of ISO/TC 97/SC 20 (specifically that of its first two working groups) and to extend its scope to other areas within the field of IT security techniques.[3] Since 1990, the subcommittee has extended or altered its scope and working groups to meet current standardization demands. ISO/IEC JTC 1/SC 27, which started with three working groups, eventually expanded its structure to contain five.[4] The two additional working groups were added in April 2006, at the 17th Plenary Meeting in Madrid, Spain.[5]

Scope

The scope of ISO/IEC JTC 1/SC 27 is "The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:[6]

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas."

Structure

ISO/IEC JTC 1/SC 27 is made up of five working groups, each of which carries out specific tasks in standards development within the field of IT security techniques. The focus of each working group is described in the group's terms of reference. Working groups of ISO/IEC JTC 1/SC 27 are:[7]

Working Group Working Area
ISO/IEC JTC 1/SC 27/WG 1 Information security management systems
ISO/IEC JTC 1/SC 27/WG 2 Cryptography and security mechanisms
ISO/IEC JTC 1/SC 27/WG 3 Security evaluation, testing and specification
ISO/IEC JTC 1/SC 27/WG 4 Security controls and services
ISO/IEC JTC 1/SC 27/WG 5 Identity management and privacy technologies

Collaborations

ISO/IEC JTC 1/SC 27 works in close collaboration with a number of other organizations or subcommittees, both internal and external to ISO or IEC, in order to avoid conflicting or duplicative work. Organizations internal to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include:[6]

Some organizations external to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include:[6][8]

Member countries

Countries pay a fee to ISO to be members of subcommittees.[9]

The 52 "P" (participating) members of ISO/IEC JTC 1/SC 27 are: Algeria, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Cyprus, Czech Republic, Côte d'Ivoire, Denmark, Estonia, Finland, France, Germany, India, Ireland, Israel, Italy, Jamaica, Japan, Kazakhstan, Kenya, Republic of Korea, Luxembourg, Malaysia, Mauritius, Mexico, Morocco, Netherlands, New Zealand, Norway, Peru, Poland, Romania, Russian Federation, Singapore, Slovakia, Slovenia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Thailand, the Republic of Macedonia, Ukraine, United Arab Emirates, United Kingdom, United States of America, and Uruguay.

The 17 "O" (observing) members of ISO/IEC JTC 1/SC 27 are: Argentina, Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Ghana, Hong Kong, Hungary, Iceland, Indonesia, Islamic Republic of Iran, Lithuania, Portugal, Saudi Arabia, Serbia, Swaziland, and Turkey.[10]

As of August 2014, the spread of meeting locations since Spring 1990 has been as shown below:

Published standards

ISO/IEC JTC 1/SC 27 currently has 123 published standards within the field of IT security techniques, including:[4][11][12]

ISO/IEC Standard | Title | Status | Description | WG
ISO/IEC 27000 (free) | Information technology – Security techniques – Information security management systems – Overview and vocabulary | Published (2012) | Describes the overview and vocabulary of ISMS.[13] | 1
ISO/IEC 27001 | Information technology – Security techniques – Information security management systems – Requirements | Published (2013) | Specifies the requirements for establishing, implementing, monitoring and maintaining a documented ISMS within an organization.[14] A "transition mapping" document published by WG 1 provides a set of tables showing the correspondence between editions 1 and 2 of the standard.[15] | 1
ISO/IEC 27002 | Information technology – Security techniques – Code of practice for information security controls | Published (2013) | Provides guidelines for information security management practices for use by those selecting, implementing or maintaining an ISMS.[16] A "transition mapping" document published by WG 1 provides a set of tables showing the correspondence between editions 1 and 2 of the standard.[15] | 1
ISO/IEC 18033-1 | Information technology – Security techniques – Encryption algorithms – Part 1: General | Published (2005) | Specifies encryption systems for the purpose of data confidentiality.[17] | 2
ISO/IEC 19772 | Information technology – Security techniques – Authenticated encryption | Published (2009) | Specifies six methods for authenticated encryption with the security objectives of data confidentiality, data integrity and data origin authentication.[18] | 2
ISO/IEC 15408-1 (free) | Information technology – Security techniques – Evaluation criteria for IT security – Part 1: Introduction and general model | Published (2009) | Establishes the general concepts and principles of IT security evaluation, and specifies the general model of evaluation given by the other parts of ISO/IEC 15408.[19] | 3
ISO/IEC 19792 | Information technology – Security techniques – Security evaluation of biometrics | Published (2009) | Specifies the subjects to be addressed during the security evaluation of a biometric system.[20] | 3
ISO/IEC 27031 | Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity | Published (2011) | Describes the concepts and principles of ICT readiness for business continuity, and the method and framework needed to identify aspects in which to improve it.[21] | 4
ISO/IEC 27034-1 | Information technology – Security techniques – Application security – Part 1: Overview and concepts | Published (2011) | Addresses the management needs for ensuring the security of applications[5] and presents an overview of application security through the introduction of definitions, concepts, principles and processes.[22] | 4
ISO/IEC 27035 | Information technology – Data Centres – Taxonomy and Maturity Model | Published (2011) | Provides a structured and planned approach to detecting, reporting and assessing information security incidents; responding to and managing information security incidents; and detecting, assessing and managing information security vulnerabilities.[23] | 4
ISO/IEC 27037 | Information technology – Security techniques – Guidelines for identification, collection, acquisition and preservation of digital evidence | Published (2012) | Provides guidance for the handling of digital evidence that could be of evidential value.[24] | 4
ISO/IEC 24760-1 (free) | Information technology – Security techniques – A framework for identity management – Part 1: Terminology and concepts | Published (2011) | Provides a framework for the secure and reliable management of identities by defining the terms for identity management and specifying the core concepts of identity and identity management.[25][26] | 5
ISO/IEC 24761 | Information technology – Security techniques – Authentication context for biometrics | Published (2009) | Specifies the structure and data elements of Authentication Context for Biometrics (ACBio), which checks the validity of biometric verification process results.[27] | 5
ISO/IEC 29100 | Information technology – Security techniques – Privacy framework | Published (2011) | Provides a privacy framework that specifies a common privacy terminology, describes privacy safeguarding considerations and provides references to known privacy principles for IT.[28] | 5
ISO/IEC 29101 | Information technology – Security techniques – Privacy architecture framework | Published (2013) | Defines a privacy architecture framework that specifies concerns for ICT systems that process PII, lists components for the implementation of such systems and provides architectural views contextualizing these components.[29] Applicable to entities involved in specifying, procuring, architecting, designing, testing, maintaining, administering and operating ICT systems that process PII; it focuses primarily on ICT systems that are designed to interact with PII principals. | 5

References

  1. DIN (2011-12-14). "ISO/IEC JTC 1/SC 27 – IT Security techniques Home". Retrieved 2013-09-26.
  2. ISO. "ISO/IEC JTC 1/SC 27 – Secretariat". Retrieved 2013-08-22.
  3. ISO (2012), "ISO/IEC JTC 1/SC 27 Security techniques", ISO/IEC JTC1 Standing Document N 2
  4. Humphreys, Edward, ed. (2010). SC 27 Platinum Book. Suffolk, UK: Gripping Press Ltd. Retrieved 2013-08-22.
  5. Meng-Chow, Kang (2008). "Getting Ready to the Changing Risk Situation". Synthesis Journal. Retrieved 2013-08-22.
  6. Fumy, Walter (2012-10-10). SC 27 Business Plan October 2012 – September 2013 (Business Plan). Retrieved 2013-08-22.
  7. ISO. "ISO/IEC JTC 1/SC 27 IT Security techniques". p. Structure. Retrieved 2013-08-22.
  8. DIN (2013-07-15). "ISO/IEC JTC 1/SC 27 Membership". Retrieved 2013-08-22.
  9. ISO (June 2012). "III. What Help Can I Get from the ISO Central Secretariat?". ISO Membership Manual. ISO. pp. 17–18. Retrieved 2013-07-12.
  10. ISO. "ISO/IEC JTC 1/SC 27 – IT Security techniques". Retrieved 2013-08-23.
  11. ISO. "Standards Catalogue: ISO/IEC JTC 1/SC 27 – IT Security techniques". Retrieved 2013-08-22.
  12. "Freely Available Standards". ISO. Retrieved 2013-09-26.
  13. ISO (2013-01-14). "ISO/IEC 27000:2012". Retrieved 2013-09-26.
  14. ISO (2013-09-25). "ISO/IEC 27001:2013". Retrieved 2013-09-26.
  15. SC 27 (2013-10-25). "JTC 1/SC 27/SD3 – Mapping Old – New Editions of ISO/IEC 27001 and ISO/IEC 27002". Retrieved 2013-12-12.
  16. ISO (2013-09-25). "ISO/IEC 27002:2013". Retrieved 2013-09-26.
  17. ISO/IEC (2011-07-27). "ISO/IEC 18033-1:2005". Retrieved 2013-08-23.
  18. ISO/IEC (2009-02-12). "ISO/IEC 19772:2009". Retrieved 2013-08-23.
  19. ISO (2009-12-03). "ISO/IEC 15408-1:2009". Retrieved 2013-09-26.
  20. ISO/IEC (2009-07-30). "ISO/IEC 19792:2009". Retrieved 2013-08-23.
  21. ISO/IEC (2011-03-01). "ISO/IEC 27031:2011". Retrieved 2013-08-22.
  22. ISO/IEC (2011-11-21). "ISO/IEC 27034-1:2011". Retrieved 2013-08-22.
  23. ISO/IEC (2011-08-17). "ISO/IEC 27035:2011". Retrieved 2013-08-22.
  24. ISO (2012-10-15). "ISO/IEC 27037:2012". Retrieved 2013-09-26.
  25. Brackney, Dick (2006-12-05). Report on ISO/IEC/JTC1/SC27 Activities in Digital Identities (Presentation). Retrieved 2013-08-22.
  26. ISO/IEC (2011-12-07). "ISO/IEC 24760-1:2011". Retrieved 2013-08-22.
  27. ISO/IEC (2009-05-11). "ISO/IEC 24761:2009". Retrieved 2013-08-23.
  28. ISO (2011-12-05). "ISO/IEC 29100:2011". Retrieved 2013-09-26.
  29. ISO (2013-10-16). "ISO/IEC 29101:2013" (1 ed.). Retrieved 2013-12-12.