ISO JTC 1/SC 27

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). ISO/IEC JTC 1/SC 27 develops International Standards, Technical Reports, and Technical Specifications within the field of information security. Standardization activity by this subcommittee includes general methods, management system requirements, techniques and guidelines to address information security, cybersecurity and privacy. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions. Publication as an ISO/IEC International Standard requires approval by a minimum of 75% of the national bodies casting a vote. The international secretariat of ISO/IEC JTC 1/SC 27 is the Deutsches Institut für Normung (DIN), located in Germany.


History

ISO/IEC JTC 1/SC 27 was founded by ISO/IEC JTC 1 in 1990. The subcommittee was formed when ISO/IEC JTC 1/SC 20, which covered standardization within the field of security techniques through its working groups on "secret-key techniques" (ISO/IEC JTC 1/SC 20/WG 1), "public-key techniques" (ISO/IEC JTC 1/SC 20/WG 2), and "data encryption protocols" (ISO/IEC JTC 1/SC 20/WG 3), was disbanded. This allowed ISO/IEC JTC 1/SC 27 to take over the work of ISO/IEC JTC 1/SC 20 (specifically that of its first two working groups) and to extend its scope to other areas within the field of IT security techniques. Since 1990, the subcommittee has extended or altered its scope and working groups to meet current standardization demands. ISO/IEC JTC 1/SC 27, which started with three working groups, eventually expanded its structure to contain five. The two new working groups were added in April 2006, at the 17th Plenary Meeting in Madrid, Spain.


Scope

The scope of ISO/IEC JTC 1/SC 27 is "The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

* Security requirements capture methodology;
* Management of information and ICT security; in particular information security management systems, security processes, security controls and services;
* Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
* Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
* Security aspects of identity management, biometrics and privacy;
* Conformance assessment, accreditation and auditing requirements in the area of information security management systems;
* Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas."


Structure

ISO/IEC JTC 1/SC 27 is made up of five working groups (WG), each of which is responsible for the technical development of information and IT security standards within the programme of work of ISO/IEC JTC 1/SC 27. In addition, ISO/IEC JTC 1/SC 27 has two special working groups (SWG): (i) SWG-M, which operates under the direction of ISO/IEC JTC 1/SC 27 with the primary task of reviewing and evaluating the organizational effectiveness of ISO/IEC JTC 1/SC 27 processes and mode of operations; and (ii) SWG-T, which operates under the direction of ISO/IEC JTC 1/SC 27 to address topics beyond the scope of the respective existing WGs or that can affect directly or indirectly multiple WGs. ISO/IEC JTC 1/SC 27 also has a Communications Officer whose role is to promote the work of ISO/IEC JTC 1/SC 27 through different channels: press releases and articles, conferences and workshops, interactive ISO chat forums and other media channels. The focus of each working group is described in the group's terms of reference. Working groups of ISO/IEC JTC 1/SC 27 are:


Collaborations

ISO/IEC JTC 1/SC 27 works in close collaboration with a number of other organizations or subcommittees, both internal and external to ISO or IEC, in order to avoid conflicting or duplicative work. Organizations internal to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include:

* ISO/IEC JTC 1/SWG 6, Management
* ISO/IEC JTC 1/WG 7, Sensor networks
* ISO/IEC JTC 1/WG 9, Big Data
* ISO/IEC JTC 1/WG 10, Internet of Things (IoT)
* ISO/IEC JTC 1/SC 6, Telecommunications and information exchange between systems
* ISO/IEC JTC 1/SC 7, Software and systems engineering
* ISO/IEC JTC 1/SC 17, Cards and personal identification
* ISO/IEC JTC 1/SC 22, Programming languages, their environments and system software interfaces
* ISO/IEC JTC 1/SC 25, Interconnection of information technology equipment
* ISO/IEC JTC 1/SC 31, Automatic identification and data capture techniques
* ISO/IEC JTC 1/SC 36, Information technology for learning, education and training
* ISO/IEC JTC 1/SC 37, Biometrics
* ISO/IEC JTC 1/SC 38, Cloud computing and distributed platforms
* ISO/IEC JTC 1/SC 40, IT Service Management and IT Governance
* ISO/TC 8, Ships and marine technology
* ISO/TC 46, Information and documentation
* ISO/TC 46/SC 11, Archives/records management
* ISO/TC 68, Financial services
* ISO/TC 68/SC 2, Financial Services, security
* ISO/TC 68/SC 7, Core banking
* ISO/TC 171, Document management applications
* ISO/TC 176, Quality management and quality assurance
* ISO/TC 176/SC 3, Supporting technologies
* ISO/TC 204, Intelligent transport systems
* ISO/TC 215, Health informatics
* ISO/TC 251, Asset management
* ISO/TC 259, Outsourcing
* ISO/TC 262, Risk management
* ISO/TC 272, Forensic sciences
* ISO/TC 292, Security and resilience
* ISO/CASCO, Committee on Conformity Assessments
* ISO/TMB/JTCG, Joint technical Coordination Group on MSS
* ISO/TMB/SAG EE 1, Strategic Advisory Group on Energy Efficiency
* IEC/SC 45A, Instrumentation, control and electrical systems of nuclear facilities
* IEC/TC 57, Power systems management and associated information exchange
* IEC/TC 65, Industrial-process measurement, control and automation
* IEC Advisory Committee on Information security and data privacy (ACSEC)

Some organizations external to ISO or IEC that collaborate with or are in liaison to ISO/IEC JTC 1/SC 27 include:

* Attribute-based Credentials for Trust (ABC4Trust)
* Article 29 Data Protection Working Party
* Common Criteria Development Board (CCDB)
* Consortium of Digital Forensic Specialists (CDFS)
* CEN/TC 377
* CEN/PC 428 e-Competence and ICT professionalism
* Cloud Security Alliance (CSA)
* Cloud Standards Customer Council (CSCC)
* Common Study Center of Telediffusion and Telecommunication (CCETT)
* The Cyber Security Naming & Information Structure Groups (Cyber Security)
* Ecma International
* European Committee for Banking Standards (ECBS)
* European Network and Information Security Agency (ENISA)
* European Payments Council (EPC)
* European Telecommunications Standards Institute (ETSI)
* European Data Centre Association (EUDCA)
* Eurocloud
* Future of Identity in the Information Society (FIDIS)
* Forum of Incident Response and Security Teams (FIRST)
* Information Security Forum (ISF)
* Latinoamerican Institute for Quality Assurance (INLAC)
* Institute of Electrical and Electronics Engineers (IEEE)
* International Conference of Data Protection and Privacy Commissioners
* International Information Systems Security Certification Consortium ((ISC)2)
* International Smart Card Certification Initiatives (ISCI)
* The International Society of Automation (ISA)
* INTERPOL
* ISACA
* International Standardized Commercial Identifier (ISCI)
* Information Security Forum (ISF)
* ITU-T
* Kantara Initiative
* MasterCard
* PReparing Industry to Privacy-by-design by supporting its Application in REsearch (PRIPARE)
* Technology-supported Risk Estimation by Predictive Assessment of Socio-technical Security (TREsPASS)
* Privacy and Identity Management for Community Services (PICOS)
* Privacy-Preserving Computation in the Cloud (PRACTICE)
* The Open Group
* The OpenID Foundation (OIDF)
* TeleManagement Forum (TMForum)
* Trusted Computing Group (TCG)
* Visa


Member countries

Countries pay a fee to ISO to be members of subcommittees. The 51 "P" (participating) members of ISO/IEC JTC 1/SC 27 are: Algeria, Argentina, Australia, Austria, Belgium, Brazil, Canada, Chile, China, Cyprus, Czech Republic, Côte d'Ivoire, Denmark, Finland, France, Germany, India, Ireland, Israel, Italy, Jamaica, Japan, Kazakhstan, Kenya, Republic of Korea, Luxembourg, Malaysia, Mauritius, Mexico, Netherlands, New Zealand, Norway, Peru, Poland, Romania, Russian Federation, Rwanda, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Thailand, the Republic of Macedonia, Ukraine, United Arab Emirates, United Kingdom, United States of America, and Uruguay. The 20 "O" (observing) members of ISO/IEC JTC 1/SC 27 are: Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong, Hungary, Iceland, Indonesia, Islamic Republic of Iran, Lithuania, Morocco, State of Palestine, Portugal, Saudi Arabia, Serbia, Slovenia, Swaziland, and Turkey. As of August 2014, the spread of meeting locations since Spring 1990 has been as shown below:


Published standards

ISO/IEC JTC 1/SC 27 currently has 147 published standards within the field of IT security techniques, including:


See also

* ISO/IEC JTC 1
* List of ISO standards
* Deutsches Institut für Normung
* International Organization for Standardization
* International Electrotechnical Commission



External links


* ISO/IEC JTC 1/SC 27 home page
* ISO/IEC Joint Technical Committee 1 - Information Technology (public website)
* ISO/IEC Joint Technical Committee 1 (Livelink password-protected available documents)
* ISO/IEC Joint Technical Committee 1 (freely available documents), JTC 1 Supplement, Standing Documents and Templates
* ISO and IEC procedural documentation
* ISO DB Patents (including JTC 1 patents)
* ISO: International Organization for Standardization
* IEC: International Electrotechnical Commission
* Access to ISO/IEC JTC 1/SC 27 Freely Available Standards