GSC20 Session8 Security Laura ISOIEC

JTC 1 focuses on IT security topics including security services, controls, governance, evaluation, testing, and privacy technologies. It has standards on information security management, identity management, biometrics, cryptography, and more. Standards cover verticals like cloud, healthcare, IoT, and telecom and are developed by subcommittees on topics such as cards and personal ID, IT security, and biometrics.


JTC 1 Security and Privacy Entities

• SC 17 Cards and Personal Identification
• SC 27 IT Security
• SC 37 Biometrics
• SC 40 IT Governance
JTC 1 Security and Privacy

JTC 1 Security focuses on these areas of IT security:

• Technology Mechanisms
• Services
• Management
• Governance
• Evaluation and Testing
• Privacy Technologies
Security and Privacy Topic Areas

• Governance
• Information security management system (ISMS) requirements plus ISMS supporting guidance: codes of practice of information security controls, ISMS risk management, ISMS performance evaluation and ISMS implementation guidance
• ISMS sector controls (focusing on specific security controls, including application- and sector-specific controls, e.g. Cloud, Telecoms, Energy, Finance, and the sector-specific use of the ISMS requirements standard)
• ISMS accreditation, certification and auditing (including accredited CB requirements, guidance on ISMS auditing and guidelines for auditors on ISMS controls)
• Security services and controls (including controls contributing to security mechanisms, covering ICT readiness for business continuity, IT network security, 3rd party services, supplier relationships (including Cloud), IDS, incident management, cyber security, application security, disaster recovery, forensics, digital redaction, time-stamping and other areas)
• Identity management and privacy technologies (including application-specific areas, e.g. cloud and PII, privacy impact analysis, privacy framework, identity management framework, entity authentication assurance framework)
• Security Evaluation, Testing and Specification (including evaluation criteria for IT security, framework for IT security assurance, methodology for IT security evaluation, cryptographic algorithms and security mechanisms conformance testing, security assessment of operational systems, SSE-CMM, vulnerability disclosure, vulnerability handling processes, physical security attacks, mitigation techniques and security requirements)
• Cards and Personal Identification (including physical characteristics, circuit cards, machine readable cards, motor vehicle drivers licence)
• Biometrics (including file formats, programming interfaces, data interchange formats, biometric profiles, biometric information protection, biometric authentication)
• Cryptographic and security mechanisms (including encryption, digital signature, authentication mechanisms, data integrity, non-repudiation, key management, prime number generation, random number generation, hash functions)
Key Security Products

• ISO/IEC 27001 – Information Security Management System (ISMS)
  • 27000 Family of Standards
• ISO/IEC 18033 – Encryption Algorithms
  • specifies asymmetric ciphers and symmetric ciphers
• ISO/IEC 7811 – Identification Cards
• ISO/IEC 2382-37 – Vocabulary
  • Harmonized vocabulary for biometrics
ISO/IEC 27000 family relationship

• Vocabulary: 27000
• Governance: 27014
• ISMS requirements: 27001, 27009
• Audit: 27006, 27007, 27008
• Controls: 27002, 27010, 27011, 27015, 27017, 27018, 27019, 27799
• Implementation: 27003
• Metrics: 27004
• Risk Management: 27005, 31000
• Investigative: 27037, 27041, 27042, 27043, 27050
• Standards tied to individual ISO/IEC 27002 clauses: Clause 12.4 - 27039, Clause 13.1 - 27033, Clause 15 - 27036, Clause 16 - 27035, Clause 17 - 27031
• Related standards shown in the diagram: 20000-1 (linked through 27013), 27016, 27032, 27034, 27038, 27040
Key Privacy Products

• ISO/IEC 29100 – Privacy Framework
  • Identifies privacy principles
• ISO/IEC 29134 – Privacy impact assessment
• ISO/IEC 29115 - Entity authentication assurance framework
Vertical Topic Areas

• Cloud Computing
• Accessibility
• Health Care
• IoT
• Societal considerations
• Telecom

Key Work Products Related to Verticals

• Cloud Computing
  • ITU-T X.1631|ISO/IEC 27017 – Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002
  • ISO/IEC 27018 - Code of practice for PII protection in public clouds acting as PII processors
  • ISO/IEC 27036-4 - Information security for supplier relationships – Part 4: Guidelines for security of cloud services
• Health Care
  • ISO/IEC 27999
• Societal considerations
  • ISO/IEC 27032 – Guidelines for Cybersecurity
• Telecom
  • ITU-T X.1051|ISO/IEC 27011 - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
In Progress and Future Work Areas

• Cyber Insurance
• Cyber Resilience
• Cloud Computing
  • SLA for security and privacy
  • Trusted connections
  • Virtualization
• Big Data
  • Security and Privacy considerations
• IoT
  • Privacy considerations
• Identity Management
  • Security considerations
  • Privacy implications related to SmartPhone Applications
• Privacy
  • Information Management System
  • Notices and Consent
  • De-identification techniques
Collaboration with GSC Organizations

• ITU-T
  • SG 17 – Information Security, Cloud Security, ISMS, Identity
  • SG 20 – IoT
  • SG 13 – Cloud Computing
• ETSI
  • Cybersecurity, Cloud Security, Privacy, Crypto mechanisms
• IEEE
  • Cloud Security, Information Assurance, storage, IoT
Collaboration with Groups outside JTC 1

• INTERPOL
• OASIS
• ISC2
• FIRST
• Opengroup
• ISACA
• ENISA
• Amex
• MasterCard
• VISA
• Article 29 Data Protection Working Party
Summary

• JTC 1 sees Security and Privacy as a key topic in all technology areas
• JTC 1 Security and Privacy collaborates with many Industry Organizations through close liaison relationships
• Security and privacy crosses many technology areas

For Additional Information
JTC 1/SC 17 Cards and personal Identification

Standardization in the area of:

Identification and related documents,
Cards and devices associated with their use in inter-industry applications and International interchange
SC17 Structure

SC17
Chair: Mr Richard A. Mabbott,
Secretariat: Ms Shanti Conn (BSI)

• WG 1 (Physical characteristics and test methods for ID-cards), Convenor: Mr. Uwe Truggelmann
• WG 3 (Identification cards - Machine readable travel documents), Convenor: Mr. Tom Kinneging
• WG 4 (Integrated circuit card with contacts), Convenor: Mr. Jean-Yves Duveau
• WG 5 (Registration Management Group (RMG)), Convenor: Mr. Michael Hegenbarth
• WG 8 (Contactless integrated circuit cards), Convenor: Mr. Patrick Macy
• WG 9 (Optical memory cards and devices), Convenor: Mr. Ron Field
• WG 10 (Motor Vehicle driver licence and related documents), Convenor: Ms. Loffie Jordaan
• WG 11 (Application of biometrics to cards and personal identification), Convenor: Lin Yih

SC 37 Biometrics

Standardization of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks; biometric application programming interfaces; biometric data interchange formats; related biometric profiles; application of evaluation criteria to biometric technologies; methodologies for performance testing and reporting; and cross-jurisdictional and societal aspects.

SC37 Structure

SC37
Chair: Mr Fernando Podio,
Secretariat: Ms. Michaela Miller (ANSI)

• WG 1 (Harmonized biometric vocabulary)
• WG 2 (Biometric technical interfaces)
• WG 3 (Biometric data interchange formats)
• WG 4 (Technical Implementation of biometric systems)
• WG 5 (Biometric testing and reporting)
• WG 6 (Cross-jurisdictional and societal aspects of biometrics)
• Special Group on Strategy

SC 27 Mission
SC 27 is an internationally recognized centre of information and IT security standards expertise serving the needs of business sectors as well as governments. Its work covers the development of standards for the protection of information and ICT. This includes requirements, methods, techniques and guidelines to address aspects of both security and privacy in regard to:
• Information security management systems (ISMS)
• Cryptographic and security mechanisms
• Security evaluation, testing and specification
• Security controls and services
• Identity management and privacy technologies

Take a look at the SC 27 site for further information

http://www.jtc1sc27.din.de/en

SC 27 Structure

SC 27
Chair: Dr. Walter Fumy, Vice-chair: Dr. Marijke De Soete,
Secretariat: Krystyna Passia (DIN)

• WG 1 (Information security management systems), Convenor: Prof. Edward Humphreys, Vice-convenor: Dale Johnstone
• WG 2 (Cryptography and security mechanisms), Convenor: Takeshi Chikazawa, Vice-convenors: Toshio Tatsuta, Naruki Kai
• WG 3 (Security Evaluation, Testing and Specification), Convenor: Miguel Bañón
• WG 4 (Security controls and services), Convenor: Johann Amsenga, Vice-convenor: François Lorek
• WG 5 (Identity management and privacy technologies), Convenor: Prof. Dr. Kai Rannenberg, Vice-convenor: Dr. Jan Schallaböck
• SWG-M (Management), Convenor: Faud Khan, Vice-convenor: Anders Carlstedt
• SWG-T (Transversal Items), Convenor: Andreas Fuchsberger, Vice-convenor: Laura Lindsay

SC 27 Projects Facts & Figures

Projects
- Total no of projects: 210
- No of active projects: 74
- Current number of published standards: 136
Standing Documents (all freely available from the SC 27 site as given below)
- SD6 Glossary of IT Security terminology (http://www.jtc1sc27.din.de/sbe/SD6)
- SD7 Catalogue of SC 27 Projects and Standards (http://www.jtc1sc27.din.de/sbe/SD7)
- SD11 Overview of SC 27 (http://www.jtc1sc27.din.de/sbe/SD11)
- SD12 Assessment of cryptographic algorithms and key lengths (http://www.jtc1sc27.din.de/sbe/SD12)

SC 27 Members

P-members (voting)
Algeria, Argentina, Australia, Austria, Belgium, Brazil, Canada, China, Côte-d'Ivoire,
Cyprus, Czech Republic, Denmark, Finland, France, Germany, India, Ireland, Italy, Israel,
Jamaica, Japan, Kazakhstan, Kenya, Rep. of Korea, Luxembourg, Malaysia, Mauritius,
Mexico, Morocco, The Netherlands, New Zealand, Norway, Peru, Poland, Romania,
Russian Federation, Rwanda, Singapore, Slovakia, South Africa, Spain, Sri Lanka,
Sweden, Switzerland, Thailand, The Former Yugoslav Republic of Macedonia, Ukraine,
United Arab Emirates, United Kingdom, United States of America, Uruguay (Total: 51)

O-members (observing)
Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong,
Hungary, Iceland, Indonesia, Islamic Rep. of Iran, Lithuania, State of Palestine, Portugal,
Saudi Arabia, Serbia, Slovenia, State of Palestine, Swaziland, Turkey (Total: 20)
SC 27 Liaison Partners
Internal Liaisons within ISO

• ISO/CASCO
• ISO/JTCG Joint technical Coordination Group on MSS
• ISO/TC 46/SC 11 Information and documentation – Archives/Records
management
• ISO/TC 68/SC 2 Financial services -- Security
• ISO/TC 171 Document management applications
• ISO/TC 176/SC 3 - Quality management and quality assurance - Supporting
technologies
• ISO/TC 176/SC 3/WG 16 Quality management and quality assurance - Supporting
technologies - Joint WG with TC 207/SC2 for the revision of ISO 19011
• ISO/TC 204 Intelligent transport systems - WG 1 Architecture
• ISO/TC 208 Thermal turbines for industrial application (steam turbines, gas
expansion turbines)

SC 27 Liaison Partners

Internal Liaisons within ISO

• ISO/TC 215 Health informatics - WG 4 Security
• ISO/TC 251 Asset management
• ISO/TC 262 Risk management
• ISO/TC 292 Security and resilience

SC 27 Liaison Partners

Internal Liaisons within IEC

• IEC/TC 45/SC 45A Instrumentation, control and electrical systems of nuclear facilities
• IEC/TC 57 Power systems management and associated information exchange - WG 15 Data and communication security
• IEC/TC 65 Industrial-process measurement, control and automation – WG 10 Security for industrial process measurement and control – Network and system security
SC 27 Liaison Partners
Internal Liaisons within ISO/IEC JTC 1
• JTC 1 Ad Hoc on vocabulary
• JTC 1/WG 7 Sensor networks
• JTC 1/WG 8 Governance of IT
• JTC 1/WG 9 Big Data
• JTC 1/WG 10 Internet of Things (IoT)
• SC 6 Telecommunications and information exchange between systems
• SC 7 Software engineering
• SC 17/WG 3 Machine readable travel documents
• SC 17/WG 4 Integrated circuit cards with contacts
• SC 17/WG 11 Application of biometrics to cards and personal identification
• SC 22 Programming languages, their environments and system software interfaces
• SC 25 Interconnection of IT equipment
• SC 31/WG 4 Automatic identification and data capture techniques
• SC 36 Information technology for learning, education, and training
• SC 37 Biometrics
• SC 38 Distributed application platforms and services (DAPS)
• SC 40 IT service management and IT governance
SC 27 Liaison Partners
External CAT A Liaisons
• Cloud Computing Association (CSA)
• ECMA International
• European Network and Information Security Agency (ENISA)
• European Payment Council
• European Telecommunications Standards Institute (ETSI)
• ETSI Industry Specification Group (ISG) Information security indicators (ISI)
• ETSI TC Methods for Testing & Specification (ETSI TC MTS)
• Information Systems Audit and Control Association/IT Governance Institute (ISACA/ITGI)
• ITU-D Study Group 2 ICT applications, cybersecurity, emergency, telecommunications and climate-change adaption
• ITU-T Joint coordination activity on identity management (JCA-IdM)
• ITU-T Focus Group on aviation applications of cloud computing for flight data monitoring (FG AC)
• ITU-T Study Group 13 (ITU-T SG 13)
• ITU-T Study Group 17 (ITU-T SG 17)
• MasterCard
• VISA Europe
SC 27 Liaison Partners

External CAT C Liaisons

• ABC4Trust
• ARTICLE 29 Data Protection Working Party
• Cloud Standards Customer Council (CSCC)
• Common Criteria Development Board (CCDB)
• Consortium of Digital Forensic Specialists (CDFS)
• Cyber Security Naming and Information Structure Group Corporation
• ETSI Industry Specification Group (ISG) Information Security Indicators (ISI)
• EuroCloud
• European Data Centre Association (EUDCA)
• European Telecommunications Standards Institute (ETSI)
• Forum of Incident Response and Security Teams (FIRST)
• Future of Identity in the Information Society (FIDIS)
• Information Security Forum (ISF)
• Instituto Latinoamericano de Aseguramiento de la Calidad A. C. (INLAC) (The
SC 27 Liaison Partners

External CAT C Liaisons

• International Conference of Data Protection and Privacy Commissioners
• International Information Systems Security Certification Consortium, Inc. (ISC)2
• International Smart Card Certification Initiatives
• Interpol
• Kantara Initiative
• PRACTICE (FP7 Project: Privacy-preserving Computation in the Cloud)
• PRIPARE (FP7 Project)
• Privacy and Identity Management for Community Services (PICOS)
• Technology-supported Risk Estimation by Predictive Assessment of Sociotechnical Security (TREsPASS)
• The Open Group
• The OpenID Foundation
• Trusted Computing Group (TCG)

SC 27 Liaison Partners

External liaisons Under Vienna Agreement

• CEN/TC 224 Personal identification, electronic signature and cards and their related systems and operations
• CEN/TC 225 AIDC technologies
• CEN/TC 377 Air Traffic Management
• CEN/CENELEC/ETSI/SGCG Joint CEN, CENELEC and ETSI activities on standards for Smart Grid

SC 27 WG 1 Mission
Information Security Management Systems
The scope covers all aspects of standardisation related to information security management systems:

a) Management system requirements;
b) ISMS methods and processes, implementation guidance, codes of practice for information security controls;
c) Sector and application specific use of ISMS;
d) Accreditation, certification, auditing of ISMS;
e) Competence requirements for information security management system professionals;
f) Governance;
g) Information security economics.
WG 1 Products

ISO/IEC 27000, Overview and vocabulary. Status: 3rd ed. 2014, under revision (DIS).
Abstract: This International Standard describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions.

ISO/IEC 27001, Information security management systems – Requirements. Status: 2nd ed. 2013.
Abstract: This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's business activities and the risks it faces.

ISO/IEC 27002, Code of practice for information security controls. Status: 2nd ed. 2013.
Abstract: This International Standard offers a collection of commonly accepted information security control objectives and controls and includes guidelines for implementing these controls.

ISO/IEC 27003, Information security management system - guidance. Status: 1st ed. 2010, under revision (2nd CD).
Abstract: This International Standard provides further information about using the PDCA model and gives guidance addressing the requirements of the different stages of the PDCA process to establish, implement and operate, monitor and review, and improve the ISMS.

ISO/IEC 27004, Information security management – Monitoring, measurement, analysis and evaluation. Status: 1st ed. 2009, under revision (2nd CD).
Abstract: This International Standard provides guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management systems.
WG 1 Products

ISO/IEC 27005, Information security risk management. Status: 2nd ed. 2011, under revision (4th WD draft).
Abstract: This International Standard provides guidelines for information security risk management. This International Standard supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

ISO/IEC 27006, International accreditation guidelines for the accreditation of bodies operating certification / registration of information security management systems. Status: 2nd ed. 2011, under revision (FDIS).
Abstract: This International Standard specifies general requirements that a third-party body operating ISMS (in accordance with ISO/IEC 27001:2005) certification/registration has to meet, if it is to be recognized as competent and reliable in the operation of ISMS certification / registration. This International Standard follows the structure of ISO/IEC 17021 with the inclusion of additional ISMS-specific requirements and guidance on the application of ISO/IEC 17021 for ISMS certification.

ISO/IEC 27007, Guidelines for information security management systems auditing. Status: 1st ed. 2011, under revision (2nd WD draft).
Abstract: This International Standard provides guidance on conducting information security management system (ISMS) audits, as well as guidance on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. It is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

ISO/IEC TR 27008, Guidelines for auditors on ISMS controls. Status: 1st ed. 2012, under revision (2nd WD draft).
Abstract: This Technical Report provides guidance for assessing the implementation of ISMS controls selected through a risk-based approach for information security management. It supports the information security risk management process and assessment of ISMS controls by explaining the relationship between the ISMS and its supporting controls.
WG 1 Products

ISO/IEC 27009, Sector-specific application of ISO/IEC 27001 – Requirements. Status: Under development, DIS.
Abstract: This International Standard defines the requirements for the use of ISO/IEC 27001 for sector-specific applications. It explains how to include requirements additional to those in ISO/IEC 27001. This International Standard also explains how to include controls or control sets in addition to ISO/IEC 27001 Annex A. This International Standard also specifies principles on the refinement of ISO/IEC 27001 requirements. This International Standard prohibits requirements which are in conflict with ISO/IEC 27001 requirements.

ISO/IEC 27010, Information security management for inter-sector and inter-organisational communications. Status: 1st ed. 2012, under revision (DIS).
Abstract: This International Standard provides guidelines in addition to guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities. This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organisational and inter-sector communications.

ITU-T X.1051 | ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002. Status: 1st ed. 2008, under revision (DIS).
Abstract: This Recommendation | International Standard: a) establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in telecommunications organizations based on ISO/IEC 27002; b) provides an implementation baseline of Information Security Management within telecommunications organizations to ensure the confidentiality, integrity and availability of telecommunications facilities and services.
WG 1 Products

ISO/IEC 27013, Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1. Status: 1st ed. 2012, under revision (FDIS).
Abstract: This International Standard provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for those organizations which are intending to either: a. Implement ISO/IEC 27001 when ISO/IEC 20000-1 is already adopted, or vice versa; b. Implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or c. Align existing ISO/IEC 27001 and ISO/IEC 20000-1 management system (MS) implementations.

ITU-T X.1054 | ISO/IEC 27014, Governance of information security. Status: 1st ed. 2013.
Abstract: This International Standard provides guidance on the development and use of governance of information security (GIS) through which organisations direct and control the information security management system (ISMS) process as specified in ISO/IEC 27001. This International Standard provides guiding principles and processes for top management of organisations on the effective, efficient, and acceptable use of information security within their organisations.

ISO/IEC 27015, Information security management guidelines for financial services. Status: 1st ed. 2012.
Abstract: This International Standard provides requirements, guidelines and general principles for initiating, implementing, maintaining, and improving the information security management within finance and insurance sectors based upon ISO/IEC 27001 and ISO/IEC 27002.

ISO/IEC TR 27016, Information security management - Organisational economics. Status: 1st ed. 2013.
Abstract: This Technical Report provides guidelines on how an organization can make decisions to protect information and understand the economic consequences of these decisions in the context of competing requirements for resources.
WG 1 Products

ITU-T X.1631 | ISO/IEC 27017, Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002. Status: FDIS.
Abstract: This Technical Specification/International Standard is to define guidelines supporting the implementation of Information Security Management for the use of cloud service. The adoption of this Technical Specification/International Standard allows cloud consumers and providers to meet baseline information security management with the selection of appropriate controls and implementation guidance based on risk assessment for the use of cloud service.

ISO/IEC TR 27019, Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry. Status: 1st ed. 2013, under revision (WD).
Abstract: This Technical Report provides guidance for process control systems used by the energy utility industry for controlling and monitoring the generation, transmission, storage and distribution of electric power, gas and heat in combination with the control of supporting processes.

ISO/IEC 27021, Competence Requirements for information security Management Professionals. Status: Under development, 2nd WD.
WG 1 Future Considerations
Topics Status

Cloud and new data technologies risk management Study Period

Cloud security use cases and potential standardisation gaps Study Period

Information security code of practice for the aviation industry Study Period

Definition processes and governance Study Period

Future Version Development of ISO/IEC 27000 Study Period


SC 27 WG 2 Mission
Cryptography and Security Mechanisms
The Terms of Reference:
• Identify the need and requirements for these techniques and mechanisms in IT systems and applications; and
• Develop terminology, general models and standards for these techniques and mechanisms for use in security services.
The scope covers both cryptographic and non-cryptographic techniques and mechanisms including:
• Confidentiality;
• Entity authentication;
• Non-repudiation;
• Key management; and
• Data integrity such as
  • Message authentication,
  • Hash-functions, and
  • Digital signatures.
WG 2 Products

ISO/IEC 18033, Encryption algorithms
  Part 1: General (1st ed. 2005, under revision)
  Part 2: Asymmetric ciphers (1st ed. 2006)
  Part 3: Block ciphers (2nd ed. 2010)
  Part 4: Stream ciphers (2nd ed. 2011)
  Part 5: Identity-based ciphers (under development)
  Part 6: Homomorphic encryption (under development)
Abstract: ISO/IEC 18033 specifies asymmetric ciphers (including identity-based ciphers, homomorphic encryption) and symmetric ciphers (block ciphers and stream ciphers).

ISO/IEC 29192, Lightweight cryptography
  Part 1: General (1st ed. 2012)
  Part 2: Block ciphers (1st ed. 2012)
  Part 3: Stream ciphers (1st ed. 2012)
  Part 4: Mechanisms using asymmetric techniques (1st ed. 2013)
  Part 5: Hash-functions (under development)
Abstract: ISO/IEC 29192 specifies symmetric ciphers (block ciphers and stream ciphers), mechanisms using asymmetric techniques (authentication, key exchange and identity-based signature) and hash functions which are suitable for lightweight cryptographic applications.
WG 2 Products

ISO/IEC 29150, Signcryption. Status: 1st ed. 2011.
Abstract: ISO/IEC 29150 specifies mechanisms for signcryption that employ public key cryptographic techniques requiring both the originator and the recipient of protected data to have their own public and private key pairs.

ISO/IEC 19772, Authenticated encryption. Status: 1st ed. 2009.
Abstract: ISO/IEC 19772 specifies methods for authenticated encryption, i.e., defined ways of processing a data string for data confidentiality, data integrity and data origin authentication.

ISO/IEC 10116, Modes of operation for an n-bit block cipher algorithm. Status: 3rd ed. 2006, under revision.
Abstract: ISO/IEC 10116 specifies modes of operation for a block cipher algorithm, i.e., ECB, CBC, OFB, CFB and CTR.

ISO/IEC 10118, Hash-functions
  Part 1: General (2nd ed. 2000, under revision)
  Part 2: Hash-functions using an n-bit block cipher (3rd ed. 2010)
  Part 3: Dedicated hash-functions (3rd ed. 2006 (+Amd 1), under revision)
  Part 4: Hash-functions using modular arithmetic (1st ed. 1998)
Abstract: ISO/IEC 10118 specifies some kinds of hash-functions which map arbitrary strings of bits to a given range.

ISO/IEC 15946, Cryptographic techniques based on elliptic curves
  Part 1: General (2nd ed. 2008, under revision)
  Part 5: Elliptic curve generation (1st ed. 2009, under revision)
Abstract: ISO/IEC 15946 describes the mathematical background and general techniques in addition to the elliptic curve generation techniques.
WG 2 Products

ISO/IEC 9796, Digital signature schemes giving message recovery
  Part 2: Integer factorization based mechanisms (3rd ed. 2010)
  Part 3: Discrete logarithm based mechanisms (2nd ed. 2006)
Abstract: ISO/IEC 9796-2 specifies digital signature mechanisms giving partial or total message recovery aiming at reducing storage and transmission overhead.

ISO/IEC 14888, Digital signatures with appendix
  Part 1: General (2nd ed. 2008)
  Part 2: Integer factorization based mechanisms (2nd ed. 2008)
  Part 3: Discrete logarithm based mechanisms (2nd ed. 2006 (+Amd 1, 2), under revision)
Abstract: ISO/IEC 14888 specifies digital signature mechanisms with appendix.

ISO/IEC 20008, Anonymous digital signatures
  Part 1: General (1st ed. 2013)
  Part 2: Mechanisms using a group public key (1st ed. 2013)
Abstract: ISO/IEC 20008 specifies anonymous digital signature mechanisms, in which a verifier makes use of a group public key to verify a digital signature.

ISO/IEC 18370, Blind digital signatures
  Part 1: General (under development)
  Part 2: Discrete logarithm based mechanisms (under development)
Abstract: ISO/IEC 18370 specifies blind digital signature mechanisms which allow a recipient to obtain a signature without giving the signer any information about the actual message or resulting signature.
WG 2 Products

ISO/IEC 9798, Entity authentication
  Part 1: General (3rd ed. 2010)
  Part 2: Mechanisms using symmetric encipherment algorithms (3rd ed. 2008, under revision)
  Part 3: Mechanisms using digital signature techniques (2nd ed. 1998 (+Amd1), under revision)
  Part 4: Mechanisms using cryptographic check function (2nd ed. 1999)
  Part 5: Mechanisms using zero knowledge techniques (3rd ed. 2009)
  Part 6: Mechanisms using manual data transfer (2nd ed. 2010)
Abstract: ISO/IEC 9798 specifies several kinds of entity authentication mechanisms in which an entity to be authenticated proves its identity by showing its knowledge of a secret.

ISO/IEC 20009, Anonymous entity authentication
  Part 1: General (1st ed. 2013)
  Part 2: Mechanisms based on signatures using a group public key (1st ed. 2013)
  Part 3: Mechanisms based on blind signatures (under development)
  Part 4: Mechanisms based on weak secrets (under development)
Abstract: ISO/IEC 20009 specifies anonymous entity authentication mechanisms in which a verifier makes use of a group signature scheme to authenticate the entity with which it is communicating, without knowing this entity's identity, and mechanisms based on blind signatures and weak secrets.
WG 2 Products

ISO/IEC 9797, Message authentication codes (MACs)
  Part 1: Mechanisms using a block cipher (2nd ed. 2011)
  Part 2: Mechanisms using a dedicated hash-function (2nd ed. 2011)
  Part 3: Mechanisms using a universal hash-function (1st ed. 2011)
Abstract: ISO/IEC 9797 specifies message authentication code (MAC) algorithms, which are data integrity mechanisms that compute a short string.

ISO/IEC 7064, Check character systems. Status: 1st ed. 2003.
Abstract: ISO/IEC 7064 specifies a set of check character systems capable of protecting strings against errors.

ISO/IEC 11770, Key management
  Part 1: Framework (2nd ed. 2010)
  Part 2: Mechanisms using symmetric techniques (2nd ed. 2008)
  Part 3: Mechanisms using asymmetric techniques (2nd ed. 2008, under revision)
  Part 4: Mechanisms based on weak secrets (1st ed. 2006, under revision)
  Part 5: Group key management (1st ed. 2011)
  Part 6: Key derivation (under development)
Abstract: ISO/IEC 11770 describes general models on which key management mechanisms are based, defines the basic concepts of key management, and defines several kinds of key establishment mechanisms.
WG 2 Products

Standard | Title | Status
ISO/IEC 13888-1 | Non-repudiation – Part 1: General | 3rd ed. 2009
ISO/IEC 13888-2 | Part 2: Mechanisms using symmetric techniques | 2nd ed. 2010
ISO/IEC 13888-3 | Part 3: Mechanisms using asymmetric techniques | 2nd ed. 2009
Abstract: ISO/IEC 13888 specifies mechanisms for the provision of non-repudiation services. The goal of the non-repudiation service is to generate, collect, maintain, make available and validate evidence concerning a claimed event or action, to resolve disputes about the occurrence or non-occurrence of the event or action. The event or action can be the generation, sending, receipt, submission, or transport of a message.

ISO/IEC 18014-1 | Time-stamping services – Part 1: Framework | 2nd ed. 2008
ISO/IEC 18014-2 | Part 2: Mechanisms producing independent tokens | 2nd ed. 2009
ISO/IEC 18014-3 | Part 3: Mechanisms producing linked tokens | 2nd ed. 2009
ISO/IEC 18014-4 | Part 4: Traceability of time sources | 1st ed. 2015
Abstract: ISO/IEC 18014 defines time-stamping services that are provided using time-stamp tokens between the participating entities, in addition to the traceability of time sources.

ISO/IEC 18031 | Random bit generation | 2nd ed. 2011
Abstract: ISO/IEC 18031 specifies a conceptual model for a random bit generator for cryptographic purposes, together with the elements of this model.

ISO/IEC 18032 | Prime number generation | 1st ed. 2005; under revision
Abstract: ISO/IEC 18032 presents methods for generating prime numbers as required in cryptographic protocols and algorithms.
WG 2 Products

Standard | Title | Status
ISO/IEC 19592-1 | Secret sharing – Part 1: General | Under development
ISO/IEC 19592-2 | Part 2: Fundamental mechanisms | Under development
Abstract: ISO/IEC 19592 describes cryptographic secret sharing schemes and their properties.
WG 2 Future Considerations

Topic | Status
Review of UK proposal for a new mechanism in ISO/IEC 11770-3 | Study Period
Amendment to ISO/IEC 29192-2 | Study Period
Lightweight MACs | Study Period
Inclusion of Chinese SM2 and IBS schemes in ISO/IEC 14888-3 | Study Period
Quantum computing resistant cryptography | Study Period
Inclusion of SM3 in ISO/IEC 10118-3 | Study Period
Inclusion of FACE in ISO/IEC 18033-2 | Study Period
Mechanisms and properties for ISO/IEC 9798 and ISO/IEC 11770 | Study Period
Privacy-respecting identity management scheme using attribute-based credentials | Study Period (with WG 5)
SC 27 WG 3 Mission

Security Evaluation, Testing and Specification

The scope covers aspects related to security engineering, with particular emphasis on, but not limited to, standards for IT security specification, evaluation, testing and certification of IT systems, components, and products. The following aspects may be distinguished:

a) security evaluation criteria;
b) methodology for application of the criteria;
c) security functional and assurance specification of IT systems, components and products;
d) testing methodology for determination of security functional and assurance conformance;
e) administrative procedures for testing, evaluation, certification, and accreditation schemes.
WG 3 Products

Standard | Title | Status
ISO/IEC 15408 | Evaluation criteria for IT security | 3rd Ed
Abstract: ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of ISO/IEC 15408, which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.

ISO/IEC TR 15443 | A framework for IT security assurance | 2nd ed.
Abstract: ISO/IEC TR 15443 guides the IT security professional in the selection of an appropriate assurance method when specifying, selecting, or deploying a security service, product, or environmental factor such as an organization or personnel.

ISO/IEC TR 15446 | Guide for the production of Protection Profiles and Security Targets | 1st WD; under revision
Abstract: ISO/IEC TR 15446:2009 provides guidance relating to the construction of Protection Profiles (PPs) and Security Targets (STs) that are intended to be compliant with the third edition of ISO/IEC 15408.

ISO/IEC 17825 | Testing methods for the mitigation of non-invasive attack classes against cryptographic modules | Pending publication
Abstract: This International Standard specifies the non-invasive attack mitigation test metrics for determining conformance to the requirements specified in ISO/IEC 19790:2012 for Security Levels 3 and 4.

ISO/IEC 18045 | Methodology for IT security evaluation | 2nd ed.
Abstract: ISO/IEC 18045:2008 defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408.
WG 3 Products

Standard | Title | Status
ISO/IEC 18367 | Cryptographic algorithms and security mechanisms conformance testing | 1st DIS
Abstract: The purpose of this standard is to address conformance testing methods of cryptographic algorithms and security mechanisms implemented in a cryptographic module.

ISO/IEC 19249 | Catalogue of Architectural and Design Principles for Secure Products, Systems, and Applications | 1st PDTR
Abstract: This Technical Report (TR) provides a catalogue with guidelines for architectural and design principles for the development of secure products, systems, and applications. Applying those principles should result in more secure products, systems, and applications.

ISO/IEC 19608 | Guidance for developing security and privacy functional requirements based on ISO/IEC 15408 | 3rd WD
Abstract: This TR provides guidance for developing privacy functional requirements as extended components based on the privacy principles defined in ISO/IEC 29100, through the paradigm described in ISO/IEC 15408-2.

ISO/IEC 19790 | Security requirements for cryptographic modules | 2nd ed.; pending corrected reprint
Abstract: ISO/IEC 19790:2012 specifies the security requirements for a cryptographic module utilised within a security system protecting sensitive information in computer and telecommunication systems.

ISO/IEC TR 19791 | Security assessment of operational systems | 2nd ed.
Abstract: ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems.
WG 3 Products

Standard | Title | Status
ISO/IEC 19792 | Security evaluation of biometrics | 1st Ed
Abstract: ISO/IEC 19792:2009 specifies the subjects to be addressed during a security evaluation of a biometric system.

ISO/IEC 19896 | Competence requirements for information security testers and evaluators | 2nd WD
Abstract: The objective of ISO/IEC 19896 is to provide the fundamental concepts related to the competence of the individuals responsible for performing IT product evaluations and conformance testing, and to provide the specialised requirements to support the competence of individuals in performing IT product evaluation and conformance testing using established standards.

ISO/IEC 19989 | Security evaluation of presentation attack detection for biometrics | 2nd WD
Abstract: For security evaluation of presentation attack detection for biometrics, this International Standard specifies extended security functional components, extended security assurance components, and complements to the methodology specified in ISO/IEC 18045.

ISO/IEC TR 20004 | Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045 | 2nd Ed; pending publication
Abstract: This Technical Report refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008(E) and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation.

ISO/IEC 20085 | Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules | 2nd WD
Abstract: This standard aims at specifying what a non-invasive attack test tool is, and how to operate it. The purpose is the collection of non-invasive signals, which attest to the security of the implementation under test (IUT).
WG 3 Products

Standard | Title | Status
ISO/IEC TR 20540 | Guidelines for testing cryptographic modules in their operational environment | 1st WD
Abstract: This Technical Report provides guidelines to audit that a cryptographic module, or an integration of cryptographic modules, is installed, configured or operated safely by using the result which the approved authority. It is related to ISO/IEC 19790 and ISO/IEC 24759, which provide security requirements and test requirements for cryptographic modules.

ISO/IEC 20543 | Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408 | 1st WD
Abstract: This standard defines evaluation methods and test requirements to perform evaluation and testing of the different types of RBGs defined in ISO/IEC 18031. It complements the existing set of ISO/IEC standards covering cryptographic algorithm and security mechanism testing.

ISO/IEC 21827 | Systems Security Engineering -- Capability Maturity Model® (SSE-CMM®) | 2nd ed
Abstract: ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering.

ISO/IEC 24759 | Test requirements for cryptographic modules | 2nd ed; pending corrected reprint
Abstract: ISO/IEC 24759:2014 specifies the methods to be used by testing laboratories to test whether a cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012.

ISO/IEC 29128 | Verification of cryptographic protocols | 1st ed
Abstract: ISO/IEC 29128:2011 establishes a technical base for the security proof of the specification of cryptographic protocols.

ISO/IEC 29147 | Vulnerability Disclosure | 1st WD; under revision
Abstract: ISO/IEC 29147:2014 gives guidelines for the disclosure of potential vulnerabilities in products and online services.
WG 3 Products

Standard | Title | Status
ISO/IEC TS 30104 | Physical security attacks, mitigation techniques and security requirements | 1st Ed; pending publication
Abstract: This Technical Report addresses how security assurance can be stated for products where the risk of the security environment requires the support of physical protection mechanisms.

ISO/IEC 30111 | Vulnerability handling processes | 1st Ed. 2013; under revision
Abstract: ISO/IEC 30111:2013 gives guidelines for how to process and resolve potential vulnerability information in a product or online service. It is applicable to vendors involved in handling vulnerabilities.
SC 27 WG 4 Mission

Security controls and services
• International Standards and related documents for information security in the area of Security Controls and Services.
• Assist organizations in the implementation of the Information Security Management Systems (ISMS) standards.
• Address existing and emerging information security issues and needs, and other security aspects that have resulted from the proliferation and use of ICT and Internet related technology in organizations.

Domains
• Security incidents: detection, investigation, management, recovery
• System and system life cycle security
• Acquisition and supply
• Security related to storage
• Security related to processing
• Security related to communication
WG 4 Products

Standard | Title | Status
ITU-T X.842 (ISO/IEC TR 14516) | Guidelines for the use and management of Trusted Third Party services | 1st Ed. 2002; under revision
Abstract: Provides guidance for the use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services.

ITU-T X.841 (ISO/IEC 15816) | Security information objects for access control | 1st ed. 2002
Abstract: Provides object definitions that are commonly needed in security standards, to avoid multiple and different definitions of the same functionality.

ITU-T X.843 (ISO/IEC 15945) | Specification of TTP services to support the application of digital signatures | 1st ed. 2002
Abstract: Defines the services required to support the application of digital signatures for non-repudiation of creation of a document.

ISO/IEC 27031 | Guidelines for ICT readiness for business continuity | 1st ed. 2011
Abstract: Describes the concepts and principles of ICT readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects for improving an organization's ICT readiness to ensure business continuity.

ISO/IEC 27032 | Guidelines for cybersecurity | 1st ed. 2012
Abstract: Provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains. It covers the baseline security practices for stakeholders in the Cyberspace.
WG 4 Products

Standard | Title | Status
ISO/IEC 27035 | Information security incident management | 1st Ed. 2011 (under revision)
Abstract: Provides a structured and planned approach to detect, report and assess information security incidents; respond to and manage information security incidents; detect, assess and manage information security vulnerabilities; and continuously improve information security and incident management.

ISO/IEC 27037 | Guidelines for the identification, collection, acquisition and preservation of digital evidence | 1st ed. 2012
Abstract: Guidelines for specific activities in the handling of digital evidence that can be of evidential value. It provides guidance to individuals with respect to common situations encountered throughout the digital evidence handling process, and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

ISO/IEC 27038 | Specification for digital redaction | 1st Ed. 2014
Abstract: Specifies characteristics of techniques for performing digital redaction on digital documents. It also specifies requirements for software redaction tools and methods of testing that digital redaction has been securely completed.

ISO/IEC 27039 | Selection, deployment and operation of intrusion detection and prevention systems (IDPS) | 1st ed. 2015
Abstract: Provides guidelines to assist organizations in preparing to deploy Intrusion Detection and Prevention Systems (IDPS). In particular, it addresses the selection, deployment and operation of IDPS.

ISO/IEC 27040 | Storage security | 1st ed. 2015
Abstract: Provides detailed technical guidance on how organizations may define an appropriate level of risk mitigation by employing a well-proven and consistent approach to the planning, design, documentation and implementation of data storage security.
WG 4 Products

Standard | Title | Status
ISO/IEC 27033-1 | Network Security – Part 1: Overview and concepts | 1st Ed. 2009 (under revision)
Abstract: Provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. Overall, it provides an overview of the ISO/IEC 27033 series and a "road map" to all other parts.

ISO/IEC 27033-2 | Network Security – Part 2: Guidelines for the design and implementation of network security | 1st ed. 2012
Abstract: Provides guidelines for organizations to plan, design, implement and document network security.

ISO/IEC 27033-3 | Network Security – Part 3: Reference networking scenarios – Risks, design techniques and control issues | 1st ed. 2010
Abstract: Describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks.

ISO/IEC 27033-4 | Network security – Part 4: Securing communications between networks using security gateways | 1st ed. 2014
Abstract: Gives guidance for securing communications between networks using security gateways, in accordance with a documented information security policy of the security gateways.

ISO/IEC 27033-5 | Network security – Part 5: Securing communications across networks using Virtual Private Networks (VPNs) | 1st ed. 2013
Abstract: Gives guidelines for the selection, implementation and monitoring of the technical controls necessary to provide network security using VPN connections to interconnect networks and to connect remote users to networks.
WG 4 Products

Standard | Title | Status
ISO/IEC 27034-1 | Application security – Part 1: Overview and concepts | 1st Ed. 2011; Cor. 1 2014
Abstract: ISO/IEC 27034 provides guidance to assist organizations in integrating security into the processes used for managing their applications. This International Standard presents an overview of application security. It introduces definitions, concepts, principles and processes involved in application security.

ISO/IEC 27036-1 | Information security for supplier relationships – Part 1: Overview and concepts | 1st ed. 2014
Abstract: Provides an overview of the guidance intended to assist organizations in securing their information and information systems within the context of supplier relationships. It addresses the perspectives of both acquirers and suppliers.

ISO/IEC 27036-2 | Information security for supplier relationships – Part 2: Requirements | 1st ed. 2014
Abstract: Specifies fundamental information security requirements for defining, implementing, operating, monitoring, reviewing, maintaining and improving supplier and acquirer relationships.

ISO/IEC 27036-3 | Information security for supplier relationships – Part 3: Guidelines for ICT supply chain security | 1st ed. 2013
Abstract: Provides product and service acquirers and suppliers in the ICT supply chain with guidance.
WG 4 Products

Standard | Title | Status
ISO/IEC 27041 | Guidance on assuring suitability and adequacy of incident investigative methods | 1st Ed. 2015
Abstract: Provides guidance on mechanisms for ensuring that methods and processes used in the investigation of Information Security Incidents are "fit for purpose".

ISO/IEC 27042 | Guidelines for the analysis and interpretation of digital evidence | 1st ed. 2015
Abstract: Provides guidance on the analysis and interpretation of digital evidence in a manner which addresses issues of continuity, validity, reproducibility and repeatability.

ISO/IEC 27043 | Incident investigation principles and processes | 1st ed. 2015
Abstract: Provides guidelines that encapsulate idealized models for common incident investigation processes across various incident investigation scenarios involving digital evidence.

ISO/IEC TR 29149 | Best practice on the provision and use of time-stamping services | 1st ed. 2012
Abstract: This Technical Report explains how to provide and use time-stamping services so that time-stamp tokens are effective when used to provide timeliness and data integrity services, or non-repudiation services (in conjunction with other mechanisms). It covers time-stamp services, explaining how to generate, renew, and verify time-stamp tokens.
WG 4 Projects

Standard | Title | Status
ISO/IEC TR 14516-1 | Guidelines for the use and management of electronic trust service providers – Part 1: Overview and concepts | 3rd WD
Abstract: Provides guidance for the use and management of TSPs, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TSPs and entities using their services.

ISO/IEC TR 14516-2 | Guidelines for the use and management of electronic trust service providers – Part 2: Guidelines on information security for CA trust service providers | 3rd WD
Abstract: Provides guidelines, in addition to the guidance given in the ISMS family of standards, for initiating, implementing, maintaining, and improving information security in a Trust Service Provider (TSP, as defined in Part 1) maintaining a Public Key Infrastructure (PKI).

ISO/IEC TR 14516-3 | Guidelines for the use and management of electronic trust service providers – Part 3: Guidelines on information security for PKI trust service providers | 2nd WD
Abstract: To be elaborated.

ISO/IEC 27033-1 | Network security – Part 1: Overview and concepts | Pending publication
Abstract: Provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security.

ISO/IEC 27033-6 | Network security – Part 6: Securing wireless IP network access | DIS
Abstract: Describes the threats, security requirements, security controls and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks.
WG 4 Projects

Standard | Title | Status
ISO/IEC 27034-2 | Application security – Part 2: Organization normative framework | FDIS
Abstract: Provides a detailed description of the Organization Normative Framework and provides guidance to organizations for its implementation.

ISO/IEC 27034-3 | Application security – Part 3: Application security management process | 1st CD
Abstract: Provides a detailed description and implementation guidance for the Application Security Management Process.

ISO/IEC 27034-4 | Application security – Part 4: Application security validation | 1st WD
Abstract: Provides a detailed description of an Application security validation process used to audit and verify Application Security.

ISO/IEC 27034-5 | Application security – Part 5: Protocols and application security control data structure | 3rd CD
Abstract: Documents and explains the minimal set of essential attributes of Application Security Controls (ASCs) and details the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM).

ISO/IEC TS 27034-5-1 | Application security – Part 5-1: Protocols and application security control data structure – XML Schemas | 1st PDTS
Abstract: Defines XML Schemas that implement the minimal set of information requirements and essential attributes of Application Security Controls (ASCs) and the activities and roles of the Application Security Life Cycle Reference Model (ASLCRM) from Part 5.

ISO/IEC 27034-6 | Application security – Part 6: Case studies | DIS
Abstract: Provides usage examples of Application Security Controls (ASCs) for specific applications.

ISO/IEC 27034-7 | Application security – Part 7: Application security assurance prediction | 1st CD
Abstract: Provides the criteria and guidance for the extension of security attributes in one application to a different but related application. Additionally, the prediction will state the conditions under which the prediction is valid and invalid.
WG 4 Projects

Standard | Title | Status
ISO/IEC 27035-1 | Information security incident management – Part 1: Principles of incident management | DIS
Abstract: Presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.

ISO/IEC 27035-2 | Information security incident management – Part 2: Guidelines to plan and prepare for incident response | DIS
Abstract: Describes how to plan and prepare for incident response. This part covers the "Plan and Prepare" and "Lessons Learnt" phases of the model presented in Part 1.

ISO/IEC TS 27035-3 | Information security incident management – Part 3: Guidelines for incident response operations | 1st PDTS
Abstract: Includes staff responsibilities and operational incident response activities across the organization. Particular focus is given to the incident response team activities, including monitoring, detection, analysis, and response activities for the collected data or security events.

ISO/IEC 27036-4 | Information security for supplier relationships – Part 4: Guidelines for security of cloud services | 2nd CD
Abstract: Defines guidelines supporting the implementation of Information Security Management for the use of cloud services.

ISO/IEC 19086-4 | Cloud computing – Service level agreement (SLA) framework – Part 4: Security and privacy | 1st WD
Abstract: Specifies the Security and Privacy aspects of Service Level Agreements (SLA) for cloud services, including requirements and guidance.
WG 4 Projects

Standard | Title | Status
ISO/IEC 27050-1 | Electronic discovery – Part 1: Overview and concepts | 3rd CD
Abstract: Provides an overview of electronic discovery. In addition, it defines related definitions and describes the concepts, including, but not limited to, identification, preservation, collection, processing, review, analysis, and production of Electronically Stored Information (ESI).

ISO/IEC 27050-2 | Electronic discovery – Part 2: Guidance for governance and management of electronic discovery | 4th WD
Abstract: Provides guidance for technical and non-technical personnel at senior levels within an organization, including those with responsibility for compliance with regulatory requirements, industry standards and, in some jurisdictions, legal requirements.

ISO/IEC 27050-3 | Electronic discovery – Part 3: Code of Practice for electronic discovery | 4th WD
Abstract: Provides requirements and guidance on activities in electronic discovery, including, but not limited to, identification, preservation, collection, processing, review, analysis, and production of Electronically Stored Information (ESI).

ISO/IEC 27050-4 | Electronic discovery – Part 4: ICT readiness for electronic discovery | 4th WD
Abstract: Provides guidance on the ways an organization can plan and prepare for, and implement, electronic discovery from the perspective of both technology and processes.
WG 4 Future Considerations

Topic | Status
Security information and event management (SIEM) realignment with current developments and processes | Study period
Virtualization security | Study period
Cloud and new data-related technologies risk management | Study period
SC 27 WG 5 Mission

Identity Management & Privacy Technologies

Development and maintenance of standards and guidelines addressing security aspects of
• Identity management
• Biometrics, and
• Privacy
WG 5 Products

Standard | Title | Status
ISO/IEC 24761 | Authentication context for biometrics | 1st ed. 2009; Cor.1: 2013-03-01; under revision (WD)
Abstract: ISO/IEC 24761 specifies the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site. It allows any ACBio instance to accompany any data item that is involved in any biometric process related to verification and enrolment. The specification of ACBio is applicable not only to single modal biometric verification but also to multimodal fusion. ISO/IEC 24761 also specifies the cryptographic syntax of an ACBio instance based on an abstract Cryptographic Message Syntax (CMS) schema.

ISO/IEC 24745 | Biometric information protection | 1st ed. 2011
Abstract: ISO/IEC 24745 provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, it provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. It does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.
WG 5 Products

Standard | Title | Status
ISO/IEC 24760-1 | A framework for identity management – Part 1: Terminology and concepts | 1st ed. 2011; freely available via http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Abstract: ISO/IEC 24760-1
• defines terms for identity management, and
• specifies core concepts of identity and identity management and their relationships.
To address the need to efficiently and effectively implement systems that make identity-based decisions, ISO/IEC 24760 specifies a framework for the issuance, administration, and use of data that serves to characterize individuals, organizations or information technology components which operate on behalf of individuals or organizations. ISO/IEC 24760 specifies fundamental concepts and operational structures of identity management with the purpose to realize information system management so that information systems can meet business, contractual, regulatory and legal obligations. ISO/IEC 24760-1 specifies the terminology and concepts for identity management, to promote a common understanding in the field of identity management. It also provides a bibliography of documents related to standardization of various aspects of identity management.

ISO/IEC 24760-2 | A framework for identity management – Part 2: Reference architecture and requirements | 1st ed. 2015
Abstract: ISO/IEC 24760-2
• provides guidelines for the implementation of systems for the management of identity information, and
• specifies requirements for the implementation and operation of a framework for identity management.
ISO/IEC 24760-2 is applicable to any information system where information relating to identity is processed or stored.
WG 5 Products

Standard | Title | Status
ISO/IEC 29100 | Privacy framework | 1st ed. 2011; freely available via http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
Abstract: ISO/IEC 29100 provides a privacy framework which
• specifies a common privacy terminology;
• defines the actors and their roles in processing personally identifiable information (PII);
• describes privacy safeguarding considerations; and
• provides references to known privacy principles for IT.
ISO/IEC 29100 is applicable to natural persons and organizations involved in specifying, procuring, architecting, designing, developing, testing, maintaining, administering, and operating information and communication technology systems or services where privacy controls are required for the processing of PII.

ISO/IEC 29191 | Requirements for partially anonymous, partially unlinkable authentication | 1st ed. 2012
Abstract: ISO/IEC 29191 provides a framework and establishes requirements for partially anonymous, partially unlinkable authentication. The term 'partially anonymous, partially unlinkable' means that an a priori designated opener, and that designated opener only, can identify the authenticated entity.

ISO/IEC 29115 | Entity authentication assurance framework | 1st ed. 2013
Abstract: ISO/IEC 29115 provides a framework for managing entity authentication assurance in a given context. In particular, it:
• specifies 4 levels of entity authentication assurance (LoA);
• specifies criteria and guidelines for achieving these 4 levels;
• provides guidance for mapping other authentication assurance schemes to the 4 LoAs and for exchanging the results of authentication that are based on the 4 LoAs; and
• provides guidance on mitigating authentication threats.
WG 5 Products

Standard | Title | Status
ISO/IEC 27018 | Code of practice for PII protection in public clouds acting as PII processors | 1st ed. 2014
Abstract: ISO/IEC 27018 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services. ISO/IEC 27018 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations. The guidelines in ISO/IEC 27018 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations not applying to PII processors. ISO/IEC 27018 is not intended to cover such additional obligations.
WG 5 Products

Project | Title | Status
Standing Document 1 | WG 5 Roadmap |
Standing Document 2 | Privacy references list | Freely available via www.JTC1SC27.din.de/en
Standing Document 4 | Standards privacy assessment | Freely available via www.JTC1SC27.din.de/en
Standing Document 5 | Guidelines on the application of ISMS in the area of privacy |
WG 5 Projects

Project | Title | Status
ISO/IEC 29190 | Privacy capability assessment model | FDIS approved
ISO/IEC 24760-3 | A framework for identity management – Part 3: Practice | 1st DIS
ISO/IEC 29146 | A framework for access management | 1st DIS
ITU-T X.1085 (ISO/IEC 17922) | Telebiometric authentication framework using biometric hardware security module | 3rd CD
ISO/IEC 29003 | Identity proofing | 6th WD
ISO/IEC 29134 | Privacy impact assessment – Guidelines | 6th WD
ITU-T X.gpim (ISO/IEC 29151) | Code of practice for personally identifiable information protection | 5th WD
NWIP | Privacy enhancing data de-identification techniques | NWIP
Study Period | A privacy-respecting identity management scheme using attribute-based credentials | Extended
Study Period | Privacy engineering framework | Starting
Study Period | On the adoption and usage of ISO/IEC 29115 and its interaction with ISO/IEC 29003 | Starting
Study Period | Anonymous attribute assurance | Starting
Contact Point for SC 27

For further information contact the ISO/IEC JTC 1/SC 27 Secretariat:

[email protected]