JTC1/SC27

Structure

JTC 1/SC 27 Chairman: DIN, Germany, Andreas Wolf (1st three-year term, January 2019 - January 2022)
JTC 1/SC 27 Vice-chair: ANSI, United States, Laura Lindsay (1st three-year term, April 2019 - April 2022)
JTC 1/SC 27 Communications Officer: BSI, United Kingdom, Edward Humphreys
JTC 1/SC 27 Committee Manager: DIN, Germany, Krystyna Passia
JTC 1/SC 27 Secretariat: DIN, Germany

Current activities of SC 27 are divided into five Working Groups:

  • Working Group 1: Information Security Management Systems
  • Working Group 2: Cryptography and Security Mechanisms
  • Working Group 3: Security Evaluation, Testing and Specification
  • Working Group 4: Security Controls and Services
  • Working Group 5: Identity Management and Privacy Technologies
  • SC 27 Management Advisory Group (MAG)
  • Special Working Group on Transversal Items (SWG-T)
  • Study Group on Data Security
  • Study Group on Trustworthiness
  • Study Group on Concepts and Terminology (SG-CT)


To obtain the International Standards developed by JTC 1/SC 27 or further information, please contact your National Body of ISO/IEC JTC 1/SC 27.

--------------------------------------------------------------------------------

ISO/IEC JTC1/SC 27/WG 1

Information Security Management Systems

Convener: Edward Humphreys, BSI, United Kingdom
(10th three-year term, April 2018 - April 2021)

Vice-Convener: Pablo Corona, DGN, Mexico
(1st three-year term, April 2018 - April 2021)


The Terms of Reference of this working group are:

The scope of WG 1 covers the development of ISMS (Information Security Management System) standards and guidelines (see SC 27 N5114). This includes:

  1. Development and maintenance of the ISO/IEC 27000 ISMS standards family
  2. Identification of requirements for future ISMS standards and guidelines
  3. On-going maintenance of WG1 standing document SD WG 1/1 (WG 1 Roadmap)
  4. Collaboration with other Working Groups in SC 27, in particular with WG 4 on standards addressing the implementation of control objectives and controls as defined in ISO/IEC 27001.


Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for ISMS, for example:

  • ITU-T Telecoms
  • ISO/TC 215 Healthcare
  • ISO/TC 68 Banking
  • ISO/TC 204 Intelligent transport systems
  • ISO/TC 223 Civil defense
  • ISSEA
  • Aerospace
  • Automotive industry
  • Standards bodies, such as IETF, IEEE
  • International institutions, e.g. OECD, APEC, EU
  • IAF and CASCO, and other relevant groups regarding the development of accreditation and certification standards and guidelines

--------------------------------------------------------------------------------

ISO/IEC JTC1/SC 27/WG 2

Cryptography and Security Mechanisms

Convener: Takeshi Chikazawa, JISC, Japan
(4th three-year term, April 2019 - April 2022)

Vice-Convener: Hirotaka Yoshida, JISC, Japan
(1st three-year term, April 2019 - April 2022)


The terms of reference of this working group are:

WG 2 provides a center of expertise for the standardization of IT Security techniques and mechanisms within JTC 1.
Terms of Reference:

  • identify the need and requirements for these techniques and mechanisms in IT systems and applications;
  • develop terminology, general models and standards for these techniques and mechanisms for use in security services.


The scope covers both cryptographic and non-cryptographic techniques and mechanisms including:

  • confidentiality;
  • entity authentication;
  • non-repudiation;
  • key management;
  • data integrity, such as:
    • message authentication;
    • hash-functions;
    • digital signatures.

The mechanisms in general include several options with respect to the techniques used including symmetric cryptographic, asymmetric cryptographic and non-cryptographic.

--------------------------------------------------------------------------------

ISO/IEC JTC 1/SC 27/WG 3

Security Evaluation, Testing and Specification

Convener: Miguel Bañón, UNE, Spain
(4th three-year term, April 2018 - April 2021)

Vice-Convener: Naruki Kai, JISC, Japan
(3rd three-year term, April 2019 - April 2022)


The terms of reference of this working group are:

The scope covers aspects related to security engineering, with particular emphasis on, but not limited to standards for IT security specification, evaluation, testing and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, biometrics, etc.
The following aspects may be distinguished:

  • security evaluation criteria;
  • methodology for application of the criteria;
  • security functional and assurance specification of IT systems, components and products;
  • testing methodology for determination of security functional and assurance conformance;
  • administrative procedures for testing, evaluation, certification, and accreditation schemes.


This work will reflect the needs of relevant sectors in society, as represented through ISO/IEC National Bodies and other organizations in liaison, expressed in standards for security functionality and assurance.
Account will be taken of related ISO/IEC and ISO standards for quality management and testing so as not to duplicate these efforts.

--------------------------------------------------------------------------------

ISO/IEC JTC 1/SC 27/WG 4

Security Controls and Services

Convener: Johann Amsenga, ILNAS, Luxembourg
(3rd term of office April 2018 - April 2021)

Vice-Convener: François Lorek, AFNOR, France
(2nd term of office April 2018 - April 2021)


The terms of reference of this working group are:

The scope of WG 4 covers the development and maintenance of standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27001. This includes:

1. Current SC 27 projects:

  • IT Network security (ISO/IEC 27033)
  • Information security incident management (ISO/IEC 27035)
  • Selection, deployment and operation of Intrusion Detection Systems (IDS) (ISO/IEC 27039)
  • Guidelines on use and management of Trusted Third Party services (ITU-T X.842 | ISO/IEC TR 14516)
  • Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
  • Security information objects for access control (ITU-T X.841 | ISO/IEC 15816)


2. Identification of requirements for and development of future service and applications standards and guidelines, for example in the areas of

  • Business Continuity
  • Cyber Security
  • Outsourcing


3. On-going maintenance of WG4 standing document SD WG 4/1 (WG 4 Road Map)

4. Collaboration with other Working Groups in SC 27, in particular with WG1 on ISMS standards and guidelines

5. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications, for example:

  • ITU-T Telecoms
  • ISO/TC 215 Health informatics
  • ISO/TC 68 Banking
  • ISSEA
  • Aerospace
  • Automotive industry
  • Standards bodies, such as IETF, IEEE
  • International institutions, e.g. OECD, APEC, EU
  • IAF and CASCO, and other relevant groups regarding the development of accreditation and certification standards and guidelines


--------------------------------------------------------------------------------

ISO/IEC JTC 1/SC 27/WG 5

Identity Management and Privacy Technologies

Convener: Kai Rannenberg, DIN, Germany
(5th three-year term, April 2019 - April 2022)

Vice-Convener: Jan Schallaböck, DIN, Germany
(4th three-year term, April 2019 - April 2022)


The terms of reference of this working group are:

The scope of SC 27/WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data.
This includes:

1. Current SC 27 projects:

  • Framework for Identity Management (ISO/IEC 24760)
  • Biometric template protection (ISO/IEC 24745)
  • Authentication context for biometrics (ISO/IEC 24761)

2. Identification of requirements for and development of future standards and guidelines in these areas. For example in the area of Identity Management, topics such as

  • Role based access control
  • Provisioning
  • Identifiers
  • Single sign-on

In the area of Privacy, topics such as

  • A Privacy Framework
  • A Privacy Reference Architecture
  • Privacy infrastructures
  • Anonymity and credentials
  • Specific Privacy Enhancing Technologies (PETs)
  • Privacy Engineering


In the area of Biometrics, topics such as

  • Protection of biometric data
  • Authentication techniques

3. Collaboration with other Working Groups in SC 27, e.g., WG 1 on management aspects, WG 2 on specific cryptographic techniques and WG 3 on evaluation aspects.

4. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications in this area, for example:

  • ISO/IEC SC 37 Biometrics
  • ECRYPT
  • ISO/TC68/SC2 Financial Services Security
  • ISO/TC68/SC6/WG10 Financial Services-Retail Financial Services-Privacy
  • ITU-T SG17 Security, languages and telecommunication software
  • Future of Identity in the Information Society (FIDIS)
  • The International Conference of Data Protection and Privacy Commissioners
  • The Open Group (IdM Forum and Jericho Forum)


--------------------------------------------------------------------------------

SC 27 Management Advisory Group (MAG)

Convenor: Jean-Pierre Quemard, AFNOR, France
(1st three-year term, December 2017 - December 2020)
Vice-Convenor: Mike Nash, BIS, United Kingdom
(1st three-year term, December 2017 - December 2020)

The Terms of Reference of this advisory group are:
The Advisory Group operates under the direction of SC 27 Management to review and evaluate the effectiveness of SC 27 and to make recommendations to SC 27 Management to this effect.

This includes:

  • Review, audit and evaluate the structure and management processes in SC 27 and develop recommendations for improvements;
  • Explore alternatives for the meeting structures (Plenary and Working Groups) and agenda of the SC 27 Plenary meetings;
  • Provide advice on matters of operational efficiency;
  • Advise and review of tools used to support the SC 27 processes;
  • Review of the effective distribution of public information on SC 27 activities and propose suggestions for improvements;
  • Provide advice, help and guidance to SC 27 Management on standards management and development;
  • Serve as an appeal body in case of an arbitration request from an SC27 member or Officer;
  • Monitor the activities, reports and recommendations of the JTC 1 Advisory Group (JAG);
  • Periodically report results and recommendations to SC 27 Management and coordinate ongoing work with related plans prior to the SC 27 Plenary meetings.

The Advisory Group functions purely in an advisory capacity to the SC 27 Management. Any recommendations or proposals conveyed to the SC 27 Management shall reflect a consensus outcome among Advisory Group members. The Advisory Group is not empowered to make proposals directly to the SC 27 Plenary, except if prior delegation of authority is provided by the SC 27 Management.

Administration
The Advisory Group will be managed by a Convenor, supported by a Vice-Convenor, under approval of the SC 27 Management and endorsement by the SC 27 Plenary. The Advisory Group management is responsible for the administration of the group.

Membership and composition
Membership shall consist of a maximum of ten (10) SC 27 members having at least 5, but ideally 10, years' experience within SC 27, preferably as an SC 27 Officer, but shall not include anybody holding office in the SC 27 Management. The size of the Advisory Group is kept small enough to communicate and operate effectively.
Members to the Advisory Group shall be nominated by National Bodies or Working Group Convenors but are appointed by the SC 27 Management for a term of three (3) years in agreement with the Advisory Group Management. A statement of motivation shall accompany National Body nominations. The Convenor and Vice-Convenor are elected by the Advisory Group members for a term of three (3) years. Any appointment to the Advisory Group (Convenor, Vice-Convenor or member) can only be renewed once. No alternate is allowed if a member cannot attend a meeting. Any Advisory Group Member not attending two meetings in a row will be subject to replacement.
The Advisory Group membership will contain at least one member from each Working Group and should ensure an appropriate geographical spread. Experts/guests may be invited to meetings for specific subjects at the discretion of the Advisory Group Convenor.

Modus Operandi
The Advisory Group shall mainly work electronically via e-mail. From time to time a remote meeting (e.g., WebEx, teleconference) may be organised to progress the work and at least one physical meeting in conjunction with the SC27 meetings shall be held each half year.
Agendas and minutes (including action points) of the Advisory Group remote or physical meetings shall be prepared in due time and shared with the SC27 Management.
The Advisory Group shall agree yearly on a list of issues and priorities. Work items should be progressed via written position papers / proposals.
The Advisory Group Convenor and Vice-Convenor will be invited to the SC27 Management Coordination meetings.

--------------------------------------------------------------------------------

Special Working Group on Transversal Items (SWG-T)

Convenor: Andreas Fuchsberger, DIN, Germany
(2nd three-year term, October 2016 - April 2019)

Acting Vice-Convenor: Taewan Park, KATS, Republic of Korea
(till October 2019)


The Terms of Reference of this special working group are:
SWG-T operates under the direction of SC 27 to address topics which are beyond the scope of the respective existing WGs or can affect directly or indirectly multiple WGs. SWG-T can make recommendations to SC 27 and to the SWG-M to this effect. This includes:

  • Identify any gaps in the portfolio of SC 27 standards and projects to ensure market needs are being adequately addressed;
  • Alignment and coordination of WG roadmaps and overall SC 27 roadmap;
  • Harmonisation of vocabulary;
  • Review of issues arising from overlapping / conflicting scopes, activities and projects as well as disagreement on project assignments between Working Groups and beyond. SWG-T shall work with SC 27 Working Group Conveners and Liaison Officers to identify issues and to reach acceptable resolutions;
  • Adherence to scope for projects under development and monitoring of project progress with related work programmes / plans and regularly report results and recommendations to SC 27;
  • Review proposals and provide advice to SC 27 on initiatives such as Study Groups, New Work Item Proposals (NWIPs), Fast-Tracks, and PAS submissions;
  • Monitor progress of SC 27 Study Groups;
  • SC 27 liaisons and common topics with other SCs or Standardization Bodies.

The SWG-T functions purely in an advisory capacity to the SC 27 Management and SC 27. Any recommendations or organizational decisions conveyed to the SC 27 Management and SC 27 by the SWG shall reflect a consensus outcome among SWG-T members present at the meeting. SWG-T is not empowered to make decisions on behalf of the SC 27 Plenary, except if delegation of authority is provided by SC 27 Plenary.
--------------------------------------------------------------------------------

Study Group on Data Security

Convenor: Laura Lindsay, ANSI, United States
(till April 2020)

Vice-Convenor: Yan Sun, SAC, China
(till April 2020)


Terms of Reference

1. Proposal
Establish a 12-month Study Group focusing on Data Security.


2. Motivation and Scope

The risks and threats in data security are becoming increasingly serious. Examples include the mining of sensitive information, such as medical and financial data, through data aggregation and data analysis, and the lack of widely accepted security practices for data exchange and sharing. Information system security usually focuses on confidentiality, integrity, and availability (i.e., the CIA triad). Data security, however, should take the interests of the individual and the public impact into consideration in addition to the CIA triad. Ensuring that data flows only among secure organizations, which have the same or higher security capabilities, is an important concern for data security.

We therefore propose this Study Period in order to:

  1. Clarify the definition of data security and explain the relationship between data security and information security, data protection, and privacy protection.
  2. Collect the possible data security concerns/risks/challenges/requirements and perform a gap analysis in order to get a clear direction for the data security standardization within the SC 27 scope.
  3. When it is possible, examine the existing data security related standards across different SDOs, such as ISO/IEC JTC1/WG9, ISO/IEC JTC1/SC32, ISO/IEC/SC 38, ITU-T SG17, and ITU-T FG-DPM etc.


3. Activities

The Study Period is requested to:

  1. Collect information from SC27 experts on a list of relevant data security topics/questions;
  2. Invite other National Bodies, Liaisons Organizations and other JTC 1/SCs concerned by the subject to submit suggested topics and/or feedback;
  3. Ensure representation from all SC 27 WGs, especially SWG-T, as required, to participate in the study;
  4. Hold e-meeting study period meetings to flesh out ideas, issues, and critical success factors;
  5. Consolidate information about available data security standards and build the road map.
  6. Submit a written report and draft recommendations to the ISO/IEC JTC 1/SC 27 Secretariat;
  7. Provide a status report before each e-meeting and before the SC 27 WG meetings in Oct 2018.
  8. Work with SWG-T to find out which WGs should be involved and how the subject should be managed in SC27 (coordination by one of the WGs, creation of an ad hoc coordination group, etc.)


4. Deliverable

The deliverable of this Study Period will be a report to SC27. Principal elements of this will be:

  • Define the precise scope and objectives of data security by considering various kinds of data security techniques and data security application (e.g., cloud computing, big data, IoT).
  • A road map reflecting concerns/risks/challenges/requirements and a potential framework on data security.
  • Identification of how the existing standards of SC 27 can support the road map.
  • A report that includes:
    • a summary of the study group contributions,
    • how existing standards in the different WGs should be used/reviewed/replaced,
    • a recommendation whether to proceed with any NWIP, to form any new working group, to extend the Study Period or to terminate the Study Period.

--------------------------------------------------------------------------------

Study Group on Trustworthiness

Convenor: Johann Amsenga, ILNAS, Luxembourg
(till April 2020)

Vice-Convenor: Faud Khan, SCC, Canada
(till April 2020)

Background

During the 34th Meeting of ISO/IEC JTC 1, 5-8 November 2018 in Stockholm, Sweden, JTC 1 established a study group on Trustworthiness to improve the understanding of the current state of standardization in this area and to explore and/or clarify the role for JTC 1.


As per the JTC 1 resolution, the terms of reference are as follows:

  1. Assess the current state of standardization activities relevant to Trustworthiness in JTC 1 SCs, JTC 1/WGs, other ISO and IEC TCs and other SDOs;
  2. Collect information about standardization gaps relevant to Trustworthiness;
  3. Develop a common JTC 1 definition of Trustworthiness;
  4. Describe a superset of components or considerations of Trustworthiness;
  5. Identify and propose how JTC 1 should address the standardization needs of Trustworthiness;
  6. Provide reports and recommendations to JTC 1, including whether a guidance document or a JTC 1 Standing Document on Trustworthiness should be developed.


Membership is open to:

  1. JTC 1 National Bodies, JTC 1 Liaison Organizations and approved JTC 1 PAS Submitters;
  2. Representatives of JTC 1/SCs, JTC 1/WGs, relevant ISO and IEC TCs;
  3. Members of ISO Central Secretariat and IEC Central Office;
  4. Invited standards setting organizations that are engaged in Trustworthiness standardization as approved by the SG on Trustworthiness


Initial members included: Australia, Canada, Denmark, Finland, France, Germany, India, Ireland, Japan, Korea, Luxembourg, the Netherlands, South Africa, UK, US, SC 17, SC 23, SC 27, SC 31, SC 32, SC 37, SC 38, SC 40, SC 41, SC 42, JTC 1/WG 11 and ISO/PC 317.


SC 27 Participation

During the ISO/IEC JTC 1/SC 27 Heads of Delegation Meeting held in Gjøvik, Norway, 3rd October 2018, the following recommendation was made:

Recommendation 4: Nomination of SC 27 Member to JTC 1/JAG Group on Trustworthiness

ISO/IEC JTC 1/SC 27 resolves to actively participate in the newly established JAG Group on Trustworthiness and nominates Johann Amsenga as SC 27 representative to this new group.

As per Resolution 32 of the 31st SC 27 Plenary, held in Tel Aviv, Israel, 2019-04-01/05 (contained in SC 27 N19900), ISO/IEC JTC 1/SC 27 resolved to establish a 12-month Study Group on Trustworthiness in order to:

  1. Provide for an environment where SC 27 members can discuss trustworthiness from a security viewpoint;
  2. Act as a single channel from which inputs can be made to the JTC 1 SG.

The proposed terms of reference are:

  1. Follow the terms of reference of the ISO/IEC JTC 1 SG Trustworthiness as it is related to SC 27;
  2. Discuss and get consensus on contributions to be made from SC 27 to the JTC 1 SG.

Membership is open to all experts from all SC 27 working groups.

--------------------------------------------------------------------------------

Study Group on Concepts and Terminology (SG-CT)

Convenor: Joanne Knight, NZSO, New Zealand
(till October 2019)

Vice-Convenor: Elzbieta Andrukiewicz, PKN, Poland
(till October 2019)


Terms of Reference

As per Resolution 18 of the 31st SC 27 Plenary, held in Tel Aviv, Israel, 2019-04-01/05 (contained in SC 27 N19900) ISO/IEC JTC 1/SC 27 resolved to establish a six-month Study Group on Concepts and Terminology to prepare the potential establishment of a new SWG, with the following expected deliverables for consideration at the SC 27 HoD meeting in October 2019:

  • An updated draft Terms of Reference based on the NB contributions received; this includes title and scope (see Resolution 17)
  • Initiate work according to the scope in the draft ToR (N19858), thereby leveraging the work already done on this subject by the WGs
  • Written report.

The Convenors should invite interested experts to support them in their task; in particular, they should invite experts who were involved previously in terminology work.
In addition, SC 27 requests its Secretariat and its WG Convenors to circulate a call for experts to participate in this Study Group with a deadline of 2019-05-31.
The Study Group will hold two e-meetings, which will be announced within SC 27, and to any interested and nominated experts.
