ISO/IEC JTC 1/SC 27 Security Techniques
ISO/IEC JTC 1/SC27 is an international recognized centre of information security expertise serving the needs of many business sectors as well as governments. Its work covers both management standards as well as technical standards. The work of ISO/IEC JTC 1/SC27 is in direct response to business, government and consumer requirements information security standards.
The history of SC27 goes back to the early 80’s. At this time an ISO Technical Committee TC 97 established a working party to address the development of the first set of security standards in ISO. The TC 97 working party was chaired by the late Sir Donald Davis (UK) and had just five national bodies (NBs) as members: Germany (ZfCH), Netherlands, Switzerland (Walter Widmer), UK (Edward Humphreys and Denis Willetts) and USA (Bob Elander).
ISO/TC 97/SC 20 developed out of TC 97. SC 20 had three working groups WG 1 Secret-key Techniques (Ted Humphreys, UK), WG 2 Public-key Techniques (Louis Guillou, France) and WG 3 (Joe Tardo, USA). Denis Willetts (UK) was the Chair of SC 20 with Secretariat DIN Annette Calkin (GMD, Germany). Eventually SC 20 came under the wing of the newly formed joint committee ISO/IEC JTC 1. In 1989 SC 20 was disbanded and SC27 was established in 1990 (Per Resolution 28 of the Paris JTC 1 Plenary), which took over the work of SC 20 WG 1 and WG 2 as well as extending the scope to cover several new projects and areas of work. The work of SC 20 WG 3 made its way into other areas of JTC 1 such as SC 6.
Twenty Years of Developing Standards
During the past 20 years SC 27 has successfully applied the PDCA model to adapt its standardization work to the changing security landscape. The committee has revised and extended its scope a number of times to reflect new or altering demands from the market in areas such as cryptographic algorithms, cyber security, privacy, identity management, or security aspects of biometrics.
When it became necessary, it also adapted its structure and expanded from three to five working groups in order to appropriately deal with all aspects of information security, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security guidance and management. The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources. Currently SC 27 meetings are typically attended by more than 200 participants.
However, one aspect of the scope of SC 27 remained unchanged during these 20 years – the general nature of its deliverables. Focusing on the development of generic standards for the protection of information and ICT has lead to a considerable number of liaisons to other standardization and industry bodies, which have been shaped over the past years. Many of these liaison bodies typically use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific for their sector such as telecom, financial industry, health care, or transport.
For more information on SC 27 and its work program, the reader is referred to http://www.jtc1sc27.din.de/en.