Revision August 2016
ISO/IEC JTC 1/SC 27 Security Techniques
ISO/IEC JTC 1/SC27 is an international recognized centre of information security expertise serving the needs of many business sectors as well as governments. Its work covers both management standards as well as technical standards. The work of ISO/IEC JTC 1/SC27 is in direct response to business, government and consumer requirements information security standards.
The history of SC27 goes back to the early 80’s. At this time an ISO Technical Committee TC 97 established a working party to address the development of the first set of security standards in ISO. The TC 97 working party was chaired by the late Sir Donald Davis (UK) and had just five national bodies (NBs) as members: Germany (ZfCH), Netherlands, Switzerland (Walter Widmer), UK (Edward (Ted) Humphreys and Denis Willetts) and USA (Bob Elander).
ISO/TC 97/SC 20 developed out of TC 97. SC 20 had three working groups WG 1 Secret-key Techniques (Edward (Ted) Humphreys, UK), WG 2 Public-key Techniques (Louis Guillou, France) and WG 3 (Joe Tardo, USA). Denis Willetts (UK) was the Chair of SC 20 with Secretariat DIN Annette Calkin (GMD, Germany). Eventually SC 20 came under the wing of the newly formed joint committee ISO/IEC JTC 1. In 1989 SC 20 was disbanded and SC 27 was established in 1990 (per Resolution 28 of the Paris JTC 1 Plenary), which took over the work of SC 20 WG 1 and WG 2 as well as extending the scope to cover several new projects and areas of work. The work of SC 20 WG 3 made its way into other areas of JTC 1 such as SC 6.
Twenty-five Years of Developing Standards
During the past 25 years SC 27 has successfully applied the PDCA model to adapt its standardization work to the changing security landscape. The committee has revised and extended its scope a number of times to reflect new or altering demands from the market in areas such as cryptographic algorithms, cyber security, privacy, identity management, or security aspects of biometrics.
When it became necessary, it also adapted its structure and expanded from three to five working groups in order to appropriately deal with all aspects of information security management, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security controls and services, through to privacy technology standards and identity management. The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources.
- SC 27 has managed to increase committee membership from 18 P-members in 1990 to 52 P-members in 2016, covering a vast and diverse number of geographic areas of the globe. SC 27 meetings are typically attended by more than 250 participants.
- SC27 has brought together many of the world’s leading information and IT security and privacy experts, which so far has led to more than 150 publications, among them the most successful security standards within ISO/IEC.
- SC 27’s outreach spans all the major market sectors enabling it to effectively respond to market needs, to produce standards that serve the interests of a multi-stakeholder process and, given the large number of ‘top of their class’ professionals, to profit from global expert opinion.
In 2015 the success story of SC 27 was honoured with the prestigious Lawrence D. Eicher Award.
However, one aspect of the scope of SC 27 remained unchanged during these 25 years – the general nature of its deliverables. Focusing on the development of generic standards for the protection of information and ICT has led to a considerable number of liaisons to other standardization and industry bodies, which have been shaped over the past years. Many of these liaison bodies typically use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific for their sector such as telecom, financial industry, health care, or transport.
For more information on SC 27 and its work program, the reader is referred to www.din.de/go/jtc1sc27.