Revision August 2018
ISO/IEC JTC 1/SC 27 Security Techniques
ISO/IEC JTC 1/SC 27 is an internationally recognized centre of information security expertise serving the needs of a diverse range of business sectors as well as governments. Its work covers both management standards and technical standards. The work of ISO/IEC JTC 1/SC 27 is in direct response to business, government and consumer requirements for information security standards.
The history of SC 27 goes back to the early 1980s. At this time the ISO Technical Committee TC 97 established a working party to address the development of the first set of security standards in ISO. The TC 97 working party was chaired by the late Sir Donald Davis (UK) and had just five national bodies (NBs) as members: Germany (ZfCH), Netherlands, Switzerland (Walter Widmer), UK (Edward (Ted) Humphreys and Denis Willetts) and USA (Bob Elander).
ISO/TC 97/SC 20 developed out of TC 97. SC 20 had three working groups: WG 1 Secret-key Techniques (Edward (Ted) Humphreys, UK), WG 2 Public-key Techniques (Louis Guillou, France) and WG 3 (Joe Tardo, USA). Denis Willetts (UK) was the Chair of SC 20, with the Secretariat held by DIN, Annette Calkin (GMD, Germany). Eventually SC 20 came under the wing of the newly formed joint committee ISO/IEC JTC 1. In 1989 SC 20 was disbanded and SC 27 was established in 1990 (per Resolution 28 of the Paris JTC 1 Plenary), taking over the work of SC 20 WG 1 and WG 2 as well as establishing a new working group (WG 3) to cover security evaluation criteria. In the late 1990s and early 2000s WG 1 handed over its work on cryptography to WG 2 in order to focus entirely on information security management standards and the development of the now famous ISO/IEC 27001 family of standards. With the continuing extension of its scope to cover new areas of work, SC 27 established two further working groups, WG 4 and WG 5, in 2006.
Twenty-Eight Years of Developing Standards
During the past 28 years SC 27 has successfully applied the PDCA (Plan-Do-Check-Act) continual improvement model to adapt its standardization work to the changing security landscape. The committee has revised and extended its scope a number of times to reflect and reach out to new demands and emerging technologies from the market, in areas such as information security management systems, cryptographic algorithms, cyber security, cloud security, IoT security, privacy management, identity management and security aspects of biometrics.
The structure of SC 27 has expanded from three (1990) to five working groups (2006) in order to appropriately deal with all aspects of information security management, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security controls and services, through to privacy technology standards and identity management. The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources.
- SC 27 has managed to increase committee membership from 18 P-members in 1990 to 52 P-members in 2016, covering a vast and diverse number of geographic areas of the globe. SC 27 meetings are typically attended by more than 300 participants.
- SC 27 has brought together many of the world’s leading information and IT security and privacy experts, which so far has led to more than 150 publications, among them the most successful security standards within ISO/IEC.
- SC 27’s outreach spans all the major market sectors enabling it to effectively respond to market needs, to produce standards that serve the interests of a multi-stakeholder process and, given the large number of ‘top of their class’ professionals, to profit from global expert opinion.
In 2015 the success story of SC 27 was honoured with the prestigious Lawrence D. Eicher Award.
However, one aspect of the scope of SC 27 remained unchanged during these 28 years – the generic nature of its deliverables. Focusing on the development of generic standards for the protection of information and ICT has led to a considerable number of liaisons with other standardization and industry bodies, built up over the past years. Many of these liaison bodies use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific to their sector, such as telecom, the financial industry, health care or transport.
For more information on SC 27 and its work programme, the reader is referred to http://www.din.de/go/jtc1sc27; in particular, a more detailed overview of its work can be found in the Standing Document SD 11, available from the SC 27 web site.