Information security, cybersecurity and privacy protection

Revision May 2020

ISO/IEC JTC 1/SC27 is an international recognized centre of information security, cybersecurity and privacy expertise serving the needs of a diverse range of business sectors as well as governments and consumer requirements for international standards.


The history of SC27 goes back to the early 80’s.  At this time an ISO Technical Committee TC 97 established a working party to address the development of the first set of security standards in ISO.  The TC 97 working party was chaired by the late Sir Donald Davis (UK) and had just five national bodies (NBs) as members: Germany (ZfCH), Netherlands, Switzerland (Walter Widmer), UK (Edward (Ted) Humphreys and Denis Willetts) and USA (Bob Elander).

ISO/TC 97/SC 20 developed out of TC 97.  SC 20 had three working groups WG 1 Secret-key Techniques (Edward (Ted) Humphreys, UK), WG 2 Public-key Techniques (Louis Guillou, France) and WG 3 (Joe Tardo, USA).  Denis Willetts (UK) was the Chair of SC 20 with Secretariat DIN Annette Calkin (GMD, Germany).  Eventually SC 20 came under the wing of the newly formed joint committee ISO/IEC JTC 1.  In 1989 SC 20 was disbanded and SC 27 was established in 1990 (per Resolution 28 of the Paris JTC 1 Plenary), which took over the work of SC 20 WG 1 and WG 2 well as establishing a new working group (WG3) to cover security evaluation criteria.  In the late 90s and early 2000s WG 1 handed over its work on cryptography to WG 2 in order to focus entirely on information security management standards and the development of the now famous ISO/IEC 27001 family of standards.  With the continuing extension of its scope to cover new areas of work, SC 27 in 2006, establish two further working groups WG 4 and WG 5. 

Thirty Years of Developing Standards

During the past 30 years SC 27 has successfully applied the PDCA (Plan-Do-Check-Act) continual improvement model to adapt its standardization work to the changing security and privacy landscape.  The committee has revised and extended its scope a number of times to reflect and reach out to new demands and emerging technologies from the market in areas such as information security management systems, cybersecurity, cryptographic algorithms, Cloud security and privacy, IoT security, Big Data, privacy protection techniques, identity management, or security aspects of biometrics.

The structure of SC 27 has expanded from three (1990) to five working groups (2006) to appropriately deal with all aspects of information security management, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security controls and services, through to privacy technology standards and identity management.  The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources.  Recently, various advisory groups have been established and added to the SC 27 structure to: (i) investigate specific areas of future standardization, such trustworthiness and data security, (ii) harmonize on terminology, (iii) management strategy, operations and working practices. 

SC 27 has developed many well-known standards such as ISO/IEC 27001 (ISMS requirements) ranked 3rd in the ISO survey of management system standards, ISO/IEC 27002 (information security controls) and ISO/IEC 15408 (security evaluation criteria for IT security).  More recently the emergence of ISO/IEC 27701(an extension of ISO/IEC 27001 and ISO/IEC 27002 for privacy information management) is a much needed addition to the SC 27 portfolio.    

SC 27 also engages with other standards groups to work on collaborative projects, for example, with ISO/TC 307/JWG 4 on Blockchain and distributed ledger technologies and IT Security techniques and with ITU-T SG 17 on collaborative common-text projects such as X.1051|ISO/IEC 27011 (telecoms use of ISO/IEC 27002) and X.1054 | ISO/IEC 27014 (governance of information security).

  • SC 27 has increased committee membership from 18 P-members in 1990 to 50 P-members and 28 O-members in 2020, covering a vast and diverse number of geographic areas of the globe, with over 1500 registered experts from a diverse range of industries.  SC 27 meetings are typically attended by more than 320 participants.
  • SC27 has brought together many of the world’s leading information security, cyber security and privacy experts, which so far has led to more than 261 projects and 182 publications, among them the most successful security standards within ISO/IEC. 
  • SC 27 has ‘top of their class’ professionals and a global outreach that enables it to produce quality standards that serve all the major market sectors and multi-stakeholder interests. 

In 2015 the success story of SC 27 was honoured with the prestigious Lawrence D. Eicher Award.

The mission statement of SC 27 has remained unchanged during these 30 years, that is, to deliver quality generic standards for its discerning customer base.  Focusing on the development of generic standards for information security, cybersecurity and privacy and this has led to a considerable number of liaisons to other standardization and industry bodies.  Many of these liaison bodies typically use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific for their sector such as telecom, finance, utilities, healthcare, and transport.

For more information on SC 27 and its work programme, the reader is referred to, in particular, a more detailed overview of its work can be found in the Standing Document SD 11, available from the SC 27 web site.