SC 27

Revision May 2019

ISO/IEC JTC 1/SC 27 Information security, cyber security and privacy protection

ISO/IEC JTC 1/SC 27 is an internationally recognized centre of information security, cyber security and privacy expertise, serving the needs of a diverse range of business sectors, governments and consumers for international standards.

History

The history of SC 27 goes back to the early 1980s.  At that time the ISO Technical Committee TC 97 established a working party to address the development of the first set of security standards in ISO.  The TC 97 working party was chaired by the late Sir Donald Davis (UK) and had just five national bodies (NBs) as members: Germany (ZfCH), Netherlands, Switzerland (Walter Widmer), UK (Edward (Ted) Humphreys and Denis Willetts) and USA (Bob Elander).

ISO/TC 97/SC 20 developed out of TC 97.  SC 20 had three working groups: WG 1 Secret-key Techniques (Edward (Ted) Humphreys, UK), WG 2 Public-key Techniques (Louis Guillou, France) and WG 3 (Joe Tardo, USA).  Denis Willetts (UK) was the Chair of SC 20, with DIN as Secretariat (Annette Calkin, GMD, Germany).  Eventually SC 20 came under the wing of the newly formed joint committee ISO/IEC JTC 1.  In 1989 SC 20 was disbanded, and SC 27 was established in 1990 (per Resolution 28 of the Paris JTC 1 Plenary); it took over the work of SC 20 WG 1 and WG 2 as well as establishing a new working group (WG 3) to cover security evaluation criteria.  In the late 1990s and early 2000s WG 1 handed over its work on cryptography to WG 2 in order to focus entirely on information security management standards and the development of the now famous ISO/IEC 27001 family of standards.  With the continuing extension of its scope to cover new areas of work, SC 27 established two further working groups, WG 4 and WG 5, in 2006.

Twenty Nine Years of Developing Standards

During the past 29 years SC 27 has successfully applied the PDCA (Plan-Do-Check-Act) continual improvement model to adapt its standardization work to the changing security and privacy landscape.  The committee has revised and extended its scope a number of times to reflect and reach out to new demands and emerging technologies from the market, in areas such as information security management systems, cyber security, cryptographic algorithms, Cloud security and privacy, IoT security, Big Data, privacy protection techniques, identity management, and security aspects of biometrics.

The structure of SC 27 has expanded from three working groups (1990) to five (2006) in order to deal appropriately with all aspects of information security management: from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security controls and services, through to privacy technology standards and identity management.  The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources.

  • SC 27 has increased its committee membership from 18 P-members in 1990 to 50 P-members in 2019, covering a vast and diverse range of geographic areas of the globe.  SC 27 meetings are typically attended by more than 320 participants.
  • SC 27 has brought together many of the world’s leading information security, cyber security and privacy experts, which so far has led to more than 261 projects and 182 publications, among them the most successful security standards within ISO/IEC.
  • SC 27 has ‘top of their class’ professionals and a global outreach that enables it to produce quality standards serving all the major market sectors and multi-stakeholder interests.

In 2015 the success story of SC 27 was honoured with the prestigious Lawrence D. Eicher Award.

The mission statement of SC 27 has remained unchanged during these 29 years: to deliver quality generic standards for its discerning customer base.  Focusing on the development of generic standards for the protection of information and ICT has led to a considerable number of liaisons with other standardization and industry bodies, built up over the past years.  Many of these liaison bodies use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific to their sector, such as telecom, the financial industry, utilities, health care, or transport.

For more information on SC 27 and its work programme, the reader is referred to http://www.din.de/go/jtc1sc27; in particular, a more detailed overview of its work can be found in the Standing Document SD 11, available from the SC 27 web site.