ISO SC27 Introduction and History

Hi, Andreas Fuchsberger here.

To make a report I am about to post on a recent ISO security meeting easier to follow, I thought I would first include some background on the language used in SC 27 and on how SC 27 standards are created.

SC 27 is a sub-committee of Joint Technical Committee 1 (JTC 1) of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The International Organization for Standardization (Organisation internationale de normalisation), usually known as ISO, is an international standard-setting body composed of representatives from national standards organizations. Created in 1947 and headquartered in Geneva, Switzerland, it develops voluntary international industrial and commercial standards. The International Electrotechnical Commission (IEC) is a not-for-profit, non-governmental international standards organization that prepares and publishes International Standards for all electrical, electronic and related technologies. ISO and IEC currently have only one joint technical committee, JTC 1, which covers information technology. Standards developed in JTC 1 carry the prefix ISO/IEC.

The correct designation for SC 27 output is ISO/IEC JTC 1/SC 27. Every piece of work in SC 27 is given a project number. The definitive list of current projects is maintained in an SC 27 Standing Document (SD), namely SD 7, described below.

SC 27 started work in the early 1990s, originally split into three working groups: (1) Security Management, (2) Cryptographic Mechanisms and (3) Security Evaluation Criteria. Much of the attention and success came from WG 1's adoption of the British Standard BS 7799: Part 1, the code of practice, was transformed into and published as ISO/IEC 17799, and Part 2, the management system requirements, became ISO/IEC 27001. Together with the accompanying standards these were later renumbered into the ISO/IEC 27000 Information Security Management series. Because of this success WG 1 was split into three Working Groups:

· Working Group 1: Information Security Management Systems (ISMS)

· Working Group 4: Security Controls and Services

· Working Group 5: Privacy and Identity Management

A definitive list of projects, including all published standards and work in progress, is made available through Standing Document 7 (SD 7), Catalogue of SC 27 Projects and Standards.

Progression of Standards

Although the editing work of creating a new standard is done by National Body (NB) experts during Working Group (WG) meetings, it is SC 27 that authorises the start of a new standard. A National Body may propose a New Work Item (NWI) by providing input to a WG meeting, or a WG may initiate a Study Period (SP) on a particular topic, usually also prompted by an NB or a subject matter expert. Both the resulting New Work Item Proposal (NWIP) and the SP are circulated by the SC 27 Secretariat for distribution through the National Bodies, which then vote on whether to start the process of creating a new International Standard.

Once an editor is found, either as a volunteer or through a call for contributions to the NBs, the editor produces a series of Working Drafts (WDs). NBs are not required to distribute WDs, but it is common practice; NBs consult their own experts for contributions to the WDs. The editor then collects the national contributions and, during the editing sessions of the WG meetings, either accepts, rejects or otherwise finds a compromise on the comments made by the National Body experts. SC 27 usually relies on reaching consensus by taking the NB comments into account; it rarely comes to a vote on accepting or rejecting a comment. Depending on the NB, it may be more appropriate to let the NB withdraw a comment than to reject it outright.

After a WD has gone through several iterations and the editing session agrees that the document has reached an acceptable level of maturity, the WG can ask SC 27 for a delegation of authority to move the document to the Committee Draft (CD) stage. CDs are distributed to the NBs for study and comment. Once the CD has matured further, the WG can request a move to the Final CD (FCD) stage. FCDs are distributed by the NBs for comment and are subject to an NB postal vote; under the JTC 1 Directives an FCD passes if at least two thirds of the votes cast by SC 27 P-member NBs are in favour and no more than a quarter of all votes cast are negative. Thereafter SC 27 takes over the progression of the document through the Final Draft International Standard (FDIS) ballot to publication by JTC 1 as an International Standard (IS).

The whole process now takes on average 2 to 2.5 years. This is a significant improvement on the mid 1990s, when the process could take up to 7 years; the duration used to be one of the major criticisms of the ISO standards process, along with the fact that most ISO/IEC standards have to be paid for, in contrast to the freely available Internet standards (RFCs) and many other industry standards.