| Name | Description | Abstract | Status | Publication date | Edition | Number of pages | Technical committee | ICS |
| ISO/IEC 20897-2:2022 |
Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 2: Test and evaluation methods |
This document specifies the test and evaluation methods for physically unclonable functions (PUFs). The test and evaluation methods consist of inspection of the design rationale of the PUF and comparison between statistical analyses of the responses from a batch of PUFs or a unique PUF versus specified thresholds.
This document is related to ISO/IEC 19790, which specifies security requirements for cryptographic modules. In those modules, critical security parameters (keys) and public security parameters (product serial numbers, identification codes, etc.) are the assets to protect. A PUF is one way to avoid storing such security parameters at all, since they can be regenerated from the PUF response when needed, thereby increasing the overall security of a cryptographic module.
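The "statistical analyses of the responses from a batch of PUFs ... versus specified thresholds" in the abstract is the part a practitioner can actually reproduce. The following is an added example (not text or code from ISO/IEC 20897-2) that computes three metrics commonly used for that purpose, uniqueness (inter-device Hamming distance, ideally 0.5), reliability (one minus intra-device Hamming distance over repeated readouts, ideally 1.0) and uniformity (fraction of 1 bits, ideally 0.5), over a synthetic batch and compares them with thresholds. The 128-bit response size, the noise model, the device data and every threshold value are assumptions of this example, not values the standard sets; a real evaluation would feed in measured enrollments and re-evaluations and use the thresholds the evaluated design claims.

```python
import random
from itertools import combinations
from statistics import mean

RESPONSE_BITS = 128            # assumed response length for this example
RESPONSE_BYTES = RESPONSE_BITS // 8

# Illustrative acceptance thresholds. These are assumptions for the example,
# not values taken from ISO/IEC 20897-2.
THRESHOLDS = {
    "uniqueness_min": 0.45, "uniqueness_max": 0.55,   # inter-device HD close to 0.5
    "reliability_min": 0.95,                            # at most 5 % intra-device bit flips
    "uniformity_min": 0.40, "uniformity_max": 0.60,    # balance of ones and zeros
}

def hamming(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length responses."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))

def popcount(r: bytes) -> int:
    return sum(bin(b).count("1") for b in r)

def uniqueness(enrollments: list[bytes]) -> float:
    """Mean normalized Hamming distance over all pairs of devices (ideal 0.5)."""
    return mean(hamming(a, b) / RESPONSE_BITS for a, b in combinations(enrollments, 2))

def reliability(enrollment: bytes, reevaluations: list[bytes]) -> float:
    """One minus the mean normalized distance between enrollment and re-readouts (ideal 1.0)."""
    return 1.0 - mean(hamming(enrollment, r) / RESPONSE_BITS for r in reevaluations)

def uniformity(response: bytes) -> float:
    """Fraction of 1 bits in a response (ideal 0.5)."""
    return popcount(response) / RESPONSE_BITS

def evaluate_batch(enrollments, reevaluations_per_device, thresholds=THRESHOLDS) -> dict:
    """Compute the three metrics over a batch and give a per-metric pass/fail verdict."""
    u = uniqueness(enrollments)
    r = mean(reliability(e, rv) for e, rv in zip(enrollments, reevaluations_per_device))
    f = mean(uniformity(e) for e in enrollments)
    return {
        "uniqueness": u, "reliability": r, "uniformity": f,
        "pass_uniqueness": thresholds["uniqueness_min"] <= u <= thresholds["uniqueness_max"],
        "pass_reliability": r >= thresholds["reliability_min"],
        "pass_uniformity": thresholds["uniformity_min"] <= f <= thresholds["uniformity_max"],
    }

# --- Constructed synthetic batches standing in for real PUF readouts ------------

def _noisy(response: bytes, flip_prob: float, rng: random.Random) -> bytes:
    """A re-evaluation of a response with independent bit flips at flip_prob."""
    out = bytearray(response)
    for i in range(RESPONSE_BITS):
        if rng.random() < flip_prob:
            out[i // 8] ^= 1 << (i % 8)
    return bytes(out)

def make_batch(n_devices: int, n_reevals: int, flip_prob: float,
               shared_bytes: int = 0, seed: int = 1) -> tuple[list[bytes], list[list[bytes]]]:
    """Synthetic batch (constructed data). shared_bytes > 0 models a weak design in
    which every device produces the same prefix; the uniqueness check should catch it."""
    rng = random.Random(seed)
    prefix = rng.randbytes(shared_bytes)
    enrollments = [prefix + rng.randbytes(RESPONSE_BYTES - shared_bytes) for _ in range(n_devices)]
    reevals = [[_noisy(e, flip_prob, rng) for _ in range(n_reevals)] for e in enrollments]
    return enrollments, reevals

def good_batch_report() -> dict:
    """16 independent devices, 10 re-readouts each, 2 % bit-flip noise."""
    return evaluate_batch(*make_batch(16, 10, flip_prob=0.02))

def correlated_batch_report() -> dict:
    """Same, but 96 of the 128 bits are identical across devices: inter-device
    distance collapses to about 0.125 and the uniqueness verdict fails."""
    return evaluate_batch(*make_batch(16, 10, flip_prob=0.02, shared_bytes=12))

if __name__ == "__main__":
    for name, report in (("good", good_batch_report()), ("correlated", correlated_batch_report())):
        print(name, {k: (round(v, 3) if isinstance(v, float) else v) for k, v in report.items()})
```

The correlated batch still passes the reliability check, which is the point of testing the metrics together: a PUF whose responses are perfectly stable but nearly identical across devices is useless as a device-unique secret, and only the inter-device statistic exposes that.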
|
Published |
2022-05 |
Edition : 1 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TS 20540:2018 |
Information technology — Security techniques — Testing cryptographic modules in their operational environment |
This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an organization's security system.
ISO/IEC 19790 defines four security levels for cryptographic modules, to provide for a wide spectrum of data sensitivity (e.g. low-value administrative data, million-dollar funds transfers, life-protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location).
This document includes:
a) recommendations for securely assessing cryptographic module installation, configuration and operation;
b) recommendations for inspecting the key management system, the protection of authentication credentials, and public and critical security parameters in the operational environment;
c) recommendations for identifying cryptographic module vulnerabilities;
d) checklists for the cryptographic algorithm policy, security guidance and regulation, security management requirements, the security level for each of the 11 requirement areas, the strength of the security function, etc.; and
e) recommendations for determining that the cryptographic module's deployment satisfies the security requirements of the organization.
This document assumes that the cryptographic module has been validated as conformant with ISO/IEC 19790.
It can be used by an operational tester along with other recommendations if needed.
This document is limited to the security related to the cryptographic module. It does not include assessing the security of the operational or application environment. It does not define techniques for the identification, assessment and acceptance of the organization's operational risk.
The organization's accreditation, deployment and operation processes, shown in Figure 1, are not included in the scope of this document.
This document addresses operational testers who perform the operational testing of cryptographic modules in their operational environment, and authorizing officials of cryptographic modules.
|
Published |
2018-05 |
Edition : 1 |
Number of pages : 39 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20543:2019 |
Information technology — Security techniques — Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408 |
This document specifies a methodology for the evaluation of non-deterministic or deterministic random bit generators intended to be used for cryptographic applications. The provisions given in this document enable the vendor of an RBG to submit well-defined claims of security to an evaluation authority and shall enable an evaluator or a tester, for instance a validation authority, to evaluate, test, certify or reject these claims.
This document is implementation-agnostic. Hence, it offers no specific guidance on design and implementation decisions for random bit generators. However, design and implementation issues influence the evaluation of an RBG in this document, for instance because it requires the use of a stochastic model of the random source and because any such model is supported by technical arguments pertaining to the design of the device at hand.
Random bit generators as evaluated in this document aim to output bit strings that appear evenly distributed. Depending on the distribution of random numbers required by the consuming application, however, it is worth noting that additional steps can be necessary (and can well be critical to security) for the consuming application to transform the random bit strings produced by the RBG into random numbers of a distribution suitable to the application requirements. Such subsequent transformations are outside the scope of evaluations performed in this document.
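The last paragraph flags a step that is easy to get wrong: turning evenly distributed bits into a number in some other range. The following is an added example (not code from ISO/IEC 20543 or any evaluation authority) that shows the naive modulo transform beside the unbiased rejection-sampling transform, measures the bias each introduces empirically and analytically, and applies the most-common-value min-entropy estimate to raw symbols as a simple illustration of the kind of statistic a tester compares against a vendor's claim. The RBG is a seeded PRNG stand-in so that the run is reproducible; the 4-bit symbol width, the target range 0..9, and the "stuck bit" fault are assumptions constructed for the example.

```python
import math
import random
from collections import Counter
from typing import Callable

def make_rbg(seed: int = 2024) -> Callable[[int], int]:
    """Stand-in for the RBG under evaluation (assumption: a seeded PRNG so the run is
    reproducible). rbg(k) returns k bits as an int; a real test would read the device."""
    return random.Random(seed).getrandbits

def draw_modulo(n: int, bits: int, rbg) -> int:
    """Naive transform: reduce a k-bit value modulo n.
    Biased whenever n does not divide 2**k, because the low residues get one extra preimage."""
    return rbg(bits) % n

def draw_rejection(n: int, bits: int, rbg) -> int:
    """Unbiased transform: discard draws at or above the largest multiple of n below 2**k,
    so every residue has exactly the same number of accepted preimages."""
    limit = (1 << bits) - ((1 << bits) % n)
    while True:
        x = rbg(bits)
        if x < limit:
            return x % n

def analytic_modulo_bias(n: int, bits: int) -> float:
    """Exact largest |P(v) - 1/n| over outputs v for the modulo transform."""
    space = 1 << bits
    base, extra = divmod(space, n)
    if extra == 0:
        return 0.0
    p_high, p_low = (base + 1) / space, base / space
    return max(abs(p_high - 1 / n), abs(p_low - 1 / n))

def empirical_max_bias(draw, n: int, bits: int, trials: int, seed: int = 2024) -> float:
    """Largest observed |freq(v) - 1/n| after `trials` draws through `draw`."""
    rbg = make_rbg(seed)
    counts = Counter(draw(n, bits, rbg) for _ in range(trials))
    return max(abs(counts[v] / trials - 1 / n) for v in range(n))

def min_entropy_mcv(symbols) -> float:
    """Most-common-value estimate of min-entropy per symbol: -log2(max_v P(v)).
    For ideal k-bit symbols the estimate approaches k."""
    counts = Counter(symbols)
    return -math.log2(max(counts.values()) / len(symbols))

def uniform_symbols(n: int, seed: int = 7) -> list[int]:
    """Constructed sample: n raw 4-bit symbols from the stand-in RBG."""
    rbg = make_rbg(seed)
    return [rbg(4) for _ in range(n)]

def stuck_bit_symbols(n: int, seed: int = 7) -> list[int]:
    """Constructed fault: the same source with its least significant bit stuck at 1,
    which halves the symbol space and should cost about one bit of min-entropy."""
    rbg = make_rbg(seed)
    return [rbg(4) | 1 for _ in range(n)]

if __name__ == "__main__":
    print("analytic modulo bias, n=10, 4-bit draws :", analytic_modulo_bias(10, 4))
    print("analytic modulo bias, n=10, 32-bit draws:", analytic_modulo_bias(10, 32))
    print("empirical modulo bias   :", round(empirical_max_bias(draw_modulo, 10, 4, 100_000), 4))
    print("empirical rejection bias:", round(empirical_max_bias(draw_rejection, 10, 4, 100_000), 4))
    print("min-entropy, healthy source :", round(min_entropy_mcv(uniform_symbols(100_000)), 3))
    print("min-entropy, stuck LSB      :", round(min_entropy_mcv(stuck_bit_symbols(100_000)), 3))
```

Widening the draw (the 32-bit case) shrinks the modulo bias but never removes it unless the range divides the draw space; rejection sampling removes it at the cost of a variable number of RBG calls, which is why it is the transform normally recommended when the consuming application needs an exact distribution.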
|
Published |
2019-10 |
Edition : 1 |
Number of pages : 40 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 20648:2016 |
Information technology — TLS specification for storage systems |
ISO/IEC 20648:2016 details the requirements for use of the Transport Layer Security (TLS) protocol in conjunction with data storage technologies. The requirements set out in this specification are intended to facilitate secure interoperability of storage clients and servers as well as non-storage technologies that may have similar interoperability needs.
ISO/IEC 20648:2016 is relevant to anyone involved in owning, operating or using data storage devices. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of storage security.
|
Published |
2016-03 |
Edition : 1 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
;
35.220.01
Data storage devices in general
|
| ISO/IEC DIS 20648 |
Information technology — TLS specification for storage systems |
ISO/IEC 20648:2016 details the requirements for use of the Transport Layer Security (TLS) protocol in conjunction with data storage technologies. The requirements set out in this specification are intended to facilitate secure interoperability of storage clients and servers as well as non-storage technologies that may have similar interoperability needs.
ISO/IEC 20648:2016 is relevant to anyone involved in owning, operating or using data storage devices. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of storage security.
|
Under development |
|
Edition : 2 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
;
35.220.01
Data storage devices in general
|
| ISO/IEC 20889:2018 |
Privacy enhancing data de-identification terminology and classification of techniques |
This document provides a description of privacy-enhancing data de-identification techniques, to be used to describe and design de-identification measures in accordance with the privacy principles in ISO/IEC 29100.
In particular, this document specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for reducing the risk of re-identification.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller's behalf, implementing data de-identification processes for privacy enhancing purposes.
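To make the phrase "applicability for reducing the risk of re-identification" concrete, here is an added example (not text or code from ISO/IEC 20889) applying two techniques of the kind such a classification covers, generalization of quasi-identifiers and suppression of records, and measuring the result with k-anonymity, where the worst-case re-identification probability for a record is 1/k. The records are constructed for the example and describe no real person; the choice of quasi-identifiers, the 3-digit ZIP prefix and the 10-year age bands are assumptions of the example.

```python
from collections import Counter

# Constructed sample data (not real people). zip, age and sex are treated as
# quasi-identifiers; dx is the sensitive attribute that is kept for analysis.
RECORDS = [
    {"zip": "12345", "age": 34, "sex": "F", "dx": "influenza"},
    {"zip": "12367", "age": 31, "sex": "F", "dx": "asthma"},
    {"zip": "12389", "age": 38, "sex": "F", "dx": "influenza"},
    {"zip": "12312", "age": 45, "sex": "M", "dx": "hypertension"},
    {"zip": "12390", "age": 47, "sex": "M", "dx": "asthma"},
    {"zip": "54321", "age": 22, "sex": "F", "dx": "influenza"},
    {"zip": "54399", "age": 29, "sex": "F", "dx": "hypertension"},
    {"zip": "54300", "age": 25, "sex": "M", "dx": "asthma"},
    {"zip": "67890", "age": 60, "sex": "M", "dx": "influenza"},
]
QUASI = ("zip", "age", "sex")   # assumed quasi-identifier set for this example

def _key(rec: dict) -> tuple:
    return tuple(rec[q] for q in QUASI)

def generalize(rec: dict, zip_digits: int = 3, age_band: int = 10) -> dict:
    """Generalization: keep a ZIP prefix and replace the exact age with a band."""
    g = dict(rec)
    g["zip"] = rec["zip"][:zip_digits] + "*" * (len(rec["zip"]) - zip_digits)
    lo = (rec["age"] // age_band) * age_band
    g["age"] = f"{lo}-{lo + age_band - 1}"
    return g

def equivalence_classes(records: list[dict]) -> Counter:
    """Size of each group of records sharing the same quasi-identifier values."""
    return Counter(_key(r) for r in records)

def k_anonymity(records: list[dict]) -> int:
    """k is the size of the smallest equivalence class (0 for an empty table)."""
    classes = equivalence_classes(records)
    return min(classes.values()) if classes else 0

def suppress_small_classes(records: list[dict], k: int) -> list[dict]:
    """Suppression: drop every record whose class has fewer than k members."""
    classes = equivalence_classes(records)
    return [r for r in records if classes[_key(r)] >= k]

def deidentify(records: list[dict], k: int, zip_digits: int = 3, age_band: int = 10) -> list[dict]:
    """Generalize first, then suppress whatever is still below the k target."""
    generalized = [generalize(r, zip_digits, age_band) for r in records]
    return suppress_small_classes(generalized, k)

def max_reidentification_risk(records: list[dict]) -> float:
    """Worst-case probability of linking one record to one person: 1/k."""
    k = k_anonymity(records)
    return 1 / k if k else 0.0

if __name__ == "__main__":
    print("raw table:          k =", k_anonymity(RECORDS),
          "risk =", max_reidentification_risk(RECORDS))
    out = deidentify(RECORDS, k=2)
    print("after de-identification: k =", k_anonymity(out),
          "risk =", max_reidentification_risk(out), "records kept =", len(out))
    for r in out:
        print(r)
```

On the constructed table every raw record is unique on its quasi-identifiers (k = 1), generalization alone still leaves two singleton classes, and suppressing those brings the released table to k = 2 at the price of dropping two records. k-anonymity addresses identity disclosure only: if every record in a class carried the same sensitive value, an attacker who places a person in that class learns the value anyway, which is what measures such as l-diversity exist for.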
|
Published |
2018-11 |
Edition : 1 |
Number of pages : 46 |
Technical Committee |
35.030
IT Security
|
| ISO 2094:1986 |
Textile floor coverings — Determination of thickness loss under dynamic loading |
|
Withdrawn |
1986-11 |
Edition : 2 |
Number of pages : 3 |
Technical Committee |
97.150
Floor coverings
|
| ISO 21177:2023 |
Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices |
This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities, i.e.:
— between devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) as specified in ISO 21217; and
— between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks.
These services include the authentication and secure session establishment which are required to exchange information in a trusted and secure manner.
These services are essential for many intelligent transport system (ITS) applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2), and roadside/infrastructure-related services.
|
Published |
2023-04 |
Edition : 1 |
Number of pages : 100 |
Technical Committee |
35.030
IT Security
;
03.220.01
Transport in general
;
35.240.60
IT applications in transport
|
| ISO/TS 21177:2019 |
Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices |
This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities:
— devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) specified in ISO 21217, and
— between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks.
These services include authentication and secure session establishment which are required to exchange information in a trusted and secure manner.
These services are essential for many ITS applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2[5]), and roadside/infrastructure related services.
|
Withdrawn |
2019-08 |
Edition : 1 |
Number of pages : 83 |
Technical Committee |
35.030
IT Security
;
03.220.01
Transport in general
;
35.240.60
IT applications in transport
|
| ISO/IEC 21827:2002 |
Information technology — Systems Security Engineering — Capability Maturity Model (SSE-CMM®) |
|
Withdrawn |
2002-10 |
Edition : 1 |
Number of pages : 123 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 21827:2008 |
Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®) |
ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following:
the entire life cycle, including development, operation, maintenance and decommissioning activities;
the whole organization, including management, organizational and engineering activities;
concurrent interactions with other disciplines, such as system, software, hardware, human factors and test engineering; system management, operation and maintenance;
interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation.
The objective is to facilitate an increase of maturity of the security engineering processes within the organization. The SSE-CMM® is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.
|
Published |
2008-10 |
Edition : 2 |
Number of pages : 144 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 21878:2018 |
Information technology — Security techniques — Security guidelines for design and implementation of virtualized servers |
This document specifies security guidelines for the design and implementation of VSs. Design considerations focusing on identifying and mitigating risks, and implementation recommendations with respect to typical VSs are covered in this document.
This document is not applicable to: (see also 5.3.2 Exclusions)
— desktop, OS, network, and storage virtualization; and
— vendor attestation.
This document is intended to benefit any organization using and/or providing VSs.
|
Published |
2018-11 |
Edition : 1 |
Number of pages : 22 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 21964-1:2018 |
Information technology — Destruction of data carriers — Part 1: Principles and definitions |
This standard defines terms and principles for the destruction of data carriers.
|
Published |
2018-08 |
Edition : 1 |
Number of pages : 6 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 21964-2:2018 |
Information technology — Destruction of data carriers — Part 2: Requirements for equipment for destruction of data carriers |
This standard applies to machines for the destruction of data carriers. This standard specifies the requirements for machines in order to ensure the safe destruction of data carriers.
|
Published |
2018-08 |
Edition : 1 |
Number of pages : 9 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 21964-3:2018 |
Information technology — Destruction of data carriers — Part 3: Process of destruction of data carriers |
This standard defines the requirements for the process of destruction of data carriers and is applicable for the responsible authority and for all parties who are involved in the destruction process.
|
Published |
2018-08 |
Edition : 1 |
Number of pages : 8 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 22216:2022 |
Information security, cybersecurity and privacy protection — New concepts and changes in ISO/IEC 15408:2022 and ISO/IEC 18045:2022 |
This document:
— introduces the breakdown between the former ISO/IEC 15408 series (ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008 and ISO/IEC 15408-3:2008) and ISO/IEC 18045:2008, and the new parts introduced in the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022;
— presents the concepts newly introduced as well as the rationale for their inclusion;
— proposes an evolution path and information on how to move from CC 3.1 and CEM 3.1 to the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively;
— maps the evolutions between the CC 3.1 and CEM 3.1 and the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively.
|
Published |
2022-05 |
Edition : 1 |
Number of pages : 46 |
Technical Committee |
35.030
IT Security
|
| ISO 22739:2020 |
Blockchain and distributed ledger technologies — Vocabulary |
This document provides fundamental terminology for blockchain and distributed ledger technologies.
|
Published |
2020-07 |
Edition : 1 |
Number of pages : 10 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/DIS 22739 |
Blockchain and distributed ledger technologies — Vocabulary |
|
Under development |
|
Edition : 2 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/TR 23244:2020 |
Blockchain and distributed ledger technologies — Privacy and personally identifiable information protection considerations |
This document provides an overview of privacy and personally identifiable information (PII) protection as applied to blockchain and distributed ledger technologies (DLT) systems.
|
Published |
2020-05 |
Edition : 1 |
Number of pages : 17 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/TR 23249:2022 |
Blockchain and distributed ledger technologies – Overview of existing DLT systems for identity management |
This document provides an overview of existing DLT systems for identity management, i.e. the mechanisms by which one or more entities can create, receive, modify, use and revoke a set of identity attributes.
This document covers the following topics:
— Managing identity for individuals, organizations, things (IoT & objects), functions and processes and other entities including within and across DLT systems.
— Description of the actors and their interactions and common interfaces.
— Architectures.
— Existing relevant standards and frameworks.
|
Published |
2022-05 |
Edition : 1 |
Number of pages : 37 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO 23257:2022 |
Blockchain and distributed ledger technologies — Reference architecture |
This document specifies a reference architecture for Distributed Ledger Technology (DLT) systems including blockchain systems. The reference architecture addresses concepts, cross-cutting aspects, architectural considerations, and architecture views, including functional components, roles, activities, and their relationships for blockchain and DLT.
|
Published |
2022-02 |
Edition : 1 |
Number of pages : 52 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/TS 23258:2021 |
Blockchain and distributed ledger technologies — Taxonomy and Ontology |
This document specifies a taxonomy and an ontology for blockchain and distributed ledger technologies (DLT). The taxonomy includes a taxonomy of concepts, a taxonomy of DLT systems and a taxonomy of application domains, purposes and economic activity sections for use cases. The ontology includes classes and attributes as well as relations between concepts.
The audience includes but is not limited to academics, architects, customers, users, tool developers, regulators, auditors and standards development organizations.
|
Published |
2021-11 |
Edition : 1 |
Number of pages : 28 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/DTS 23259 |
Blockchain and distributed ledger technologies — Legally binding smart contracts |
|
Deleted |
|
Edition : 1 |
|
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/IEC TR 13335-2:1997 |
Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security |
|
Withdrawn |
1997-12 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/TR 23455:2019 |
Blockchain and distributed ledger technologies — Overview of and interactions between smart contracts in blockchain and distributed ledger technology systems |
This document provides an overview of smart contracts in BC/DLT systems, describing what smart contracts are and how they work. It also discusses methods of interaction between multiple smart contracts. This document focuses on technical aspects of smart contracts. Smart contracts for legally binding use and applications are only briefly mentioned in this document.
|
Published |
2019-09 |
Edition : 1 |
Number of pages : 42 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/IEC TS 23532-1:2021 |
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 1: Evaluation for ISO/IEC 15408 |
This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.
|
Published |
2021-11 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TS 23532-2:2021 |
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 2: Testing for ISO/IEC 19790 |
This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.
|
Published |
2021-11 |
Edition : 1 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
|
| ISO/TR 23576:2020 |
Blockchain and distributed ledger technologies — Security management of digital asset custodians |
This document discusses the threats, risks, and controls related to:
— systems that provide digital asset custodian services and/or exchange services to their customers (consumers and businesses) and management of security when an incident occurs;
— asset information (including the signature key of the digital asset) that a custodian of digital assets manages.
This document is addressed to digital asset custodians that manage signature keys associated with digital asset accounts. In such a case, certain specific recommendations apply.
The following is out of scope of this document:
— core security controls of blockchain and DLT systems;
— business risks of digital asset custodians;
— segregation of customer's assets;
— governance and management issues.
|
Published |
2020-12 |
Edition : 1 |
Number of pages : 35 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/TS 23635:2022 |
Blockchain and distributed ledger technologies — Guidelines for governance |
This document provides guiding principles and a framework for the governance of DLT systems.
The document also provides guidance on the fulfilment of governance, including risk and regulatory contexts, that supports the effective, efficient, and acceptable use of DLT systems.
|
Published |
2022-02 |
Edition : 1 |
Number of pages : 26 |
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/TR 23644 |
Blockchain and distributed ledger technologies (DLTs) — Overview of trust anchors for DLT-based identity management |
|
Under development |
|
Edition : 1 |
|
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
;
35.240.99
IT applications in other fields
|
| ISO/IEC DIS 23837-1 |
Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 1: Requirements |
|
Under development |
|
Edition : 1 |
Number of pages : 51 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC DIS 23837-2 |
Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 2: Evaluation and testing methods |
|
Under development |
|
Edition : 1 |
Number of pages : 100 |
Technical Committee |
35.030
IT Security
|
| ISO/TR 24374 |
Financial services — Security information for PKI in blockchain and DLT implementations |
|
Under development |
2023-04 |
Edition : 1 |
|
Technical Committee |
35.030
IT Security
;
35.240.40
IT applications in banking
|
| ISO/IEC FDIS 24392 |
Cybersecurity — Security reference model for industrial internet platform (SRM- IIP) |
|
Under development |
|
Edition : 1 |
Number of pages : 34 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 13335-3:1998 |
Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security |
|
Withdrawn |
1998-06 |
Edition : 1 |
Number of pages : 47 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC TR 24485:2022 |
Information security, cybersecurity and privacy protection — Security techniques — Security properties and best practices for test and evaluation of white box cryptography |
This document introduces security properties and provides best practices for the test and evaluation of white box cryptography (WBC). WBC is an implementation of a cryptographic algorithm that is specialized for a particular key or secret and designed so that the key cannot be extracted from it.
The WBC implementation can consist of plain source code for the cryptographic algorithm and/or of a device implementing the algorithm. In both cases, security functions are implemented to deter an attacker from uncovering the key or secret.
The security properties consist of the secrecy of the security parameters concealed within the WBC implementation. Best practices for test and evaluation include mathematical and practical analyses, static and dynamic analyses, and non-invasive and invasive analyses.
This document is related to ISO/IEC 19790 which specifies security requirements for cryptographic modules. In those modules, critical security parameters (CSPs) and public security parameters (PSPs) are the assets to protect. WBC is one solution to conceal CSPs inside of the implementation.
|
Published |
2022-10 |
Edition : 1 |
Number of pages : 12 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24745:2011 |
Information technology — Security techniques — Biometric information protection |
ISO/IEC 24745:2011 provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745:2011 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information.
ISO/IEC 24745:2011 specifies the following:
analysis of the threats to and countermeasures inherent in biometrics and biometric system application models;
security requirements for secure binding between a biometric reference and an identity reference;
biometric system application models with different scenarios for the storage of biometric references and comparison; and
guidance on the protection of an individual's privacy during the processing of biometric information.
ISO/IEC 24745:2011 does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.
|
Withdrawn |
2011-06 |
Edition : 1 |
Number of pages : 50 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24745:2022 |
Information security, cybersecurity and privacy protection — Biometric information protection |
This document covers the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. It also provides requirements and recommendations for the secure and privacy-compliant management and processing of biometric information.
This document specifies the following:
— analysis of the threats to and countermeasures inherent to biometrics and biometric system application models;
— security requirements for securely binding between a biometric reference (BR) and an identity reference (IR);
— biometric system application models with different scenarios for the storage and comparison of BRs;
— guidance on the protection of an individual's privacy during the processing of biometric information.
This document does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.
|
Published |
2022-02 |
Edition : 2 |
Number of pages : 63 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24759:2008 |
Information technology — Security techniques — Test requirements for cryptographic modules |
ISO/IEC 24759:2008 specifies the methods to be used by testing laboratories to test whether a cryptographic module conforms to the requirements specified in ISO/IEC 19790:2006. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories. Within each subclause of the security requirements clause of ISO/IEC 24759:2008, the corresponding security requirements from ISO/IEC 19790:2006 are divided into a set of assertions (i.e. statements that have to be true for the module to satisfy the requirement of a given area at a given level). All of the assertions are direct quotations from ISO/IEC 19790:2006.
Following each assertion is a set of requirements levied on the vendor. These specify the types of documentation or explicit information that the vendor is required to provide in order for the tester to verify conformance to the given assertion.
Also following each assertion and the requirements levied on the vendor is a set of requirements levied on the tester of the cryptographic module. These specify what the tester needs to do in order to test the cryptographic module with respect to the given assertion.
Vendors can use ISO/IEC 24759:2008 as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2006 before they apply to the testing laboratory for testing.
|
Withdrawn |
2008-07 |
Edition : 1 |
Number of pages : 103 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24759:2014 |
Information technology — Security techniques — Test requirements for cryptographic modules |
ISO/IEC 24759:2014 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012/Cor.1:2015. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.
ISO/IEC 24759:2014 also specifies the requirements for information that vendors provide to testing laboratories as supporting evidence to demonstrate their cryptographic modules' conformity to the requirements specified in ISO/IEC 19790:2012/Cor.1:2015.
Vendors can use this International Standard as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012/Cor.1:2015 before they apply to the testing laboratory for testing.
|
Withdrawn |
2014-02 |
Edition : 2 |
Number of pages : 135 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24759:2014/Cor 1:2015 |
Information technology — Security techniques — Test requirements for cryptographic modules — Technical Corrigendum 1 |
|
Withdrawn |
2015-10 |
Edition : 2 |
Number of pages : 135 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24759:2017 |
Information technology — Security techniques — Test requirements for cryptographic modules |
ISO/IEC 24759:2017 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories.
This document also specifies the requirements for information that vendors provide to testing laboratories as supporting evidence to demonstrate their cryptographic modules' conformity to the requirements specified in ISO/IEC 19790:2012.
Vendors can use this document as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012 before they apply to the testing laboratory for testing.
|
Published |
2017-03 |
Edition : 3 |
Number of pages : 135 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC CD 24759 |
Information technology — Security techniques — Test requirements for cryptographic modules |
|
Under development |
|
Edition : 4 |
|
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-1:2011 |
Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts |
ISO/IEC 24760-1:2011
- defines terms for identity management, and
- specifies core concepts of identity and identity management and their relationships.
It is applicable to any information system that processes identity information.
A bibliography of documents describing various aspects of identity information management is provided.
|
Withdrawn |
2011-12 |
Edition : 1 |
Number of pages : 20 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-1:2019 |
IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts |
This document defines terms for identity management, and specifies core concepts of identity and identity management and their relationships.
It is applicable to any information system that processes identity information.
|
Published |
2019-05 |
Edition : 2 |
Number of pages : 24 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-1:2019/Amd 1:2023 |
IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts — Amendment 1 |
|
Published |
2023-01 |
Edition : 2 |
Number of pages : 4 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-2:2015 |
Information technology — Security techniques — A framework for identity management — Part 2: Reference architecture and requirements |
ISO/IEC 24760-2:2015
- provides guidelines for the implementation of systems for the management of identity information, and
- specifies requirements for the implementation and operation of a framework for identity management.
ISO/IEC 24760-2:2015 is applicable to any information system where information relating to identity is processed or stored.
|
Published |
2015-06 |
Edition : 1 |
Number of pages : 47 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC DIS 24760-2 |
IT Security and Privacy — A framework for identity management — Part 2: Reference architecture and requirements |
|
Under development |
|
Edition : 2 |
Number of pages : 47 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-3:2016 |
Information technology — Security techniques — A framework for identity management — Part 3: Practice |
ISO/IEC 24760-3:2016 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
ISO/IEC 24760-3:2016 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.
|
Published |
2016-08 |
Edition : 1 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24760-3:2016/Amd 1:2023 |
Information technology — Security techniques — A framework for identity management — Part 3: Practice — Amendment 1: Identity Information Lifecycle processes |
|
Published |
2023-01 |
Edition : 1 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24761:2009 |
Information technology — Security techniques — Authentication context for biometrics |
ISO/IEC 24761:2009 specifies the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site. ISO/IEC 24761:2009 allows any ACBio instance to accompany any data item that is involved in any biometric process related to verification and enrolment. The specification of ACBio is applicable not only to single modal biometric verification but also to multimodal fusion. ISO/IEC 24761:2009 specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is based on an abstract Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using either a compact binary encoding or a human-readable XML encoding. ISO/IEC 24761:2009 does not define protocols to be used between entities such as biometric processing units, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.
|
Withdrawn |
2009-05 |
Edition : 1 |
Number of pages : 50 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24761:2019 |
Information technology — Security techniques — Authentication context for biometrics |
This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report.
Biometric identification is out of the scope of this document.
This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.
|
Published |
2019-10 |
Edition : 2 |
Number of pages : 75 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 24762:2008 |
Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services |
ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services.
ISO/IEC 24762:2008 specifies:
the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities;
the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations' recovery efforts;
the guidance for selection of recovery site; and
the guidance for ICT DR service providers to continuously improve their ICT DR services.
|
Withdrawn |
2008-02 |
Edition : 1 |
Number of pages : 67 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27000:2009 |
Information technology — Security techniques — Information security management systems — Overview and vocabulary |
ISO/IEC 27000:2009 provides an overview of information security management systems, which form the subject of the information security management system (ISMS) family of standards, and defines related terms. As a result of implementing ISO/IEC 27000:2009, all types of organization (e.g. commercial enterprises, government agencies and non-profit organizations) are expected to obtain:
an overview of the ISMS family of standards;
an introduction to information security management systems (ISMS);
a brief description of the Plan-Do-Check-Act (PDCA) process; and
an understanding of terms and definitions in use throughout the ISMS family of standards.
The objectives of ISO/IEC 27000:2009 are to provide terms and definitions, and an introduction to the ISMS family of standards that:
define requirements for an ISMS and for those certifying such systems;
provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
address sector-specific guidelines for ISMS; and
address conformity assessment for ISMS.
|
Withdrawn |
2009-05 |
Edition : 1 |
Number of pages : 19 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
03.100.70
Management systems
|
| ISO/IEC 27000:2012 |
Information technology — Security techniques — Information security management systems — Overview and vocabulary |
ISO/IEC 27000:2012 describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions.
ISO/IEC 27000:2012 is applicable to all types and sizes of organisation (e.g. commercial enterprises, government agencies, not-for-profit organisations).
|
Withdrawn |
2012-12 |
Edition : 2 |
Number of pages : 25 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
03.100.70
Management systems
|
| ISO/IEC 27000:2014 |
Information technology — Security techniques — Information security management systems — Overview and vocabulary |
ISO/IEC 27000:2014 provides the overview of information security management systems (ISMS), and terms and definitions commonly used in the ISMS family of standards.
It is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
|
Withdrawn |
2014-01 |
Edition : 3 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
03.100.70
Management systems
|
| ISO/IEC 27000:2016 |
Information technology — Security techniques — Information security management systems — Overview and vocabulary |
ISO/IEC 27000:2016 provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
|
Withdrawn |
2016-02 |
Edition : 4 |
Number of pages : 34 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
;
03.100.70
Management systems
|
| ISO/IEC 27000:2018 |
Information technology — Security techniques — Information security management systems — Overview and vocabulary |
ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).
The terms and definitions provided in this document
- cover commonly used terms and definitions in the ISMS family of standards;
- do not cover all terms and definitions applied within the ISMS family of standards; and
- do not limit the ISMS family of standards in defining new terms for use.
|
Published |
2018-02 |
Edition : 5 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
;
01.040.35
Information technology (Vocabularies)
|
| ISO/IEC 27002:2005 |
Information technology — Security techniques — Code of practice for information security management |
ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002.
ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management:
security policy;
organization of information security;
asset management;
human resources security;
physical and environmental security;
communications and operations management;
access control;
information systems acquisition, development and maintenance;
information security incident management;
business continuity management;
compliance.
The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.
|
Withdrawn |
2005-06 |
Edition : 1 |
Number of pages : 115 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27002:2013 |
Information technology — Security techniques — Code of practice for information security controls |
ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s).
It is designed to be used by organizations that intend to:
select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
implement commonly accepted information security controls;
develop their own information security management guidelines.
|
Withdrawn |
2013-10 |
Edition : 2 |
Number of pages : 80 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27002:2013/Cor 1:2014 |
Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 1 |
|
Withdrawn |
2014-09 |
Edition : 2 |
Number of pages : 3 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27002:2013/Cor 2:2015 |
Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 2 |
|
Withdrawn |
2015-11 |
Edition : 2 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27002:2022 |
Information security, cybersecurity and privacy protection — Information security controls |
This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC 27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.
|
Published |
2022-02 |
Edition : 3 |
Number of pages : 152 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27003:2010 |
Information technology — Security techniques — Information security management system implementation guidance |
ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.
|
Withdrawn |
2010-02 |
Edition : 1 |
Number of pages : 68 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27003:2017 |
Information technology — Security techniques — Information security management systems — Guidance |
ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.
|
Published |
2017-03 |
Edition : 2 |
Number of pages : 45 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO 14520-7:2000 |
Gaseous fire-extinguishing systems — Physical properties and system design — Part 7: HCFC 124 extinguishant |
|
Withdrawn |
2000-08 |
Edition : 1 |
Number of pages : 6 |
Technical Committee |
13.220.10
Fire-fighting
|
| ISO/IEC 27004:2009 |
Information technology — Security techniques — Information security management — Measurement |
ISO/IEC 27004:2009 provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.
ISO/IEC 27004:2009 is applicable to all types and sizes of organization.
|
Withdrawn |
2009-12 |
Edition : 1 |
Number of pages : 55 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27004:2016 |
Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation |
ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes:
a) the monitoring and measurement of information security performance;
b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls;
c) the analysis and evaluation of the results of monitoring and measurement.
ISO/IEC 27004:2016 is applicable to all types and sizes of organizations.
|
Published |
2016-12 |
Edition : 2 |
Number of pages : 58 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27005:2008 |
Information technology — Security techniques — Information security risk management |
ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
|
Withdrawn |
2008-06 |
Edition : 1 |
Number of pages : 55 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27005:2011 |
Information technology — Security techniques — Information security risk management |
ISO/IEC 27005:2011 provides guidelines for information security risk management.
It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011.
ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.
|
Withdrawn |
2011-06 |
Edition : 2 |
Number of pages : 68 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27005:2018 |
Information technology — Security techniques — Information security risk management |
This document provides guidelines for information security risk management.
This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.
Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document.
This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.
|
Withdrawn |
2018-07 |
Edition : 3 |
Number of pages : 56 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27005:2022 |
Information security, cybersecurity and privacy protection — Guidance on managing information security risks |
This document provides guidance to assist organizations to:
— fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
— perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.
|
Published |
2022-10 |
Edition : 4 |
Number of pages : 62 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC DIS 27006-1.2 |
Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General |
ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
|
Under development |
|
Edition : 1 |
Number of pages : 62 |
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC CD 27006-2.2 |
Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems |
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
|
Under development |
|
Edition : 1 |
|
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC TS 27006-2:2021 |
Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems |
This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.
|
Published |
2021-02 |
Edition : 1 |
Number of pages : 9 |
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC 27006:2007 |
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems |
ISO/IEC 27006:2007 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in ISO/IEC 27006:2007 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in ISO/IEC 27006:2007 provides additional interpretation of these requirements for any body providing ISMS certification.
|
Withdrawn |
2007-03 |
Edition : 1 |
Number of pages : 36 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27006:2011 |
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems |
ISO/IEC 27006:2011 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in ISO/IEC 27006:2011 need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in ISO/IEC 27006:2011 provides additional interpretation of these requirements for any body providing ISMS certification.
|
Withdrawn |
2011-12 |
Edition : 2 |
Number of pages : 37 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27006:2015 |
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems |
ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification.
The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification.
NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.
|
Published |
2015-10 |
Edition : 3 |
Number of pages : 35 |
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC 27006:2015/Amd 1:2020 |
Information technology — Security techniques — Requirements for bodies providing audit and certification of information security management systems — Amendment 1 |
|
Published |
2020-03 |
Edition : 3 |
Number of pages : 2 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27033-5:2013 |
Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs) |
ISO/IEC 27033-5:2013 gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.
|
Published |
2013-08 |
Edition : 1 |
Number of pages : 14 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27007:2011 |
Information technology — Security techniques — Guidelines for information security management systems auditing |
ISO/IEC 27007:2011 provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
ISO/IEC 27007:2011 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
|
Withdrawn |
2011-11 |
Edition : 1 |
Number of pages : 27 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27007:2017 |
Information technology — Security techniques — Guidelines for information security management systems auditing |
ISO/IEC 27007 provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011:2011.
ISO/IEC 27007 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
|
Withdrawn |
2017-10 |
Edition : 2 |
Number of pages : 41 |
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC 27007:2020 |
Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing |
This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011.
This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.
|
Published |
2020-01 |
Edition : 3 |
Number of pages : 39 |
Technical Committee |
35.030
IT Security
;
03.120.20
Product and company certification. Conformity assessment
|
| ISO/IEC TR 27008:2011 |
Information technology — Security techniques — Guidelines for auditors on information security controls |
ISO/IEC TR 27008:2011 provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, in compliance with an organization's established information security standards.
ISO/IEC TR 27008:2011 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks. It is not intended for management systems audits.
|
Withdrawn |
2011-10 |
Edition : 1 |
Number of pages : 36 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TS 27008:2019 |
Information technology — Security techniques — Guidelines for the assessment of information security controls |
This document provides guidance on reviewing and assessing the implementation and operation of information security controls, including the technical assessment of information system controls, in compliance with an organization's established information security requirements, including technical compliance against assessment criteria based on those requirements.
This document offers guidance on how to review and assess information security controls being managed through an Information Security Management System specified by ISO/IEC 27001.
It is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations conducting information security reviews and technical compliance checks.
|
Published |
2019-01 |
Edition : 1 |
Number of pages : 91 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27009:2016 |
Information technology — Security techniques — Sector-specific application of ISO/IEC 27001 — Requirements |
ISO/IEC 27009:2016 defines the requirements for the use of ISO/IEC 27001 in any specific sector (field, application area or market sector). It explains how to include requirements additional to those in ISO/IEC 27001, how to refine any of the ISO/IEC 27001 requirements, and how to include controls or control sets in addition to ISO/IEC 27001:2013, Annex A.
It ensures that additional or refined requirements are not in conflict with the requirements in ISO/IEC 27001.
It is applicable to those involved in producing sector-specific standards that relate to ISO/IEC 27001.
|
Withdrawn |
2016-06 |
Edition : 1 |
Number of pages : 9 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27009:2020 |
Information security, cybersecurity and privacy protection — Sector-specific application of ISO/IEC 27001 — Requirements |
This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market).
This document explains how to:
— include requirements in addition to those in ISO/IEC 27001,
— refine or interpret any of the ISO/IEC 27001 requirements,
— include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— modify any of the controls of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002,
— add guidance to or modify the guidance of ISO/IEC 27002.
This document specifies that additional or refined requirements do not invalidate the requirements in ISO/IEC 27001.
This document is applicable to those involved in producing sector-specific standards.
|
Published |
2020-04 |
Edition : 2 |
Number of pages : 18 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC TR 13335-4:2000 |
Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards |
|
Withdrawn |
2000-03 |
Edition : 1 |
Number of pages : 61 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27010:2012 |
Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications |
ISO/IEC 27010:2012 provides guidelines in addition to guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities.
ISO/IEC 27010:2012 provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications.
ISO/IEC 27010:2012 is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure.
|
Withdrawn |
2012-04 |
Edition : 1 |
Number of pages : 34 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27010:2015 |
Information technology — Security techniques — Information security management for inter-sector and inter-organizational communications |
ISO/IEC 27010:2015 provides guidelines in addition to the guidance given in the ISO/IEC 27000 family of standards for implementing information security management within information sharing communities.
This International Standard provides controls and guidance specifically relating to initiating, implementing, maintaining, and improving information security in inter-organizational and inter-sector communications. It provides guidelines and general principles on how the specified requirements can be met using established messaging and other technical methods.
This International Standard is applicable to all forms of exchange and sharing of sensitive information, both public and private, nationally and internationally, within the same industry or market sector or between sectors. In particular, it may be applicable to information exchanges and sharing relating to the provision, maintenance and protection of an organization's or nation state's critical infrastructure. It is designed to support the creation of trust when exchanging and sharing sensitive information, thereby encouraging the international growth of information sharing communities.
|
Published |
2015-11 |
Edition : 2 |
Number of pages : 32 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27011:2008 |
Information technology — Security techniques — Information security management guidelines for telecommunications organizations based on ISO/IEC 27002 |
The scope of this Recommendation | International Standard is to define guidelines supporting the implementation of information security management in telecommunications organizations.
The adoption of this Recommendation | International Standard will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.
|
Withdrawn |
2008-12 |
Edition : 1 |
Number of pages : 44 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27011:2016 |
Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations |
The scope of this Recommendation | ISO/IEC 27011:2016 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.
The adoption of this Recommendation | ISO/IEC 27011:2016 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.
|
Published |
2016-12 |
Edition : 2 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27011:2016/Cor 1:2018 |
Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations — Technical Corrigendum 1 |
|
Published |
2018-09 |
Edition : 2 |
Number of pages : 1 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC DIS 27011 |
Information security, cybersecurity and privacy protection — Information security controls based on ISO/IEC 27002 for telecommunications organizations |
|
Under development |
|
Edition : 3 |
Number of pages : 30 |
Technical Committee |
35.030
IT Security
|
| ISO/IEC 27013:2012 |
Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 |
ISO/IEC 27013:2012 provides guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for those organizations which are intending to either:
a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa;
b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together;
c) integrate existing ISO/IEC 27001 and ISO/IEC 20000-1 management systems.
ISO/IEC 27013:2012 focuses exclusively on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1.
|
Withdrawn |
2012-10 |
Edition : 1 |
Number of pages : 38 |
Technical Committee |
35.020
Information technology (IT) in general
;
35.030
IT Security
;
03.080.99
Other services
;
03.100.70
Management systems
|
| ISO/IEC TR 13335-5:2001 |
Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security |
|
Withdrawn |
2001-11 |
Edition : 1 |
Number of pages : 31 |
Technical Committee |
35.030
IT Security
;
03.100.70
Management systems
|
| ISO/IEC 27013:2015 |
Information technology — Security techniques — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 |
ISO/IEC 27013:2015 provides guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000‑1 for those organizations that are intending to either
a) implement ISO/IEC 27001 when ISO/IEC 20000‑1 is already implemented, or vice versa,
b) implement both ISO/IEC 27001 and ISO/IEC 20000‑1 together, or
c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000‑1.
ISO/IEC 27013:2015 focuses exclusively on the integrated implementation of an information security management system (ISMS) as specified in ISO/IEC 27001 and a service management system (SMS) as specified in ISO/IEC 20000‑1.
In practice, ISO/IEC 27001 and ISO/IEC 20000‑1 can also be integrated with other management system standards, such as ISO 9001 and ISO 14001.
|
Withdrawn |
2015-12 |
Edition : 2 |
Number of pages : 39 |
Technical Committee |
35.020
Information technology (IT) in general
;
35.030
IT Security
;
03.080.99
Other services
;
03.100.70
Management systems
|
| ISO/IEC 27013:2021 |
Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 |
This document gives guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 for organizations intending to:
a) implement ISO/IEC 27001 when ISO/IEC 20000-1 is already implemented, or vice versa;
b) implement both ISO/IEC 27001 and ISO/IEC 20000-1 together; or
c) integrate existing management systems based on ISO/IEC 27001 and ISO/IEC 20000-1.
This document focuses exclusively on the integrated implementation of an information security management system (ISMS) as specified in ISO/IEC 27001 and a service management system (SMS) as specified in ISO/IEC 20000-1.
|
Published |
2021-11 |
Edition : 3 |
Number of pages : 60 |
Technical Committee |
35.020
Information technology (IT) in general
;
35.030
IT Security
;
03.080.99
Other services
;
03.100.70
Management systems
|
| ISO/IEC 27013:2021/CD Amd 1 |
Information security, cybersecurity and privacy protection — Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 — Amendment 1 |
|
Under development |
|
Edition : 3 |
|
Technical Committee |
35.020
Information technology (IT) in general
;
35.030
IT Security
;
03.080.99
Other services
;
03.100.70
Management systems
|
| ISO/IEC 27014:2013 |
Information technology — Security techniques — Governance of information security |
ISO/IEC 27014:2013 provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization.
ISO/IEC 27014:2013 is applicable to all types and sizes of organizations.
|
Withdrawn |
2013-05 |
Edition : 1 |
Number of pages : 11 |
Technical Committee |
35.030
IT Security
|