ESG-database.dk - Version 0.0.9

This page provides an overview of all ISO standards referenced on the ISO homepage, as of 02/04-2023.

ISO standards


Name Description Abstract Status Publication date Edition Number of pages Technical committee ICS
ISO/IEC 19896-2:2018 IT security techniques — Competence requirements for information security testers and evaluators — Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers This document provides the minimum requirements for the knowledge, skills and effectiveness requirements of individuals performing testing activities for a conformance scheme using ISO/IEC 19790 and ISO/IEC 24759.  Published 2018-08 Edition : 1 Number of pages : 34 Technical Committee 35.030 IT Security
ISO/IEC 19896-3:2018 IT security techniques — Competence requirements for information security testers and evaluators — Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045.  Published 2018-08 Edition : 1 Number of pages : 33 Technical Committee 35.030 IT Security
ISO/IEC 19989-1:2020 Information security — Criteria and methodology for security evaluation of biometric systems — Part 1: Framework For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systemsthis document specifies: — extended security functional components to SFR Classes in ISO/IEC 15408-2; — supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3. This document introduces the general framework for the security evaluation of biometric systems, including extended security functional components, and supplementary activities to methodology, which is additional evaluation activities and guidance/recommendations for an evaluator to handle those activities. The supplementary evaluation activities are developed in this document while the detailed recommendations are developed in ISO/IEC 19989-2 (for biometric recognition aspects) and in ISO/IEC 19989-3 (for presentation attack detection aspects). This document is applicable only to TOEs for single biometric characteristic type. However, the selection of a characteristic from multiple characteristics in SFRs is allowed.  Published 2020-09 Edition : 1 Number of pages : 62 Technical Committee 35.030 IT Security
ISO/IEC 19989-2:2020 Information security — Criteria and methodology for security evaluation of biometric systems — Part 2: Biometric recognition performance For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1. The evaluation of presentation attack detection techniques is out of the scope of this document except for presentation from impostor attempts under the policy of the intended use following the TOE guidance documentation.  Published 2020-10 Edition : 1 Number of pages : 33 Technical Committee 35.030 IT Security
ISO/IEC 19989-3:2020 Information security — Criteria and methodology for security evaluation of biometric systems — Part 3: Presentation attack detection For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. This document is applicable only to TOEs for single biometric characteristic type but for the selection of a characteristic from multiple characteristics.  Published 2020-09 Edition : 1 Number of pages : 18 Technical Committee 35.030 IT Security
ISO/IEC TR 20004:2012 Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045 ISO/IEC TR 20004:2012 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045:2008 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. ISO/IEC TR 20004:2012 leverages the Common Weakness Enumeration (CWE) and the Common Attack Pattern Enumeration and Classification (CAPEC) to support the method of scoping and implementing ISO/IEC 18045:2008(E) vulnerability analysis activities. ISO/IEC TR 20004:2012 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.  Withdrawn 2012-08 Edition : 1 Number of pages : 17 Technical Committee 35.030 IT Security
ISO/IEC TR 20004:2015 Information technology — Security techniques — Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045 ISO/IEC TR 20004:2015 refines the AVA_VAN assurance family activities defined in ISO/IEC 18045 and provides more specific guidance on the identification, selection and assessment of relevant potential vulnerabilities in order to conduct an ISO/IEC 15408 evaluation of a software target of evaluation. This Technical Report leverages publicly available information security resources to support the method of scoping and implementing ISO/IEC 18045 vulnerability analysis activities. The Technical Report currently uses the common weakness enumeration (CWE) and the common attack pattern enumeration and classification (CAPEC), but does not preclude the use of any other appropriate resources. Furthermore, this Technical Report is not meant to address all possible vulnerability analysis methods, including those that fall outside the scope of the activities outlined in ISO/IEC 18045. ISO/IEC TR 20004:2015 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.  Published 2015-12 Edition : 2 Number of pages : 17 Technical Committee 35.030 IT Security
ISO/IEC 20008-1:2013 Information technology — Security techniques — Anonymous digital signatures — Part 1: General ISO/IEC 20008-1:2013 specifies principles, including a general model, a set of entities, a number of processes, and general requirements for the following two categories of anonymous digital signature mechanisms: signature mechanisms using a group public key, and signature mechanisms using multiple public keys.  Published 2013-12 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC 29134 Information technology — Security techniques — Guidelines for privacy impact assessment ISO/IEC 29134:2017 gives guidelines for - a process on privacy impact assessments, and - a structure and content of a PIA report. It is applicable to all types and sizes of organizations, including public companies, private companies, government entities and not-for-profit organizations. ISO/IEC 29134:2017 is relevant to those involved in designing or implementing projects, including the parties operating data processing systems and services that process PII.  Under development Edition : 2 Technical Committee 35.030 IT Security
ISO/IEC 20008-2:2013 Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key ISO/IEC 20008-2:2013 specifies anonymous digital signature mechanisms, in which a verifier makes use of a group public key to verify a digital signature. It provides a general description of an anonymous digital signature mechanism using a group public key; a variety of mechanisms that provide such anonymous digital signatures. For each mechanism, ISO/IEC 20008-2:2013 specifies the process for generating group member signature keys and a group public key; the process for producing signatures; the process for verifying signatures; the process for opening signatures (if the mechanism supports opening); the process for linking signatures (if the mechanism supports linking); the process for revoking group members.  Published 2013-11 Edition : 1 Number of pages : 85 Technical Committee 35.030 IT Security
ISO/IEC 20008-2:2013/Amd 1:2021 Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 1  Published 2021-02 Edition : 1 Number of pages : 1 Technical Committee 35.030 IT Security
ISO/IEC 20008-2:2013/Amd 2 Information technology — Security techniques — Anonymous digital signatures — Part 2: Mechanisms using a group public key — Amendment 2  Under development 2023-04 Edition : 1 Technical Committee 35.030 IT Security
ISO/IEC CD 20008-3 Information technology — Security techniques — Anonymous digital signatures — Part 3: Mechanisms using multiple public keys  Under development Edition : 2 Technical Committee 35.030 IT Security
ISO/IEC 20009-1:2013 Information technology — Security techniques — Anonymous entity authentication — Part 1: General ISO/IEC 20009-1:2013 specifies a model, requirements and constraints for anonymous entity authentication mechanisms that allow the legitimacy of an entity to be corroborated.  Published 2013-08 Edition : 1 Number of pages : 6 Technical Committee 35.030 IT Security
ISO/IEC 20009-2:2013 Information technology — Security techniques — Anonymous entity authentication — Part 2: Mechanisms based on signatures using a group public key ISO/IEC 20009-2:2013 specifies anonymous entity authentication mechanisms based on signatures using a group public key in which a verifier verifies a group signature scheme to authenticate the entity with which it is communicating, without knowing this entity's identity. ISO/IEC 20009-2:2013 provides: a general description of an anonymous entity authentication mechanism based on signatures using a group public key; a variety of mechanisms of this type. ISO/IEC 20009-2:2013 describes: the group membership issuing processes; anonymous authentication mechanisms without an online Trusted Third Party (TTP); anonymous authentication mechanisms involving an online TTP. Furthermore, ISO/IEC 20009-2:2013 also specifies: the group membership opening process (optional); the group signature linking process (optional).  Published 2013-12 Edition : 1 Number of pages : 51 Technical Committee 35.030 IT Security
ISO/IEC 20009-3:2022 Information security — Anonymous entity authentication — Part 3: Mechanisms based on blind signatures This document provides general descriptions and specifications of anonymous entity authentication mechanisms based on blind digital signatures.  Published 2022-02 Edition : 1 Number of pages : 16 Technical Committee 35.030 IT Security
ISO/IEC 20009-4:2017 Information technology — Security techniques — Anonymous entity authentication — Part 4: Mechanisms based on weak secrets ISO/IEC 20009-4:2017 specifies anonymous entity authentication mechanisms based on weak secrets. The precise operation of each mechanism is specified, together with details of all inputs and outputs. This document is applicable to situations in which the server only verifies that the user belongs to a certain user group without obtaining any information that can be used to identify the user later on.  Published 2017-08 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC 20085-1:2019 IT Security techniques — Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules — Part 1: Test tools and techniques This document provides specifications for non-invasive attack test tools and provides information about how to operate such tools. The purpose of the test tools is the collection of signals (i.e. side-channel leakage) and their analysis as a non-invasive attack on a cryptographic module implementation under test (IUT).  Published 2019-10 Edition : 1 Number of pages : 18 Technical Committee 35.030 IT Security
ISO/IEC 20085-2:2020 IT Security techniques — Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules — Part 2: Test calibration methods and apparatus This document specifies the test calibration methods and apparatus used when calibrating test tools for cryptographic modules under ISO/IEC 19790 and ISO/IEC 24759 against the test metrics defined in ISO/IEC 17825 for mitigation of non-invasive attack classes.  Published 2020-03 Edition : 1 Number of pages : 17 Technical Committee 35.030 IT Security
ISO 3411:1982/Amd 2:1994 Earth-moving machinery — Human physical dimensions of operators and minimum operator space envelope — Amendment 2  Withdrawn 1994-10 Edition : 2 Number of pages : 2 Technical Committee 53.100 Earth-moving machinery
ISO/IEC 20243-1:2018 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider ? for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM) ? the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.  Published 2018-02 Edition : 1 Number of pages : 32 Technical Committee 13.310 Protection against crime ; 35.030 IT Security
ISO/IEC DIS 20243-1 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 1: Requirements and recommendations ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider ? for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM) ? the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.  Under development Edition : 2 Number of pages : 29 Technical Committee 13.310 Protection against crime ; 35.030 IT Security
ISO/IEC 20243-2:2018 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018 ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider? Standard (O-TTPS).1 These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.  Published 2018-01 Edition : 1 Number of pages : 33 Technical Committee 13.310 Protection against crime ; 35.030 IT Security
ISO/IEC DIS 20243-2 Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 2: Assessment procedures for the O-TTPS ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider? Standard (O-TTPS).1 These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.  Under development Edition : 2 Number of pages : 44 Technical Committee 13.310 Protection against crime ; 35.030 IT Security
ISO/IEC 20243:2015 Information Technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products ISO/IEC 20243:2015 ? the Open Trusted Technology Provider Standard (O-TTPS) ? and the normative terminology that should be understood in relation to specific requirements and recommendations found in Chapter 4 of this document.  Withdrawn 2015-09 Edition : 1 Number of pages : 32 Technical Committee 13.310 Protection against crime ; 35.030 IT Security
ISO/IEC 20897-2:2022 Information security, cybersecurity and privacy protection — Physically unclonable functions — Part 2: Test and evaluation methods This document specifies the test and evaluation methods for physically unclonable functions (PUFs). The test and evaluation methods consist of inspection of the design rationale of the PUF and comparison between statistical analyses of the responses from a batch of PUFs or a unique PUF versus specified thresholds. This document is related to ISO/IEC 19790 which specifies security requirements for cryptographic modules. In those modules, critical security parameters (key) and public security parameters (product serial number, identification code, etc.) are the assets to protect. PUF is one solution to avoid storing security parameters, thereby increasing the overall security of a cryptographic module.  Published 2022-05 Edition : 1 Number of pages : 27 Technical Committee 35.030 IT Security
ISO/IEC TS 20540:2018 Information technology — Security techniques — Testing cryptographic modules in their operational environment This document provides recommendations and checklists which can be used to support the specification and operational testing of cryptographic modules in their operational environment within an organization's security system. The cryptographic modules have four security levels which ISO/IEC 19790 defines to provide for a wide spectrum of data sensitivity (e.g. low-value administrative data, million-dollar funds transfers, life-protecting data, personal identity information, and sensitive information used by government) and a diversity of application environments (e.g. a guarded facility, an office, removable media, and a completely unprotected location). This document includes: a) recommendations to perform secure assessing for cryptographic module installation, configuration and operation; b) recommendations to inspecting the key management system, protection of authentication credentials, and public and critical security parameters in the operational environment; c) recommendations for identifying cryptographic module vulnerabilities; d) checklists for the cryptographic algorithm policy, security guidance and regulation, security manage requirements, security level for each of the 11 requirement areas, the strength of the security function, etc.; and e) recommendations to determine that the cryptographic module's deployment satisfies the security requirements of the organization. This document assumes that the cryptographic module has been validated as conformant with ISO/IEC 19790. It can be used by an operational tester along with other recommendations if needed. This document is limited to the security related to the cryptographic module. It does not include assessing the security of the operational or application environment. 
It does not define techniques for the identification, assessment and acceptance of the organization's operational risk. The organization's accreditation, deployment and operation processes, shown in Figure 1, is not included to the scope of this document. This document addresses operational testers who perform the operational testing for the cryptographic modules in their operational environment authorizing officials of cryptographic modules.  Published 2018-05 Edition : 1 Number of pages : 39 Technical Committee 35.030 IT Security
ISO/IEC 20543:2019 Information technology — Security techniques — Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408 This document specifies a methodology for the evaluation of non-deterministic or deterministic random bit generators intended to be used for cryptographic applications. The provisions given in this document enable the vendor of an RBG to submit well-defined claims of security to an evaluation authority and shall enable an evaluator or a tester, for instance a validation authority, to evaluate, test, certify or reject these claims. This document is implementation-agnostic. Hence, it offers no specific guidance on design and implementation decisions for random bit generators. However, design and implementation issues influence the evaluation of an RBG in this document, for instance because it requires the use of a stochastic model of the random source and because any such model is supported by technical arguments pertaining to the design of the device at hand. Random bit generators as evaluated in this document aim to output bit strings that appear evenly distributed. Depending on the distribution of random numbers required by the consuming application, however, it is worth noting that additional steps can be necessary (and can well be critical to security) for the consuming application to transform the random bit strings produced by the RBG into random numbers of a distribution suitable to the application requirements. Such subsequent transformations are outside the scope of evaluations performed in this document.  Published 2019-10 Edition : 1 Number of pages : 40 Technical Committee 35.030 IT Security
ISO/IEC 20648:2016 Information technology — TLS specification for storage systems ISO/IEC 20648:2016 details the requirements for use of the Transport Layer Security (TLS) protocol in conjunction with data storage technologies. The requirements set out in this specification are intended to facilitate secure interoperability of storage clients and servers as well as non-storage technologies that may have similar interoperability needs. ISO/IEC 20648:2016 is relevant to anyone involved in owning, operating or using data storage devices. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of storage security.  Published 2016-03 Edition : 1 Number of pages : 11 Technical Committee 35.030 IT Security ; 35.220.01 Data storage devices in general
ISO/IEC DIS 20648 Information technology — TLS specification for storage systems ISO/IEC 20648:2016 details the requirements for use of the Transport Layer Security (TLS) protocol in conjunction with data storage technologies. The requirements set out in this specification are intended to facilitate secure interoperability of storage clients and servers as well as non-storage technologies that may have similar interoperability needs. ISO/IEC 20648:2016 is relevant to anyone involved in owning, operating or using data storage devices. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of storage security.  Under development Edition : 2 Number of pages : 17 Technical Committee 35.030 IT Security ; 35.220.01 Data storage devices in general
ISO/IEC 20889:2018 Privacy enhancing data de-identification terminology and classification of techniques This document provides a description of privacy-enhancing data de-identification techniques, to be used to describe and design de-identification measures in accordance with the privacy principles in ISO/IEC 29100. In particular, this document specifies terminology, a classification of de-identification techniques according to their characteristics, and their applicability for reducing the risk of re-identification. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, that are PII controllers or PII processors acting on a controller's behalf, implementing data de-identification processes for privacy enhancing purposes.  Published 2018-11 Edition : 1 Number of pages : 46 Technical Committee 35.030 IT Security
ISO 3457:1979 Earth-moving machinery — Guards and shields — Definitions and specifications  Withdrawn 1979-09 Edition : 2 Number of pages : 5 Technical Committee 53.100 Earth-moving machinery
ISO 21177:2023 Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities, i.e.: —    between devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) as specified in ISO 21217; and —    between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks. These services include the authentication and secure session establishment which are required to exchange information in a trusted and secure manner. These services are essential for many intelligent transport system (ITS) applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2), and roadside/infrastructure-related services.  Published 2023-04 Edition : 1 Number of pages : 100 Technical Committee 35.030 IT Security ; 03.220.01 Transport in general ; 35.240.60 IT applications in transport
ISO/TS 21177:2019 Intelligent transport systems — ITS station security services for secure session establishment and authentication between trusted devices This document contains specifications for a set of ITS station security services required to ensure the authenticity of the source and integrity of information exchanged between trusted entities: — devices operated as bounded secured managed entities, i.e. "ITS Station Communication Units" (ITS-SCU) and "ITS station units" (ITS-SU) specified in ISO 21217, and — between ITS-SUs (composed of one or several ITS-SCUs) and external trusted entities such as sensor and control networks. These services include authentication and secure session establishment which are required to exchange information in a trusted and secure manner. These services are essential for many ITS applications and services including time-critical safety applications, automated driving, remote management of ITS stations (ISO 24102-2[5]), and roadside/infrastructure related services.  Withdrawn 2019-08 Edition : 1 Number of pages : 83 Technical Committee 35.030 IT Security ; 03.220.01 Transport in general ; 35.240.60 IT applications in transport
ISO/IEC 21827:2002 Information technology — Systems Security Engineering — Capability Maturity Model (SSE-CMM®)  Withdrawn 2002-10 Edition : 1 Number of pages : 123 Technical Committee 35.030 IT Security
ISO/IEC 21827:2008 Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model® (SSE-CMM®) ISO/IEC 21827:2008 specifies the Systems Security Engineering - Capability Maturity Model® (SSE-CMM®), which describes the essential characteristics of an organization's security engineering process that must exist to ensure good security engineering. ISO/IEC 21827:2008 does not prescribe a particular process or sequence, but captures practices generally observed in industry. The model is a standard metric for security engineering practices covering the following: the entire life cycle, including development, operation, maintenance and decommissioning activities; the whole organization, including management, organizational and engineering activities; concurrent interactions with other disciplines, such as system, software, hardware, human factors and test engineering; system management, operation and maintenance; interactions with other organizations, including acquisition, system management, certification, accreditation and evaluation. The objective is to facilitate an increase of maturity of the security engineering processes within the organization. The SSE-CMM® is related to other CMMs which focus on different engineering disciplines and topic areas and can be used in combination or conjunction with them.  Published 2008-10 Edition : 2 Number of pages : 144 Technical Committee 35.030 IT Security
ISO/IEC 21878:2018 Information technology — Security techniques — Security guidelines for design and implementation of virtualized servers This document specifies security guidelines for the design and implementation of VSs. Design considerations focusing on identifying and mitigating risks, and implementation recommendations with respect to typical VSs are covered in this document. This document is not applicable to: (see also 5.3.2 Exclusions) — desktop, OS, network, and storage virtualization; and — vendor attestation. This document is intended to benefit any organization using and/or providing VSs.  Published 2018-11 Edition : 1 Number of pages : 22 Technical Committee 35.030 IT Security
ISO/IEC 21964-1:2018 Information technology — Destruction of data carriers — Part 1: Principles and definitions This standard defines terms and principles for the destruction of data carriers.  Published 2018-08 Edition : 1 Number of pages : 6 Technical Committee 35.030 IT Security
ISO/IEC 21964-2:2018 Information technology — Destruction of data carriers — Part 2: Requirements for equipment for destruction of data carriers This standard applies to machines for the destruction of data carriers. This standard specifies the requirements for machines in order to ensure the safe destruction of data carriers.  Published 2018-08 Edition : 1 Number of pages : 9 Technical Committee 35.030 IT Security
ISO/IEC 21964-3:2018 Information technology — Destruction of data carriers — Part 3: Process of destruction of data carriers This standard defines the requirements for the process of destruction of data carriers and is applicable for the responsible authority and for all parties who are involved in the destruction process.  Published 2018-08 Edition : 1 Number of pages : 8 Technical Committee 35.030 IT Security
ISO/IEC TR 22216:2022 Information security, cybersecurity and privacy protection — New concepts and changes in ISO/IEC 15408:2022 and ISO/IEC 18045:2022 This document: — describes the breakdown between the former ISO/IEC 15408 series (ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008 and ISO/IEC 15408-3:2008) and ISO/IEC 18045:2008 and the new parts introduced in the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022; — presents the concepts newly introduced as well as the rationale for their inclusion; — proposes an evolution path and information on how to move from CC 3.1 and CEM 3.1 to the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively; — maps the evolutions between CC 3.1 and CEM 3.1 and the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively.  Published 2022-05 Edition : 1 Number of pages : 46 Technical Committee 35.030 IT Security
ISO 22739:2020 Blockchain and distributed ledger technologies — Vocabulary This document provides fundamental terminology for blockchain and distributed ledger technologies.  Published 2020-07 Edition : 1 Number of pages : 10 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/DIS 22739 Blockchain and distributed ledger technologies — Vocabulary  Under development Edition : 2 Number of pages : 14 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/TR 23244:2020 Blockchain and distributed ledger technologies — Privacy and personally identifiable information protection considerations This document provides an overview of privacy and personally identifiable information (PII) protection as applied to blockchain and distributed ledger technologies (DLT) systems.  Published 2020-05 Edition : 1 Number of pages : 17 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/TR 23249:2022 Blockchain and distributed ledger technologies — Overview of existing DLT systems for identity management This document provides an overview of existing DLT systems for identity management, i.e. the mechanisms by which one or more entities can create, receive, modify, use and revoke a set of identity attributes. This document covers the following topics: — managing identity for individuals, organizations, things (IoT and objects), functions and processes and other entities, including within and across DLT systems; — description of the actors, their interactions and common interfaces; — architectures; — existing relevant standards and frameworks.  Published 2022-05 Edition : 1 Number of pages : 37 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO 23257:2022 Blockchain and distributed ledger technologies — Reference architecture This document specifies a reference architecture for Distributed Ledger Technology (DLT) systems including blockchain systems. The reference architecture addresses concepts, cross-cutting aspects, architectural considerations, and architecture views, including functional components, roles, activities, and their relationships for blockchain and DLT.  Published 2022-02 Edition : 1 Number of pages : 52 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/TS 23258:2021 Blockchain and distributed ledger technologies — Taxonomy and Ontology This document specifies a taxonomy and an ontology for blockchain and distributed ledger technologies (DLT). The taxonomy includes a taxonomy of concepts, a taxonomy of DLT systems and a taxonomy of application domains, purposes and economy activity sections for use cases. The ontology includes classes and attributes as well as relations between concepts. The audience includes but is not limited to academics, architects, customers, users, tool developers, regulators, auditors and standards development organizations.  Published 2021-11 Edition : 1 Number of pages : 28 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/DTS 23259 Blockchain and distributed ledger technologies — Legally binding smart contracts  Deleted Edition : 1 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/IEC 1539-1:2004/Cor 4:2009 Information technology — Programming languages — Fortran — Part 1: Base language — Technical Corrigendum 4  Withdrawn 2009-09 Edition : 2 Number of pages : 4 Technical Committee 35.060 Languages used in information technology
ISO/TR 23455:2019 Blockchain and distributed ledger technologies — Overview of and interactions between smart contracts in blockchain and distributed ledger technology systems This document provides an overview of smart contracts in BC/DLT systems; describing what smart contracts are and how they work. It also discusses methods of interaction between multiple smart contracts. This document focuses on technical aspects of smart contracts. Smart contracts for legally binding use and applications will only be briefly mentioned in this document.  Published 2019-09 Edition : 1 Number of pages : 42 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/IEC TS 23532-1:2021 Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 1: Evaluation for ISO/IEC 15408 This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.  Published 2021-11 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC TS 23532-2:2021 Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories — Part 2: Testing for ISO/IEC 19790 This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.  Published 2021-11 Edition : 1 Number of pages : 26 Technical Committee 35.030 IT Security
ISO/TR 23576:2020 Blockchain and distributed ledger technologies — Security management of digital asset custodians This document discusses the threats, risks, and controls related to: — systems that provide digital asset custodian services and/or exchange services to their customers (consumers and businesses) and management of security when an incident occurs; — asset information (including the signature key of the digital asset) that a custodian of digital assets manages. This document is addressed to digital asset custodians that manage signature keys associated with digital asset accounts. In such a case, certain specific recommendations apply. The following is out of scope of this document: — core security controls of blockchain and DLT systems; — business risks of digital asset custodians; — segregation of customer's assets; — governance and management issues.  Published 2020-12 Edition : 1 Number of pages : 35 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/TS 23635:2022 Blockchain and distributed ledger technologies — Guidelines for governance This document provides guiding principles and a framework for the governance of DLT systems. The document also provides guidance on the fulfilment of governance, including risk and regulatory contexts, that supports the effective, efficient, and acceptable use of DLT systems.  Published 2022-02 Edition : 1 Number of pages : 26 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/TR 23644 Blockchain and distributed ledger technologies (DLTs) — Overview of trust anchors for DLT-based identity management  Under development Edition : 1 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking ; 35.240.99 IT applications in other fields
ISO/IEC DIS 23837-1 Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 1: Requirements  Under development Edition : 1 Number of pages : 51 Technical Committee 35.030 IT Security
ISO/IEC DIS 23837-2 Information security — Security requirements, test and evaluation methods for quantum key distribution — Part 2: Evaluation and testing methods  Under development Edition : 1 Number of pages : 100 Technical Committee 35.030 IT Security
ISO/TR 24374 Financial services — Security information for PKI in blockchain and DLT implementations  Under development 2023-04 Edition : 1 Technical Committee 35.030 IT Security ; 35.240.40 IT applications in banking
ISO/IEC FDIS 24392 Cybersecurity — Security reference model for industrial internet platform (SRM- IIP)  Under development Edition : 1 Number of pages : 34 Technical Committee 35.030 IT Security
ISO/IEC 1539-1:2004 Information technology — Programming languages — Fortran — Part 1: Base language ISO/IEC 1539-1:2004 specifies the form and establishes the interpretation of programs expressed in the base Fortran language. Its purpose is to promote portability, reliability, maintainability and efficient execution of Fortran programs for use on a variety of computing systems.  Withdrawn 2004-11 Edition : 2 Number of pages : 567 Technical Committee 35.060 Languages used in information technology
ISO/IEC TR 24485:2022 Information security, cybersecurity and privacy protection — Security techniques — Security properties and best practices for test and evaluation of white box cryptography This document introduces security properties and provides best practices on the test and evaluation of white box cryptography (WBC). WBC is an implementation of a cryptographic algorithm specialized for a particular key or secret, built so that the key cannot be extracted from it. The WBC implementation can consist of plain source code for the cryptographic algorithm and/or of a device implementing the algorithm. In both cases, security functions are implemented to deter an attacker from uncovering the key or secret. The security properties consist in the secrecy of the security parameters concealed within the white box implementation. Best practices for test and evaluation include mathematical and practical analyses, static and dynamic analyses, and non-invasive and invasive analyses. This document is related to ISO/IEC 19790, which specifies security requirements for cryptographic modules. In those modules, critical security parameters (CSPs) and public security parameters (PSPs) are the assets to protect; WBC is one solution for concealing CSPs inside the implementation.  Published 2022-10 Edition : 1 Number of pages : 12 Technical Committee 35.030 IT Security
ISO/IEC 24745:2011 Information technology — Security techniques — Biometric information protection ISO/IEC 24745:2011 provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745:2011 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. ISO/IEC 24745:2011 specifies the following: analysis of the threats to, and countermeasures inherent in, biometrics and biometric system application models; security requirements for secure binding between a biometric reference and an identity reference; biometric system application models with different scenarios for the storage of biometric references and comparison; and guidance on the protection of an individual's privacy during the processing of biometric information. ISO/IEC 24745:2011 does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.  Withdrawn 2011-06 Edition : 1 Number of pages : 50 Technical Committee 35.030 IT Security
ISO/IEC 24745:2022 Information security, cybersecurity and privacy protection — Biometric information protection This document covers the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. It also provides requirements and recommendations for the secure and privacy-compliant management and processing of biometric information. This document specifies the following: — analysis of the threats to, and countermeasures inherent in, biometrics and biometric system application models; — security requirements for securely binding a biometric reference (BR) to an identity reference (IR); — biometric system application models with different scenarios for the storage and comparison of BRs; — guidance on the protection of an individual's privacy during the processing of biometric information. This document does not include general management issues related to physical security, environmental security and key management for cryptographic techniques.  Published 2022-02 Edition : 2 Number of pages : 63 Technical Committee 35.030 IT Security
ISO/IEC 24759:2008 Information technology — Security techniques — Test requirements for cryptographic modules ISO/IEC 24759:2008 specifies the methods to be used by testing laboratories to test whether a cryptographic module conforms to the requirements specified in ISO/IEC 19790:2006. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories. Within each subclause of the security requirements clause of ISO/IEC 24759:2008, the corresponding security requirements from ISO/IEC 19790:2006 are divided into a set of assertions (i.e. statements that have to be true for the module to satisfy the requirement of a given area at a given level). All of the assertions are direct quotations from ISO/IEC 19790:2006. Following each assertion is a set of requirements levied on the vendor. These specify the types of documentation or explicit information that the vendor is required to provide in order for the tester to verify conformance to the given assertion. Also following each assertion and the requirements levied on the vendor is a set of requirements levied on the tester of the cryptographic module. These specify what the tester needs to do in order to test the cryptographic module with respect to the given assertion. Vendors can use ISO/IEC 24759:2008 as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2006 before they apply to the testing laboratory for testing.  Withdrawn 2008-07 Edition : 1 Number of pages : 103 Technical Committee 35.030 IT Security
ISO/IEC 24759:2014 Information technology — Security techniques — Test requirements for cryptographic modules ISO/IEC 24759:2014 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012/Cor.1:2015. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories. ISO/IEC 24759:2014 also specifies the requirements for information that vendors provide to testing laboratories as supporting evidence to demonstrate their cryptographic modules' conformity to the requirements specified in ISO/IEC 19790:2012/Cor.1:2015. Vendors can use this International Standard as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012/Cor.1:2015 before they apply to the testing laboratory for testing.  Withdrawn 2014-02 Edition : 2 Number of pages : 135 Technical Committee 35.030 IT Security
ISO/IEC 24759:2014/Cor 1:2015 Information technology — Security techniques — Test requirements for cryptographic modules — Technical Corrigendum 1  Withdrawn 2015-10 Edition : 2 Number of pages : 135 Technical Committee 35.030 IT Security
ISO/IEC 24759:2017 Information technology — Security techniques — Test requirements for cryptographic modules ISO/IEC 24759:2017 specifies the methods to be used by testing laboratories to test whether the cryptographic module conforms to the requirements specified in ISO/IEC 19790:2012. The methods are developed to provide a high degree of objectivity during the testing process and to ensure consistency across the testing laboratories. This document also specifies the requirements for information that vendors provide to testing laboratories as supporting evidence to demonstrate their cryptographic modules' conformity to the requirements specified in ISO/IEC 19790:2012. Vendors can use this document as guidance in trying to verify whether their cryptographic modules satisfy the requirements specified in ISO/IEC 19790:2012 before they apply to the testing laboratory for testing.  Published 2017-03 Edition : 3 Number of pages : 135 Technical Committee 35.030 IT Security
ISO/IEC CD 24759 Information technology — Security techniques — Test requirements for cryptographic modules  Under development Edition : 4 Technical Committee 35.030 IT Security
ISO/IEC 24760-1:2011 Information technology — Security techniques — A framework for identity management — Part 1: Terminology and concepts ISO/IEC 24760-1:2011 defines terms for identity management, and specifies core concepts of identity and identity management and their relationships. It is applicable to any information system that processes identity information. A bibliography of documents describing various aspects of identity information management is provided.  Withdrawn 2011-12 Edition : 1 Number of pages : 20 Technical Committee 35.030 IT Security
ISO/IEC 24760-1:2019 IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts This document defines terms for identity management, and specifies core concepts of identity and identity management and their relationships. It is applicable to any information system that processes identity information.  Published 2019-05 Edition : 2 Number of pages : 24 Technical Committee 35.030 IT Security
ISO/IEC 24760-1:2019/Amd 1:2023 IT Security and Privacy — A framework for identity management — Part 1: Terminology and concepts — Amendment 1  Published 2023-01 Edition : 2 Number of pages : 4 Technical Committee 35.030 IT Security
ISO/IEC 24760-2:2015 Information technology — Security techniques — A framework for identity management — Part 2: Reference architecture and requirements ISO/IEC 24760-2:2015 provides guidelines for the implementation of systems for the management of identity information, and specifies requirements for the implementation and operation of a framework for identity management. ISO/IEC 24760-2:2015 is applicable to any information system where information relating to identity is processed or stored.  Published 2015-06 Edition : 1 Number of pages : 47 Technical Committee 35.030 IT Security
ISO/IEC DIS 24760-2 IT Security and Privacy — A framework for identity management — Part 2: Reference architecture and requirements  Under development Edition : 2 Number of pages : 47 Technical Committee 35.030 IT Security
ISO/IEC 24760-3:2016 Information technology — Security techniques — A framework for identity management — Part 3: Practice ISO/IEC 24760-3:2016 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2. ISO/IEC 24760-3:2016 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.  Published 2016-08 Edition : 1 Number of pages : 31 Technical Committee 35.030 IT Security
ISO/IEC 24760-3:2016/Amd 1:2023 Information technology — Security techniques — A framework for identity management — Part 3: Practice — Amendment 1: Identity Information Lifecycle processes  Published 2023-01 Edition : 1 Number of pages : 3 Technical Committee 35.030 IT Security
ISO/IEC 24761:2009 Information technology — Security techniques — Authentication context for biometrics ISO/IEC 24761:2009 specifies the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site. ISO/IEC 24761:2009 allows any ACBio instance to accompany any data item that is involved in any biometric process related to verification and enrolment. The specification of ACBio is applicable not only to single modal biometric verification but also to multimodal fusion. ISO/IEC 24761:2009 specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is based on an abstract Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using either a compact binary encoding or a human-readable XML encoding. ISO/IEC 24761:2009 does not define protocols to be used between entities such as biometric processing units, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.  Withdrawn 2009-05 Edition : 1 Number of pages : 50 Technical Committee 35.030 IT Security
ISO/IEC 24761:2019 Information technology — Security techniques — Authentication context for biometrics This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-time information of presentation attack detection is not provided in this document. Only the assurance information of presentation attack detection (PAD) mechanism can be contained in the BPU report. Biometric identification is out of the scope of this document. This document specifies the cryptographic syntax of an ACBio instance. The cryptographic syntax of an ACBio instance is defined in this document applying a data structure specified in Cryptographic Message Syntax (CMS) schema whose concrete values can be represented using a compact binary encoding. This document does not define protocols to be used between entities such as BPUs, claimant, and validator. Its concern is entirely with the content and encoding of the ACBio instances for the various processing activities.  Published 2019-10 Edition : 2 Number of pages : 75 Technical Committee 35.030 IT Security
ISO/IEC 24762:2008 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services ISO/IEC 24762:2008 provides guidelines on the provision of information and communications technology disaster recovery (ICT DR) services as part of business continuity management, applicable to both “in-house” and “outsourced” ICT DR service providers of physical facilities and services. ISO/IEC 24762:2008 specifies: the requirements for implementing, operating, monitoring and maintaining ICT DR services and facilities; the capabilities which outsourced ICT DR service providers should possess and the practices they should follow, so as to provide basic secure operating environments and facilitate organizations' recovery efforts; the guidance for selection of recovery site; and the guidance for ICT DR service providers to continuously improve their ICT DR services.  Withdrawn 2008-02 Edition : 1 Number of pages : 67 Technical Committee 35.030 IT Security
ISO/IEC 27000:2009 Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27000:2009 provides an overview of information security management systems, which form the subject of the information security management system (ISMS) family of standards, and defines related terms. As a result of implementing ISO/IEC 27000:2009, all types of organization (e.g. commercial enterprises, government agencies and non-profit organizations) are expected to obtain: an overview of the ISMS family of standards; an introduction to information security management systems (ISMS); a brief description of the Plan-Do-Check-Act (PDCA) process; and an understanding of terms and definitions in use throughout the ISMS family of standards. The objectives of ISO/IEC 27000:2009 are to provide terms and definitions, and an introduction to the ISMS family of standards that: define requirements for an ISMS and for those certifying such systems; provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements; address sector-specific guidelines for ISMS; and address conformity assessment for ISMS.  Withdrawn 2009-05 Edition : 1 Number of pages : 19 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 03.100.70 Management systems
ISO/IEC 27000:2012 Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27000:2012 describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions. ISO/IEC 27000:2012 is applicable to all types and sizes of organisation (e.g. commercial enterprises, government agencies, not-for-profit organisations).  Withdrawn 2012-12 Edition : 2 Number of pages : 25 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 03.100.70 Management systems
ISO/IEC 27000:2014 Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27000:2014 provides the overview of information security management systems (ISMS), and terms and definitions commonly used in the ISMS family of standards. It is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).  Withdrawn 2014-01 Edition : 3 Number of pages : 31 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 03.100.70 Management systems
ISO/IEC 27000:2016 Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27000:2016 provides the overview of information security management systems, and terms and definitions commonly used in the ISMS family of standards. This International Standard is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations).  Withdrawn 2016-02 Edition : 4 Number of pages : 34 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies) ; 03.100.70 Management systems
ISO/IEC 27000:2018 Information technology — Security techniques — Information security management systems — Overview and vocabulary ISO/IEC 27000:2018 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, not-for-profit organizations). The terms and definitions provided in this document - cover commonly used terms and definitions in the ISMS family of standards; - do not cover all terms and definitions applied within the ISMS family of standards; and - do not limit the ISMS family of standards in defining new terms for use.  Published 2018-02 Edition : 5 Number of pages : 27 Technical Committee 35.030 IT Security ; 01.040.35 Information technology (Vocabularies)
ISO/IEC 27002:2005 Information technology — Security techniques — Code of practice for information security management ISO/IEC 27002:2005 comprises ISO/IEC 17799:2005 and ISO/IEC 17799:2005/Cor.1:2007. Its technical content is identical to that of ISO/IEC 17799:2005. ISO/IEC 17799:2005/Cor.1:2007 changes the reference number of the standard from 17799 to 27002. ISO/IEC 27002:2005 establishes guidelines and general principles for initiating, implementing, maintaining, and improving information security management in an organization. The objectives outlined provide general guidance on the commonly accepted goals of information security management. ISO/IEC 27002:2005 contains best practices of control objectives and controls in the following areas of information security management: security policy; organization of information security; asset management; human resources security; physical and environmental security; communications and operations management; access control; information systems acquisition, development and maintenance; information security incident management; business continuity management; compliance. The control objectives and controls in ISO/IEC 27002:2005 are intended to be implemented to meet the requirements identified by a risk assessment. ISO/IEC 27002:2005 is intended as a common basis and practical guideline for developing organizational security standards and effective security management practices, and to help build confidence in inter-organizational activities.  Withdrawn 2005-06 Edition : 1 Number of pages : 115 Technical Committee 35.030 IT Security
ISO/IEC 27002:2013 Information technology — Security techniques — Code of practice for information security controls ISO/IEC 27002:2013 gives guidelines for organizational information security standards and information security management practices including the selection, implementation and management of controls taking into consideration the organization's information security risk environment(s). It is designed to be used by organizations that intend to: select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001; implement commonly accepted information security controls; develop their own information security management guidelines.  Withdrawn 2013-10 Edition : 2 Number of pages : 80 Technical Committee 35.030 IT Security
ISO/IEC 27002:2013/Cor 1:2014 Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 1  Withdrawn 2014-09 Edition : 2 Number of pages : 3 Technical Committee 35.030 IT Security
ISO/IEC 27002:2013/Cor 2:2015 Information technology — Security techniques — Code of practice for information security controls — Technical Corrigendum 2  Withdrawn 2015-11 Edition : 2 Number of pages : 2 Technical Committee 35.030 IT Security
ISO/IEC 27002:2022 Information security, cybersecurity and privacy protection — Information security controls This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations: a) within the context of an information security management system (ISMS) based on ISO/IEC 27001; b) for implementing information security controls based on internationally recognized best practices; c) for developing organization-specific information security management guidelines.  Published 2022-02 Edition : 3 Number of pages : 152 Technical Committee 35.030 IT Security
ISO/IEC 27003:2010 Information technology — Security techniques — Information security management system implementation guidance ISO/IEC 27003:2010 focuses on the critical aspects needed for successful design and implementation of an Information Security Management System (ISMS) in accordance with ISO/IEC 27001:2005. It describes the process of ISMS specification and design from inception to the production of implementation plans. It describes the process of obtaining management approval to implement an ISMS, defines a project to implement an ISMS (referred to in ISO/IEC 27003:2010 as the ISMS project), and provides guidance on how to plan the ISMS project, resulting in a final ISMS project implementation plan.  Withdrawn 2010-02 Edition : 1 Number of pages : 68 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 27003:2017 Information technology — Security techniques — Information security management systems — Guidance ISO/IEC 27003:2017 provides explanation and guidance on ISO/IEC 27001:2013.  Published 2017-03 Edition : 2 Number of pages : 45 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO 13416:1997 Aerospace — Airframe needle track roller, yoke type, single-row, sealed — Metric series  Withdrawn 1997-12 Edition : 1 Number of pages : 8 Technical Committee 49.035 Components for aerospace construction
ISO/IEC 27004:2016 Information technology — Security techniques — Information security management — Monitoring, measurement, analysis and evaluation ISO/IEC 27004:2016 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes: a) the monitoring and measurement of information security performance; b) the monitoring and measurement of the effectiveness of an information security management system (ISMS) including its processes and controls; c) the analysis and evaluation of the results of monitoring and measurement. ISO/IEC 27004:2016 is applicable to all types and sizes of organizations.  Published 2016-12 Edition : 2 Number of pages : 58 Technical Committee 35.030 IT Security
ISO/IEC 27005:2008 Information technology — Security techniques — Information security risk management ISO/IEC 27005:2008 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2008. ISO/IEC 27005:2008 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.  Withdrawn 2008-06 Edition : 1 Number of pages : 55 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 27005:2011 Information technology — Security techniques — Information security risk management ISO/IEC 27005:2011 provides guidelines for information security risk management. It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005:2011. ISO/IEC 27005:2011 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization's information security.  Withdrawn 2011-06 Edition : 2 Number of pages : 68 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC 27005:2018 Information technology — Security techniques — Information security risk management This document provides guidelines for information security risk management. This document supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach. Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of this document. This document is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that can compromise the organization's information security.  Withdrawn 2018-07 Edition : 3 Number of pages : 56 Technical Committee 35.030 IT Security
ISO/IEC 27005:2022 Information security, cybersecurity and privacy protection — Guidance on managing information security risks This document provides guidance to assist organizations to: — fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks; — perform information security risk management activities, specifically information security risk assessment and treatment. This document is applicable to all organizations, regardless of type, size or sector.  Published 2022-10 Edition : 4 Number of pages : 62 Technical Committee 35.030 IT Security
ISO/IEC DIS 27006-1.2 Information technology, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems — Part 1: General ISO/IEC 27006:2015 specifies requirements and provides guidance for bodies providing audit and certification of an information security management system (ISMS), in addition to the requirements contained within ISO/IEC 17021-1 and ISO/IEC 27001. It is primarily intended to support the accreditation of certification bodies providing ISMS certification. The requirements contained in this International Standard need to be demonstrated in terms of competence and reliability by any body providing ISMS certification, and the guidance contained in this International Standard provides additional interpretation of these requirements for any body providing ISMS certification. NOTE This International Standard can be used as a criteria document for accreditation, peer assessment or other audit processes.  Under development Edition : 1 Number of pages : 62 Technical Committee 35.030 IT Security ; 03.120.20 Product and company certification. Conformity assessment
ISO/IEC 27007:2011 Information technology — Security techniques — Guidelines for information security management systems auditing ISO/IEC 27007:2011 provides guidance on managing an information security management system (ISMS) audit programme, on conducting the audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. ISO/IEC 27007:2011 is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.  Withdrawn 2011-11 Edition : 1 Number of pages : 27 Technical Committee 35.030 IT Security ; 03.100.70 Management systems
ISO/IEC CD 27006-2.2 Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.  Under development Edition : 1 Technical Committee 35.030 IT Security ; 03.120.20 Product and company certification. Conformity assessment
ISO/IEC TS 27006-2:2021 Requirements for bodies providing audit and certification of information security management systems — Part 2: Privacy information management systems This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification. The requirements contained in this document need to be demonstrated in terms of competence and reliability by any body providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification. NOTE This document can be used as a criteria document for accreditation, peer assessment or other audit processes.  Published 2021-02 Edition : 1 Number of pages : 9 Technical Committee 35.030 IT Security ; 03.120.20 Product and company certification. Conformity assessment