ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1. The evaluation of presentation attack detection techniques is out of the scope of this document ex...view more

For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systemsthis document specifies: — extended security functional components to SFR Classes in ISO/IEC 15408-2; — supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3. This document introduces the general framework for the security evaluation of biometric systems, including extended security fu...view more

This document specifies the security and privacy aspects applicable to the big data reference architecture (BDRA) including the big data roles, activities and functional components and also provides guidance on security and privacy operations for big data.

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. This document is applicable only to TOEs for single biometric characteristic type but for the selection of a c...view more

This document gives guidelines for information security incident response in ICT security operations. This document does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion. This document is...view more

This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.

This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation: — evidence generation; — evidence transfer, storage and retrieval; and — evidence verification. Dispute arbitration is outside the scope of the ISO/IEC 13888 series.

This document specifies controls which shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals. This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 2700...view more

This document specifies the test calibration methods and apparatus used when calibrating test tools for cryptographic modules under ISO/IEC 19790 and ISO/IEC 24759 against the test metrics defined in ISO/IEC 17825 for mitigation of non-invasive attack classes.

This document provides requirements and recommendations on activities in electronic discovery, including, but not limited to, identification, preservation, collection, processing, review, analysis and production of electronically stored information (ESI). In addition, this document specifies relevant measures that span the lifecycle of the ESI from its initial creation through to final disposition. This document is relevant to both non-technical and technical personnel involved in some or all of...view more

This document provides guidance on managing an information security management system (ISMS) audit programme, on conducting audits, and on the competence of ISMS auditors, in addition to the guidance contained in ISO 19011. This document is applicable to those needing to understand or conduct internal or external audits of an ISMS or to manage an ISMS audit programme.

This document specifies three block ciphers suitable for applications requiring lightweight cryptographic implementations: — PRESENT: a lightweight block cipher with a block size of 64 bits and a key size of 80 or 128 bits; — CLEFIA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits; — LEA: a lightweight block cipher with a block size of 128 bits and a key size of 128, 192 or 256 bits.

Electronic discovery is the process of discovering pertinent Electronically Stored Information (ESI) or data by one or more parties involved in an investigation or litigation, or similar proceeding. This document provides an overview of electronic discovery. In addition, it defines related terms and describes the concepts, including, but not limited to, identification, preservation, collection, processing, review, analysis, and production of ESI. This document also identifies other relevant stan...view more

This document provides specifications for non-invasive attack test tools and provides information about how to operate such tools. The purpose of the test tools is the collection of signals (i.e. side-channel leakage) and their analysis as a non-invasive attack on a cryptographic module implementation under test (IUT).

This document defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric enrolment and verification process executed at a remote site. This document allows any ACBio instance to accompany any biometric processes related to enrolment and verification. The specification of ACBio is applicable not only to single modal biometric enrolment and verification but also to multimodal fusion. The real-ti...view more

This document specifies a methodology for the evaluation of non-deterministic or deterministic random bit generators intended to be used for cryptographic applications. The provisions given in this document enable the vendor of an RBG to submit well-defined claims of security to an evaluation authority and shall enable an evaluator or a tester, for instance a validation authority, to evaluate, test, certify or reject these claims. This document is implementation-agnostic. Hence, it offers no spe...view more