SC27 Platinum Book
Twenty Years of ISO/IEC JTC 1/SC27
Information Security Standardisation




Editor: Prof. Edward Humphreys




Copyright 2010
The author(s) associated with each specific article presented in this publication (with the exception of those mentioned in Note 1) have asserted their moral rights as authors of the said articles under their own national and international copyright laws.
Neither the editor of this publication nor ISO/IEC JTC 1/SC27 is responsible for the accuracy of the content of these articles and so cannot be held liable regarding the reader's use, interpretation or any implementation of these articles or their content.
Note 1. This Book also contains several articles from the ISO Focus and ISO Management Systems magazines. They are reproduced in this Book with the kind permission of the ISO Central Secretariat, which retains full copyright over these articles. These particular articles first appeared in various editions of the following magazines: ISO Focus (www.iso.org/isofocus) and ISO Management Systems, as indicated in the footer of each article.


Acknowledgements
A special thanks is given to all those that have contributed articles to this publication and also to the organizations that have sent letters of congratulations to SC27 on its 20th birthday.


Microsoft Sponsorship
Finally, a special thanks go to Microsoft Corporation for their kind sponsorship of this publication and their support of ISO/IEC JTC 1/SC 27.

Prof. Edward J Humphreys
Platinum Book Editor

Printers
Gipping Press Ltd
Unit 2
Lion Barn Industrial Estate
Needham Market
Suffolk, UK





Foreword by
ISO Secretary-General
Mr. Rob Steele
to the book celebrating the
20th anniversary of
ISO/IEC JTC 1/SC 27, IT security techniques

E-business is as much an essential way of doing business in the
corporate world as it has for public sector organizations and for
individual consumers and citizens. Its undoubted advantages also
bring new risks. These can range from fraudulent transactions to
mistakes in identifying citizens, customers and business partners.

These and other risks can lead to actual or potential financial loss
and therefore loss of confidence. This, in turn, can have a significant
financial impact on citizens using the Internet for on-line shopping,
and on businesses or public sector bodies exchanging legal
documents, or performing electronic payments or transactions.

In addition, information in all its forms is a well recognized and
powerful lever for the success of an organization and this is as
true for small and medium-sized organizations (SMEs), in both
private and public sectors, as it is for large organizations.
In this environment, it is clear that the standards developed by
ISO/JTC 1/SC 27, IT security techniques, provide considerable
benefits to business, government and to people in their roles as
consumers and citizens.
SC 27 is responsible for two of ISO's best-selling and most
widely implemented standards, ISO/IEC 27001 and ISO/IEC
27002, for information security management systems.
These follow on the past success of SC 27 in developing the
Security Evaluation Criteria (also known as the "Common
Criteria") for security products.
In addition, SC 27 has been at the forefront in developing
encryption and digital security standards. But not content to rest
on its laurels, SC 27 has already embarked on or is planning
future standards including ones to solve the problems of identity

management, privacy, cyber security and IT readiness for
business continuity.
In view of SC 27's impressive track record combined with its
forward-looking perspective, it gives me great pleasure to wish
the subcommittee, its officers and all the international experts,
past and present, who have contributed to its success, a well
deserved and joyful 20th anniversary celebration, as well as best
wishes for the future.


CONTENTS

Welcome
Letters of Congratulations

ITU-T
DIN
AFNOR
BSI
NIST
ENISA
ISMS User Group

ISO/IEC JTC 1/SC27
The Times they are a-Changing: SC 27's role in an altering security landscape (Dr Walter Fumy and Dr Marijke De Soete)
SC27 Information (Professor Edward Humphreys and Dale Johnstone)
ISO/IEC JTC 1 SC27 - The Show Must Go On (Dale Johnstone)
'Memories are made of this': A view of the past (Professor Edward Humphreys)

SC27 WG1
WG1 Information Security Management System Standards (Professor Edward Humphreys)
ISO/IEC 27005 and Risk Management (Anders Carlstedt)
Could maturity help risk management? (Matthieu Grall)
Father of ISMS Standards (James Butler-Stewart)
Case studies show value of ISO/IEC 27001 conformity (ISO Management Systems)
Information security management systems for small and medium-sized enterprises (ISO Management Systems)
Service management with a smile of confidence (ISO Focus)

SC27 WG2
Cryptographic Standards: Achievements, Current Activities and Future Perspectives of SC 27/WG 2 (Prof. Kenji Naemura and Takeshi Chikazawa)
Standardization of modern cryptographic mechanisms: lightweight cryptography (Riaal Domingues)
Using ISO Security Standards in International Payment Card Systems (Mike Ward and David Main)
ECRYPT II European Network of Excellence for Cryptology (Bart Preneel)

SC27 WG3
Current Activities and Future Perspectives of SC 27/WG 3 (Miguel Bañón)
ISO 15408, the Common Criteria Recognition Arrangement, and the role of SC27 (David Martin)
ISO/IEC 19790 Security Requirements for Cryptographic Modules (Randall Easter and Jean-Pierre Quemard)
Security attributes extension and relation with dependability (Anne Coat Ramos and Jean Caire)
Evaluation Criteria for IT Security (Professor Svein Johan Knapskog)
Assurance landscape (John Hopkinson)
ISO/IEC 19792 - The first biometric project in SC 27 (Nils Tekampe)
SSE-CMM (John Hopkinson)
Professor Mats Ohlin - An obituary (Dag Ströman and Mike Nash)

SC27 WG4
Establishing Information Security Readiness - a standard approach (Dr Meng Chow Kang)
Information Security & Business Continuity - ICT Readiness of an Enterprise (Philip Sy)
Information Security Incident Management is renewed as International Standard (Yoshihiro Satoh)
Information security: Risks or hazards (ISO Focus)

SC27 WG5
Technologies for privacy, identity management and biometrics (Professor Kai Rannenberg)
ACBio, the first International Standard on online biometric verification, and its harmonization activities with other standards bodies (Yamada Asahiko)
FIDIS (Hans Hedbom)
PICOS congratulates SC 27 on its 20th birthday! (Zdenek Riha)

Welcome to the SC27 Platinum Book

This book has been produced to celebrate the twentieth birthday of ISO/IEC JTC 1/SC27, the sub-committee responsible for information and IT security standards. Included in this book are many articles written by experts working in SC27, as well as by the current and past officers of SC27. Also included are statements and letters from liaison organizations that work with SC27, as well as from some of the National Standards Bodies that are members of SC27.

ISO/IEC JTC 1/SC27 is an internationally recognized centre of information security expertise serving the needs of many business sectors as well as governments. Its work covers both management standards and technical standards. The work of ISO/IEC JTC 1/SC27 is in direct response to business, government and consumer requirements for information security standards. The articles in this Platinum Book reflect some of the many achievements of SC27 since its establishment in April 1990. These achievements have flourished as a direct result of SC 27 keeping up to date with changes in market and business requirements, greater interest in management systems security, new threats and risks, new technology, ubiquitous deployment of wireless and mobile computing and communications networks and devices, societal security, economic changes and the impact of new regulations and legislation.

The work of SC27 enables organizations to engage in preventive actions to protect their information and to support business availability and continuity, and to avoid businesses continually needing to apply corrective action to resolve the security compromises and failures of yesterday and the past. It is more economically sound for the ISO/IEC community to work towards preventive actions rather than corrective actions. In particular such protection is required to maintain operational conditions within business environments within and across industry sectors, for economic growth and national and global sustainability, as well as for critical infrastructure purposes in times of crisis and disasters.

Congratulations go to all those that have been involved in the success of SC27 over the last twenty years, and to the readers of this publication: please make yourselves comfortable and enjoy the read.


Prof. Edward Humphreys
Platinum Book Editor
June 2010







Letters of Congratu|at|ons




June 2010

Dear Dr Fumy

Congratulations on the 20th birthday of ISO/IEC JTC1/SC27. ITU-T Study Group 17 (Security) and its predecessor Study Group 7 are pleased with our long and fruitful partnership with SC 27 in developing ICT security standards.

For example, early joint work with SC 27 on trusted third party services resulted in the common text standards ITU-T X.841 | ISO/IEC 15816, ITU-T X.842 | ISO/IEC TR 14516 and ITU-T X.843 | ISO/IEC 15945. This was followed by the twin texts ITU-T X.805 and ISO/IEC 18028-2 on network security architecture.

In the ITU-T study period of 2005-2008, SG 17 worked jointly with SC 27, especially WG 1, on Information Security Management Systems (ISMS) in order to develop an identical standard for the Information Security Management Guideline for telecommunications organizations between ISO/IEC and ITU-T. The work was successfully completed in 2008, resulting in ITU-T X.1051 | ISO/IEC 27011.

Expanding on these successful experiences, SG 17 is now working jointly with SC 27 on information security governance, identity management (IdM), cybersecurity, and other topics. SG 17 is pleased with the joint cooperation in developing security standards and in workshops. We look forward to continuing strong collaboration in the common areas of ICT security.



Herb Bertine
Chairman of ITU-T SG 17 (2001-2008)
Chairman of ITU-T SG 7 (1993-2001)
Arkadiy Kremer
Study Group 17 Chairman, 2008-2012






Dear Members of JTC 1/SC 27 IT Security techniques


Cord Wischhöfer is the Secretary of NIA, the German mirror committee of JTC 1. He joined DIN, the German Institute for Standardization, in 1993. Since then he has worked in various national and international standards committees, e.g. those on information technology, terminology, documentation and graphic technology. Cord is also a member of the German delegation to JTC 1 and participates in the work of JTC 1/SWG-D and SWG-P.

JTC 1/SC 27 is celebrating its 20th anniversary this year. You, we,
can look back on 20 years of very successful standardization
work in the field of IT Security.
Even though 20 years may appear to be quite a long time the
story of JTC 1/SC 27 is not yet over. Quite to the contrary! It is
obvious to me that the work of the committee is becoming more
and more important and that the results of your work are increasingly
accepted worldwide. This is apparent from the large number
of national bodies that participate in the work as well as the great
amount of work that is being done in the working groups. The high
quality of the standards developed by JTC 1/SC 27 explains why
these standards are adopted at the national level and applied at
the international one.
I am proud of the achievements of JTC 1/SC 27 and NIA, the
German mirror committee of JTC 1, is glad that we have been
able to contribute to the success of the international committee
through the technical expertise of our experts, the work of the
JTC 1/SC 27 Secretariat and the leadership of the SC Chairmen
over the years.
Looking into the future I am pleased to assure you that Germany
is fully committed to continuing the success story of JTC 1/SC 27.
The German IT industry and the German government continue to
strongly support the work of the JTC/SC 27 Secretariat. NIA will
make sure that the resources needed for efficiently running the
committee's secretariat are available and we will do our best to
meet the future demands of JTC 1/SC 27.
Yours sincerely



SECURITY IN MIND
The JTC 1/SC 27 French mirror committee:
AFNOR Groupe de coordination Sécurité des Systèmes d'Information (GC SSI)


The rapid evolution, indeed dazzling in recent years, of information, network communication and Internet technologies is offset by the increase of risks associated with data manipulation, storage and transmission. As a matter of fact, this progress highlights the absolute need for protection not only for computing, but also for data, when exchanged and stored, as well as for IT systems.

More than ever, the news echoes with failures and hackings. However, beyond these much-publicized exemplary cases, how many private and public organizations are paying for dysfunctions and scams because of inefficient information security?

For SMBs, large industrial groups, banks or even government services, the security of their information systems, the keystone for externally-oriented activities (sales, purchase, promotion, etc.) as well as for internally-oriented activities (human resources management, accounting, etc.), has become crucial, if not vital!

Thus, it is essential that users of these technologies can have full confidence in the systems they use. This confidence, resulting from the application of security techniques, may be increased through the implementation of operational security policies, efficient and scalable in the organization, and the adoption of standards that will effectively ensure the achievement of the desired level of security, expressed in terms of: data availability, integrity and confidentiality, equipment and software interoperability, as well as comparative information security governance practices.

Nevertheless, despite the fact that ISMS has become the main concern of IT managers, information security should not be limited to the scope of their own company or public authority, but extended to the global approach to security that the interconnection of networks and systems requires.

In this context, the use of standardized techniques is a key asset as it allows transparency, comparability, improvement and skills enhancement in an area where, by nature, the reflexes of discretion and secrecy persist as a token of pseudo-efficiency.

This standardization eases the use of tools and systems that can communicate together, as well as enabling solution providers to preserve their market share. Actually, in the absence of an objective basis for the comparison of their products, there would be a risk for them not to meet the needs of users, allowing globalized suppliers and industrials to promote incompatible and non-interoperable proprietary solutions. This comes in addition to the risks related to security and economic thievery that could result from the use of algorithms that are undisclosed and not objectively assessed.

Such are the challenges faced by French authorities and companies when achieving their roles: protecting the public for the former, and being competitive actors and advocates of national expertise for the latter.

And such is the responsibility of the JTC 1/SC 27 French mirror committee, which also celebrates its 20th birthday: a steering committee for transversal coordination, a recognized network of expertise and an information and watch platform, whose members are actively involved in the standards development carried out within the SC 27 Working Groups.



The JTC 1/SC 27 French mirror committee: AFNOR Groupe de coordination Sécurité des Systèmes d'Information (GC SSI)
ISMS International User Group (IUG)

www.iso27001certificates.com

10th June 2010
ISO/IEC JTC 1/SC27
DIN
Berlin
Germany

Dear SC27 Chair, Vice-Chair and Secretariat

On behalf of many thousands of ISMS user organizations around the world we congratulate you and your committee on reaching its 20th birthday. This is a milestone event in the history of international information and IT security standardization. We would particularly like to congratulate you on the development of the successful family of ISO/IEC 2700x ISMS standards, which have provided businesses and governments around the globe with the right set of tools to meet their own information security management and governance requirements as well as satisfying compliance and contractual obligations. The take-up of the flagship of the ISMS family of standards, ISO/IEC 27001, has proved it to be the best-selling, world-beating ISO information security standard. The success of ISO/IEC 27001 has been clearly demonstrated by the number of organizations that have had their ISMS certified, as can be seen by visiting the ISMS International Certificate Register (www.ISO27001certificates.com). The ISMS IUG continually gets feedback from ISMS user organizations expressing the many benefits received from implementing ISO/IEC 27001.

The ISMS IUG looks forward to continued collaboration with SC27 in the future development and progress of ISMS standardization.
Sincerely,
Prof. Edward Humphreys
ISMS IUG Founder and Director









ISO/IEC JTC 1/SC27




'The Times they are a-Changing' -
SC 27's role in an altering security landscape

Walter Fumy [1] and Marijke De Soete [2]

1: Bundesdruckerei GmbH, Germany
2: Security4Biz, Belgium

The past quarter-century has seen a migration of human activities from physical, person-to-person contact into an electronic world whose latest incarnation is known as "the cloud". Globalisation would not be possible without modern IT, high-bandwidth and inexpensive communications, and the World Wide Web. Among the critical issues raised by this transformation are its effects on security and privacy, effects which are of concern to individuals, to enterprises, and to governments. Security and privacy can be protected or obtained in a variety of ways, and in the electronic world in particular cryptography is an essential tool to this end.

New Approaches to Cryptography
For centuries, cryptography had been treated as a secret art, and from the beginning the export of cryptographic products had been tightly controlled with the intention of confining its use to government, the military, and a limited number of commercial sectors with obvious security needs, such as the financial industry. This attitude changed not very long ago. For example, the US export rules were only revised in 2000 to place less emphasis on the strength of the cryptographic techniques used in commercial products, and only then did selling such products throughout (most of) the world become relatively easy.
Cryptography was a natural topic for the Organisation for Economic Co-operation and Development (OECD), which by then already had a history in privacy policy. Having developed policy guidelines for information security in 1992, the OECD tackled the encryption debate in 1996. In March 1997, the organization issued its cryptography guidelines, which emphasized the importance of trust in cryptographic products and urged that "the development and provision of cryptographic methods should be determined by the market in an open and competitive environment, and that the development of international technical standards, criteria and protocols for cryptographic methods should also be market driven" [OECD 1997].
It was this development that finally allowed SC 27 to change its scope and to no longer exclude the standardization of cryptographic algorithms. This happened at a time when the approach to the standardisation of cryptographic techniques was itself a-changing. When seeking to replace the more than twenty-year-old Data Encryption Standard (DES) with a new algorithm, the US National Institute of Standards and Technology (NIST) took a novel approach: an open, public competition, in contrast to the closed process that had led to the adoption of DES two decades earlier. The field had matured, and as a result the Advanced Encryption Standard (AES) can justly be called a second-generation block cipher.
AES and the AES standardisation process were not the only fundamental changes. Continuous advances in computing and discrete mathematics had made the RSA public-key cryptosystem uncomfortably costly, because its key sizes had to keep growing to stay ahead of factoring. The solution that came to hand makes use of mathematical structures called elliptic curves. Cryptosystems based on elliptic curves only require keys of about twice as many bits as the AES key they protect to achieve an analogous level of security - not the thousands of bits needed by the RSA scheme or by a traditional Diffie-Hellman key establishment protocol over a finite field. SC 27 was at the forefront of standardizing such second-generation public-key cryptosystems.
Since then the market for cryptography has exploded. Driven by the security requirements of the Internet, the Secure Sockets Layer protocol (SSL) became the most widely deployed cryptographic tool. Today, it is virtually impossible to find a commercial sector without security and privacy needs.

The Rise of Compliance
But it is not only the way cryptography is dealt with that has changed over the last two decades. Even more important changes happened in the way information security is addressed by enterprises and governments. Enterprises are not just fighting the bad guys or enabling new business opportunities; they also need to show customers and competitors that they are properly protected. In addition, internationally and regionally mandated security and privacy requirements, directives and standards have shaped a higher level of security awareness and understanding.
Following a number of major accounting and reporting scandals around the turn of the century, which involved prominent companies such as Enron, Parmalat, or WorldCom, the response was to refocus on decent "corporate governance" in order to restore public trust and investor confidence in accounting practices. Several legal regulations, including Basel II, the Sarbanes-Oxley Act (SOX), and the Gramm-Leach-Bliley Act, were established, and compliance became a mandatory topic on the agendas of board meetings in many enterprises, with security being an inherent component of the compliance requirements. On the other hand, the 9/11 events augmented security awareness within governments, leading to regulations addressing not only homeland security but also critical infrastructures, cybercrime, and many other areas.

With these developments, security evolved from a technical, often "add-on feature" dealt with by academics and computer specialists to an overall "integrated service" which also involves business and senior management. More and more organizations implemented an information security management system (ISMS) as part of their corporate governance, driven by a business risk management oriented approach. Many of them use the ISMS 2700x series developed by SC 27. These ISMSs do not only address the purely technical implementations but also deal with aspects such as identity management, incident handling, human resources, third party involvement, and evaluation. The approach is based on the so-called PDCA (plan-do-check-act) model, which is essential for the continual improvement of any security management system.

PDCA applied to SC 27
During the past 20 years SC 27 has successfully applied the PDCA model to adapt its standardization work to the changing security landscape. The committee has revised and extended its scope a number of times to reflect new or altering demands from the market in areas such as cryptographic algorithms, cyber security, privacy, identity management, or the security aspects of biometrics.

When it became necessary, it also adapted its structure and expanded from three to five working groups in order to deal appropriately with all aspects of information security, from security techniques (including cryptographic algorithms) and services, via security evaluation and accreditation, to security guidance and management. The new structure not only helped to improve the focus of the various WGs, but also attracted a substantial amount of new resources. Currently SC 27 meetings are typically attended by more than 200 participants. However, one aspect of the scope of SC 27 has remained unchanged during these 20 years - the general nature of its deliverables. Focusing on the development of generic standards for the protection of information and ICT has led to a considerable number of liaisons with other standardization and industry bodies, which have been shaped over the past years. Many of these liaison bodies use SC 27 standards and technical reports as a basis for developing their own security implementation standards specific to their sector, such as telecom, the financial industry, health care, or transport.
For more information on SC 27 and its work program, the reader is referred to [SC27].
References
[OECD 1997]: Recommendation of the Council concerning Guidelines for Cryptography Policy (http://www.oecd.org/document/34/0,3343,en_2649_34255_1814690_1_1_1_1,00.html)
[SC27]: http://www.jtc1sc27.din.de/en

ISO/IEC JTC 1 SC27 - INFORMATION
Edward Humphreys, SC27 WG1 Convenor
Dale Johnstone, SC27 WG1 Vice-Convenor
SC27 Management Team
SC27 Chair
Christian Jahl, DIN, Germany (1990 - 1992)
Dr Klaus Vedder, DIN, Germany (1992 - 1996)
Dr Walter Fumy, DIN, Germany (1996 to present)
SC27 Vice-Chair
Dr Marijke de Soete, NBN, Belgium (2003 to present)
SC27 Secretariat
Ms Annette Galkin, GMD (1990-1992)
Ms W. Wilke, DIN, Germany (1992 - 1996)
Ms Krystyna Passia, DIN, Germany (1996 to present)

Working Group Convenors and Secretaries
WG1 ISMS
Convenor: Prof. Edward Humphreys, BSI, UK (1990 to present)
Secretary: Dr Angelika Plate, BSI, UK (2005 - 2008)
Vice-convenor: Mr Dale Johnstone, SA, Australia (2009 to present)

The Terms of Reference of this working group are:

The scope of WG 1 covers the development of ISMS (Information Security Management System) standards and guidelines (see SC 27 N5114). This includes:

1. Development and maintenance of the ISO/IEC 27000 ISMS standards family
2. Identification of requirements for future ISMS standards and guidelines
3. On-going maintenance of WG1 standing document SD WG 1/1 (WG 1 Roadmap)
4. Collaboration with other Working Groups in SC 27, in particular with WG 4 on standards addressing the implementation of control objectives and controls as defined in ISO/IEC 27001.


5. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for ISMS, for example:

ITU-T Telecoms
ISO/TC 215 Healthcare
ISO/TC 68 Banking
ISO/TC 176 Quality MS
ISO/TC 204 Intelligent transport systems
ISO/TC 223 Civil Defence
ISSEA
ISACA
ISF
ENISA
Interpol
Transport Sector
Energy Sector
Aerospace
Automotive Industry
Standards bodies, such as IETF, IEEE
International institutions, e.g. OECD, APEC, EU
IAF and CASCO, JTCG and other relevant groups regarding the development of accreditation and certification standards and guidelines

WG2 Cryptography and security mechanisms
Convenor: Mr L. Guillou, AFNOR, France (1990 - 1993)
Secretary: Mr C. Bourstin, AFNOR, France (1990 - 1993)

Convenor: Dr Marijke de Soete, Belgium (1994 - 2003)

Convenor: Prof. Kenji Naemura, JISC, Japan (2003 - 2010)
Secretary: A. Otsuka, JISC, Japan (2003 - 2005)
Secretary: Takeshi Chikazawa, JISC, Japan (2005 - 2010)

Convenor: Mr. Takeshi Chikazawa, JISC, Japan (2010 to present)
Vice-convenor: Mr. Toshio Tatsuta, JISC, Japan (2010 to present)

The terms of reference of this working group are:

WG 2 provides a centre of expertise for the standardization of IT Security techniques and mechanisms within JTC 1:

identify the need and requirements for these techniques and mechanisms in IT systems and applications;
develop terminology, general models and standards for these techniques and mechanisms for use in security services.
The scope covers both cryptographic and non-cryptographic techniques and mechanisms including:

confidentiality,
entity authentication,
non-repudiation,
key management,
data integrity such as
o message authentication,
o hash-functions,
o digital signatures.

The mechanisms in general include several options with respect to the techniques used, including symmetric cryptographic, asymmetric cryptographic and non-cryptographic.

WG3 Security Evaluation
Convenor: Prof. Svein Knapskog, Norway (1990 - 1999)

Convenor: Mats Ohlin, SIS, Sweden (1999 - 2009)
Secretary: Dr Mike Nash, BSI, UK (2001 - 2009)

Convenor: Miguel Bañón, AENOR, Spain (2009 to present)
Secretary: Dr Bertolt Krüger, DIN, Germany (2009 to present)

The terms of reference of this working group are:

Standards for IT Security evaluation and certification of IT systems, components, and products. This will include consideration of computer networks, distributed systems, associated application services, etc.
Three aspects may be distinguished:

evaluation criteria,
methodology for application of the criteria,
administrative procedures for evaluation, certification, and accreditation schemes.

This work will reflect the needs of relevant sectors in society, as represented through ISO/IEC National Bodies and other organisations in liaison, expressed in standards for security functionality and assurance. Account will be taken of related ISO/IEC and ISO standards for quality management and testing so as not to duplicate these efforts.


WG4 Security Controls and Services
Convenor: Dr Meng Chow Kang, SPRING, Singapore (2006 to present)
Secretary: Philip Sy, SPRING, Singapore (2009 to present)

The terms of reference of this working group are:

The scope of WG 4 covers the development and maintenance of standards and guidelines addressing services and applications supporting the implementation of control objectives and controls as defined in ISO/IEC 27001. This includes:

1. Current SC 27 projects:
IT network security (ISO/IEC 18028)
Information security incident management (ISO/IEC TR 18044)
Guidelines for information and communications technology disaster recovery services (ISO/IEC 24762)
Selection, deployment and operation of Intrusion Detection Systems (IDS) (ISO/IEC 18043)
Guidelines on use and management of Trusted Third Party services (ITU-T X.842 | ISO/IEC TR 14516)
Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
Security information objects for access control (ITU-T X.841 | ISO/IEC 15816)

2. Identification of requirements for and development of future service and applications standards and guidelines, for example in the areas of:
Business Continuity
Cyber Security
Outsourcing

3. On-going maintenance of WG4 standing document SD WG 4/1 (WG 4 Road Map)
4. Collaboration with other Working Groups in SC 27, in particular with WG1 on ISMS standards and guidelines.
5. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications, for example:
ITU-T Telecoms
ISO/TC 215 Health Informatics
ISO/TC 68 Banking
ISSEA
Aerospace
Automotive Industry
Standards bodies, such as IETF, IEEE
International institutions, e.g. OECD, APEC, EU

WG5 Privacy and Identity Management
Acting Convenor: John Snare, SA, Australia (2006)

Convenor: Prof. Kai Rannenberg, DIN, Germany (2007 to present)
Secretary: Jan Schallaboeck, DIN, Germany (2007 to present)

The terms of reference of this working group are:

The scope of SC 27/WG 5 covers the development and maintenance of standards and guidelines addressing security aspects of identity management, biometrics and the protection of personal data.
This includes:

1. Current SC 27 projects:
Framework for Identity Management (ISO/IEC 24760)
Biometric template protection (ISO/IEC 24745)
Authentication context for biometrics (ISO/IEC 24761)

2. Identification of requirements for and development of future standards and guidelines in these areas. For example, in the area of Identity Management, topics such as:
Role based access control
Provisioning
Identifiers
Single sign-on
In the area of Privacy, topics such as:
A Privacy Framework
A Privacy Reference Architecture
Privacy Infrastructures
Anonymity and credentials
Specific Privacy Enhancing Technologies (PETs)
Privacy Engineering
In the area of Biometrics, topics such as:
Protection of biometric data
Authentication techniques

3. Collaboration with other Working Groups in SC 27, e.g. WG 1 on management aspects, WG 2 on specific cryptographic techniques and WG 3 on evaluation aspects.

4. Liaison and collaboration with those organizations and committees dealing with specific requirements and guidelines for services and applications in this area, for example:
ISO/IEC SC 37 Biometrics
ECRYPT
ISO/TC68/SC2 Financial Services Security
ISO/TC68/SC6/WG10 Financial Services - Retail Financial Services - Privacy
ITU-T SG17 Security, languages and telecommunication software
Future of Identity in the Information Society (FIDIS)
The International Conference of Data Protection and Privacy Commissioners
The Open Group (IdM Forum and Jericho Forum)
SC27 Members
P-members
Algeria, Australia, Austria, Belgium, Brazil, Canada, China, Côte d'Ivoire, Cyprus, Czech Republic, Denmark, Finland, France, Germany, India, Italy, Ireland, Jamaica, Japan, Kazakhstan, Kenya, Rep. of Korea, Luxembourg, Malaysia, Morocco, The Netherlands, New Zealand, Norway, Poland, Romania, Russian Federation, Singapore, Slovakia, South Africa, Spain, Sri Lanka, Sweden, Switzerland, Ukraine, United Kingdom, United States of America, Uruguay.
(Total: 42)

O-members
Argentina, Belarus, Bosnia and Herzegovina, Costa Rica, El Salvador, Estonia, Ghana, Hong Kong, Hungary, Indonesia, Israel, Lithuania, Portugal, Serbia, Slovenia, Swaziland, Thailand, Turkey
(Total: 18)
SC27 Liaisons
The following are some of the liaisons that SC27 has had with other organizations and standards groups, both within ISO/IEC and external to ISO/IEC. This list covers the liaisons of the last twenty years.
External CAT A Liaisons
ENISA (European Network and Information Security Agency)
European Payment Council / Security of Payment Task Force (EPC/SPTF)
ITU Development Sector (ITU-D)
ITU-T Study Group 13 (ITU-T SG 13)
ITU-T Study Group 17 (ITU-T SG 17)
MasterCard
VISA Europe

External CAT C Liaisons
ASIS International
CEN Workshop on Cyber Identity
Common Criteria Development Board (CCDB)
Forum of Incident Response and Security Teams (FIRST)
Future of Identity in the Information Society (FIDIS)
European Network of Excellence for Cryptology (ECRYPT)
Information Security Forum (ISF)
Information Systems Audit and Control Association / IT Governance Institute (ISACA / ITGI)
International Conference of Data Protection and Privacy Commissioners
Information Systems Security Association (ISSA)
International Systems Security Engineering Association (ISSEA)
Liberty Alliance
Network and Information Security Steering Group (CEN/NISSG)
Privacy and Identity Management for Community Services (PICOS)
Privacy and Identity Management in Europe for Life (PrimeLife)
The Open Group
The World Lottery Association (WLA)
Trusted Computing Group (TCG)
TAS3 (Trusted Architecture for Securely Shared Services)

Internal Liaisons within ISO
ISO/CASCO
ISO/TMB/JTCG (Joint Technical Coordination Group) on MSS (Management System Standards)
ISO/PC 246 Anti-counterfeiting Tools
ISO/TC 46/SC 11 Information and documentation - Archives/Records management
ISO/TC 68/SC 2 Financial services - Security management and general banking operations
ISO/TC 176 Quality Management Systems
ISO/TC 204 Intelligent transport systems - WG 1 Architecture
ISO/TC 215 Health Informatics - WG 4 Security & WG 5 Health cards
ISO/TC 223 Societal Security
ISO/TMB WG RM (Risk Management)

Liaisons with IEC
IEC/TC 65 Industrial-process measurement, control and automation - WG 10 Security for industrial process measurement and control - Network and system security

Internal Liaisons within ISO/IEC JTC 1
JTC 1 Ad Hoc on Vocabulary
JTC 1/WG 6 Corporate Governance of IT
SC 6 Telecommunications and information exchange between systems
SC 7 Systems engineering
SC 17/WG 3 Machine readable travel documents
SC 17/WG 4 Integrated circuit cards with contacts
SC 17/WG 11 Application of Biometrics to Cards and Personal Identification
SC 21 Open Systems Interconnection standards
SC 22 Programming languages, their environments and system software interfaces
SC 25 Interconnection of IT Equipment
SC 31/WG 4 Automatic identification and data capture techniques
SC 36 Information technology for learning, education, and training
SC 37 Biometrics


Historical Meeting Summary
ISO/IEC JTC 1/SC27 has been successfully in operation for 20 years and has been holding its regular 6-monthly meetings in different parts of the world. The full location history of the meetings is summarized as follows:

2010 (October) - Berlin, Germany
2010 (April) - Melaka, Malaysia
2009 (November) - Redmond, Washington, USA
2009 (May) - Beijing, China
2008 (October) - Limassol, Cyprus
2008 (April) - Kyoto, Japan
2007 (October) - Lucerne, Switzerland
2007 (May) - Moscow/St Petersburg, Russia
2006 (November) - Glenburn Lodge, South Africa
2006 (May) - Madrid, Spain
2005 (November) - Kuala Lumpur, Malaysia
2005 (April) - Vienna, Austria
2004 (October) - Fortaleza, Brazil
2004 (April) - Singapore
2003 (October) - Paris, France
2003 (April) - Quebec, Canada
2002 (October) - Warsaw, Poland
2002 (April) - Berlin, Germany
2001 (October) - Seoul, Republic of Korea
2001 (April) - Oslo, Norway
2000 (October) - Tokyo, Japan
2000 (April) - London, UK
1999 (October) - Columbia, Maryland, USA
1999 (April) - Madrid, Spain
1998 (October) - Itacurussa, Brazil
1998 (April) - Kista, Sweden
1997 (October) - Bad Boll, Germany
1997 (April) - Sydney, Australia
1996 (October) - Ermatingen, Switzerland
1996 (April) - London, UK
1995 (November) - Seoul, Republic of Korea
1995 (April) - Helsinki, Finland
1994 (November) - Ottawa, Canada
1994 (March) - Trondheim, Norway
1993 (October) - Paris, France
1993 (March) - Milan, Italy
1992 (October) - Gaithersburg, Maryland, USA
1992 (March) - Zurich, Switzerland
1991 (October) - Brussels, Belgium
1991 (April) - Tokyo, Japan
1990 (October) - Munich, Germany
1990 (April) - Stockholm, Sweden

Each of these meetings has brought with it its own unique logistical challenges, happy memories and productive work outputs. In the paper "ISO/IEC JTC 1 SC27 - The Show Must Go On" some of the challenges encountered on one unique occasion are discussed.

ISO/IEC JTC 1 SC27 - The Show Must Go On
Dale Johnstone, SC27 WG1 Vice-Convenor

The purpose of this paper is to discuss the meeting that presented SC27 with probably the largest challenge of all the meetings it has held.
The meeting that delivered the most challenges for the SC27 Management Team, meeting attendees and National Body participants was the one held in Melaka, Malaysia in April 2010. This was the first time that a major natural event occurred just as participants were making their final preparations to set off on their journey to the SC27 meeting location.
Approximately four days before the Malaysia meeting was scheduled to commence, the Eyjafjallajökull volcano in Iceland erupted, causing substantial disruption to the travel plans of a large number of participants intending to travel from Europe to the SC27 meetings. This single natural event caused the largest number of SC27 members planning to travel to a meeting (in this case from the European region) ever to cancel their travel plans.
Even before the meeting commenced, it was very quickly apparent that continuity arrangements had to be adopted to ensure the meetings continued successfully. This was especially so given that a large number of delegates were already in transit to the meeting location in Malaysia, which ensured that the meeting must go on.
The unique challenges encountered for this particular meeting included the following individuals not being able, initially, to travel to the meeting location in Malaysia:
SC27 Chairman,
SC27 Vice-Chairman,
WG1, WG3 and WG5 Convenors,
WG3 and WG5 Vice-Convenors,
a large number of Project Editors and Co-Editors,
a number of National Body project experts key to the progressing of selected projects.
Other challenges encountered included:
rearrangement of hotel bookings for participants,
meeting facilities equipped for on-site (not remote) participation,
a diminished SC27 Management Team.

Although SC27 did not have any formally adopted, documented contingency plans in place, the overall situation was managed successfully due to the quick-thinking actions of many participants. Their actions included:
preparing meeting facilities for remote access (i.e. speaker/microphone communications),
determining practicable remote communication solution(s) accessible by all, with minimum preparation needed to access them (i.e. licensing) and no expertise required in their use (i.e. training),
determining acting project coordinators (Acting Editors) for projects where no Project Editor representation was present,
reallocation of responsibilities for formal presentations, meeting leadership and other events,
managing the frustrations of National Body participants whose travel plans were severely impacted by the event.
As a result of this particular event and its unique circumstances, SC27 continuously strives to improve its contingency arrangements, which includes consideration of:
identifying potential hosts for short-notice regional meeting locations where SC27 National Body members can collectively use the available facilities,
encouraging greater geographical separation of key meeting participants (i.e. co-editors),
taking the experiences gained and using these as lessons towards future potential occurrences of a similar nature.
There are those individuals (and you all know who you are) who will say this was one of their busiest and most challenging working weeks ever. But with all of their commitment and assistance the meetings proved to be very successful. In particular the event organizers are singled out as having been critical to the overall success of the meetings. Their ability to very quickly adapt the meeting location to technically accommodate the remote participants, which in itself generated communication challenges (excellently supported and resolved by one of the meeting's sponsors), was very much appreciated and acknowledged by all involved as being critical to the meeting's success.
Although on this occasion the ISO/IEC JTC 1/SC 27 meetings lacked a number of European experts who could not attend due to the Icelandic volcano incident and the associated disruption to air transportation, their commitment and active regular participation via remote communications in the Plenary and editing meetings (via email or via Skype conference calls) during the course of the week proved invaluable.
Even though SC27 did not possess documented contingency plans (which one would have expected would have enabled a more effective approach towards dealing with the unexpected event), the ability for alternative leadership to form quickly and for all involved individuals to communicate and agree on the relevant actions required resulted in the SC27 meetings proceeding smoothly. This in itself is a testament to the level of close bonding, cooperation and understanding that has formed between all the individuals associated with SC27 over its past 20 years of operation.


'Memories are made of this'
View of SC27 Past

SC27/WG1

Information Security Management System Standards

Prof. Edward Humphreys
ISO/IEC JTC 1/SC27/WG1 Convenor

Background
SC27/WG 1, from its inaugural meeting to today, has been involved in some form of standardisation related to the management of security systems. In the early years (1990-97) this mainly involved the management of IT security as well as application level security; this then progressed (1996-2005) to other standards such as a series of network security standards, Trusted Third Parties and Digital Signatures, Intrusion Detection Systems and a standard on incident handling; and then finally in the latter years (1999 to date) the management of information security and the publication of the ISO/IEC 2700x family of standards.

During the 90s WG1 collaborated regularly with JTC1/SC21/WG1, WG4 (OSI management) and WG6 (ODP) on various aspects of OSI security, for example on GULS (upper layer security), FTAM security, the access control, confidentiality, non-repudiation, authentication and integrity frameworks (the ITU-T X.800 family of standards) and the OSI management standards. WG1 also worked with:

ITU-T on DAF, messaging system security (ITU-T X.400), directory security (ITU-T X.500) and ODP security (in conjunction with JTC1/SC21) (liaison officer Prof. Edward Humphreys, UK),
JTC1/SC6 on the network layer NLSP and transport layer TLSP standards for security (liaison officer Jim Long, UK),
JTC1/WG3 on the security aspects of Open-EDI standards (liaison officer Pelkonen, Finland),
JTC1/SC22 on API security and security information objects (liaison officer Prof. Edward Humphreys, UK),
JTC1/W18 on multi-media/hyper-media security aspects (liaison officer Prof. Edward Humphreys, UK),
ECMA on security information objects (liaison officers Kåre Presttun, Norway and Tom Parker, UK).

During its 20 years of standardisation work WG1 has seen many changes and met many challenges in the market requirements for information and IT security. WG1 has always responded successfully to these challenges, delivering standards that tell businesses what needs to be done to manage their information and IT security risks and to implement a level of protection for their information and IT system assets. As the work of WG1 expanded (see the pre-ISMS work below) it was decided in 2008 to split the work of the group into two, and so a new working group, WG4, was formed. Under the new arrangements WG1 became fully responsible for all ISMS (information security management system) standards and WG4 responsible for standards dealing with information security management services and applications.

Finally, in May 2009 Dale Johnstone was appointed Vice-Convenor of WG1.

Pre-ISMS Work
Procedures for the Registration of Crypto Algorithms (IS 9979)
o Editor Prof. Edward Humphreys (UK)
o This project was carried over from JTC1/SC20
o This project was handed over to WG2 in 1997
Peer Entity Authentication Part 1 General Model (IS 9798 Part 1)
o Editors Prof. Edward Humphreys (UK), and then John Hopkinson (Canada) and Karen Randell (USA)
o This project was carried over from JTC1/SC20
o This project was handed over to WG2 in 1994
Framework for Key Management
o Editors Bob Elander (USA) and then Roland Müller (Germany) from 1994
o This project was handed over to WG2 in 1997
Specification of TTP services to support the application of digital signatures (ITU-T X.843 | ISO/IEC 15945)
o Editor Dr. Bertolt Krüger (Germany)
o This project was handed over to WG4 in 2008
Guidelines for the use and Management of Trusted Third Parties (ITU-T X.842 | ISO/IEC 14516)
o Editors André Grissonnanche (France), then Maynard Hanscom (Canada) and then Hans Joachim Pelka (Germany)
IT Intrusion Detection Framework (ISO/IEC 15947)
o Editor Richard Brackney (USA)
o This project was incorporated into ISO/IEC 18043 in 2006
o This project was handed over to WG4 in 2008
Guidelines for the implementation, management and operation of Intrusion Detection Systems (IDS) (ISO/IEC 18043)
o Editor Richard Brackney (USA)
o This project was handed over to WG4 in 2008
Guidelines for the Management of IT Security (ISO/IEC 13335 Parts 1-5)
o Part 1 Concepts and Models for ICT Security Management: editor John Hopkinson (Canada) and then Alice Sturgeon (Canada) for the revision
o Part 2 Managing and Planning IT Security: editors André Grissonnanche (France) up to 1994, then Walter Widmer (Switzerland) from 1994, and Jim Long (UK) for the revision of Part 2
o Part 3 Techniques for Management: editors Hermann Siebert (Germany) up to 1994 and then Angelika Plate (Germany) from 1994
o Part 4 Baseline Approach: editor Angelika Plate (Germany)
o The content of these projects was subsumed into parts of the ISO/IEC 2700x family. For example GMITS-3 was input into the development of ISO/IEC 27005.
o Part 5 Application of IT Security Services and Techniques: editor Robin Mosses (UK)
o This project was incorporated into ISO/IEC 18028-1 in 2006
Security Information Objects for Access Control (ITU-T X.841 | ISO/IEC 15816)
o Editors Dr Warwick Ford (Canada), then Robert Rosenthal (USA), Noel Nazario (USA), Larry Nelson (USA) and finally Ruaridh Macdonald (UK)
o This project was handed over to WG4 in 2008
Network Security (ISO/IEC 18028 Parts 1-5)
o Part 1 Network Security Management: editors Eric Gheur (Belgium), Jim Long (UK) and then Robin Mosses (UK)
o Part 2 Network Security Architecture: editor Richard Keighley (UK)
o Part 3 Securing Communications between Networks using Security Gateways: editor Joachim Schiette (Germany)
o Part 4 Remote Access: editor Roland Müller (Germany)
o Part 5 Securing Communications across VPNs: editors Jim Long (UK) and Igor Kadoschuk (USA), and then Paul Hanley (UK)
o These projects were handed over to WG4 in 2008
Time Stamping
o Editor Roland Müller (Germany)
o This project was handed over to WG2 in 2008
Information Security Incident Handling (ISO/IEC 18044)
o Editor Grzegorz Pohorecki (Poland) and then Robin Mosses (UK)
o This project was handed over to WG4 in 2008
ISMS Work
October 2000 saw the dawn of a new age in information security standards when BS 7799-1 was submitted to ISO/IEC and was approved for publication as ISO/IEC 17799 (editor Prof. Edward Humphreys (UK) and, for the revision, Dr. Angelika Plate (UK) and Dr. Oliver Weissmann (Germany)). This standard was renumbered as ISO/IEC 27002 in 2006. This event in 2000 opened the door to the development of the ISO/IEC 2700x family of information security management standards, which continues to develop, expand and be adopted by business around the world.

Of course the flagship of the ISO/IEC 2700x family is the ISMS requirements standard ISO/IEC 27001 (editor John Snare (Australia)). This standard sets the requirements that all the other standards in the family support. It is the only ISO/IEC standard which can be used for third party certification of an organisation's ISMS implementation. Its pedigree is the UK standard BS 7799-2, which became ISO/IEC 27001 in 2005. ISO/IEC 27002, by contrast, is a code of practice for information security management and provides a catalogue of security controls. ISO/IEC 27002 is used alongside ISO/IEC 27001 in the following way. In establishing an ISMS an organisation needs to carry out a risk assessment in accordance with the requirements specified in ISO/IEC 27001. Once the assessment has been carried out, a system of controls needs to be selected to reduce the set of identified risks. These controls are selected from the catalogue of controls given in Annex A of ISO/IEC 27001, which is a duplicate copy of the controls given in ISO/IEC 27002. What ISO/IEC 27002 offers in addition to the set of controls is implementation guidance for each of the controls, and this does not appear in Annex A of ISO/IEC 27001.

Both ISO/IEC 27001 and ISO/IEC 27002 are currently undergoing the normal ISO 5-year process of revision that applies to all ISO/IEC standards. The aim of this is to make sure that both these standards are up to date and continue to meet the needs of business. If there are new business requirements that need to be met then these will be incorporated into the new versions. The revision process is considering contributions from many sources and business sectors to ensure that the next versions of these standards will remain fit-for-purpose for another 5 years once they have been published. The current 2005 versions of these standards will remain valid until they are replaced with the revised versions, which is likely to be at least 18-24 months down the road.
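
The sequence described above (risk assessment under ISO/IEC 27001, then selection of controls from Annex A for the risks that exceed the acceptance criteria) can be made concrete. The following is an added example written for this page; it is not code from SC 27, from the standards or from the author. The five-point scales, the product formula for the risk level, the acceptance threshold of 6, the sample risk register and the mapping of threats to ISO/IEC 27001:2005 Annex A identifiers are all illustrative assumptions, and the Annex A numbers should be checked against the published Annex A before being relied on.

```python
"""Added example: a minimal ISO/IEC 27001-style risk assessment followed by
control selection from Annex A. Written for this page; not code from SC 27
or the standards. Scales, threshold, register and Annex A mapping are
illustrative assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: an asset, the threat to it, the
    vulnerability the threat exploits, and two qualitative ratings.
    Assumed scale for both ratings: 1 (very low) .. 5 (very high)."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int

    @property
    def level(self) -> int:
        # Assumed risk level formula: product of the two ratings (1..25).
        return self.likelihood * self.impact


# Assumed risk acceptance criterion: a level of 6 or below is accepted as-is.
ACCEPTANCE_THRESHOLD = 6

# Illustrative mapping from a threat to ISO/IEC 27001:2005 Annex A control
# identifiers (an assumption for this example; verify against the real Annex A).
ANNEX_A_CONTROLS: Dict[str, List[str]] = {
    "malware infection": ["A.10.4.1 Controls against malicious code"],
    "unpatched software exploit": ["A.12.6.1 Control of technical vulnerabilities"],
    "loss of data": ["A.10.5.1 Information back-up"],
    "unauthorized access": ["A.11.2.1 User registration",
                            "A.11.5.1 Secure log-on procedures"],
}

# Constructed sample register; the assets and ratings are made up.
SAMPLE_REGISTER: List[Risk] = [
    Risk("customer database", "unauthorized access", "shared admin account", 4, 5),
    Risk("file server", "loss of data", "backups never restore-tested", 3, 4),
    Risk("laptops", "malware infection", "no anti-malware on laptops", 4, 3),
    Risk("printer", "denial of service", "SNMP open to the LAN", 2, 3),
    Risk("intranet wiki", "unpatched software exploit", "old CMS version", 2, 2),
]


def assess(register: List[Risk]) -> Tuple[List[Risk], List[Risk]]:
    """Split the register into accepted and unacceptable risks, the latter
    ordered highest level first so that treatment is prioritised."""
    accepted = [r for r in register if r.level <= ACCEPTANCE_THRESHOLD]
    to_treat = sorted((r for r in register if r.level > ACCEPTANCE_THRESHOLD),
                      key=lambda r: r.level, reverse=True)
    return accepted, to_treat


def select_controls(to_treat: List[Risk]) -> Dict[str, List[str]]:
    """For each unacceptable risk, pick Annex A controls from the catalogue.
    A threat with no catalogue entry is flagged rather than silently skipped:
    ISO/IEC 27001 allows additional controls, but they must be justified."""
    selection: Dict[str, List[str]] = {}
    for r in to_treat:
        key = f"{r.asset} / {r.threat}"
        selection[key] = ANNEX_A_CONTROLS.get(
            r.threat, ["(no Annex A match: justify a custom control)"])
    return selection


def statement_of_applicability(register: List[Risk]) -> List[str]:
    """One line per selected Annex A control with the risk that justifies
    it: the skeleton of a Statement of Applicability."""
    _, to_treat = assess(register)
    lines: List[str] = []
    for key, controls in select_controls(to_treat).items():
        for c in controls:
            lines.append(f"{c} <- {key}")
    return lines


if __name__ == "__main__":
    accepted, to_treat = assess(SAMPLE_REGISTER)
    print("accepted:", [r.asset for r in accepted])
    print("to treat (highest first):", [(r.asset, r.level) for r in to_treat])
    for line in statement_of_applicability(SAMPLE_REGISTER):
        print(line)
```

The register rows that fall at or below the threshold are recorded as accepted with no control selected, which is itself a documented decision; everything above the threshold must trace to a control, and a threat the catalogue does not cover is surfaced for a justified custom control rather than dropped.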

ISMS Supporting Standards
The other standards in the core of the ISO/IEC 2700x family are:

ISO/IEC 27000 Overview and Vocabulary (editors Dale Johnstone, Kei Harada, Japan and Oliver Weissmann, Germany)

This International Standard provides an overview of information security management systems, which form the subject of the ISMS family of standards, and defines related terms.

NOTE Annex A provides clarification on how verbal forms are used to express requirements and/or guidance in the ISMS family of standards.

The ISMS family of standards includes standards that:

a) define requirements for an ISMS and for those certifying such systems;
b) provide direct support, detailed guidance and/or interpretation for the overall Plan-Do-Check-Act (PDCA) processes and requirements;
c) address sector-specific guidelines for ISMS; and
d) address conformity assessment for ISMS.

The terms and definitions provided in this International Standard:
cover commonly used terms and definitions in the ISMS family of standards;
will not cover all terms and definitions applied within the ISMS family of standards; and
do not limit the ISMS family of standards in defining terms for their own use.

Standards addressing only the implementation of controls, as opposed to addressing all controls, from ISO/IEC 27002 are excluded from the ISMS family of standards.

ISO/IEC 27003 ISMS Implementation Guidance (editors Jan Branzell, Sweden, Uma Chandrashekhar, USA, Oliver Weissmann, Germany and Satoru Yamasaki, Japan)

The purpose of this International Standard is to provide practical guidance in developing the implementation plan for an Information Security Management System (ISMS) within an organization in accordance with ISO/IEC 27001:2005. The actual implementation of an ISMS is generally executed as a project.

The process described within this International Standard has been designed to provide support for the implementation of ISO/IEC 27001:2005 (relevant parts from Clauses 4, 5 and 7 inclusive) and documents:

a) the preparation of beginning an ISMS implementation plan in an organization, defining the organizational structure for the project, and gaining management approval;
b) the critical activities for the ISMS project; and
c) examples to achieve the requirements in ISO/IEC 27001:2005.

By using this International Standard the organization will be able to develop a process for information security management, giving stakeholders the assurance that risks to information assets are continuously maintained within acceptable information security bounds as defined by the organization.

This International Standard does not cover the operational activities and other ISMS activities, but covers the concepts of how to design the activities which will result after the ISMS operations begin. The concept results in the final ISMS project implementation plan. The actual execution of the organization-specific part of an ISMS project is outside the scope of this International Standard.

ISO/IEC 27004 Information security measurements (editors Eva Kuiper, USA and Paloma Llaneza, Spain)

This International Standard provides guidance on the development and use of measures and measurement in order to assess the effectiveness of an implemented information security management system (ISMS) and controls or groups of controls, as specified in ISO/IEC 27001.

This would include policy, information security risk management, control objectives, controls, processes and procedures, and support the process of its revision, helping to determine whether any of the ISMS processes or controls need to be changed or improved. It needs to be kept in mind that no measurement of controls can guarantee complete security.

The implementation of this approach constitutes an Information Security Measurement Programme. The Information Security Measurement Programme will assist management in identifying and evaluating noncompliant and ineffective ISMS processes and controls and prioritizing actions associated with improving or changing these processes and/or controls. It may also assist the organization in demonstrating ISO/IEC 27001 compliance and provide additional evidence for management review and information security risk management processes.

This International Standard assumes that the starting point for the development of measures and measurement is a sound understanding of the information security risks that an organization faces, and that an organization's risk assessment activities have been performed correctly (i.e. based on ISO/IEC 27005), as required by ISO/IEC 27001. The Information Security Measurement Programme will encourage an organization to provide reliable information to relevant stakeholders concerning its information security risks and the status of the implemented ISMS to manage these risks.

Effectively implemented, the Information Security Measurement Programme would improve stakeholder confidence in measurement results, and enable the stakeholders to use these measures to effect continual improvement of information security and the ISMS. The accumulated measurement results will allow comparison of progress in achieving information security objectives over a period of time as part of an organization's ISMS continual improvement process.
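
To show what "measures and measurement" of a control look like in practice, here is an added example written for this page; it is not code from SC 27, from ISO/IEC 27004 or from its editors. It runs one measurement construct for a single control (timely application of critical patches) from base measures, through a derived measure, to an indicator judged against decision criteria. The control chosen, the 30-day target, the thresholds and the inventory are illustrative assumptions, and the example keeps the page's caveat: a favourable indicator shows the control operating as intended, not that the systems are secure.

```python
"""Added example: an ISO/IEC 27004-style measurement construct for one control,
from base measures through a derived measure to an indicator judged against
decision criteria. Written for this page; not code from SC 27 or the standard.
The control chosen (timely patching), the 30-day target, the thresholds and
the inventory below are illustrative assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Asset:
    name: str
    patch_released: date            # when the critical patch became available
    patched_on: Optional[date]      # None = still not patched


PATCH_TARGET_DAYS = 30   # assumed organisational target for critical patches

# Constructed inventory; names and dates are made up for the example.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("web-01", date(2010, 3, 1), date(2010, 3, 10)),   # 9 days: on time
    Asset("web-02", date(2010, 3, 1), date(2010, 4, 15)),   # 45 days: late
    Asset("db-01", date(2010, 3, 1), date(2010, 3, 28)),    # 27 days: on time
    Asset("mail-01", date(2010, 3, 1), None),               # unpatched, overdue
    Asset("vpn-01", date(2010, 4, 20), None),               # unpatched, not yet due
]
AS_OF = date(2010, 4, 30)   # reporting date for the measurement period


def base_measures(inventory: List[Asset], as_of: date) -> Dict[str, int]:
    """Base measures are raw counts taken directly from the inventory."""
    in_scope = len(inventory)
    within_target = sum(
        1 for a in inventory
        if a.patched_on is not None
        and (a.patched_on - a.patch_released).days <= PATCH_TARGET_DAYS)
    overdue_unpatched = sum(
        1 for a in inventory
        if a.patched_on is None
        and (as_of - a.patch_released).days > PATCH_TARGET_DAYS)
    return {"in_scope": in_scope, "within_target": within_target,
            "overdue_unpatched": overdue_unpatched}


def derived_measure(base: Dict[str, int]) -> float:
    """Derived measure: percentage of in-scope assets patched within target.
    An empty scope yields 0.0 rather than a division error."""
    if base["in_scope"] == 0:
        return 0.0
    return 100.0 * base["within_target"] / base["in_scope"]


def indicator(pct_within_target: float) -> str:
    """Decision criteria (assumed thresholds) turn the number into a status
    management can act on. An 'effective' status only says the control is
    operating as intended; it does not mean the asset population is secure."""
    if pct_within_target >= 95.0:
        return "effective"
    if pct_within_target >= 80.0:
        return "needs improvement"
    return "ineffective"


def measure(inventory: List[Asset], as_of: date) -> Dict[str, object]:
    """Run the whole construct for one reporting period."""
    base = base_measures(inventory, as_of)
    pct = derived_measure(base)
    return {**base, "pct_within_target": round(pct, 1), "status": indicator(pct)}


if __name__ == "__main__":
    print(measure(SAMPLE_INVENTORY, AS_OF))
```

Running `measure` on successive reporting periods and keeping the returned dictionaries is what gives the period-over-period comparison the paragraph above refers to; the overdue count is kept as a separate base measure because a percentage alone hides the assets that are still exposed.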

ISO/IEC 27005 ISMS Risk Management (editors Elżbieta Andrukiewicz, Poland and Anders Carlstedt, Sweden)

This International Standard provides guidelines for Information Security Risk Management in an organization, supporting in particular the requirements of an ISMS according to ISO/IEC 27001. However, this International Standard does not provide any specific methodology for information security risk management. It is up to the organization to define its approach to risk management, depending for example on the scope of the ISMS, the context of risk management, or the industry sector. A number of existing methodologies can be used under the framework described in this International Standard to implement the requirements of an ISMS.

This International Standard is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.

ISMS Accreditation and Auditing Standards
In 2005 the WG1 convenor Edward Humphreys took the next bold step in establishing the ISO/IEC 2700x family on the world's stage by having discussions with IAF and CASCO on the topic of international conformance assessment for ISO/IEC 27001. This resulted in the WG1 convenor setting up a working party with representatives from IETF, CASCO, IAF and EA to consider the adoption of the EA document EA 7/03 as an ISO standard for the accreditation of bodies providing assessment services of ISMS implementations. Over a space of six months the work involved formatting EA 7/03 as an ISO/IEC standard and aligning and adding to the text of EA 7/03 with the text of ISO/IEC 17021, the generic requirements standard for bodies certifying management systems. Once this work was finished the editor Edward Humphreys tabled the document in SC27/WG1 for expert review and comment. The result of all this work was ISO/IEC 27006.

The next stage in the process was the development of ISO/IEC 27007 Guidelines for information security management systems auditing (editors Dr Angelika Plate, UK and Wang Xinjie, China). This work started after discussions between the WG1 Convenor and the TMB groups SAG and JTCG, both of which are responsible for the coordination of requirements and technical aspects of management system standards. This work is being done in collaboration with those involved in the revision of ISO 19011 and ISO/IEC 17021-2, both of which address auditor guidance for the generic family of management system standards. Additional input into this work was provided by the ISO 9001 Auditing Practices Group, an informal group of quality management system experts, auditors and practitioners drawn from ISO/TC 176 and the IAF. It has developed a number of guidance papers and presentations that contain explanations about the auditing of quality management systems. These reflect the process-based approach that is essential for auditing the requirements of ISO 9001.

A final development in this area is ISO/IEC 27008 Guidance for auditors on information security management systems controls (editor Anders Carlstedt). This provides guidance on reviewing the implementation and operation of controls, including technical compliance checking of information system controls, against an organization's established information security standards.

ISMS Sector Supporting Standards
A new range of standards is being developed that looks at the specific requirements of sectors and applications that are adopting ISO/IEC 27001. These standards, of course, will not replace ISO/IEC 27001, but they supply definitions of additional sector-specific requirements. The current programme of work includes:

ISO/IEC 27010 - for inter-sector communications
This standard considers various security requirements regarding those sectors and organizations involved in national infrastructure. This includes the security of command and control applications such as supervisory control and data acquisition.
ITU-T X.1051 | ISO/IEC 27011 - for telecommunication organizations
Based on ISO/IEC 27002, this standard was jointly published by ITU-T and ISO/IEC in 2008.
ISO/IEC 27013 - integrating ISO/IEC 20000-1 and ISO/IEC 27001
This standard provides guidance to those organizations that wish to integrate their IT service management and information security management systems to take advantage of the common elements of these two standards. For example, they can combine documentation systems, incident handling systems and secure service delivery, monitoring and review processes.
ISO/IEC 27014 - information security governance framework
This standard supports the information security aspect of a corporate governance framework. ISO/IEC 27001 is an ideal information security framework as it includes the three key elements of governance: risk management, a system of controls and an auditing function.
ISO/IEC 27015 - for the financial and insurance services sector
This standard addresses the specific requirements of those organizations in the financial and insurance sectors that are adopting ISO/IEC 27001.

ISMS Future Work
There are many areas of ISMS standardisation still to be addressed. One particular topic, which is likely to become a project in the not too distant future, is information security management - organizational economics. This project will aim at providing advice, guidance and economic approaches for management consideration in the context of information security, informing them of the business rationale for the efficient allocation of finite resources, e.g. expenditure, on the protection of information assets, including an understanding of the behaviour of the human threat actors.

Other possible areas of ISMS standards development could include:

ISMS Guidelines on Security and Human Resources
ISMS Guidelines for Business Processes
ISMS Guidelines for Management and Security Reviews
ISMS for the transportation sector
ISMS for the energy sector

48
ISO/IEC 27005 and Risk Management
Anders Carlstedt
Co-editor of ISO/IEC 27005

Risk management analyses what can happen and what the possible consequences can be, before deciding what should be done and when, to reduce the risk to an acceptable level. Risk management is defined as "coordinated activities to direct and control an organization with regard to risk" and information security risk as "effect of information security uncertainty on objectives".

ISO/IEC 27005 was developed and designed to assist organizations with the satisfactory implementation of information security based on a risk management approach. It provides guidelines for information security risk management supporting the general concepts specified in ISO/IEC 27001.

A systematic approach to information security risk management is necessary to identify organizational needs regarding information security requirements and to create an effective information security management system (ISMS). This approach should be suitable for the organization's environment, and in particular should be aligned with overall enterprise risk management. Security efforts should address risks in an effective and timely manner where and when they are needed. Information security risk management should be an integral part of all information security management activities and should be applied both to the implementation and the ongoing operation of an ISMS.

ISO/IEC 27001 specifies that the controls implemented within the scope, boundaries and context of the ISMS shall be risk based. The application of an information security risk management process can satisfy this requirement. There are many approaches by which the process can be successfully implemented in an organization. The organization should use whatever approach best suits their circumstances for each specific application of the process.

In an ISMS, establishing the context, risk assessment, developing the risk treatment plan and risk acceptance are all part of the "plan" phase. In the "do" phase of the ISMS, the actions and controls required to reduce the risk to an acceptable level are implemented according to the risk treatment plan. In the "check" phase of the ISMS, managers will determine the need for revisions of the risk assessment and risk treatment in the light of incidents and changes in circumstances. In the "act" phase, any actions required, including additional application of the information security risk management process, are performed.

Information security risk management should be a continual process. The process should establish the context, assess the risks and treat the risks using a risk treatment plan to implement the recommendations and decisions. The information security risk management process can be applied to the organization as a whole, any discrete part of the organization (e.g. a department, a physical location, a service), any information system, existing or planned, or particular aspects of control (e.g. business continuity planning).

The standard contains a description of the information security risk management process and its activities:
Context establishment,
Risk assessment,
Risk treatment,
Risk acceptance,
Risk communication,
Risk monitoring and review.

Figure 1: Information security risk management process

The context is established first. Then a risk assessment is conducted. If this provides sufficient information to effectively determine the actions required to modify the risks to an acceptable level then the task is complete and the risk treatment follows. If the information is insufficient, another iteration of the risk assessment with revised context (e.g. risk evaluation criteria, risk acceptance criteria or impact criteria) will be conducted, possibly on limited parts of the total scope (see ISO/IEC 27005 - Figure 1 - Risk Decision Point 1 above). An iterative approach to conducting risk assessment can increase depth and detail of the assessment at each iteration. The iterative approach provides a good balance between minimizing the time and effort spent in identifying controls, while still ensuring that high risks are appropriately assessed.

The effectiveness of the risk treatment depends on the results of the risk assessment. It is possible that the risk treatment will not immediately lead to an acceptable level of residual risk. In this situation, another iteration of the risk assessment with changed context parameters (e.g. risk assessment, risk acceptance or impact criteria), if necessary, may be required, followed by further risk treatment (see Figure 1, Risk Decision Point 2).

Risk treatment options should be selected based on the outcome of the risk assessment, the expected cost for implementing these options and the expected benefits from these options.

ISO/IEC 27005 - Figure 2 - below illustrates the risk treatment activity within the information security risk management process as presented in Figure 1.

Figure 2: The risk treatment activity
When large reductions in risks may be obtained with relatively low expenditure, such options should be implemented. Further options for improvements may be uneconomic and judgement needs to be exercised as to whether they are justifiable.

In general, the adverse consequences of risks should be made as low as reasonably practicable and irrespective of any absolute criteria. Managers should consider rare but severe risks. In such cases, controls that are not justifiable on strictly economic grounds may need to be implemented (for example, business continuity controls considered to cover specific high risks).

The four options for risk treatment are not mutually exclusive. Sometimes the organization can benefit substantially by a combination of options such as reducing the likelihood of risks, reducing their consequences, and sharing or retaining any residual risks.

Some risk treatments can effectively address more than one risk (e.g. information security training and awareness). A risk treatment plan should be defined which clearly identifies the priority ordering in which individual risk treatments should be implemented and their timeframes. Priorities can be established using various techniques, including risk ranking and cost-benefit analysis. It is the organization's managers' responsibility to decide the balance between the costs of implementing controls and the budget assignment.

The identification of existing controls may determine that existing controls exceed current needs, in terms of cost comparisons, including maintenance. If removing redundant or unnecessary controls is considered (especially if the controls have high maintenance costs), information security and cost factors should be taken into account. Since controls may influence each other, removing redundant controls might reduce the overall security in place. In addition, it may be cheaper to leave redundant or unnecessary controls in place than to remove them.

Risk treatment options should be considered taking into account:
How risk is perceived by affected parties
The most appropriate ways to communicate to those parties

Context establishment provides information on legal and regulatory requirements with which the organization needs to comply. The risk to organizations is failure to comply and treatment options to limit this possibility should be implemented. All constraints - organizational, technical, structural etc. - that are identified during the context establishment activity should be taken into account during the risk treatment.

Once the risk treatment plan has been defined, residual risks need to be determined. This involves an update or re-iteration of the risk assessment, taking into account the expected effects of the proposed risk treatment. Should the residual risk still not meet the organization's risk acceptance criteria, a further iteration of risk treatment may be necessary before proceeding to risk acceptance. More information can be found in ISO/IEC 27002.

The risk acceptance activity has to ensure that residual risks are explicitly accepted by the managers of the organization. This is especially important in a situation where the implementation of controls is omitted or postponed, e.g. due to cost.

During the whole information security risk management process it is important that risks and their treatment are communicated to the appropriate managers and operational staff. Even before the treatment of the risks, information about identified risks can be very valuable to manage incidents and may help to reduce potential damage. Awareness by managers and staff of the risks, the nature of the controls in place to mitigate the risks and the areas of concern to the organization assist in dealing with incidents and unexpected events in the most effective manner. The detailed results of every activity of the information security risk management process and from the two risk decision points should be documented.

The information security risk management process can be iterative not only for risk assessment but also for risk treatment activities.

Information security risk management should contribute to the following:
Risks being identified
Risks being assessed in terms of their consequences to the business and the likelihood of their occurrence
The likelihood and consequences of these risks being communicated and understood
Priority order for risk treatment being established
Priority for actions to reduce risks occurring
Stakeholders being involved when risk management decisions are made and kept informed of the risk management status
Effectiveness of risk treatment monitoring
Risks and the risk management process being monitored and reviewed regularly
Information being captured to improve the risk management approach
Managers and staff being educated about the risks and the actions taken to mitigate them

The annexes of ISO/IEC 27005 include further information on areas such as context establishment, identification and valuation of assets and impact assessments, threats & vulnerabilities, and provide examples of information security risk assessment approaches and constraints for risk reduction.

This standard is currently subject to a minor revision in order to align the content with ISO 31000 on Risk Management.

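The risk treatment activity described above, worked through as an added example (code written for this page, not part of ISO/IEC 27005 or of the article): risks are scored on a constructed 4x4 likelihood x consequence scale, treatment options are ranked by cost-benefit (reduction of unacceptable risk per unit of cost) into a priority-ordered plan, residual risks are recomputed from the expected effects of the selected treatments, and any risk still above the acceptance criterion is reported as needing another iteration, which is the "no" branch at Risk Decision Point 2. The risk names, treatment options, costs, budget and the scoring scale are all assumptions.

```python
"""Risk treatment planning in the style of the ISO/IEC 27005 activity above.

Added example, not code from ISO/IEC 27005 or from the article. The 4x4
likelihood x consequence scoring, the risk names, the treatment options and
their costs are constructed illustrations, not values from the standard.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int   # 1 (unimaginable) .. 4 (sure, short-term); assumed scale
    consequence: int  # 1 (negligible) .. 4 (catastrophic); assumed scale

    @property
    def level(self) -> int:
        return self.likelihood * self.consequence


@dataclass
class Treatment:
    name: str
    cost: float                        # constructed cost units
    # risk name -> (likelihood reduction, consequence reduction); one
    # treatment may address several risks, as the text notes for training.
    effects: dict[str, tuple[int, int]]


def residual_risk(risk: Risk, treatments: list[Treatment]) -> Risk:
    """Apply the expected effects of the selected treatments (never below 1)."""
    lik, con = risk.likelihood, risk.consequence
    for t in treatments:
        d_lik, d_con = t.effects.get(risk.name, (0, 0))
        lik, con = max(1, lik - d_lik), max(1, con - d_con)
    return Risk(risk.name, lik, con)


def plan_treatments(risks: list[Risk], options: list[Treatment],
                    acceptance_level: int, budget: float) -> dict:
    """Greedy cost-benefit ranking: repeatedly select the affordable option
    with the best reduction of unacceptable risk per unit of cost. Returns the
    plan in priority order and the residual risks that still fail the
    acceptance criterion (candidates for another iteration or for explicit
    acceptance by management)."""
    selected: list[Treatment] = []
    remaining = list(options)
    spent = 0.0
    while True:
        unacceptable = [r for r in risks
                        if residual_risk(r, selected).level > acceptance_level]
        if not unacceptable:
            break
        best, best_ratio = None, 0.0
        for opt in remaining:
            if spent + opt.cost > budget:
                continue
            reduction = sum(residual_risk(r, selected).level
                            - residual_risk(r, selected + [opt]).level
                            for r in unacceptable)
            ratio = reduction / opt.cost
            if ratio > best_ratio:
                best, best_ratio = opt, ratio
        if best is None:          # nothing affordable still reduces an unacceptable risk
            break
        selected.append(best)
        remaining.remove(best)
        spent += best.cost
    residuals = {r.name: residual_risk(r, selected).level for r in risks}
    return {
        "plan": [t.name for t in selected],
        "spent": spent,
        "residual": residuals,
        "needs_iteration": [n for n, lvl in residuals.items() if lvl > acceptance_level],
    }


# Constructed sample input: four risks and five candidate treatments.
RISKS = [
    Risk("laptop theft", 3, 3),
    Risk("phishing", 4, 2),
    Risk("web app injection", 2, 4),
    Risk("datacentre fire", 1, 4),
]
OPTIONS = [
    Treatment("disk encryption", 20, {"laptop theft": (0, 2)}),
    Treatment("awareness training", 15, {"phishing": (1, 0), "laptop theft": (1, 0)}),
    Treatment("multi-factor auth", 30, {"phishing": (0, 1)}),
    Treatment("code review and WAF", 40, {"web app injection": (1, 1)}),
    Treatment("continuity plan", 60, {"datacentre fire": (0, 2)}),
]


def example_plan() -> dict:
    """Risk levels of 4 or less are accepted; budget of 100 constructed units."""
    return plan_treatments(RISKS, OPTIONS, acceptance_level=4, budget=100)


if __name__ == "__main__":
    print(example_plan())
```

With this input the training option ranks first because it reduces two risks at once, and the plan stops with "phishing" still at level 6: the budget no longer covers the option that would treat it, so the result goes back to the risk decision point, where management either revises the criteria or budget or explicitly accepts the residual risk.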
Could maturity help risk management?
Towards a step by step information security risk management improvement
Matthieu GRALL, ISO/JTC1/SC27/WG1 & WG5 member, ISO/IEC 27001 co-editor.

Introduction
Information security risk management has been defined by ISO/JTC1/SC27/WG1 in [ISO 27005]. Its activities are described as sub-processes:
context establishment,
information security risk assessment,
information security risk treatment,
information security risk acceptance,
information security risk communication,
information security risk monitoring and review.
These activities rely on the management process and deal with all primary assets (information and business processes) and all supporting assets (systems, organizations, sites...).
But not everyone is able to implement it, because their maturity is not high enough. They need practical tools or consultancy services.

ISO/JTC1/SC27/WG3 has published [ISO 21827]. It describes a capability and maturity model (SSE-CMM), which defines "cumulative" capability levels. Each of them represents the way an organization performs, controls, maintains and monitors a process. Achieving a level assumes that the previous one has already been reached:
level 1 - Performed informally,
level 2 - Planned and tracked,
level 3 - Well defined,
level 4 - Quantitatively controlled,
level 5 - Continuously improving.
This model could easily be applied to each process involved in an information security management system (ISMS), defined in [ISO 27001]. Concerning risk management, many of the SSE-CMM process areas are involved (PA02 Assess Impact, PA03 Assess Security Risk, PA04 Assess Threat, PA05 Assess Vulnerability...).
But these processes are not fully compliant with those defined in [ISO 27005]. Moreover, [ISO 21827] doesn't explain how to reach each level, nor whether the highest level is required.
So, why not use these concepts in order to improve risk management with a practical step by step approach?

The principle is the following: information security has to be managed in line with the organization's stakes. Low stakes do not require information security to be managed as rigorously as high ones. This statement, seemingly simple, is a challenge if you want to answer simply, without huge investments.
Inspired by [ISO 21827], the approach uses pragmatic questions. It aims at quickly identifying stakes, measuring the gap between what should be done and what is done, and explaining the actions to be implemented to manage information security properly.

What is the appropriate level?
Question: Do I really need to reach the highest maturity level to make risk management?
Answer: Maybe you don't even need to reach the highest level. It depends on the stakes you face. The higher they are, the higher your maturity level should be.

Knowing the adequate capability level is the first stage of the approach. This should be conducted by the authority in charge of the ISMS. The "right" capability level for risk management is not the highest, but the appropriate level in terms of operational requirements and threats to the information system.

The stakes are related to the global level of risk. They can be assessed with a short questionnaire which addresses:
- the consequences, based on the potential impacts of information security risks,
- the likelihood, based on the threat sources' capabilities and the level of vulnerability.

Consequences assessment
What could happen if availability, integrity or confidentiality of some of the primary assets (information and business processes) is lost? Use the following table to get the worst level of consequences of information security risks (the example is shown in bold on grey in the original; in the table below it is marked with *):

Level of consequences, by impact column: Impacts on business (mission, decision-making abilities...); Human impacts (safety, social ties...); Impacts on assets (financial, image...); Other impacts (legal, non-compliance, environment...).

1. Negligible
   Impacts on business: activity disrupted for a very short period of time
   Human impacts: a person was nearly injured, or minor personal dissatisfaction *
   Impacts on assets: very low financial loss or negative word of mouth
   Other impacts: threats of legal prosecution, no action *

2. Significant *
   Impacts on business: activity disrupted, or inability to make decisions for one day *
   Human impacts: injury to a person, or major personal dissatisfaction
   Impacts on assets: loss of less than 15% of sales, or negative buzz marketing *
   Other impacts: legal prosecution and fine, or non-compliance to an internal standard

3. Important
   Impacts on business: activity disrupted or stopped, or inability to make decisions, for a few days
   Human impacts: a person was nearly killed, or minor strike
   Impacts on assets: loss of 15-30% of sales or mention in a media
   Other impacts: legal prosecution and sentence for an offense, or non-compliance to an external standard, or minor environmental damage

4. Catastrophic
   Impacts on business: activity stopped, or inability to make decisions, for more than a week
   Human impacts: death of one or more persons, or major strike
   Impacts on assets: loss greater than 30% of sales or article in the press
   Other impacts: legal prosecution and sentence for a crime, or non-compliance to a legal standard, or major environmental damage

(* marks the example answers; the worst of them gives level 2, Significant.)

Likelihood assessment
How important is the threat sources' [1] capacity [2]? Use the following list to choose the most appropriate level of threat sources' capacity (the example answer is marked *):
1. Negligible capacity
2. Low capacity
3. Substantial capacity *
4. Unlimited capacity

How important are the supporting assets' vulnerabilities (intrinsic properties which can be exploited by threat sources)? Use the following list to choose the most appropriate level of vulnerability of the information system (the example answer is marked *):
1. Closed, simple and stable
2. Not totally closed, simple or stable
3. Relatively open (interconnected), complex and changing *
4. Widely open, complex and changing

How possible is a risk? Use the following table to get the likelihood of information security risks (rows: threat sources' capacity; columns: vulnerability; the example cell is marked *):

Threat sources' capacity 4 | 2. Possible     | 4. Sure, short-term      | 4. Sure, short-term        | 4. Sure, short-term
Threat sources' capacity 3 | 2. Possible     | 3. Sure, not immediately | 3. Sure, not immediately * | 4. Sure, short-term
Threat sources' capacity 2 | 1. Unimaginable | 2. Possible              | 3. Sure, not immediately   | 4. Sure, short-term
Threat sources' capacity 1 | 1. Unimaginable | 1. Unimaginable          | 2. Possible                | 2. Possible
Vulnerability              | 1               | 2                        | 3                          | 4

[1] Things, persons or organizations that could be at the origin of a threat.
[2] Skills, time, money, closeness to the information system, attractiveness of assets.

From the global risk assessment to the appropriate level
What is the appropriate capability level? Use the following table to get the appropriate level, depending on the global level of risk (rows: consequences; columns: likelihood; the example cell is marked *):

Consequences 4 | 3. Well defined          | 4. Quantitatively controlled | 5. Continuously improving    | 5. Continuously improving
Consequences 3 | 2. Planned and tracked   | 3. Well defined              | 4. Quantitatively controlled | 5. Continuously improving
Consequences 2 | 1. Performed informally  | 2. Planned and tracked       | 3. Well defined *            | 4. Quantitatively controlled
Consequences 1 | 1. Performed informally  | 1. Performed informally      | 2. Planned and tracked       | 3. Well defined
Likelihood     | 1                        | 2                            | 3                            | 4

What is the actual level?
Question: We have been told that we should "implement" [ISO 27005]. But we have lost a lot of time and money, trying to reorganize steps and to create practical tools, without success! Is this a problem of maturity?
Answer: It is a problem of understanding of what standards are: the generic risk management process is described in [ISO 31000], and information security specific recommendations for risk management are given in [ISO 27005], which is absolutely and hopefully not a method. It describes a process, not procedures. So, it is quite obvious that you can't "implement" it. Many practical, organized and coherent methods exist to do that, such as [EBIOS] (France), [CRAMM] (UK), [ITBPM] (Germany), [MAGERIT] (Spain), [AS-NZS 4360] (Australia and New Zealand).

Estimation of the actual capability level can get a "snapshot" of the level actually achieved. This should be conducted by the information security risk management process owner. He has to identify the level which fits the way it is actually done. His responses reflect his perception of how it is currently managed. If all points of the description are not met, then the level is not reached.

Use the following table to estimate the actual capability level:

Requirements for achieving a level | Done

Capability level 1 - Informal practices: a few isolated actions
- Actions are performed by using basic practices. | Yes

Capability level 2 - Repeatable and followed practices: repeatable actions
- The actions are planned. | Yes
- The actions are performed by a person who has expertise in information security. | Yes
- Some practices are formalized, which allows copying and reuse (possibly by another person). | Yes
- Qualitative measurements are made (simple indicators for results). |
- The competent authorities are kept informed of such measures. | Yes

Capability level 3 - Defined process: the standardization of practices
- The actions are performed according to a defined process (e.g. adaptation to the context, use of a method), standardized (common to the entire organization) and formalized (existence of documentation). |
- Those carrying out such actions have appropriate expertise in the process. | Yes
- The organization supports the process and provides resources, tools and training necessary for its operation. | Yes
- The process is well understood both by management and by the performers. |

Capability level 4 - Controlled process: the quantitative measurement
- The process is coordinated throughout the ISMS and for each execution. |
- Quantitative measurements are regularly performed (in terms of performance). |
- The measurements (qualitative and quantitative indicators) are analyzed. |
- Improvements are made to the process from the analysis of measurements. |

Capability level 5 - Optimized process: continuous improvement
- The process is dynamically adapted to the situation. |
- The analysis of measurements is defined, standardized and formalized. |
- The improvement process is defined, standardized and formalized. |
- The evolution of the process is logged. |

Level reached: Level 1

How to reach the appropriate level from the actual level?
Question: We are interested in information security risk management, but we don't feel ready for such a huge issue. How should we begin?
Answer: Indeed, you can't change everything in the organization from nothing. You should improve your maturity level step by step.

To improve the actual level for reaching the appropriate one, the organization will gradually have to change its practices.

The principle is to start from the lowest unachieved level, to plan and implement a series of actions, and then to repeat the operation to achieve the appropriate capability level. Indeed, the capability scale is cumulative. So, reaching a level requires prior achievement of the previous level.

Necessary actions have to be planned in order to ensure that the process meets the requirements of the targeted level (actions, persons in charge, deliverables, resources, schedule...). And the organization should provide a stable period of time between each step to give the process the ability to adapt to the new operation.

Thus, the actual capability level will gradually move up to converge with the appropriate level. This approach will achieve visible results and quick profits.
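The whole method (likelihood assessment, appropriate level, actual level and the step-by-step roadmap) carried through in code, as an added example written for this page and not taken from the article or from ISO/IEC 21827. The two matrices are transcribed from the article's tables; the checklist is abbreviated to one short label per requirement (the labels are my own), and the sample answers reproduce the worked example in the text (consequences 2, threat sources' capacity 3, vulnerability 3, level 1 reached). The "cumulative" rule is applied literally: a level counts only if it and every lower level are fully met, and the roadmap lists, level by level, just the requirements still missing.

```python
"""Step-by-step capability targeting as described in the article above.

Added example, not code from the article or from ISO/IEC 21827. The matrices
are transcribed from the article's tables; the requirement labels are my own
abbreviations of the article's checklist; the sample answers follow the
worked example in the text.
"""
from __future__ import annotations

LEVEL_NAMES = {1: "Performed informally", 2: "Planned and tracked",
               3: "Well defined", 4: "Quantitatively controlled",
               5: "Continuously improving"}

# LIKELIHOOD[threat_capacity][vulnerability] -> likelihood level 1..4
LIKELIHOOD = {
    4: {1: 2, 2: 4, 3: 4, 4: 4},
    3: {1: 2, 2: 3, 3: 3, 4: 4},
    2: {1: 1, 2: 2, 3: 3, 4: 4},
    1: {1: 1, 2: 1, 3: 2, 4: 2},
}
# APPROPRIATE[consequences][likelihood] -> appropriate capability level 1..5
APPROPRIATE = {
    4: {1: 3, 2: 4, 3: 5, 4: 5},
    3: {1: 2, 2: 3, 3: 4, 4: 5},
    2: {1: 1, 2: 2, 3: 3, 4: 4},
    1: {1: 1, 2: 1, 3: 2, 4: 3},
}
# Requirements per level, abbreviated from the article's checklist.
REQUIREMENTS = {
    1: ["basic practices performed"],
    2: ["actions planned", "performed by infosec expert",
        "practices formalized for reuse", "qualitative measurements made",
        "authorities informed of measures"],
    3: ["defined, standardized and formalized process",
        "performers have process expertise",
        "resources, tools and training provided",
        "process understood by management and performers"],
    4: ["process coordinated across the ISMS",
        "quantitative measurements performed", "measurements analyzed",
        "improvements made from analysis"],
    5: ["process dynamically adapted", "measurement analysis formalized",
        "improvement process formalized", "process evolution logged"],
}


def appropriate_level(consequences: int, threat_capacity: int, vulnerability: int) -> int:
    """Chain the two tables: (capacity, vulnerability) -> likelihood,
    then (consequences, likelihood) -> appropriate capability level."""
    for answer in (consequences, threat_capacity, vulnerability):
        if answer not in (1, 2, 3, 4):
            raise ValueError("each questionnaire answer must be a level from 1 to 4")
    likelihood = LIKELIHOOD[threat_capacity][vulnerability]
    return APPROPRIATE[consequences][likelihood]


def actual_level(done: set[str]) -> int:
    """Cumulative scale: a level is reached only if all of its requirements
    and all requirements of every lower level are met. 0 means none reached."""
    reached = 0
    for level in range(1, 6):
        if all(req in done for req in REQUIREMENTS[level]):
            reached = level
        else:
            break
    return reached


def roadmap(consequences: int, threat_capacity: int, vulnerability: int,
            done: set[str]) -> dict:
    """Gap between actual and appropriate level, as an ordered list of
    (level, missing requirements) starting from the lowest unachieved level."""
    target = appropriate_level(consequences, threat_capacity, vulnerability)
    actual = actual_level(done)
    steps = [(level, [r for r in REQUIREMENTS[level] if r not in done])
             for level in range(actual + 1, target + 1)]
    return {"target": target, "target_name": LEVEL_NAMES[target],
            "actual": actual, "steps": steps}


# Constructed sample answers matching the checklist ticks in the article.
EXAMPLE_ANSWERS = frozenset({
    "basic practices performed",
    "actions planned", "performed by infosec expert",
    "practices formalized for reuse", "authorities informed of measures",
    "performers have process expertise", "resources, tools and training provided",
})


if __name__ == "__main__":
    plan = roadmap(2, 3, 3, EXAMPLE_ANSWERS)
    print(f"appropriate level {plan['target']} ({plan['target_name']}), actual level {plan['actual']}")
    for level, missing in plan["steps"]:
        print(f"  level {level} ({LEVEL_NAMES[level]}): {missing}")
```

Note that the level 3 items already ticked in the checklist (process expertise, resources and training) do not raise the actual level while the level 2 measurement requirement is missing; they only shorten the level 3 step once level 2 is complete, which is exactly the "lowest unachieved level first" principle stated above.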
Conclusion
This cost-effective method helps to define, simply and quickly, necessary and sufficient practices for information security risk management. In addition, the ease of positioning and the benchmarking approach make it a marketing tool, perfectly suited for communication with CEOs, senior management, CISOs, and those with an interest in implementing, using and auditing against the SC27 standards. Finally, the approach provides the basic elements for the development of a strategic plan or an information security policy, the establishment of an ISMS, and the integration of information security into the projects.

This article shows that, in the future, [ISO 21827] should be perfectly aligned with [ISO 27001] and [ISO 27005], even if the two standards are not managed by the same working group in SC 27 (WG1 and WG3). The relation between ISMS requirements and process areas described in [ISO 21827] should also be explained, in order to improve the global information security governance.
References
[AS-NZS 4360] AS/NZS 4360 - Risk Management, Australian/New Zealand Standard (2004).
[CRAMM] CCTA Risk Analysis and Management Method, version 5, Siemens.
[EBIOS] Expression des Besoins et Identification des Objectifs de Sécurité, Agence nationale de la sécurité des systèmes d'information (2010).
[ISO 21827] ISO/IEC 21827:2008 - Information technology - Systems Security Engineering - Capability Maturity Model (SSE-CMM).
[ISO 27001] ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements.
[ISO 27005] ISO/IEC 27005:2008 - Information technology - Security techniques - Information security risk management.
[ISO 31000] ISO 31000:2009 - Risk management - Principles and guidelines.
[ITBPM] BSI-Standard 100-3: Risk Analysis based on IT-Grundschutz, Bundesamt für Sicherheit in der Informationstechnik (2008).
[MAGERIT] Metodología de Análisis y Gestión de Riesgos de los Sistemas de Información, version 2, Ministerio de administraciones públicas (2006).

Father of ISMS Standards [3]
(BS 7799-1 -> ISO/IEC 27002 & BS 7799-2 -> ISO/IEC 27001)
James Butler-Stewart [4]

The two best selling and successful standards on information security that ISO/IEC has ever published are ISO/IEC 27001 and ISO/IEC 27002. This article explains the history of events that led to this remarkable international success story and of the one man, Edward (Ted) Humphreys, 'the father of ISMS' [5], who has not only been involved in this process and as author of the standards and accreditation criteria, but from the very start has also been both a UK and international ambassador for the promotion of these standards. In his own words, 'ISO/IEC 27001 and ISO/IEC 27002 represent a common language for organisations to show they are fit-for-purpose to do their own business securely and also to securely trade with others'. He also advocated that 'the ISMS standards ISO/IEC 27001 and ISO/IEC 27002 (and previously BS 7799-1 and BS 7799-2) are a journey not a destination', by which he meant that they will continue to evolve along a path traced by evolving business needs - the standards will always be the 'state-of-the-art' best practice for protecting against today's and tomorrow's threat environment.

The evidence of the success of these standards is to be seen everywhere around the globe, for example hi-tech industries in Japan, high-finance in Europe, the Middle East and the Far East, national utilities, international telecoms, supply chains, outsourcing companies, international ports authorities, heavy and light manufacturing industry, through to tin mines in South America and managing souqs in the Middle East, in fact almost all business sectors, as well as being implemented by governments, research organisations and institutions and charities. All those companies that have been enlightened by the fact that business profits are linked to how well they protect their critical assets have taken to adopting ISO/IEC 27001 and ISO/IEC 27002. In fact ISO/IEC 27001 has become the 'common language and benchmark' for business security.

[3] This is an extended summary of the longer 50 page article titled The Father of ISMS Standards published in March, 2009. The information for this article has been kindly donated by various government sources in the UK and across the globe, from accreditation and certification bodies, from national standards bodies and standards developers, and from ISMS users.
[4] Independent consultant in the field of information security and standards. Roles have included advisor to UK government, UN working parties, European Commission, OECD and international chambers of commerce.
[5] In this article Ted Humphreys, the father of ISMS and pater ISMS will be used interchangeably.

The full story has its good times and its bad times. The good times were the series of successful events due in part to the significant breakthroughs that were made along the way as well as the various honours and industry awards that were bestowed on 'the father of ISMS'. The bad times included the refusal of the ISO community to recognise the importance of ISMS standards, as was demonstrated in the disapproval of BS 7799-1 in 1996. Some well-known organisations and their CEOs in the USA and Europe, associated with corporate security user groups, said things such as 'the ISO security community is not yet mature enough to get to grips with the requirements of modern business needs for information security and that it would probably take at least another 5 years for them to catch up and see the light' [6] and 'the UK has produced a winner of a standard which many corporations need - it is a shame that ISO security experts are so far behind the times and have taken a 'not invented here' attitude depriving business of what they need' [7]. These seem awful indictments to make, but the fact is that it was not until 2000 that ISO partially succeeded in recognising the importance of ISMS, whilst businesses worldwide were crying out for these standards - the market could not get enough of ISMS standards. I have referred to many breakthroughs, which shaped the philosophy and paradigms for ISMS security as we know it today. Here are some that 'the father of ISMS' succeeded in developing and introducing: (i) the notion of risk management as a critical element in establishing and maintaining an ISMS, (ii) the process paradigm, (iii) the criteria for accreditation of bodies that could undertake ISMS audits and (iv) international certification.

What follows are the highlights of the various stages of ISMS standards and certification development. The full article mentioned in the footnote gives a detailed narrative of these stages.

Let's Start at the Beginning (late 80s)
We need to go back to the late 1980s to trace one of the sources of this development. So let's start with the I-4 (International Information Integrity Institute), a 'club' of multi-client organisations from around the world, which met at the SRI (Stanford Research Institute) offices based at the University of California, Stanford. This 'club', established by the internationally recognised

[6] Mark Johnson, CEO of one of the top 100 companies in the USA, speaking at a corporate USA conference in Florida in 1997.
[7] John Nightingale, Director of Corporate Security, speaking at an industry-wide US hearing in Washington, May 1997. Both these statements (1) and (5) are from a collection of over 100 such statements expressing disappointment at ISO.

security guru Donn Parker, in 1985, was an influential force of preeminent information security expertise from around the world, which met to discuss and progress many significant ideas on information security as well as researching these ideas for the benefit of multi-client organisations. One of the ideas that I-4 did research on was that of 'baseline controls'. This involved engaging organisations around the world to consider which security controls they currently deployed that provided a baseline of protection across their business activities. Once I-4 received feedback from these organisations they published a report of those baseline controls that were common to all organisations. Ted Humphreys (working at BT in the UK at the time) and Clive Blatchford (from ICL, UK), as well as representatives from Royal Dutch Shell (The Netherlands), were the main European players in this development. European contributions to this work were quite significant, especially the work of Ted Humphreys, whose vision of a UK standard in this area started to be formulated at this time. Other players active in this work were many leading companies and banks in the USA who also added many significant contributions on what corporations and multi-client organisations need to manage their businesses.

After this I-4 development the topic of 'baseline security controls' became fashionable amongst multinational organisations as well as a number of government departments in the USA, Netherlands and UK (DTI) who took on board similar ideas. The I-4 work together with the support and enthusiasm of the DTI and many UK experts was the driver that spurred Ted Humphreys, pater ISMS, on to author ISMS standards, many parts of the ISMS meta-standards infrastructure, and to achieve what we have today: the ISO/IEC 2700x family of standards and international certification practice.

The Formative Years (1990-1995)
After this I-4 development pater ISMS came back to the UK, went into action, and one thing led to another and the ISMS standards work started to grow and flourish.

DTI made a recommendation: "It is recommended that an accreditation procedure for IT security (similar to the existing ISO 9001 Quality Assurance Standard) is prepared and developed. This will define a baseline set of security standards and will include independent audit of an organisation's security with certification of its trustworthiness." This recommendation addresses two issues: the need for BS 7799-like standards as well as the need for Common Criteria type standards.

The ISMS Years (1995-1999)

Another activity in this period was the development of a UK accreditation standard specifying the accreditation requirements for bodies operating assessment and certification/registration of organizations' ISMSs based on BS 7799-2. This standard was developed by Ted Humphreys under contract to DTI and working with Roger Brockway (UKAS), and was then used by UKAS to accredit certification bodies in the UK and other parts of the world - 20 accredited certification bodies by the end of 2000. Today this number has increased to 105, involving many more national accreditation bodies from Europe, North America, Australia and Asia. This UKAS accreditation standard was then published by EA, the European body responsible for accreditation standards, as EA 7/03, and this then made its way into ISO/IEC in 2006 and became ISO/IEC 27006. In addition, this time under contract to IRCA, Ted Humphreys developed the scheme for certificated ISMS auditors.
ISMS User Groups and the ISO Certificate Register (1998-2010)
Once BS 7799-1 and BS 7799-2 were gaining in popularity, not only in the UK but around the globe, it was soon realised that it would be beneficial to establish an international ISMS User Group. With the support of the DTI, Ted Humphreys founded such a group in 1998 and at the same time established an on-line Register of ISMS certificates, both of which are still in operation today. The international ISMS User Group grew rapidly and today there are local Chapters established in countries such as Australia, Brazil, France, Germany, India, Italy, Japan, Spain, Sweden and many other parts of the world. Likewise the Register of ISMS certificates grew in popularity and provided a focus for many organisations to go toward certification. The Register of ISMS certificates today can be found at www.iso27001certifcates.com.
The International Years (2000-2010)
In 2000, Ted Humphreys, the Chair of the UK shadow-committee of ISO/IEC JTC1/SC27 IST33, achieved consensus to resubmit BS 7799-1 into ISO. This led to the acceptance of BS 7799-1 as ISO/IEC 17799 pending an earlier revision, which subsequently resulted in a revised version being published in 2005. Also in 2005, BSI, on behalf of the UK shadow-committee of ISO/IEC JTC1/SC27 IST33, submitted BS 7799-2. At the same time, in 2005, we had the first introduction by the SC27 WG1 convenor (Ted Humphreys) of the 2700x series, by numbering BS 7799-2 as ISO/IEC 27001, to be followed in later years by the renumbering of ISO/IEC 17799 as ISO/IEC 27002 and his subsequent launching of the ISO/IEC 27000-27005 family. Finally, in 2007 Ted Humphreys introduced EA 7/03 into WG1, which then became ISO/IEC 27006.
The Cast of UK Actors (1990-2010)
In addition to 'the father of ISMS standards' there have been many important players that have worked with and alongside him in his standards working panels, all of which have played a role in this story (this is not an exhaustive list):
Standards and certification

Policy and user requirements: Mike Jones, Nigel Hickson, Geoff Smith, Trudi Sharp, Fatima Madhvi and Pauline Tardoff (DTI), Roger Brockway, Roger Stillman and Jane Beaumont (UKAS), Dennis Willetts (BT), Richard Winsborrow (Sema Group and UKA), Simon Leary (IRCA), John Woulds (Data Protection Registrar circa 2000), Steve Thomas (Head of APACS Security), Chris Sundt (ICL, Chairman of CBI Information Security Panel, BCS ISB), Brian Spence (ABI), John Ivinson (BCS)

Standards (and certification*): Steve Hill* (Logica), David Lacey (Shell), Dennis Willetts (BT), Geoff Hayes (TSB), Steve Jones (M&S), John Ivinson (BCS), Chris Pooley (ABI), Rob Moulton (Unilever), Richard Winsborrow (Sema Group and UKA), Steve Pomfrett (Nationwide), John Court (Institute of Chartered Accountants), William List* (Chairman of BCS Security), William Whittaker (Lloyds TSB), Maurice Blackman* (DNV), Geoff Brooks* (LRQA), Keith Blackmore* and Ray Rutherford* (BSI Certification), Martin Hogg, Robert Temple and Ian Dean (BT), David Brewer (Gamma), Dick Price, Robert Coles (KPMG), Lesley Roberts (ABI and KPMG), Steve Mathews, Cliff Vaus (CBI), Warren Greaves, Peter Kestell and David Brooks (BSI), Keith Osborne (ICL), Steve Kirk (London Clearing House), Andy Smith, Angelika Plate (Germany) and many others.

ISO Management Systems January-February 2009 33
Visiting Professor Edward Humphreys (FH University of Applied Science, Hagenberg, Upper Austria) is Convenor of ISO/IEC JTC 1, Information technology, subcommittee SC 27, IT security techniques, working group WG 1, Information security management systems. E-mail edwardj7@msn.com
Case studies show value of ISO/IEC 27001 conformity

These testimonials show how three diverse organizations have benefited from implementation and certification of ISO/IEC 27001 information security management systems: a gas processing group in Abu Dhabi, a Norwegian state-owned gaming organization, and India's largest public sector energy infrastructure company.

by Edward Humphreys
Organizations today are required to conform or comply with many different laws and regulations, industry norms and practices, internal auditing standards and matters of corporate governance.

ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, has become the benchmark for most information security management system (ISMS) standards and the International Standard for achieving compliance with such requirements. This is because the standard is flexible enough to meet the needs of small, medium-sized and large organizations, with applicability to all business sectors, governments, academic and charitable institutions (see Figure 1, overleaf).

The International Standard is ideally suited to meet the needs of information security governance, a key aspect of corporate governance that protects an organization's information assets (see Figure 2).

The following are three of many case studies of organizations that have certified to ISO/IEC 27001. (See also article "Some 4 500 organizations implement ISO/IEC 27001 for information security", ISO Management Systems, July-August 2008).

Figure 1 ISO/IEC 27001: a flexible benchmark for information management.
Figure 2 ISO/IEC 27001: ideally suited to meet information security governance needs.

GASCO headquarters in Abu Dhabi. Web www.gasco.ae

ISO Management Systems, www.iso.org/ims
1 GASCO, Abu Dhabi Gas Industries Ltd. - ISO/IEC 27001: The ideal way forward
by Adel Salem Alkaff, IT Division Manager, GASCO

During the summer of 2008, the IT Division of Abu Dhabi Gas Industries Ltd (GASCO) became the first oil and gas company division in the United Arab Emirates to be certified in accordance with ISO/IEC 27001.

The certification was achieved with senior management support, under the leadership of General Manager Mr. Mohammed Sahoo Al Suwaidi, covering implementation of state-of-the-art information security tools.

At GASCO, we search for best practices to maintain market leadership, as part of our policy of continual improvement. The increasing need for information exchange and IT, particularly in a climate of threats and vulnerabilities in the sector, underlined the importance of information security management. Since ISO/IEC 27001 is the only globally recognized ISMS standard, and as GASCO is implementing a range of management system standards, certification was the ideal way forward.

External attacks
Over time, we noticed external attacks on the network, internal user errors and a lack of awareness of information security among employees. The company responded by building a qualified information security team to implement incident management, user awareness campaigns, and support best practice standards, such as ISO/IEC 27001 and the Information Technology Infrastructure Library (ITIL).

Even though implementing and maintaining an ISMS requires considerable dedication, the system has full management support at GASCO, and we plan further extensions to the scope of the certification.

[Figures 1 and 2, diagram text recovered from the page: Risk management; Audit; Implementing a system of controls; Information security risk management; Implementing a system of security controls; ISMS audits (internal and external); "ISO/IEC 27001 and compliance": Business policy, strategy and objectives; Governance (corporate); ISO/IEC 27001 (information security governance); Audit and certification requirements and standards; Governance regulations; Contractual obligations; Laws.]

About GASCO
Abu Dhabi Gas Industries Ltd (GASCO) processes natural and associated gas from onshore oil operations in the Emirate of Abu Dhabi. The company was incorporated in 1978 as a joint venture between Abu Dhabi National Oil Company (ADNOC) (68 % shareholding), Shell and Total (15 % each) and Partex (2 %).

GASCO was established following the directive of His Highness the late Sheikh Zayed bin Sultan Al Nahyan, President of the United Arab Emirates and Ruler of Abu Dhabi, to utilise Abu Dhabi's significant gas resources, which are converted into a wide range of domestic products exported worldwide.
Enhanced awareness
Implementing ISO/IEC 27001 has led to enhanced information security awareness among employees, improved security operation efficiency, and has helped increase understanding of the need for continual improvement.

Our company is now seen as the leader in information security within the Abu Dhabi National Oil Company Group (ADNOC). In addition, going through the certification process helped us establish useful international contacts with our certification body Lloyd's Register Quality Assurance Ltd. (LRQA), and with leading ISMS consultancies around the world.
2 Norsk Tipping AS - Don't gamble with information security

by Hilde Grunt, Security Advisor, Norsk Tipping

ISO/IEC 27001-certified Norsk Tipping is Norway's leading gaming company and member of the World Lottery Association.
State-owned Norsk Tipping, Norway's leading gaming company and member of the World Lottery Association (WLA), was certified according to ISO/IEC 27001 in 2008, some 11 years after gaining certification to the Intertoto Security Control Standard (a WLA predecessor).

The objective of that earlier certification was to enable members to achieve a common security standard, and provide an approved security framework for those who wished to participate in international lotteries. WLA certification is now a prerequisite for participating in the Viking Lotto, a pan-Nordic numbers game. In 1997, Norsk Tipping became the first organization to be certified according to this standard.

Since 1995, the WLA Security Control Standard has been continuously revised by the WLA Security and Risk Management Committee. However, ISO/IEC 27001 has now been added to the general information security controls of the WLA standard.

The lottery specific controls relating to lottery draws, instant tickets, handling of prize money, etc., remained unchanged from the old WLA standard. Now, to gain WLA certification, the lottery or gaming company has to conform to both ISO/IEC 27001 and the lottery specific requirements.
Major change
Inclusion of ISO/IEC 27001 was a major change. The previous WLA standard was an industry standard, and the WLA Security and Risk Management Committee identified the controls needed to deal with lottery risks. Any lottery or gaming company seeking certification had to comply with all the controls in the standard. Compared to ISO/IEC 27001, the industry's former ISMS requirements were much more simplistic. Preparation for certification demanded a new approach and a thorough revision of Norsk Tipping's ISMS.

Axel Krogvig, President and CEO of Norsk Tipping, says that ISO/IEC 27001 certification represents a good quality assurance when the objective is to implement a management system to ensure that the company's information security risk is maintained at a defined and acceptable level.

Annual safeguard
"ISO/IEC 27001 certification is an indicator that we are on the right track, and the annual audit is a safeguard to keep us focused throughout the year." Mr. Krogvig emphasizes the importance of maintaining certification as the means of achieving the company's objectives, and not that certification becomes an objective in itself.

"There is always a danger that implementing a standard will cause unnecessary bureaucracy and not bring substantial benefit to the organization. More than giving value, the standard can lead a life of its own, justifying any measures needed to keep the certificate hanging on the wall. One must remain focused on the objectives and implement an ISMS that helps the processes to run smoothly and efficiently," says Mr. Krogvig.

Benefits
According to Senior Vice President ICT, Trond Karlsen, ISO/IEC 27001 certification has given Norsk Tipping a common information security language, and this has created a new security awareness throughout the organization.

Different departments, such as ICT, sales and security, now have a common understanding of risk management and refer to the same framework of controls. However, the standard can be a challenge to implement since it is necessary to coordinate ISO/IEC 27001 requirements with numerous other management system requirements confronting the company.

Among other benefits, Mr. Karlsen says the standard provides a structured approach to ISMS development and associated controls and documentation. The fact that it is an open standard also allows comparison with other certified companies, regardless of type of business.
Middle management cite periodic audits performed by an accredited body as a principal benefit of ISO/IEC 27001 certification. The discipline of a third party check on whether we do as we say reminds us not to postpone or forget tasks critical to the core business processes amid the distractions of the daily routine.

Another significant benefit mentioned by middle managers is the ISO/IEC 27001 requirement for management to ensure that security is incorporated in the general management processes.

In summary, we believe the key benefit of ISO/IEC 27001 certification is the implementation of an ISMS that prevents information security existing solely in the ICT and security departments, by utilizing external reviews as company-wide quality assurance.

Without doubt, ISO/IEC 27001 implementation has enabled us to integrate information security management into managing Norsk Tipping in a way that ensures our business objectives can be met at a defined and agreed level of information security risk.

About Norsk Tipping
Norsk Tipping, Norway's leading gaming company, is wholly owned by the Norwegian State. Profits are divided equally between the nation's sports and culture sectors. Norsk Tipping is a member of the World Lottery Association (WLA), a global professional association of state lottery and gaming organizations from 76 countries and five continents aimed at advancing the interests of state-authorized lotteries.

Hilde Grunt is responsible for ISMS audits, security awareness and training. She is also Privacy Ombudsman in accordance with the Personal Data Act. She has been active in the revisions and development of the WLA Security Control Standards. Web www.norsk-tipping.no

Headquarters of ISO/IEC 27001-certified Norsk Tipping in Hamar, Norway.
3 Bharat Heavy Electricals Limited - A role model for information security management in India

by Arvind Kumar, Director, Standardization, Testing and Quality Certification Directorate, Department of Information Technology, Government of India. E-mail arvind@mit.gov.in

Bharat Heavy Electricals Limited (BHEL), India's largest energy infrastructure engineering and manufacturing enterprise, is the first Indian public sector organization to have achieved the distinction of ISO/IEC 27001 certification.

The organization was audited and certified by the Standardization, Testing and Quality Certification (STQC) Directorate, part of the Department of Information Technology of the Ministry of Communication and Information Technology at the Government of India.

STQC has received international recognition of its ISMS certification scheme following accreditation by the Dutch Council for Accreditation (Raad voor Accreditatie, RvA), and is the first Indian accredited certification body in the country, and outside the United Kingdom and Netherlands, to have done so.

BHEL generates, transmits and maintains a huge amount of design, engineering and manufacturing data both in electronic form and on paper. With the entrenchment of IT in core business processes, more and more of that data is now stored on electronic media during the entire information lifecycle.

Since this information is the lifeline of BHEL's entire business operations, its availability, confidentiality and integrity are critical for the survival of the company.

Threats and vulnerabilities
Extranet connectivity provides communication outside the organization and vice-versa, enabling BHEL to talk with suppliers, partners, vendors and customers, and importantly, connecting back into legacy systems where critical corporate information lies.

Information security had always been important, but it was not given a particularly high priority because there had been no serious security incidents. However, threats and vulnerabilities have increased with extranet connectivity.
BHEL top management became aware of the need to enhance information security, and the challenge of implementing an ISMS was assigned to its IT fraternity. Corporate information technology was the driver for corporation-wide implementation.

The information technology network at BHEL consists of strong IT groups at all major locations. These groups oversee the local IT infrastructure and work to meet all the IT needs of their parent units. The corporate group looks after corporate office IT requirements and also provides direction to the company's entire IT infrastructure.

About BHEL
M/S Bharat Heavy Electricals Limited (BHEL) is the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure sector with a network of 14 manufacturing divisions, four power sector regional centres, over 100 project sites, eight service centres and 18 regional.

The company manufactures over 180 products under 30 major product groups and caters to the core power generation and transmission, industry, transportation, telecommunication and renewable energy sectors of the Indian economy.

Headquarters of ISO/IEC 27001-certified Bharat Heavy Electricals Limited in New Delhi, India. Web www.bhel.com
Internal capability building
Since BHEL aspired to a fairly high level of maturity for information security, the company considered the merits of employing the services of an external partner to guide it through the initial phase of ISMS implementation.

BHEL selected the IT services of STQC, since we were well known for providing professional training and services in information security. STQC was required to train BHEL personnel in the different aspects of information security (network and system security, and ISMS) and also to help in building up the capability needed to implement an ISMS.

The management decided that, although those external services were required at the outset, the company should build its own internal capabilities for the entire ISMS implementation process. They felt that internal resources should be developed because information security implementation is not a once-only event, but a continuous process. Requirements change along with changes in technology and business needs. This internal capability building proved to be a major boost to its ISMS implementation.
Starting point
BHEL's operations extend over the entire country, with function and practice differing from one location to another. As such, it was clear that BHEL could not apply for corporate certification, and that the whole company could not be covered as a single entity.

Since most of the information is generated by the manufacturing units and power sector regions, it was in those areas that we decided to implement the ISMS first. Fourteen major locations were identified and divided into two phases of seven each. The best practices of each unit were identified, and an information security policy was formulated and issued at corporate level.
Successful implementation
From STQC guidance and internal meetings, the following requirements for successful ISMS implementation were developed:

- Gaining top management involvement at the units by setting up a structured network of committees and sub-committees. This was necessary to achieve full awareness of requirements and resources. Clearly, no organization-wide initiative can succeed without the involvement of senior managers.

- Developing employee awareness of their role in information security through education. Ease-of-use versus security is an ongoing security issue for many organizations. It is a balancing act between what the user community wants, and the security policy. Security is only as strong as the weakest link, and the full involvement of employees in the process is essential.

With that aim, specialized training of key personnel was provided at all locations identified for ISMS implementation, covering network and system security, security processes and management, and security audits.
Security forum
BHEL decided to organize a Corporate Information System Security Forum with its Corporate Information System Security Officer (CISSO) as chairman. An Information System Security Officer (ISSO) was identified for each location. All ISSOs are members of the Corporate Information Security Forum. The CISSO's role is to maintain and review information security policy and provide guidance for its implementation.

While the company needed common documentation, differences in local practice were accommodated in customized versions to meet local needs. Hence, BHEL decided to have five levels of documentation. The top level document, setting out the ISMS policy, was finalized jointly with unit IT heads, approved by the Chairman and Managing Director and issued as the corporate information system security policy. This was applicable to the entire organization without modification.

The other four levels (ISMS Manual, ISMS Policies and Guidelines, ISMS Procedures and ISMS Formats) could be customized by the locations concerned. All reviews and modifications to the ISMS documentation became the responsibility of the unit level security forums.
Role model
As a result of these planning and implementation processes, BHEL became the first Indian public sector company to implement and certify an ISMS in conformity to ISO/IEC 27001, covering 13 units and the corporate IT department.

Information security is now a part of every key business process. Management confidence in, and expectations of, the IT groups has increased many times. This has not only improved the risk management and contingency planning associated with information resources, but has also enhanced customer and stakeholder confidence.

From our point of view as the certification body it was a challenge to certify one of the premium public sector organizations in the country, with such a diverse range of products catering to the core sectors of the Indian economy.

Since ISO/IEC 27001 certification there has been a substantial improvement in the security management approach at BHEL. The company has become a role model for other public sector organizations in India under the national e-governance initiative to protect the critical infrastructure of the country.
Service management with a smile of confidence

by Jenny Dugmore, Convenor, ISO/IEC JTC 1/SC 7/WG 25, IT Service management, and Ted Humphreys, Convenor, ISO/IEC JTC 1/SC 27/WG 1, Information security management systems

We hear of business having global reach. The subjects of two International Standards, service management and information security, amply highlight that fact: both are mutually dependent, and both are key to modern business performing effectively in today's global economy. That is why the synergy between the two ISO standards which respectively address these issues has generated considerable interest. Indeed, ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements, and ISO/IEC 20000-1:2005, Information technology - Service management - Part 1: Specification, complement one another in important ways.

This article looks at these standards with an eye toward capturing what makes them important for business success and why together they constitute a matching set of operational tools for business.
Information security management
Many organizations rely on a complex supply chain and have outsourced a wide range of services, processes and facilities to external suppliers. Conversely, many organizations are offering services to clients and business partners. Wherever such arrangements exist, information is going to be accessed, shared and processed. Organizations manage information at different levels of sensitivity and criticality, and this information is subject to a range of threats and risks. In short, information security is a fundamental part of the management and delivery of services.

The ISO/IEC 27001 standard provides a specification for organizations to develop an information security management system (ISMS). This enables them to establish, implement, deploy, monitor, review, maintain and improve an ISMS to meet the needs of their business. Although this article looks specifically at the service industry, the standard is being used across all market sectors.

ISO/IEC 27001 deploys the same process model as other management systems, including ISO/IEC 20000-1. The four phases specific to information security are shown in Figure 1. This continual improvement model aims to ensure that information security management continues to be effective through use of an appropriate system of security controls, risk assessments and measurements.
ISO Focus May 2008 11
Company officers are accountable
ISO/IEC 27001 requires organizations to ensure that they assess the risks of their supply chain when using external services and engaging with external service providers. Even though an organization might transfer responsibility for information processing to another party via an outsourcing contract, the organization is still fully accountable for the protection of the information. The contract might delegate operational responsibility for this protection, but the CEO and directors of the organization will ultimately be held accountable in the event of a major breach. These officers are at the top of the ladder of responsibility to the company board, shareholders, clients and customers.

The ISO/IEC 27001 standard also considers what security provisions should be included in contracts and service level agreements, based on identified risks. In addition to these requirements, both the organization and its suppliers can implement specified information security controls. For example, the use of effective information security incident procedures enables the provider to report back to the organization any potential security breaches that have occurred. Used in a timely and proper manner, such procedures can avert losses, damage or harm to the organization's information assets.

Another important issue is information sharing, processing, distribution and destruction. The supplier might be handling a range of different types of information on behalf of its clients, such as personal data, customer details, financial data, confidential reports and other sensitive information. The supplier is responsible for protecting this information against unauthorized disclosure, modification or deletion, and for ensuring its availability when the client needs access.

The controls in ISO/IEC 27001 mean organizations establish an effective information processing system, which preserves the confidentiality, integrity and availability of client information. These controls provide coverage for both electronic and paper-based information systems, which can include information conveyed via voice, in written, typed or printed form, through multimedia technology, by e-mail, fax, SMS or Web sites, shared by memory devices, and by other means. The controls range from management policies and technological controls through to regulation and legislative controls.

Insider threats
Client information needs to be protected against internal as well as external threats. Recent surveys, reports and research show that a significant percentage of information security breaches are caused by the insider threat, both accidental and intentional. Employees and managers have privileges and access rights, presenting insiders with more opportunities and placing them in a position to compromise a client's information.

Effective access control policy is essential and should cover both the external and the internal risks to the organization's information assets. ISO/IEC 27001 defines access control at different levels, namely, information and applications, network services and operating system software.

As this short overview illustrates, an organization needs to consider many aspects of information security when deciding to engage a service provider to process its information assets. Combining the information security controls from ISO/IEC 27001 with a service management system based on ISO/IEC 20000 gives management the best of both worlds: a set of tools for minimizing and managing information security risks, while maximizing business opportunities and service performance, and at the same time ensuring business continuity.

So what does ISO/IEC 20000 have to offer from a service management perspective?

Service management
As we all know from our own experiences as customers, a good service is a huge benefit to customers, and a bad service can trigger any number of difficulties. We all remember a bad service for far longer than a good one, and rightly so! We believe that as customers we should be able to rely on good service, whether we are catching a train or shopping for food.

But service, which is actually very difficult to define, is not just about how an individual customer or client is affected. Good service is the result of efficient, effective and timely actions, many of which may be completely invisible to users of the service.

A serious security breach can cause acute problems, especially for accountable parties, but a bad service can incur long-term chronic difficulties. To deliver a good service requires clear direction from the highest level of management, not a view that service is "what the junior people do". Managers must be accountable for service just as they are accountable for security.

Service providers must also have an agile and risk-averse approach to meeting rapid changes in customer needs, while maintaining good control of their own suppliers. Here, technology plays an important part.

ISO/IEC 20000 can be traced back to a code of practice published in the UK in 1995, at a time when the IT industry was becoming more aware of the importance of good service; IT, in fact, was not just about assembling the right hardware and software. The code of practice evolved into its current two parts of conformity requirements. ISO/IEC 20000-2:2005, Information technology - Service management - Part 2: Code of practice, continues to provide "how to" guidance, with a wider scope and greater maturity, keeping pace as the service management industry itself matured.

[Figure 1 The phases of information security: Design ISMS; Implement and deploy ISMS; Monitor and review ISMS; Maintain and improve ISMS.]

[Figure, diagram text recovered from the page: ITIL; COBIT; Service management - ISO/IEC 20000 series; Quality management - ISO 9000 series; IT security - ISO/IEC 27000 series.]

About the authors
Dr. Jenny Dugmore is Director of Service Matters, a service management consultancy company. Her career spans operational senior management, service management and consultancy. Dr. Dugmore chairs the BSI committee that produced BS 15000, on which ISO/IEC 20000 was based. She was the Project Editor for the drafting of ISO/IEC 20000, and is now Convenor of the working group responsible for ISO/IEC 20000. Dr. Dugmore is on the itSMF's ISO/IEC 20000 Certification Management Board and on the UK Government's ITIL Refresh Management Board. In 2005 itSMF awarded her the Paul Rappaport Lifetime Achievement Award for her contribution to service management.

Professor Ted Humphreys has been leading the United Kingdom's activities regarding the ISO/IEC 27000 family of ISMS standards and the UK standards BS7799 Parts 1 and 2 (which later became ISO/IEC 27001 and ISO/IEC 27002) since 1990. He is also responsible for many of the ISMS accreditation and certification activities as well as producing the standard EA 7/03. He is an ISMS consultant providing advice to organizations around the world. He is also founder and Director of the ISMS International User Group, which promotes the global use of the ISO/IEC 27000 family for ISMS standards.
Wide applicability
ISO/IEC 27001 is not just about risk management and assuring business continuity, and ISO/IEC 20000 is not just about customer satisfaction. Keeping a technology-based service going can easily amount to 80 % of the total lifetime cost of owning a system, even if the cost of security breaches is ignored. Improvements can reduce the cost of a service while increasing the quality of the service.
Although technology is part of service management, a common theme in ISO/IEC 20000 is "what people do and how they can do it better". Requirements range from management accountability and commitment to service, continual improvements, and low-risk operational and service changes, through to building up knowledge by ensuring all customer requests are logged.
Many of the ISO/IEC 20000-1 requirements highlight "what" to achieve, giving each service provider flexibility on "how" to do this, and ensuring wide applicability for ISO/IEC 20000. Wide applicability is central to the spirit and intent of ISO/IEC 20000. It is directly linked to the characteristics of today's service management industry: a sprawling network of complex supply chains and customer relationships. Few services are now reliant on only one service provider, and very few are reliant even on the activities of a single location. Most involve supply chains that cross national boundaries, languages, specializations and time zones.
Used in a timely and proper manner, such procedures can avert losses, damage or harm to the organization's information assets.

Figure 2 – The context of the ISO/IEC 20000 series. The figure relates the management system standards (service management, quality management, IT security) to governance standards, terms, and the software and systems engineering standards for process reference and process assessment: process assessment model (SPICE) ISO/IEC 15504; software asset management (SAM) ISO/IEC 19770; systems engineering ISO/IEC 15288; software reference model ISO/IEC 12207; and ISO/IEC 90003, ISO 9001 for software.
Strengthening the relationships
In the same way that the original
security standard, BS 7799, was the fore-
runner of the ISO/IEC 27000 series, the
publication of BS 15000 set off a surge
of interest and activity in the field of
standards for service management. This
field spans different groups within ISO/
IEC JTC 1/SC 7, Software and systems
engineering, but all current activities are
linked to the scope and target audience
for ISO/IEC 20000-1.
ISO/IEC 20000-1 will continue to
be a service management system standard
that can be used by itself or in conjunc-
tion with standards such as ISO 9001,
Quality management systems Require-
ments, and ISO/IEC 27001. Substantial
progress has been made in reviewing and
revising the first edition, with the next
version to be discussed at the SC 7 ple-
nary in May 2008. This includes updat-
ing and strengthening the relationship
between the ISO/IEC 20000 and ISO/
IEC 27000 series.
A major review has begun of ISO/
IEC 20000-2, which gives guidance on
the requirements of ISO/IEC 20000-1.
A new document, ISO/IEC 20000-3,
on scoping, applicability and conformi-
ty assessment under ISO/IEC 20000-1,
is also being developed. This will give
a detailed and practical explanation of
how to define the limits of service man-
agement, application of ISO/IEC 20000
and aspects of conformity. It is based on
a wide range of supply chain examples
for service providers, scoping what they
do, who their customers are and what
their suppliers do.
The plans for the ISO/IEC 20000
series are influenced by a desire to har-
monize standards and to understand
the relationships to other methods and
frameworks. Anyone who has wondered
how all the pieces fit together will real-
ize that this is a far from simple task.
Some of the more important relation-
ships for ISO/IEC 20000 are those shown
in Figure 2.
In addition, the ISO/IEC 27000
series of guidelines that support ISO/IEC
27001 is being extended to cover many
sector-specific and service-related appli-
cation areas, such as ISMS for e-govern-
ment services, critical infrastructure serv-
ices and outsourcing services.
Already, ISO/IEC JTC 1/SC 27, IT security techniques, in conjunction with the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T), has prepared a joint standard relating ISMS to telecom services: ISO/IEC 27011, Information technology – Information security management guidelines for telecommunications. Other sector-specific ISMS standards are likely to be developed over the coming years, for example for financial services and energy management services, among others.
All these developments will ben-
efit from the increasing harmonization
between the ISO/IEC 27000 series and
the ISO/IEC 20000 series.
An incremental approach
Work has commenced on advice for an incremental approach towards achieving the requirements of ISO/IEC 20000-1. This incremental approach, with advice in stages on "what to do first, what to do next", is based on subsets of the full requirements. Figure 3 shows one of several options being considered for the stages.
In broad terms, the "reactive" stage covers the most easily implemented processes or sub-processes, which are usually also the ones that deliver benefits quickly. Examples include the incident management process, which is intended to minimize the impact on the customer's service of a defect, usually by optimizing the speed at which the defect is corrected.
The "proactive" stage includes processes that may take longer to show benefits and which may involve much more fundamental implementation work. An example is the configuration management process, which is intended to define and control the components of the service.
In the example shown in Figure 3, the final "service" stage is the full integration of all processes, including effective, efficient and well-understood continual improvement.
If there is market interest, "gold", "silver" and "bronze" level documents showing conformity requirements will follow, with ISO/IEC 20000-1 as the "gold" standard.
Process models
The process reference model (PRM) is a set of process definitions based on process "purpose" and "outcomes", together with an architecture describing relationships between the processes. Established examples of PRMs include ISO/IEC 12207, Systems and software engineering – Software life cycle processes. A proposed PRM for service management, ISO/IEC 20000-4, will match the scope of ISO/IEC 20000-1.
A PRM also provides the basis for a process assessment model (PAM), in which process capability is defined so that it can be assessed over a series of levels. A PAM for service management has been proposed as part of SPICE, the ISO/IEC 15504 series: ISO/IEC 15504-8, Information technology – Software process assessment – Part 8: An exemplar process assessment model for IT service management.
Similarly, ISO/IEC 27001 deploys a set of processes for information security, covering topics such as risk assessment and treatment, selection of controls for managing the risks, information security metrics and measurements for measuring the performance of the ISMS, incident management and business continuity processes.

Figure 3 – An incremental approach to ISO/IEC 20000-1: starting from "chaos", Stage 1 is the reactive stage, Stage 2 the proactive stage, and Stage 3 the ISO/IEC 20000-1 service management system with continual improvement.
Fitting it all together
As shown in Figure 4, support for
implementing ISO/IEC 20000-1 is provided
by the advice in ISO/IEC 20000-2 and ISO/
IEC 20000-3. The incremental approach
also supports ISO/IEC 20000-1.
The connection between ISO/
IEC 20000-1 and the process assessment
model, ISO/IEC 15504-8, is less obvious.
The link is actually via the process ref-
erence model, ISO/IEC 20000-4, which
will map to ISO/IEC 20000-1.
Best practice service manage-
ment is also being applied to production
of the series of standards. The output
of the change and configuration man-
agement processes will include map-
ping across the standards, methods
and frameworks in Figure 2. This will
include mapping ISO/IEC 27001 and
ISO/IEC 20000.
Rigorous approach
A strong link between the ISO/
IEC 27000 and ISO/IEC 20000 series
is the role played by the virtuous cycle
of Plan-Do-Check-Act. This is a unify-
ing link between all such management
system standards. Although the details differ across the two sets of standards, the requirements are compatible and the theme for both is "how do we do this better?".
The synergy between the two goes
well beyond the P-D-C-A cycle, as is
shown in Figure 5. Both sets of docu-
ments include the importance of manage-
ment commitment, clarity on who does
what, and training and awareness.
Both also include the need for
documentation, monitoring and report-
ing. And other processes and requirements
are common to both, ranging from the
use of service-level agreements (SLAs)
through to incident management pro-
cesses. These features are common to
both because they underpin a rigorous
approach that is highly relevant to both
areas of best practice.
However, there are some differences. Although security issues permeate all aspects of service management, and sound service management is a necessary basis for security, there are relatively few requirements labelled as "security" in the ISO/IEC 20000 series. The security clause in ISO/IEC 20000 refers to the ISO/IEC 27000 series. As would be expected, the ISO/IEC 20000 series includes some features that are not in the ISO/IEC 27000 series, including various aspects of supply chain management, supplier management, business relationship management and configuration management. The differences also reflect the fact that service management receives the output from software and systems development, changes to business plans and the introduction of new services.
While the ISO/IEC 27000 series includes explicit reference to risk management, the ISO/IEC 20000 series and service management manage risks by the integration of best practices for managing the service, making very little explicit reference to risk management.

Figure 4 – The ISO/IEC 20000 series in development. ISO/IEC 20000-1 requirements, reached either in a single step or by the incremental approach (Step 1, Step 2, Step 3); ISO/IEC 20000-2, advice explaining the Part 1 requirements; ISO/IEC 20000-3, advice on scoping, applicability and conformity; the process reference model ISO/IEC 20000-4 (conformance), with a mapping to the process assessment model ISO/IEC 15504-8 (SPICE).

Figure 5 – Synergy between the ISO/IEC 27000 and ISO/IEC 20000 series. As far as the figure labels can be recovered: ISO/IEC 27000 series only: risk management; asset management; legal and regulatory compliance; information security controls. Common to both: management commitment; roles and responsibilities; training and awareness; documentation; Plan-Do-Check-Act; effectiveness measures; service reporting; SLAs and contracts; continuity and availability; capacity planning; security requirements; incident management. ISO/IEC 20000 series only: new and changed services; budgeting and accounting; business relationship; supplier management; problem management; configuration management; change management; release management.

Combining forces
The relationship between security and service management is so close and important that many organizations are adopting both sets of standards for their quality management. It is now common for a service provider to adopt one of the sets, improve how they operate to conform to the requirements, and then to make further improvements to conform to the other set. If conformity has involved being certified, many organizations then arrange for audits to both standards to be done at the same time. In fact, when the scope of each audit is the same, it is now possible to have combined audits and a single certificate. However, this is still rare. Most service providers are being awarded a separate certificate for each standard, each certificate having a related but different scope.
The common history of the two standards is reflected in the rapid adoption of training and qualifications in both service management and security for practitioners, consultants and auditors. Procurement practices now frequently require suppliers to be certified under one or both of the standards.
The ISO/IEC 27000 and ISO/IEC 20000 management system standards have a strong base of support in the UK, and are experiencing rapid adoption in other countries. Most notable among these are China, Germany, India, Japan and South Korea, with interest growing in some 30 to 40 other countries. This is no surprise, as these two standards constitute a powerful tool for businesses striving to compete in today's global marketplace.

Improving water and wastewater services
by Laurence Thomas, Secretary, and Jean-Luc Redaud, Chair, ISO/TC 224, Service activities relating to drinking water supply systems and wastewater systems – Quality criteria of the service and performance indicators
Pierre Granier
Water constitutes a worldwide challenge for the 21st century, both in terms of management of available water resources and in the provision of access to drinking water and sanitation for the world's population. In 2000, the United Nations recognized that access to water is an essential human right.
Following the two World Water Forums, in Kyoto in March 2003 and in Mexico in March 2006, the international community committed to improving governance of drinking water and wastewater services. Building capacity with local governments is identified as a priority in this effort.
The big challenge
Standardization work started in 2002 within ISO technical committee ISO/TC 224, Service activities relating to drinking water supply systems and wastewater systems – Quality criteria and performance indicators. The committee faced an important challenge: to produce ISO standards dealing with water services that can be used in developed
Information security management systems for small and medium-sized enterprises
Although many large organizations have been quick to see the benefits of ISO/IEC 27001:2005, the information security management system standard, many SMEs have been slow adopters because of a lack of basic advice on its implementation. This will change with the development of a new ISO handbook to demystify the process, due for publication in 2009.
by Edward Humphreys
SPECIAL REPORT
Visiting Professor
Edward Humphreys
(FH University of Applied Science,
Hagenberg, Upper Austria),
is Convenor of ISO/IEC JTC 1,
Information technology,
subcommittee SC 27, IT security
techniques, working group WG 1,
Information security management
systems.
E-mail edwardj7@msn.com
6 ISO Management Systems January-February 2009
ISO Management Systems, www.iso.org/ims
Figure 1 Example of a typical information security gap analysis.
ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, is one of a family of information security management systems (ISMS) standards (see box) for use by all organizations regardless of size and sector.
Well over 5 000 organizations have already certified their ISMS in conformity with ISO/IEC 27001, and many more are in the process of doing so, testimony to its broad applicability in helping protect business assets and information, and the reason why the ISMS standard has become the common information security language within and between many different types of enterprise.
However, while many large organizations have been quick to see the benefits, many small to medium sized enterprises (SMEs) are still slow to adopt the standard because of a lack of basic advice on its implementation.
Help will shortly be at hand following the development of a new ISO handbook designed to provide much needed guidance on ISO/IEC 27001 implementation for SMEs from all sectors, due for publication in 2009. This article provides a preview.
Two approaches
The handbook will offer a step-by-step or all-at-once approach to implementation depending on the SME resources available. It explains that, irrespective of the size and nature of the SME, ISO/IEC 27001 implementation does not need to be costly or resource intensive.
Step-by-step ISMS implementation enables the SME to achieve a basic level of cost-effective protection without much effort. And by following two to three more steps, the organization can achieve a fully ISO/IEC 27001-conforming ISMS when appropriate to the business.
Basic protection
All organizations need a baseline of security to provide a minimum level of protection. For example, virus attacks can threaten any organization, including SMEs. They should have back-up systems in place to protect against information loss or destruction, and ensure physical protection of personnel data and equipment.
Implementing a basic level of protection is an appropriate starting point for any SME, beginning with a simple gap analysis to identify the protection already in place, and what it lacks. Figure 1 shows a typical gap analysis checklist using the controls listed in ISO/IEC 27002.
ISMS policy
An information security policy statement can be a one-page document from senior management listing policy objectives and commitment, displayed in the organization's premises. This is a simple but effective daily reminder to employees of the importance of information security.
Risk assessment
The objective of a risk assessment is to identify the risks confronting an SME so that an appropriate set of information security controls can be implemented to reduce those risks to an acceptable level.
Yet risk assessment is seen by many SMEs as a formidable and time-consuming task requiring substantial resources. It does not need to be so. To extend SME information protection beyond the baseline level requires a risk assessment exercise. However, the steps involved are quite straightforward, as explained in the forthcoming ISO handbook.
The baseline controls mentioned are designed to reduce specific risks: anti-virus software to reduce the risk of a virus attack, back-ups to minimize the risk of data loss through system failures, physical protection to lower the risk of equipment and documentation theft.

Gap analysis checklist (Figure 1), using the ISO/IEC 27002 control questions. Each question is answered Yes, Partial or No, with a comment; which column was ticked can only be inferred for the first question.
1. Do you have software implemented in your computers to detect, prevent and recover from a malicious code attack (e.g. from a virus attack)? Answer: ticked; the comment indicates Partial. Comment: Not all the computers in the business have this software installed.
2. Do all your staff know about the dangers of malicious code attack (e.g. from a virus attack) and are they trained in the use of the software used to detect, prevent and recover from such attacks? Answer: ticked.
3. Do you regularly update the software used to detect, prevent and recover from a malicious code attack (e.g. from a virus attack)? Answer: ticked.

ISO/IEC 27002:2005 provides a code of practice that describes the necessary controls for basic protection, including:
- a policy for high level information security management;
- user awareness;
- antivirus software;
- backup;
- access controls;
- physical protection of premises and commercially sensitive paper-based files and documents;
- protection of personnel data and company records.

SMEs are still slow to adopt ISO/IEC 27001
Typical threats and vulnerabilities identified by a risk assessment can include:
On-line information theft and fraud. This includes on-line auction frauds, phishing (e-mail disguised as official bank communication), 419 scam letters, and numerous other deceptions designed to lure users to part with personal information, bank and credit card details, social security numbers or passwords.
System failures. These can shut down an SME's IT system and disrupt normal business activity for days, with possibly serious effects on revenue and competitiveness.
Software problems. These include bugs, viruses, out-of-date programs and unauthorised access, which can compromise information security.
Misuse of company resources. This can be done by external users or SME staff, whether accidental or intentional, and can result in breaches of information security.
Delayed response to security incidents. Immediate reporting of any potential security risks should be routine, with measures taken to correct the problem before it can have a negative impact on the organization.

The ISO/IEC 27000 family
The ISO/IEC 27000 family of information security management standards currently comprises four publications:
- ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
- ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
- ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management
- ISO/IEC 27006:2007, Information technology – Security techniques – Requirements for bodies providing audit and certification of information security management systems
The principal standard, ISO/IEC 27001:2005, covers all types of organizations (e.g. commercial enterprises, government agencies, not-for-profit organizations), and specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization's overall business risks.
It specifies requirements for the implementation of security controls customized to the needs of individual organizations or parts thereof.
ISO/IEC 27001:2005 is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties, and is intended to be suitable for several different types of use, including the following:
- use within organizations to formulate security requirements and objectives
- use within organizations as a way to ensure that security risks are cost effectively managed
- use within organizations to ensure compliance with laws and regulations
- use within an organization as a process framework for the implementation and management of controls to ensure that the specific security objectives of an organization are met
- definition of new information security management processes
- identification and clarification of existing information security management processes
- use by the management of organizations to determine the status of information security management activities
- use by the internal and external auditors of organizations to determine the degree of compliance with the policies, directives and standards adopted by an organization
- use by organizations to provide relevant information about information security policies, directives, standards and procedures to trading partners and other organizations with whom they interact for operational or commercial reasons
- implementation of business-enabling information security
- use by organizations to provide relevant information about information security to customers.

ISO/IEC 27001 implementation does not need to be costly
The risk assessment should only focus on those areas requiring protection, to avoid unnecessary expenditure on information security solutions covering less risky areas of the business.
Regardless of the measures taken, it is impossible to reduce information security risks to zero. The SME should implement the necessary controls to reduce the risks to an acceptable residual level without overspending on information security measures. There is a point at which the benefits gained are outweighed by the cost of implementing more and more security.
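To make the residual-risk and cost-benefit reasoning above concrete, here is an added worked example. It is not taken from the ISO handbook or from ISO/IEC 27005; the loss-expectancy model (annual loss = single-loss expectancy multiplied by annual rate of occurrence), the risk register, the control costs and their effectiveness figures are all constructed assumptions for illustration. The routine applies candidate controls in order of annual loss avoided per unit of annual cost and stops either when the residual loss is within the stated risk appetite or when the next control would cost more per year than it saves, which is the point the article describes where further spending outweighs the benefit.

```python
# Added example: greedy cost-benefit risk treatment for a small business.
# Not from the ISO handbook or ISO/IEC 27005; the loss-expectancy model
# (ALE = SLE x ARO) and every figure below are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    sle: float   # single-loss expectancy: cost of one occurrence
    aro: float   # annual rate of occurrence: expected events per year

    @property
    def ale(self) -> float:
        """Annualised loss expectancy: average cost of the risk per year."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    treats: str        # name of the risk this control reduces
    annual_cost: float
    reduction: float   # fraction of the risk's annual loss removed, 0 < x <= 1


def loss_avoided(control: Control, residual: dict) -> float:
    """Annual loss the control would remove given the current residual risks."""
    return residual[control.treats] * control.reduction


def treat_risks(risks, controls, appetite):
    """Select controls until residual ALE <= appetite or nothing pays for itself.

    Returns (names of chosen controls in order, residual ALE per risk)."""
    residual = {r.name: r.ale for r in risks}
    candidates = list(controls)
    chosen = []
    while candidates and sum(residual.values()) > appetite:
        # Best value for money: loss avoided per unit of annual spend.
        best = max(candidates, key=lambda c: loss_avoided(c, residual) / c.annual_cost)
        if loss_avoided(best, residual) <= best.annual_cost:
            break  # the next control costs more than it saves: stop spending here
        residual[best.treats] *= 1.0 - best.reduction
        chosen.append(best.name)
        candidates.remove(best)
    return chosen, {name: round(ale, 2) for name, ale in residual.items()}


# Constructed sample register for a small office (illustrative figures only).
RISKS = [
    Risk("malware infection", sle=8_000, aro=2.0),
    Risk("laptop theft", sle=3_000, aro=0.5),
    Risk("office fire", sle=200_000, aro=0.01),
]
CONTROLS = [
    Control("anti-malware on every PC", "malware infection", 1_200, 0.8),
    Control("staff awareness training", "malware infection", 900, 0.5),
    Control("laptop disk encryption", "laptop theft", 400, 0.7),
    Control("off-site backup", "office fire", 1_500, 0.9),
    Control("sprinkler system", "office fire", 6_000, 0.5),
]

if __name__ == "__main__":
    chosen, residual = treat_risks(RISKS, CONTROLS, appetite=3_000)
    print("implement, in order:", chosen)
    print("residual annual loss per risk:", residual)
```

With the constructed figures the sprinkler system is never selected: once the backup control has cut the fire risk, the sprinkler would cost far more per year than the loss it avoids, so the greedy loop stops even when the appetite is set to zero. Lowering the appetite changes when the loop stops, not the order in which controls are chosen, which is why the order is worth recording in the treatment plan.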
Managing its information security enables an SME to make system improvements and upgrades when necessary to protect its investment in security. This involves regular monitoring, and reviewing any changes in operations that might affect the level of protection that has been implemented.
If changes in business conditions are significant enough to increase information security risks, then the SME will have to consider changing the set of ISMS controls to counter the new risks. Regular reviews not only ensure the continuing effectiveness of the system, but can be far more cost effective than more substantial periodic system upgrades.
Maintaining an ISMS
Implementing the controls set out in ISO/IEC 27001 is an important aspect of protecting information, but just as important is maintaining the day-to-day effectiveness of the ISMS. If the system is not regularly managed then the investment in security can be wasted.
Better protection
In this article, I have highlighted some of the advice given in the forthcoming ISO handbook. It will also include checklists, scorecards and case studies to help SMEs focus on the key aspects of protecting their business information using ISO/IEC 27001 as the ISMS tool. In essence, the new handbook will help to simplify and demystify ISO/IEC 27001 requirements and give SMEs a clearer understanding of how best to protect their businesses.

It is impossible to reduce information security risks to zero
The new handbook will demystify ISO/IEC 27001
SC27 WG2
Cryptographic Standards: Achievements, Current Activities and Future Perspectives of SC 27/WG 2
Kenji Naemura *1 and Takeshi Chikazawa *2
*1: Institute of Information Security, Yokohama, Japan (naemura@iisec.ac.jp)
*2: Information-technology Promotion Agency, Tokyo, Japan (t-chika@ipa.go.jp)
Introduction
While the Information Security Management Systems and relevant management standards provide a fundamental framework and methodology for realising information security, they must be complemented with technical safeguards to maintain confidentiality, integrity, availability and other objectives of information security.
Cryptography based on advanced theory of mathematics provides the most advanced technological means to meet many of these objectives, e.g. the confidentiality of trade secrets and personal data over wireless connections or on smart cards, and the integrity of data and non-repudiation of commercial transactions. It is gaining more and more importance in the age of information and communication technologies (ICT). For example, digital rights management needs techniques for encapsulating the content and for transmitting the key for decryption, public procurement procedures on the Internet need techniques for authenticating the bidders and validating the tenders, and legal requirements for preserving tax-related and other business documents in electronic form need authentication of their content and time of creation.
SC 27/WG 2 is mandated to develop international standards of "Cryptographic and Security Techniques" for confidentiality, entity authentication, non-repudiation, key management, and data integrity such as message authentication, hash-functions and digital signatures, which are to be utilized in various types of business applications, while the development of standards aimed at specific applications is outside of its scope. In other words, it is expected to produce generic cryptographic standards serving, as a centre of expertise in this area, other standardization organisations working on more specific cryptographic standards such as SC 17 on smart card applications and ISO/TC 68/SC 2 on banking applications.
This article provides a summary view of the past, present and near future of its activities.
Brief history of SC 27/WG 2
When SC 27 was formed in 1990 as the successor of ISO/TC 97/SC 20, it was clearly stated that the standardization of encryption algorithms was out of its scope. The main reasons for the exclusion were that cryptography was originally considered to belong to the military area and not for commercial use, that most cryptographic algorithms published by that time were not yet mature, making it very difficult to evaluate their security, and that the development of semiconductors and computing technologies seemed to make the then known algorithms vulnerable to attacks.
Thus one of the earliest standards SC 27 produced was ISO/IEC 9979 (Procedures for the registration of cryptographic algorithms), published in 1991. The Register, which was maintained by the National Computer Centre UK, and subsequently by Royal Holloway of the University of London, contained 24 algorithms in 2001.
Under the first convenorship by Louis Guillou and the second by Marijke de Soete, SC 27/WG 2 produced various cryptographic standards in the 1990s: e.g. ISO/IEC 9796 (Digital signature schemes giving message recovery), 9797 (Message authentication codes), 9798 (Entity authentication), 10116 (Modes of operation for an n-bit block cipher algorithm), 10118 (Hash functions), 11770 (Key management), 13888 (Non-repudiation) and 14888 (Digital signatures with appendix). They may be said to belong collectively to the first generation of the SC 27/WG 2 standards.
In the meantime, there were several changes occurring globally, which eventually affected the scope of SC 27/WG 2. Firstly, the Internet was made available to commercial applications, causing an explosion of World-Wide Web services. Secondly, financial and other applications of smart cards, mobile phones and other ICT devices were expanding. Thirdly, there was significant progress in academic research on "cryptanalysis", the security of cryptographic algorithms. Lastly, the political background was undergoing a sea change after the end of the cold war.
It was perhaps due to these changes that the US government initiated a completely open procedure for establishing a new Advanced Encryption Standard (AES) replacing the Data Encryption Standard (DES) for non-military governmental applications. In addition, the Organisation for Economic Co-operation and Development (OECD) published its Guidelines for Cryptography Policy in 1997, in which one of the eight principles was titled "Standards for cryptographic methods" and recommended that "(T)echnical standards, criteria and protocols for cryptographic methods should be developed and promulgated at the national and international level."
In 1999 it was agreed that SC 27/WG 2 should start work in this hitherto prohibited area, and in 2000 the new project 18033 (Encryption algorithms) was approved by ISO/IEC JTC 1. Following the progress of the project, ISO/IEC 9979 was withdrawn in 2005.
Current activities
SC 27/WG 2 is currently responsible for producing, updating and/or maintaining 19 standards in the area of cryptography and related security mechanisms. There is no single way to classify the projects, but they may be placed in two diagrams as shown in Fig. 1 and Fig. 2, where an arrow from A to B denotes that A makes use of B or that A is enabled by B. For example, confidentiality is an objective, or a goal, of information security, which may be reached through data secrecy and/or anonymity as subgoals, which, in turn, may be realised by use of encryption, anonymous entity authentication and other mechanisms.

Fig. 1. Relationships between the objectives and the 14 mechanism standards

Fig. 2. Supporting and component mechanism standards

Fig. 1 tries to show some relationships between the three main objectives of information security and 14 projects. Partly due to the historical background described above, a majority of them are concerned with integrity in a broad sense, i.e. authenticity of entity, data integrity, and the integrity of action and time. A relatively small number of projects deal with confidentiality, including data secrecy and anonymity, and no standards have been produced to attain availability, although there was a suggestion that secret sharing might be a candidate for standardization to satisfy certain requirements of availability and confidentiality at the same time.

The five other standards, shown in Fig. 2, are more or less common to the various goals and subgoals, either as supporting mechanisms or as component algorithms.

ISO/IEC 18033 (Encryption algorithms) consists of four parts. Part 1 defines the basic terminology and clarifies the properties of asymmetric and symmetric types of ciphers. Asymmetric ciphers are also known as public key cryptosystems, in which encryption is performed with a public key and decryption is done with its associated private key. Symmetric ciphers, which can be classified into block ciphers and stream ciphers, are traditionally called common key (or secret key) cryptosystems, in which both encryption and decryption are performed using a common secret key. In addition, this part of the standard provides information on the criteria for selecting algorithms for inclusion in the standard from the large variety of cryptographic techniques published and in use. The criteria include the strength to resist cryptanalytic attack, the performance on a variety of typical CPUs, the nature of any licensing issues and the maturity. Part 2 specifies selected asymmetric ciphers, while Parts 3 and 4 respectively specify selected block ciphers and stream ciphers.

Together with ISO/IEC 15946 (Cryptographic techniques based on elliptic curves), 18031 (Random bit generation) and 18032 (Prime number generation), the encryption algorithm standard represents the second generation of SC 27/WG 2 standards.

ISO/IEC 19772 (Authenticated encryption) is a new standard published in 2009, specifying methods for processing a data string for the purpose of data confidentiality, data integrity and data origin authenticity at the same time. Project 29150 (Signcryption) is under development, aiming to attain a similar set of goals with certain mechanisms combining digital signature and encryption techniques.

Project 29192 (Lightweight cryptography) was initiated in 2008, and Projects 20008 (Anonymous digital signatures) and 20009 (Anonymous entity authentication) in 2009.

These recent activities signify the beginning of the third generation in the history of SC 27/WG 2.

Future perspectives
It is evident that the future focus of the SC 27/WG 2 activities will depend on two main forces: market needs and technological seeds. In addition, the active review of existing standards will be required in order to prevent the mechanisms included in them from becoming vulnerable to new types of attacks.

Some of the potential candidates for future work include: group-based/oriented cryptography, such as secret sharing schemes and threshold cryptography; implementation-oriented cryptography, such as techniques for protecting against side channel attacks; new cryptographic primitives, such as hyper-elliptic curve cryptography and lattice-based public key cryptography; new cryptographic systems, such as ID-based schemes and certificateless (or token-based) public key cryptography; application-oriented techniques, such as cryptography for digital rights management and broadcast encryption; and other items, such as achieving long-term security with unconditional schemes and quantum key distribution systems.

Conclusion
SC 27/WG 2 has gone through two generations of standards development. The first generation of standards on entity authentication, digital signatures and others were produced in the 1990s under a restriction concerning the international standardization of encryption algorithms. The second generation of standards was characterised by the development of ISO/IEC 18033 and other standards in the area of advanced cryptography. Many of these standards are in direct use or used indirectly through related standards produced by other organisations including JTC 1/SC 17, ISO/TC 68/SC 2, ITU-T and IETF.

SC 27/WG 2 has started the development of its third generation of standards. It will continue to produce cryptographic standards of mechanisms and algorithms useful for meeting diversified business needs for information security.

These standards, however, may not directly meet market needs; rather, they will enable more specific, application-oriented techniques, e.g., for financial services, public procurement procedures, smart card applications, electronic transactions, and digital rights management. For these reasons, it is important that SC 27/WG 2 continue to work together with other standardization committees and organisations.

Standardization of modern cryptographic mechanisms:
Lightweight cryptography
Riaal Domingues
Armscor, Defence Institutes, South Africa

Introduction
One of the exciting fields of research in cryptography is that of lightweight cryptography. Open literature research in cryptography since the 1980's has led to a great deal of insight into how to design secure cryptographic mechanisms. This has led to industry adopting cryptography as a powerful tool not only to protect data against unauthorised access, but also to authenticate users, sign documents electronically etc.
Cryptography is one of the practically applicable solutions that require experts from three fields, namely engineering, computer science and mathematics, to work together to come up with solutions to real world problems. Cryptography as a solution to security problems has evolved with digital technology over the past twenty years, to some extent closely related to the ever increasing demand for more computing power. Cryptography on platforms with lots of computing power has therefore grown at the same tempo as the available computing power. The same is true for cryptography in hardware devices.
Over the past decade a market has emerged that requires smaller devices, many of which run off batteries, and in some cases even off no other power source than an electromagnetic field that powers them only for a brief moment. Examples of these are:
- Cellular phones
- Sensor networks
- Smart cards
- Contactless smartcards
- Radio frequency identification tags (RFID)

Along with the technology, the number of people with enough skills to attack these devices has also increased. This leads to the stealing of information, cloning of devices used for access control etc. Cryptographic research adapted to this quickly by taking a turn in the opposite direction of increasing computing power: designing cryptographic mechanisms that require fewer resources to operate, yet are safe enough for their application. This research has led to what is loosely known today as lightweight cryptography.
When no security is used in small devices, attackers generally have no problem attacking those systems. Perhaps the most well known example is from the late 1980's and early 1990's when garage door openers and car alarm remote controls were attacked by merely capturing the code the remote control transmits, and later replaying the code to open the door or disable the alarm (traditionally called a replay attack). The KeeLoq cipher was designed for remote controls, and the technology of the time was very restrictive. In retrospect KeeLoq can be seen as one of the first lightweight cryptography designs. There were also proprietary ciphers developed for the Oyster cards which control access to transport systems and doors to buildings. Both these ciphers were eventually broken. Industry designed these ciphers because there were no standard ciphers available that could do the job while fitting the constraints of the platforms. Clearly the market requires published, well scrutinised ciphers which will not lead to the embarrassment of getting broken and to the resulting security compromises.
JTC 1 instructed its subcommittee SC 27 to study lightweight cryptography in 2006 (then loosely termed low power cryptography) for possible standardization. The study period continued until its October 2008 meeting, when SC 27 decided to issue a new work item proposal for standardization of lightweight cryptography.
Defining lightweight cryptography
Loosely defined, lightweight cryptography is cryptography tailored for constrained environments. Traditionally lightweight cryptography in the academic community was studied in terms of Radio Frequency Identification tags (RFID). Most literature will therefore refer to Gate Equivalents (GE) as the size of an algorithm when implemented in hardware, and is written with the application of RFID in mind. RFIDs are very small, with very little space left on the chip for a cryptographic algorithm.
Only considering GEs to define lightweight cryptography is not the best approach for a number of reasons:
1. A low GE count can be obtained by rolling up a block cipher, at the expense of latency. This makes it difficult to compare different implementations.
2. In some applications, low power rather than low GE count is important, specifically in sensor networks where devices run on batteries.
3. Lightweight protocols and signature schemes try to minimise the number of bits that must be sent over the channel, and GE count does not come into play at all.
4. There are a number of software oriented ciphers which are suitable for low end processors, and the notion of GE does not come into play when considering processors.

Instead, the lightweight cryptography standard under development takes a different approach. Firstly, it distinguishes between cryptography targeted at hardware implementations and cryptography targeted at software implementations. It also groups different primitives into different parts of the same standard, namely:
1. Block ciphers
2. Stream ciphers
3. Mechanisms using asymmetric techniques
For block and stream ciphers, GE count is considered the main measurement, with throughput / area as the additional measurement. At the time of writing, more comparative measures are still under development to aid users in comparing different hardware targeted block and stream ciphers.
For software targeted ciphers, RAM required during execution of the code and program code size are often important. It is tricky to compare different ciphers fairly in the software environment though, as it is highly dependent on the type of processor being considered. At the time of writing, this problem has not been completely solved.
The main point is that it is not easy to define lightweight cryptography in a single sentence, and probably not fair either. There is much more to lightweight cryptography that has to be considered to define it precisely.
The maturity of lightweight cryptography
Lightweight cryptography got a lot of attention because of the emerging RFID technology. Ciphers like KeeLoq and Mifare have been around in proprietary form for a while, but they were not well studied in the open literature. Instead, the formal study of lightweight cryptography is probably more concentrated in the last five years. The ECRYPT II project (www.ecrypt.eu.org) is also studying lightweight cryptography formally. One can therefore argue that lightweight cryptography is not all that mature yet. However, the AES selection process did lead to an evolution of our understanding specifically of block ciphers, and the eSTREAM project that is a part of the ECRYPT project has led to focussed study of stream ciphers. Hopefully the same will be true for the SHA-3 competition, and it is hoped that lightweight hash functions will also emerge eventually.
Ciphers like KeeLoq and Mifare have shown that industry is in serious need (and has been for quite a while now) of lightweight cryptography against practical threats. SC 27 is attempting to accommodate this need by standardizing what it believes are lightweight cryptography mechanisms that are mature enough to fill the security requirements industry has.
Practical applications of lightweight cryptography
As mentioned earlier, the most well known application of lightweight cryptography is in RFID tags. These tags are already in use. Applications range from as simple as the replacement of barcodes to more complex applications such as payment systems, toll road systems, number plates on cars etc. It is clear that some of these applications do require cryptographic security.
Take for instance toll road systems. Automatic tolling of vehicles ensures that toll roads don't slow traffic down and cause traffic jams. On the other hand, the owner of an RFID tag for automatic tolling wants to be assured that he will not be victim to copying of the responses of his RFID tag, ending in paying toll bills he did not incur. For this to be secure, a secure protocol must exist between the interrogator and the RFID tag, as well as a means to encrypt the response that is transmitted over the air. Signature schemes may also come into play in such a security design.
Another application of lightweight cryptography is in sensor networks. A sensor may run from batteries, possibly for long periods. Lightweight cryptography in this case will be mechanisms optimised to work with as few operations as possible to conserve battery power, yet be safe for their application. Challenge-response schemes with as little overhead as possible are also important, as transmission power dominates over computation power. The number of bits transmitted must therefore be minimised.
The oldest applications of lightweight cryptography were in garage door openers and car immobilisers. The code transmitted to the receiver must be kept safe from eavesdropping to ensure that replay attacks are not possible. The cost of the remote must also be kept as low as possible, and therefore lightweight cryptography that occupies as little space as possible on the remote control is the obvious choice.
Electronic money comes as a replacement for old ticket systems used on public transport. It is much more convenient to buy credit which is stored on a cheap card (the cost of the card must be much lower than the value of the transport it is providing). The public transport authority wants to ensure that it is the only authority that can "recharge" the credit on the card, and also that no one can clone the credit on an existing card.
In the medical field, lightweight cryptography plays an important role in Body Area Networks (BAN). Modern medicine can replace or enhance body functions of failing organs. The devices performing these functions (like for instance pacemakers for the heart) often have 'tweakable' parameters. The patient wants to be sure that only his doctor can tweak the parameters, and no one else.
Conclusion
Industry requires lightweight cryptography. Lightweight cryptography is an example of a science that is still young, but there are mechanisms that are mature enough to fulfil the industry requirement. SC 27 is currently developing a standard to ensure that industry has solutions for its security problems. In this standard, SC 27 defines lightweight cryptography, provides methods to aid users in choosing the best mechanism for their application, and standardizes mechanisms which SC 27 believes are mature enough for industry use.

Using ISO Security Standards in
International Payment Card Systems
Mike Ward and David Main
MasterCard International

Introduction
This article provides an overview of how valuable the ISO security standards from SC27 have been in the development of international card payment systems, starting many years ago with magnetic stripe cards and evolving in more recent times to card payments using EMV smart card technology.
Background on Card Payments
Card Payments
Payment card transactions typically take place between two parties that do not know one another, for example a tourist paying a hotel bill. This transaction is made possible by the contractual relationship that exists between the bank that issued the card to the cardholder and the acquiring bank of the merchant. The relationship between an issuing bank and an acquiring bank that are from two different countries is established by membership of an international payment system, such as those provided by the members of EMVCo (American Express, JCB, MasterCard and Visa). The payment system provides the network for authorising and clearing cross-border payment transactions and sets the rules of membership and operation, along with an often complex set of guarantees.
Card Payments Security
The techniques of card authentication and cardholder verification are central to the securing of card payment transactions.
For magnetic stripe cards, card authentication involves
- the merchant checking the account number, expiry date, hologram, branding and artwork,
- the card issuer checking the card verification code (this is a 3 digit cryptogram computed using an issuer key and written onto the magnetic stripe of the card prior to issuing the card to the cardholder),
and cardholder verification involves
- the merchant comparing a handwritten signature with the specimen signature on the signature panel of the card,
- the card issuer checking the PIN entered by the cardholder.

An important distinction between merchant checking and issuer checking is that for the latter the transaction must be communicated 'online' to the issuer rather than being processed locally 'offline'. The processing of online transactions is more expensive than offline transactions, especially in the case of PIN verification, where a chain of cryptographic keying relationships and secure cryptographic devices is needed in order to transmit the PIN encrypted between the ATM or merchant's PIN pad and the issuing bank's host security module. To reduce the number of online transactions, merchant terminals may be configured to only send transactions online if the monetary amount of the goods or services being purchased exceeds a certain limit.
ISO Standards
The following security-related International Standards from SC27 are used for PIN entry devices and PIN protection for online transmission:
ISO 9564 Banking - PIN management and security
ISO 11568 Banking - Key management
ISO 13491 Banking - Secure cryptographic devices
In addition the following International Standards are used for magnetic stripe cards and for data transmission from merchant to card issuer:
ISO/IEC 7810 Identification cards - Physical characteristics
ISO/IEC 7811 Identification cards - Recording technique
ISO/IEC 7812 Identification cards - Identification of issuers
ISO/IEC 7813 Identification cards - Financial transaction cards
ISO 8583 Bank card originated messages - Interchange message specifications - Content for financial transactions
EMV ICC Payment Specifications
What is EMV?
The abbreviation 'EMV' stems from the three key players when the specifications were first developed, 'Europay, MasterCard and Visa', and it identifies a series of technical specifications for smart debit and credit card payments. The first major version of the specifications was published in 1996 and known as EMV'96. This version was followed by EMV v3.1.1 in 1998, EMV v4.0 (also known as EMV2000) in 2000, EMV v4.1 in 2004 and most recently EMV v4.2 published in 2008. During this period an organisation called EMVCo LLC was established to manage the specifications. EMVCo currently comprises American Express, JCB International, MasterCard International and Visa International (Europay having become part of MasterCard).

EMV security
With the introduction of smart payment cards comes the possibility for far more effective card authentication methods (CAMs) and cardholder verification methods (CVMs) than with magnetic stripe technology. Starting with EMV'96, EMV has introduced
- three types of offline CAM - static data authentication, dynamic data authentication and combined dynamic data authentication,
- a mutual dynamic online CAM, and
- an offline CVM based on PIN verification performed by the card with optional PIN encipherment.

The offline CAMs use RSA public key cryptography. Static data authentication requires the merchant terminal to verify a card-stored digital signature computed by the issuer on static card data prior to issuance. The dynamic data authentication techniques require the merchant terminal to verify a dynamic digital signature generated by the card in a challenge-response protocol. Dynamic data authentication has stronger security than static data authentication but also requires that the card have an RSA private key along with RSA processing capability. Signatures are created and verified using RSA and SHA-1 as defined in ISO/IEC 9796-2 and ISO/IEC 10118-3 respectively.
For the dynamic online CAM, EMV uses Message Authentication Codes (MACs). EMV enables the card to send a cryptogram via the merchant terminal to the issuer, who can then verify this cryptogram (the issuer derives the card key from an issuer master key) and can respond to the card with an authorisation response cryptogram and other secured messages. Examples of other secured messages are commands to block or unblock the card or to change the PIN on the card. The block/unblock commands require integrity and authenticity, whereas the PIN change command additionally requires confidentiality. SC27 International Standards are used extensively: MACs are created and verified according to ISO/IEC 9797-1 and ISO 16609, and data is encrypted and decrypted using ISO/IEC 18033-3 (2-key Triple DES) and ISO/IEC 10116 (ECB mode and CBC mode).
Offline PIN verification can be performed either by submitting the cardholder-entered plaintext PIN to the card for verification or by submitting the PIN enciphered under a card's public key. Offline enciphered PIN was introduced in EMV 3.1.1 (1998) and, as with DDA, requires the card to have an RSA private key along with RSA processing capability. Encryption uses random padding and an RSA transform as defined in ISO/IEC 18033-2.
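The online CAM exchange described above, as an added example that is not EMVCo's, MasterCard's or any ISO standard's code: it shows the issuer re-deriving the card key from its master key, verifying the card's authorisation request cryptogram, answering with a response cryptogram the card checks, and refusing a replayed cryptogram because the card's transaction counter has not advanced. It assumes a constructed field layout and substitutes HMAC-SHA256 for both the key derivation and the ISO/IEC 9797-1 Triple DES MAC so that it runs with the Python standard library alone.

```python
"""Simplified model of EMV-style online card authentication (added example)."""
import hashlib
import hmac
import secrets

# Constructed demo master key; a real issuer master key never leaves an HSM.
ISSUER_MASTER_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key diversified from the issuer master key and the PAN.
    Assumption: HMAC-SHA256 stands in for the Triple DES derivation EMV uses,
    so the issuer needs no per-card key store, only the master key."""
    return hmac.new(issuer_master_key, pan.encode("ascii"), hashlib.sha256).digest()


def mac(key: bytes, data: bytes) -> bytes:
    """8-byte cryptogram; truncated HMAC stands in for the ISO/IEC 9797-1 MAC."""
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


def transaction_data(pan: str, atc: int, amount: int, un: bytes) -> bytes:
    """Constructed field layout bound into the cryptogram: PAN, application
    transaction counter (ATC), amount in minor units, terminal unpredictable number."""
    return b"|".join([pan.encode("ascii"), atc.to_bytes(2, "big"),
                      amount.to_bytes(6, "big"), un])


class Card:
    """Chip card: holds its diversified key and a counter that only increases."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_arqc(self, amount: int, un: bytes) -> tuple:
        """Authorisation request cryptogram over this transaction's data."""
        self.atc += 1
        return self.atc, mac(self._key, transaction_data(self.pan, self.atc, amount, un))

    def verify_arpc(self, arqc: bytes, response_code: bytes, arpc: bytes) -> bool:
        """The card checks the issuer's response cryptogram: mutual authentication."""
        return hmac.compare_digest(mac(self._key, arqc + response_code), arpc)


class Issuer:
    """Issuer host: re-derives the card key, verifies the ARQC, answers with an ARPC."""

    def __init__(self, issuer_master_key: bytes):
        self._imk = issuer_master_key
        self._last_atc = {}  # highest ATC accepted per PAN

    def authorise(self, pan: str, atc: int, amount: int, un: bytes, arqc: bytes):
        """Return (response_code, arpc) for a valid request, None if rejected."""
        key = derive_card_key(self._imk, pan)
        expected = mac(key, transaction_data(pan, atc, amount, un))
        if not hmac.compare_digest(expected, arqc):
            return None  # wrong key or altered amount/counter/challenge
        if atc <= self._last_atc.get(pan, 0):
            return None  # counter did not advance: a replayed cryptogram
        self._last_atc[pan] = atc
        response_code = b"\x00\x00"  # constructed "approved" response code
        return response_code, mac(key, arqc + response_code)


def run_transaction(card: Card, issuer: Issuer, amount: int) -> bool:
    """Terminal role: relay the ARQC to the issuer and the ARPC back to the card."""
    un = secrets.token_bytes(4)
    atc, arqc = card.generate_arqc(amount, un)
    result = issuer.authorise(card.pan, atc, amount, un, arqc)
    if result is None:
        return False
    response_code, arpc = result
    return card.verify_arpc(arqc, response_code, arpc)


def replay_is_rejected(card: Card, issuer: Issuer, amount: int) -> bool:
    """Why a dynamic cryptogram beats a static magstripe value: a cryptogram
    captured from one approved transaction is refused when presented again."""
    un = secrets.token_bytes(4)
    atc, arqc = card.generate_arqc(amount, un)
    if issuer.authorise(card.pan, atc, amount, un, arqc) is None:
        return False  # the genuine transaction itself should have been approved
    return issuer.authorise(card.pan, atc, amount, un, arqc) is None


def demo() -> bool:
    pan = "5413330000000001"  # constructed test PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = Card(pan, derive_card_key(ISSUER_MASTER_KEY, pan))
    return run_transaction(card, issuer, 1999) and replay_is_rejected(card, issuer, 500)


if __name__ == "__main__":
    print("online CAM exchange and replay check:", "ok" if demo() else "FAILED")
```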

Future Evolution of EMV
As EMV evolves, new technologies will be embraced. One current item is contactless payment cards and mobile devices, which continue to use the same kinds of security services and standards as existing contact cards.
In time the existing RSA public key technology will reach a key length limitation and will need extending or replacing. The expected approach is to use Elliptic Curve Cryptography based on the SC27 14888 and 18033-2 standards, with a hash algorithm also expected to be standardised by SC27.
For more information about EMVCo, the EMV specifications and to download the specifications, please see the EMVCo website at www.emvco.com.

ECRYPT II European Network of Excellence for Cryptology
Bart Preneel
Katholieke Universiteit Leuven and IBBT
Dept. Electrical Engineering-ESAT/COSIC,
Kasteelpark Arenberg 10 Bus 2446, B-3001 Leuven, Belgium
bart.preneel@esat.kuleuven.be

ECRYPT II (European Network of Excellence for Cryptology Phase II) is funded within the Information and Communication Technologies (ICT) Programme of the European Commission's Seventh Framework Programme (FP7). The first phase of ECRYPT ran from 2004-2008, while the second phase is running from 2008-2012. The eleven core partners of ECRYPT II are K.U.Leuven (coordinator), R.U.Bochum, Univ. Bristol, ENS, EPFL, France Telecom, IBM Research Zurich, Royal Holloway Univ of London, T.U.Eindhoven, T.U.Graz and Univ. of Salerno. ECRYPT II also has 29 associate members; the complete list can be found in [1].

The objectives of ECRYPT II are to maintain and strengthen the excellence of European research and industry in the areas of cryptology and to obtain a durable integration among the partners. The cryptographic research within ECRYPT II is organized in three virtual labs: SymLab (symmetric techniques), MAYA (public key algorithms and protocols), and VAMPIRE (secure and efficient implementations). Each of these labs is organized in several working groups. In addition to workshops and research meetings for scientific collaboration, ECRYPT II organizes schools to train researchers in advanced cryptographic techniques. ECRYPT II also reaches out to users of cryptography: each year, the project publishes a report on algorithms and key lengths [2]. This report offers concrete recommendations on cryptographic algorithms and key lengths; it takes into account the fast developments in academic research and also reports on progress in standardization.

ECRYPT II also reaches out to standardization bodies; one of the tasks of the project is to act as an interface between standardization bodies on the one hand and the cryptographic research community on the other. In the context of this interface with standardization bodies, the ECRYPT II project has established a Category C liaison with ISO/IEC JTC1/SC27/WG2. The ECRYPT II project can offer scientific comparisons of the security level of cryptographic algorithms and protocols. A security evaluation can determine whether there exist any cryptographic attacks, and how large the security margin is to the most advanced attacks; it can also consider security reductions that reduce the security of the algorithm or protocol to a mathematical problem that is believed to be hard; and it can assess the difficulty of protecting implementations against side channel attacks. A performance evaluation can determine the speed of the algorithm or protocol in software and hardware. For software benchmarking, an open evaluation platform has been created under the name eBACS [3]. We are convinced that these comparison efforts are very helpful in preparing an area for standardization.

Between 2004 and 2008, ECRYPT organized the eSTREAM project to evaluate the security and performance of stream ciphers. This open competition has been extremely successful: 36 submissions were received from all over the world, and after an intensive evaluation process that also included design iterations, seven stream ciphers were recommended as promising candidates for further research and standardization [4]. In addition, a much deeper understanding has been developed of the strengths and weaknesses of stream ciphers. We believe that the outcome of the eSTREAM project is extremely valuable to any standardization body that wants to standardize modern stream ciphers.

Currently ECRYPT II is very active in the area of cryptographic hash functions; after cryptanalytic breakthroughs in the last five years, NIST (National Institute of Standards and Technology) decided to organize between 2008 and 2012 an open competition for a new cryptographic hash standard, SHA-3. The ECRYPT II project has been heavily involved in this competition, by submitting designs and by contributing to the evaluation through workshops and research meetings. It is clear that the results of these efforts will also impact the work of SC27/WG2. Another area of current interest in which research and benchmarking activities are being organized is lightweight cryptography; this is also a work item in SC27/WG2. In the area of public key cryptography, ECRYPT II is currently stimulating research on pairing-based cryptography and lattices; it is likely that both topics will become mature for standardization in the next years.

The ECRYPT II project is very pleased about its constructive collaboration with ISO/IEC SC27/WG2; we believe that an interaction between standardization and research is mutually beneficial and can result in better standards and more relevant academic research.
References
[1] ECRYPT II project webpage, http://www.ecrypt.eu.org
[2] ECRYPT II Yearly Report on Algorithms and Keysizes (2009-2010), http://www.ecrypt.eu.org/documents/D.SPA.13.pdf
[3] eBACS: ECRYPT Benchmarking of Cryptographic Systems, http://bench.cr.yp.to/
[4] Robshaw, M.J.B., Billet, O. (eds.): New Stream Cipher Designs. LNCS, vol. 4986, Springer, Heidelberg (2008)








SC27 WG3
104
Current Act|v|t|es
and Iuture erspect|ves of SC 27]WG 3
Mlguel 8ann
lSC/lLC !1C 1/SC 27/WC 3 Convenor
Lpoche and Lsprl, CLC

Abstract
wC J ptovlJes o boJy of expettlse fot stooJotJlzotloo of ctltetlo ooJ metboJs fot
secotlty evolootloo ooJ cettlflcotloo. Mocb bos beeo ocbleveJ sloce tbe beqlooloq of
tbe stooJotJlzotloo octlvltles lo tbls oteo, bot mocb mote ls JemooJeJ by tbe toplJ
expoosloo of tbe ose ooJ complexlty of lofotmotloo tecbooloqy.
1bls ottlcle btlefly Jesctlbes tbe cotteot wotk oteo of wC J, locloJloq pobllsbeJ os
well os Jeveloploq wotk, bow tbot wotk oteo telotes to otbet stooJotJlsotloo
octlvltles botb wltblo 5c 27 ooJ ootslJe, ooJ Jlscosses poteotlol fotote Jltectloos fot
wC J.
8ackground
1he 1erms of 8eference WC 3 currenLly sLaLes:
l5O/lc l1c 1/5c 27 w6 l - 5ecurity evo/uotion criterio terms of reference
5tooJotJs fot l1 secotlty evolootloo ooJ cettlflcotloo of l1 systems,
compooeots, ooJ ptoJocts. 1bls wlll locloJe cooslJetotloo of compotet
oetwotks, JlsttlboteJ systems, ossocloteJ oppllcotloo setvlces, blomettlcs,
etc.,
1btee ospects moy be JlstloqolsbeJ.
o) evolootloo ctltetlo,
b) metboJoloqy fot oppllcotloo of tbe ctltetlo,
c) oJmlolsttotlve ptoceJotes fot evolootloo, cettlflcotloo, ooJ occteJltotloo
scbemes,
1bls wotk wlll teflect tbe oeeJs of televoot sectots lo soclety, os tepteseoteJ
tbtooqb l5O/lc Notloool 8oJles ooJ otbet otqoolsotloos lo llolsoo, exptesseJ
lo stooJotJs fot secotlty fooctlooollty ooJ ossotooce,
Accooot wlll be tokeo of teloteJ l5O/lc ooJ l5O stooJotJs fot poollty
moooqemeot ooJ testloq so os oot to Jopllcote tbese effotts.
105
WG 3 Scope and project characterisation
The need for security in the use of IT can be described from two perspectives. On the one hand, users need relevant and appropriate security functionality able to meet security objectives (based upon identified threats and mandated policies). On the other hand, users need confidence that the deployed security solutions are effective in implementing the policies and countering the perceived threats. Such confidence enables users to balance IT security, non-IT security measures and other requirements in an efficient manner. It also enables the user to take the residual risks into account when dealing with risk management at higher organizational levels.
WG 3 in particular deals with the assessment technologies for measuring the relevance and effectiveness of IT security measures. Users may choose to evaluate the offered security in available products themselves, but more often use third party assessment as a more cost effective option.
The WG 3 Terms of Reference define the scope of the standardization work performed by this working group, help to clarify the applicability of a particular standardization initiative, and help in understanding the current catalogue of projects.
From the perspective of the target of evaluation (TOE) and certification, the coverage is quite open, from components, to products and further to include systems. This range may be covered by general standards, with abstract target of evaluation paradigms, like ISO/IEC 15408, but may also require product type specific standards, where generalization may be lost in favour of effectiveness and immediateness of applicability of the requirements, methodology and guidance. Both approaches are recognized to be complementary, and equally useful.
Once the target of evaluation and certification is clear, three aspects may be distinguished:
a) Evaluation criteria, which include paradigms, functional and assurance requirements;
b) Methodology for application of the criteria, which may be for the evaluation and testing of the TOE, or methodology guidance for the development of a compliant TOE;
While the scope of WG 3 does not cover standardization in the area of development practices, many aspects of TOE security are inherited from these practices, hence the opportunity to provide a view from the perspective of the application of the evaluation criteria.
c) Administrative procedures for evaluation, certification, and accreditation schemes.
Any International Standard within the WG 3 realm will then be characterized by:
a) the type of TOE that it applies to;
b) whether it contains evaluation criteria (EC), methodology for evaluation and testing (ME), guidance for development (GD), or administrative procedures for evaluation, certification and accreditation schemes (AP).
Note that technical reports may explore aspects of application and complementary areas within and around the WG 3 topics, and may not strictly meet this characterisation.
Current activities
On general IT products
Evaluation criteria for IT security (15408)
With the notice of publication of 15408-1 (N8603), ISO/IEC 15408 concluded its second revision, with its first pre-review planned for 2011.
WG 3 has published this latest revision in close collaboration with the Common Criteria Development Board (CCDB), to ensure that development work in both bodies provides a coherent catalogue of standards to the market.
The latest editorial fixes of the Common Criteria v3.1 release 3 have been provided to WG 3, and are being processed as a Defect Report (N8120) to correct the corresponding 15408 parts.
Furthermore, the CCDB anticipates a number of relatively minor changes to the Common Criteria to be developed for incorporation in the next annual release. The changes mostly relate to the area of ADV and will be drafted by June 2010, to be supplied to WG 3 in a form suitable for review and incorporation as corrigenda.
Methodology for IT security evaluation (18045)
The second edition of this International Standard was published in 2008, with its first pre-review planned for 2011.
This evaluation methodology project runs tightly coupled with ISO/IEC 15408 for content and calendar, in close coordination with the CCDB.
Guide for the preparation of Security Targets and Protection Profiles (15446)
Many people consider this Technical Report to be a very good introduction to ISO/IEC 15408. It also provides practical guidance on the process of preparing for evaluation. Its second revision was published in 2009, aligning its content to ISO/IEC 15408:2009.
Responsible Vulnerability Disclosure (29147)
ISO/IEC 29147 aims to provide a methodology for the disclosure and management of vulnerability alerts to be used by all interested parties. Those parties would include the discoverer, the vendor, and vulnerability information services. It would include methods to determine risk, a format for disclosing vulnerability information, and methods for organizations to gather and process the disclosed information. It is currently in WD stage.
On specific product types: cryptographic modules
Security requirements for cryptographic modules (19790)
This project covers security functional and compliance testing requirements for cryptographic modules, and closely follows FIPS 140-2. It was published in 2006, and later amended in 2008 with technical corrigenda.
A revision has started, in concurrent development with the publication of FIPS 140-3, and is currently in WD stage.
Test requirements for cryptographic modules (24759)
The purpose of this standard, published in 2008, is to describe the methodology to be used by accredited laboratories to test whether a given cryptographic module conforms to the requirements of ISO/IEC 19790. It includes detailed procedures, inspections, and tests that the tester must follow, and the expected results that must be achieved for the cryptographic module to satisfy the ISO/IEC 19790 requirements. It is envisaged to be updated after the current revision of 19790.
On specific product types: trusted platform modules
Trusted platform module (11889)
ISO/IEC 11889 was published in 2009, in the course of transposition from a Publicly Available Specification (PAS) submitted by the Trusted Computing Group (TCG) to an International Standard. ISO/IEC 11889-1 defines the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general. ISO/IEC 11889 is broken into parts to make the role of each document clear. Any version of the standard requires all parts to form a complete standard.
On specific technologies
Verification of cryptographic protocols (29128)
This standard will provide a technical base for the assessment of the security of cryptographic protocols. It will describe design evaluation criteria for these protocols, as well as methods to be applied in a verification process for such protocols. The standard will provide definitions of different protocol assurance levels. The discriminants for each protocol assurance level will include a specification of the design of the protocol, specification techniques for the operating environment, security objectives and properties, and evidence that the protocol operating in the environment achieves its objectives or satisfies its properties. The project is currently at CD stage.
A Framework for security evaluation and testing of biometric technology (19792)
This standard, published in 2009, specifies the subjects to be addressed during a security evaluation of a biometric system. It covers the biometric-specific aspects and principles to be considered during the security evaluation of a biometric system. It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels). The current spread of biometric technology will probably demand an early review of this standard, to accommodate progress in the field.
Secure software development and evaluation under ISO/IEC 15408 and ISO/IEC 18045
This recently launched project will provide methodology guidance for the developer and the evaluator on how to use attack patterns as a technical reference point during the TOE development life cycle and in an evaluation of the TOE secure software under ISO/IEC 15408 and 18045, by addressing a number of topics.
The development of this document will also investigate whether specific elements from ISO/IEC 15026 (and its revision) are applicable to the guidelines being developed in the TR within the context of IS 15408 and 18045. An increase in the effectiveness of vulnerability reduction is expected for products developed and evaluated according to this Technical Report.
On general systems
A framework for IT security assurance (15443)
The objective of this Technical Report is to present a variety of assurance methods and assurance approaches to guide the IT Security Professional in the selection of an appropriate assurance method (or combination of methods) to achieve confidence that a given IT security product, system, service, process or environmental factor satisfies its stated security assurance requirements. This report examines assurance methods and approaches proposed by various types of organisations, whether they are approved or de facto standards.
Published in 2005, it has not yet found sufficient support to be updated.
Security Assessment of Operational Systems (19791)
This Technical Report provides guidance and criteria for the security evaluation of operational systems. It provides an extension to the scope of ISO/IEC 15408, by taking into account a number of critical aspects of operational systems not addressed in ISO/IEC 15408 evaluation. The principal extensions that are required address evaluation of the operational environment surrounding the TOE, and the decomposition of complex operational systems into security domains that can be separately evaluated. The second revision, recently published, aligns its content with that of ISO/IEC 15408.
Systems Security Engineering - Capability Maturity Model (21827)
This standard was based on a PAS submission from ISSEA and its second edition was published in 2008.
The scope encompasses the system security engineering activities for a secure product or a trusted system, addressing the complete lifecycle of concept definition, requirements analysis, design, development, integration, installation, operation, maintenance and de-commissioning; requirements for product developers, secure systems developers and integrators, and organizations that provide computer security services and computer security engineering; and it applies to all types and sizes of security engineering organizations, from commercial to government and academia.
Secure System Engineering Principles and Techniques (29193)
This Technical Report, currently in WD, will provide guidance on the principles, best practices and techniques for secure-system design for information and communication systems, complementing already existing design processes with security specific engineering aspects. The audience will include system architects and designers. Furthermore the Technical Report will provide reference information to system developers and evaluators.
New areas for future work
On specific technologies
Tamper protection requirements and evaluation
The area of anti-tampering aspects of protection has been discussed before in SC 27. At the time of that discussion the issue of the WG 2 Terms of Reference was raised, in view of the fact that WG 2 was to be responsible for both cryptographic and non-cryptographic security mechanisms. At the same time, WG 2 noted that it lacked access to sufficient expertise in the field of non-cryptographic protection mechanisms. TC 68 has published standards (ISO/IEC 13491) in this area. From the SC 27 perspective, anti-tampering issues are of relevance to project 19790.
However, anti-tampering measures may also have their application in other areas of the IT security field (protection of hardware resources, transport devices for passwords and cryptographic keys, biometric sensor devices, etc.). WG 3 has launched a Study Period in this area, with no actions concluded yet.
On specific product types
The CCDB is in the process of creating consortia (involving schemes, industry (both developers and evaluators), and users/other interested parties) to work on the development of protection profiles and supporting documents in defined technical areas. Some initial areas include:
- Disk Encryption
- USB data storage devices
- Enterprise Security Management
- Firewalls
- Operating Systems
- Databases
- Browsers
- Secure software development - tools and techniques
This work may conclude with the publication of product type specific Protection Profiles, with companion evaluation methodology, which may be the subject of publication as ISO/IEC standards and technical reports.
Initiatives from newly established liaison channels may trigger new projects in specific product types, like smart cards.
On systems
Cloud computing, critical infrastructures and complex IT systems in general have not been addressed by WG 3, and their security evaluation is probably a matter for the immediate WG 3 activity.
ACRONYMS
CC Common Criteria, equivalent to ISO/IEC 15408
CCDB Common Criteria Development Board, a body within CCRA
CCRA Common Criteria Recognition Arrangement
CEM Common Criteria Evaluation Methodology [18045]
DES Data Encryption Standard
EAL Evaluation Assurance Level [ISO/IEC 15408]
HMAC [keyed] Hashing for Message Authentication [Code] [IETF RFC 2104]
PP Protection Profile [ISO/IEC 15408]
RBAC Role Based Access Control
SSE-CMM Systems Security Engineering - Capability Maturity Model [ISO/IEC 21827]
ST Security Target [ISO/IEC 15408]
TCG Trusted Computing Group
TOE Target of Evaluation
TMB ISO Technical Management Board
TPM Trusted Platform Module
ISO 15408, the Common Criteria Recognition Arrangement, and the role of SC27
David Martin, CCDB and SC27 WG3 Liaison
Many IT products contain functionality that is expected to meet end-user security requirements, either as a direct part of the product's primary role (e.g. a firewall) or in support of that primary role (e.g. a database holding sensitive data). Those responsible for procuring and building systems involving such products will therefore seek assurances from the developers/vendors that the products provide the appropriate security functionality and that the products have also been designed and built in a way that the security functionality will operate both reliably and robustly. Providing such assurance on an individual basis, or even on a per-nation basis via national evaluation schemes, is not a practical option for anything other than a few high volume/specialised requirements. What vendors and users need is an assurance scheme that is common across many nations and which provides mutual recognition of results (so that an evaluation and certification by one national scheme can be readily recognised by the other nations).
The international Common Criteria for Information Technology Security Evaluation (CC) and the companion document, the Common Methodology for Information Technology Security Evaluation (CEM), are used by the certification schemes that operate under the Common Criteria Recognition Arrangement (CCRA) to offer a cost effective way for developers/sponsors of security related IT products to provide confidence to their users worldwide. The CCRA and its subcommittees provide the framework for ensuring consistency and quality of evaluations (in conjunction with other quality assessment organisations covering the work of evaluation laboratories under ISO/IEC 17025), while the CC and CEM (together with other supporting documents where required) set the common requirements. Continual work, through regular meetings and other interchanges, is used both to harmonise the application of the standards and to develop them further.
By publishing equivalent versions of the CCRA documents as ISO/IEC 15408 (three parts) and ISO/IEC 18045 respectively, ISO increases both the appeal and the usage of the standards (some nations require reference to ISO standards). Note however that the certification needs to be performed under the CCRA in order for mutual recognition to apply.
The role of SC27, and specifically of the WG3 subgroup, is however very much greater than one of simply reformatting and publishing equivalent versions. The working group itself comprises a wide body of experts and, through national representation and consultation mechanisms (voting etc.), takes input from an even greater range of experts. Their opinion is of sufficient importance that the Common Criteria Development Board (CCDB), which oversees the development of the CC and CEM, appoints a liaison officer and considers the liaison statements to/from SC27/WG3 at every meeting. As new versions of the criteria are developed and as technical issues relating to the usage of the standards arise, SC27 WG3 is consulted for its opinions and input.
Over its 10 plus year life the CCRA has grown, so that it now comprises 26 nations, with half of these able to issue certificates. More than 1200 certificates have been issued and the level of interest, both in certifying products and in becoming a member of the CCRA, continues to grow.
As general software products also continue to become both larger and more complex, and as the market demands increasingly rapid and effective assurance mechanisms that can comprehensively cover a wider range of products, the CCDB is currently reviewing the best way to provide this assurance and is seeking to replicate the undoubted success of the smartcard community across other technical areas (smartcards and similar devices form the largest single grouping of certificates, and the work of the community [including developers, government, evaluation facilities, and end users] provides a means by which the nations involved are able to obtain an even greater degree of mutually recognised assurance). Through continual liaison with SC27 WG3, the wider needs of ISO, as an international standards body, will be maintained throughout this work.
As a relatively new liaison officer (having only attended one meeting so far), my personal view is that the SC27 WG3 group, well supported by the various administration staff and tools, provides an effective and useful mechanism for gaining international consensus in the field. I congratulate SC27 on attaining its 20th Birthday and look forward to the continuation of its work across the next 20 years!
ISO/IEC 19790 Security Requirements for Cryptographic Modules
Randall Easter (I) and Jean Pierre Quemard (II)
(I) Director, Cryptographic Module Validation Program (CMVP), United States Department of Commerce, National Institute of Standards and Technology
(II) R&T director, Chief Security Officer, EADS Defence and Security

In Information Technology there is an ever-increasing need to use cryptographic mechanisms, for example for the protection of data against unauthorised disclosure or manipulation, for entity authentication and for non-repudiation. The security and reliability of such mechanisms are directly dependent on the cryptographic modules in which they are implemented.
This International Standard provides for four increasing, qualitative levels of security requirements intended to cover a wide range of potential applications and environments. The cryptographic techniques are identical over the four security levels. The security requirements cover areas relating to the design and implementation of a cryptographic module. These areas include cryptographic module specification; cryptographic module interfaces; roles, services, and authentication; software/firmware security; operational environment; physical security; physical security - non-invasive attacks; sensitive security parameter management; self-tests; life-cycle assurance; and mitigation of other attacks.
The overall security rating of a cryptographic module must be chosen to provide a level of security appropriate for the security requirements of the application and environment in which the module is to be utilised and for the security services that the module is to provide. The responsible authority in each organization should ensure that their computer and telecommunication systems that utilise cryptographic modules provide an acceptable level of security for the given application and environment. Since each authority is responsible for selecting which approved security functions are appropriate for a given application, compliance with this International Standard does not imply either full interoperability or mutual acceptance of compliant products. The importance of security awareness and of making information security a management priority should be communicated to all concerned.
Information security requirements vary for different applications; organizations should identify their information resources and determine the sensitivity to and the potential impact of a loss, and implement appropriate controls. Controls include, but are not limited to:
- physical and environmental controls;
- access controls;
- software development;
- backup and contingency plans; and
- information and data controls.
These controls are only as effective as the administration of appropriate security policies and procedures within the operational environment.
This International Standard is derived from NIST Federal Information Processing Standard (FIPS) PUB 140-2.
On July 17, 1995, the National Institute of Standards and Technology (NIST, USA) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to Federal Information Processing Standards. The CMVP is a joint effort between NIST and the Communications Security Establishment Canada (CSEC). NIST administers the National Voluntary Laboratory Accreditation Program (NVLAP). NVLAP provides accreditation services through various laboratory accreditation programs (LAPs), which are established on the basis of requests and demonstrated need. Each LAP includes specific test or calibration standards and related methods and protocols assembled to satisfy the unique needs for accreditation in a field of testing or calibration. NVLAP accredits public and private laboratories based on evaluation of their technical qualifications and competence to carry out specific calibrations or tests. Vendors of cryptographic modules can use the independent laboratories that are accredited by NVLAP for Cryptographic and Security Testing (CST) for the testing of modules for conformance to Federal Information Processing Standard 140-2, Security Requirements for Cryptographic Modules.
As of June 10, 2010, the CMVP has issued over 1325 validation certificates that represent over 2800 cryptographic modules. There are currently 17 NVLAP accredited CST laboratories located in six countries: USA, Canada, Germany, Spain, Japan and Taiwan ROC. Additional USA and international laboratories are in the process of accreditation. The modules were submitted for testing by over 305 vendors located worldwide.
The development and publishing of ISO/IEC 19790 builds on this foundation and is a testament to the value of the standard and of testing.
Security attributes extension and relation with dependability
Anne Coat-Rames, CIRB Project Manager, French Network and Information Security Agency
Jean Caire, Deputy CISO, RATP

There is a strategic question: should a system be considered from one aspect only, or as a whole? For example, the relations between security [1] and dependability receive different answers. Some think that these domains are not compatible and cannot be addressed together; others see them as synergistic, each contributing to the other's success. A lot of literature exists on this question, but, in summary, what is the answer?
I. History
From a historical point of view, dependability (also called FMDS) aims to prevent system failures from leading to catastrophic events (safety / harmlessness) and focuses on accidental causes (e.g. human fault, component malfunction) or environmental causes (e.g. atmospheric conditions). Malicious acts are not considered; the concepts and techniques set up for FMDS are not adapted to dealing with malice, even if the general vocabulary of the standards allows them to be taken into account. For example, dependability:
1) does not consider confidentiality;
2) relies, for ensuring message integrity, on error detection codes (e.g. checksums), which do not resist an intelligent attack.

These choices are based on the assumption that the system is closed, with no malicious actors. This simplifies the confidentiality question. This assumption has some well known limits. For example, the transport FMDS reference set includes two CENELEC standards, EN 50159-1 and EN 50159-2, about communications between components: one for closed systems (no hostile agents), the other for open systems, which makes some old cryptographic primitives (not adapted to TCP/IP) mandatory.
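The contrast drawn in point 2 above, between an error detecting code designed for accidental faults and a keyed integrity mechanism designed with an adversary in mind, is illustrated by the following added Python example. It is not part of the original article or of any standard cited here; the frame layouts, the payload, the forged command and the key are constructed for the demonstration. It uses CRC32 as the checksum and HMAC-SHA256 (the HMAC of IETF RFC 2104, listed in the acronyms of the preceding article) as the cryptographic alternative. A single flipped bit is caught by both mechanisms; a substituted payload with a recomputed checksum is accepted by the CRC verifier and rejected by the HMAC verifier, which is exactly the "closed system" assumption failing.

```python
"""Integrity against accidental faults (CRC32) versus against an attacker (HMAC).

Added example for the dependability / ISS comparison above; not taken from
the cited standards.  Frame layouts are an assumption of this example:
    CRC frame  : payload || 4-byte big-endian CRC32
    HMAC frame : payload || 32-byte HMAC-SHA256 tag (IETF RFC 2104)
"""
import hashlib
import hmac
import zlib
from typing import Optional

CRC_LEN = 4   # CRC32 is 32 bits
TAG_LEN = 32  # SHA-256 output length


def crc_protect(payload: bytes) -> bytes:
    """Dependability view: append an error-detecting code (CRC32)."""
    return payload + zlib.crc32(payload).to_bytes(CRC_LEN, "big")


def crc_verify(frame: bytes) -> Optional[bytes]:
    """Return the payload if its CRC32 matches, else None."""
    payload, tag = frame[:-CRC_LEN], frame[-CRC_LEN:]
    return payload if zlib.crc32(payload).to_bytes(CRC_LEN, "big") == tag else None


def hmac_protect(key: bytes, payload: bytes) -> bytes:
    """ISS view: append a keyed tag that cannot be recomputed without the key."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def hmac_verify(key: bytes, frame: bytes) -> Optional[bytes]:
    """Return the payload if its HMAC tag verifies, else None."""
    payload, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    # compare_digest runs in constant time, so the check does not leak the tag.
    return payload if hmac.compare_digest(expected, tag) else None


def flip_bit(frame: bytes, bit_index: int) -> bytes:
    """Accidental fault model: one bit of the frame flipped in transit."""
    buf = bytearray(frame)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def attacker_rewrite_crc(new_payload: bytes) -> bytes:
    """Intelligent attacker: substitute the payload and recompute the public
    CRC.  Nothing secret is needed, so the forged frame verifies."""
    return crc_protect(new_payload)


def attacker_rewrite_hmac(frame: bytes, new_payload: bytes) -> bytes:
    """The same attacker against HMAC has no key; the best generic move is to
    splice the old tag onto the new payload, which fails verification."""
    return new_payload + frame[-TAG_LEN:]


def run_demo(key: bytes, payload: bytes, forged: bytes) -> dict:
    """Run both fault models against both mechanisms; True means 'accepted'."""
    crc_frame = crc_protect(payload)
    mac_frame = hmac_protect(key, payload)
    return {
        "crc_accepts_original": crc_verify(crc_frame) == payload,
        "crc_accepts_bit_flip": crc_verify(flip_bit(crc_frame, 13)) is not None,
        "crc_accepts_forgery": crc_verify(attacker_rewrite_crc(forged)) == forged,
        "hmac_accepts_original": hmac_verify(key, mac_frame) == payload,
        "hmac_accepts_bit_flip": hmac_verify(key, flip_bit(mac_frame, 13)) is not None,
        "hmac_accepts_forgery": hmac_verify(key, attacker_rewrite_hmac(mac_frame, forged)) is not None,
    }


if __name__ == "__main__":
    # Constructed sample: a control command on a closed-system link, and the
    # command an attacker would like to substitute.  The key is a stand-in.
    KEY = bytes(range(32))
    for name, accepted in run_demo(KEY, b"SET VALVE=CLOSED", b"SET VALVE=OPEN").items():
        print(f"{name:24s} {accepted}")
```

The two verifiers have the same shape; what differs is whether the tag can be recomputed by someone who holds only the frame. That is why an open-system variant of a transport standard has to mandate a keyed primitive, and also why the strength of that primitive matters: a checksum moved to an open network does not become a security mechanism by being called one.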
On the other hand, ISS (information systems security) comes from the need to ensure confidentiality in the face of a malicious environment, in a logic of system preservation (cf. the first Bell-LaPadula security model). Extended to integrity and availability, ISS aims at the preservation of these attributes, in an immunity perspective.

[1] Safety = harmlessness, with the accent on the (catastrophic) consequences for the system's users. Security = immunity, with the accent on the preservation of system properties against external aggression (hostile source).

Quickly, it appears that concrete systems, and not only critical infrastructures, will have to fulfil both dependability and ISS requirements, leading to the question "how to treat them together?". In short, the analysis shows that all their attributes are linked (see [LAAS]).

ISS focuses on availability, integrity and confidentiality. Dependability focuses on availability and integrity, but also on reliability, safety and maintainability. So they share at least the availability and integrity concerns. If these attributes are mastered within the framework of a security approach, they will probably contribute to dependability over the perimeter addressed by ISS.

The integrity of the system contributes to its reliability, the likelihood of failure of a corrupted system being, in principle, higher than that of a sound system (think of viruses); consequently, by limiting the likelihood of system failure, it limits the likelihood that the system harms its environment and users, and so increases system safety. In the same way, if system maintainability is ensured in a dependability approach, it will contribute to that system's availability and integrity, from an ISS point of view.

Within the strict ISS framework, confidentiality is already in tension with availability (see the break-glass principle for health data). Ensuring the confidentiality of sensitive data has a cost in volume and time efficiency, and adds functional complexity, against the needs for reliability and robustness associated with dependability.
II. Comparison between concepts and terminologies
One cornerstone of this debate lies in the concepts and vocabulary of each domain. This point is illustrated in the diagram below, which proposes potential correspondences between dependability concepts [2] at the top and ISS concepts [3] at the bottom of the picture. [Diagram not reproduced.]
Analysis of ISS standards related to incident management shows the following issues:
- The dependability terms fault / error do not appear in ISS standards, even those about continuity management (BS 25999) or incident management (18044); for example, "fault" is never used;
- "Failure" appears once in ISO 27031, as a synonym of disaster;
- Often, an ISS concept covers two or more dependability concepts (disaster and disruption denote both the originating event (the fault) and the failure caused by the event);
- "Error" is used for an action or the result of an action, but not in the sense of the state of a system.

[2] For dependability, an actor commits a fault and introduces an error in the system (component or documentation) (and the system is led into an unsecure / unstable state), which leads to a failure in the system behaviour.
[3] Incident: situation that might be, or could lead to, a business disruption, loss, emergency or crisis [BS 25999], or "issues to be addressed [include preparation and dealing with] such as ICT security incidents, including failures" [ISO 27031]. Disruption: interruption of normal business operations or processes which can range from short term to longer term unavailability (BS 25999).

On the other hand, we can establish some parallels between ISS measures and the four fault management modes defined by dependability principles, listed below. Some examples of security measures can be associated with each fault management mode:

Fault management mode | Definition | Threat management examples | Vulnerability management examples
Fault prevention | prevent the occurrence or introduction of faults | Attack modelling (prevention or forecasting?) | Specification review; design and coding rules; formal development; system validation
Fault removal | reduce the number and severity of faults | Physical perimeter protection | System validation; debugging (Bohrbug); bug fixing
Fault tolerance | avoid service failures in the presence of faults | System redundancy; back-up; diversity; survivability | Recoverability (Mandelbug: reboot the node); diversity; survivability; failover to standby
Fault forecasting | estimate the present number, the future incidence, and the likely consequences of faults | Risk analysis (impact and likelihood evaluation) | Aging bug

III. Perspectives and conclusions
This short analysis of the gaps between ISS and dependability concepts shows the richness that dependability could bring to ISS, and reciprocally. And this applies not only to incident management issues, one of the major ISS concepts.

It is there, in the foundational concepts, that the main common points and the main differences between the two domains are located. Even if the definitions of the availability, reliability, continuity and safety attributes all differ, ISS and dependability have a common goal: mastering risks. Whatever the system considered, the stakes are the same: limit the impacts of a system failure on the entity's activity, people, economic results, environment, reputation, and other business impacts.

The table below proposes some examples of security failures on systems considered as "protected" from a safety point of view, leading to significant impacts.

Failure type | Target system | Impact
Availability | Health information | Medical errors
Availability | Plant production planning system | Production stop, sales decrease, no revenue
Availability | Banking payment system | Penalties for payment delays, financial losses
Availability | Plant control system | Recall of corrupted products (economic cost, reputation)
Integrity: corruption by virus | Industrial system | Environmental pollution, explosion of stocks, damage to neighbours
Confidentiality: economic intelligence | Research results information | Market loss, company bankruptcy, staff layoffs
Reliability | Banking system for financial risk calculation | Error in financial risk calculation, excessive risk, loss of accurate reference values, financial loss

In all cases, the major difference between the two approaches is that ISS focuses on the system to protect, whereas dependability also focuses on the immediate and concrete potential impacts on the system's environment once the system is damaged [4]. In all cases, setting up an ISS approach contributes to the reliability and dependability of systems, and jointly limits the risks leading to impacts on companies, the environment, people, and society as a whole.

IV. Future: new concepts
Traditional ISS concepts make it possible to build extremely secure systems (e.g. control/command systems), within certain limits, such as high cost and limited functions and efficiency. These systems, and the concepts used to build them, are not sufficient for today's stakes: complexity, open systems, and sophisticated, professional threats.

We have to move beyond single-view concepts, focused on fault prevention, and define new security principles, based on the adaptation of the system to its environment and to the events it comes into conflict with.

Answers to these questions can be brought by the concepts called survivability and resilience. Dependability is a help to go from the Information Assurance vision of systems security towards the Mission Assurance vision.

It makes it possible to address the resilience and survivability [5] aspects of the system and organisation with the required arguments. [6]

All these disciplines are complementary, not antagonistic. [7]

Security, safety and survivability each constitute only a partial vision of the system and its requirements. For a full vision, and in order to understand survivability, engineers and consultants have to consider both security and safety.

As shown above, mastering risks creates real needs for establishing bridges between security and related disciplines. We are sure that SC27, as a centre of excellence in information security, will succeed in integrating security related concepts providing added value to business into its general international standards.

[4] Can we say that for ISS the system implodes, whereas for dependability it explodes?
[5] Survivability: the degree to which a system is able to withstand attack and still function at a certain level (IA Newsletter vol. 12 no. 4, Fall 2009, by Karen Mercedes Goertzel). Resilience may be defined as the ability of a system or organization to react to and recover from disturbances at an early stage, with minimal effect on the dynamic stability (Hollnagel, Woods and Leveson 2006).
[6] Illustration from M.G. Richards (MIT) 2009, survivability-attributes-extensions.
[7] See also Walter Schön (CNRS), Critical system security and cybercrime, towards global security.
Evaluation Criteria for IT Security
Professor, Centre Director, Svein Johan Knapskog
Centre for Quantifiable Quality of Service in Communication Systems (Q2S),
Norwegian University of Science and Technology (NTNU), Trondheim, Norway
URL: http://www.q2s.ntnu.no/people

1 Introduction
Security is increasingly seen as one of the basic qualities for ICT services. Without adequate security, a number of potential service users will decline the use of net-based services which they would otherwise have found to be effective and useful. Service providers must be able to convince users of the fact that information which is exchanged as part of the service related procedures, and which may be seen as sensitive, e.g. for economic or personal reasons, is not going astray or falling victim to any kind of abuse or misuse. However, it is not at all easy to describe and characterize ICT security in quantitative and absolute terms; the answer to this challenge may perhaps be sought with other means. It may be that adequate assurance can best be obtained by ICT product and/or system security evaluation performed by personnel with adequate competence, preferably performing their skilled duties in a security evaluation laboratory owned and run by an administratively and economically independent third party. A security evaluation aims at providing developers, manufacturers, vendors and end users alike with a common framework for understanding and describing the security challenges they are all facing, and at using this framework to their advantage as a tool to describe the technical and organizational measures necessary to meet the security challenges.
2 ISO/IEC IS 15408, Part 1/3 - Evaluation Criteria for IT Security
Evaluation of the security of ICT systems for non-military applications has been performed since the beginning of the 1980s, based on the criteria published in the US standard entitled "Trusted Computer Security Evaluation Criteria" (TCSEC, colloquially termed "The Orange Book"). Towards the end of the decade, Canada and a group of European countries, encompassing the United Kingdom, Germany, France and the Netherlands, had also begun the development and publication of evaluation criteria intended for use in their respective national schemes for ICT security evaluation and certification. Both the Canadian and the European criteria were somewhat different from the TCSEC in structure and content, since their intention was to emphasize product evaluations more strongly than what had until then been the prevalent mode of operation used by the US evaluation scheme, which mainly targeted holistic assessment of centralized computer plants. As soon as product evaluation becomes the main focus area, it is more natural to regard security functionality and security assurance as two independent security aspects, which can be specified independently, at least to a certain (some will argue fairly high) degree. The introduction of this pivotal principle opened up a far more flexible evaluation regime, with significant potential for time saving procedures in the actual evaluation performance, and the possibility of future procedures opening up the development of secure products by reusing previously evaluated products as building blocks when composing a more complex product or system. The Canadian and European initiatives spurred further development of the US criteria, and in the early 1990s a document entitled "Minimum Security Functionality Requirements" (MSFR) was released to the public. This was the forerunner of a completely revised set of criteria for the US scenario, the "Federal Criteria", which was intended to completely replace the "Orange Book". The "Federal Criteria" incorporated the principle of independence between security functionality and assurance, and was in that respect an obvious and conscious adaptation to the development triggered by Canada and Europe towards a new evaluation paradigm. An illustration of the early development of the different emerging initiatives is given in Fig. 1.


Fig. 1 Time relations between national and European criteria initiatives (timeline not reproduced; it shows the US Orange Book, the Canadian CTCPEC, the European national criteria and ITSEC, the NIST Federal Criteria, and the ISO Common Criteria: CD/DIS, CC V.1.0 and CC V.2.0)

In parallel with the transition from "The Orange Book" to the "Federal Criteria", a development process was started in ISO, managed by the newly established Sub-Committee 27 "Security Techniques" (SC 27). The standardization effort picked up on the direction indicated by the development of the aforementioned national and European initiatives within the field. It became obvious that a significant number of independent, possibly diverging, standards in this area could lead to a suboptimal situation for developers, vendors and end users of secure ICT products and systems alike. It would be in the best interest of all parties involved that a world wide, internationally recognized regime for evaluation could be established, so that the market operators would have the necessary confidence that there would be sufficient end user demand for a standardized scope and quality of security measures in ICT products. At the SC 27 meeting in Stockholm in April 1990, a dedicated Working Group (WG 3) was established with the mandate to work for the future international standardization within the area. Naturally, the starting point of the work was to be the existing published criteria, and the goal was to identify the parts of these which represented the best current practice for security evaluation, in principle, method and technique, and to combine these parts into a consistent set of security evaluation criteria which would be universally recognized as the new standard.
As is shown in Fig. 1, the nations actively involved in the development of evaluation criteria continued their work with the criteria in parallel with the ISO working group. After a presentation of the newly published US Federal Criteria in Europe in 1993, a project for a joint US, Canadian and European Task Force named the Common Criteria Editorial Board (CCEB) was established to coordinate and further develop the parts of the existing different criteria documents with the widest support, with the aim of producing one common set of documents which could be used as input to the international standardization process managed by SC 27/WG 3. The project activity of the CCEB was fully coordinated with the standardization process in SC 27/WG 3, both time and content wise, through a Category C liaison, which signifies technical cooperation at a minute level of detail. The resulting standard [1, 2, 3], commonly referred to as the Common Criteria (CC), was finally published in 1999, after having collected majority support from the voting members of ISO and IEC active in the subcommittee ISO/IEC JTC 1/SC 27. Since then, several revised versions have followed. At the time of writing, the latest versions of the standard are from 2008 (parts 2 and 3) and 2009 (part 1).
3 Evaluation Model
ICT security evaluation is a technical discipline, and needs to follow the general guidelines for (today's) "best engineering practice" within the field. There are two main directions or practices for ICT security evaluations: one is termed product evaluation while the other is referred to as system evaluation. A product evaluation is performed for a product which is still sitting on the shelf of a manufacturer or a vendor; the future operative environment for the product can be assumed, but it is not known. A product evaluation can be performed both concurrently, i.e. running in parallel with the development of the product, and as a separate process after the development is finished. A system evaluation, on the other hand, is performed on an ICT system, which is a composite product or set of products installed in their normal operating environment, which is assumed known in every necessary detail. Physical, personnel and organizational conditions can be parameterized and taken into consideration during a system evaluation.
Figure 2 shows the general model of an evaluation situation. The Target of Evaluation (TOE) is developed under the influence of a set of generic security requirements specified in a Protection Profile (PP) and/or specific security requirements specified in a Security Target (ST). Both the PP and the ST are developed in accordance with the criteria (CC). The requirements for the evaluation process itself are also found in the CC. These will in their turn be sent to an evaluation task force, together with the necessary documentation, i.e. the documentation of the detailed technical procedures in the different product development phases, the product manuals for the installation and maintenance of the product in its operating environment and the user manuals for the TOE.
Figure 2 General model for evaluation [1]
An evaluation report is produced as part of the evaluation task. The report can be used as the basis for a subsequent certification process, but it is also naturally required by the user or owner of the TOE. In an ideal world, data could be collected in the operative phase of the lifetime of the TOE, and the security relevant part of such data could be fed back to the different development stages of future versions of the products, to improve the protection offered by the implemented security countermeasures against the threats experienced in the operational environment of the TOE. However, how to organize such closed life cycle loops in a commercial setting is still an open issue.
4 Security requirements
The TOE incorporates security measures derived from the security objectives of the TOE. The security objectives must be satisfied by the collection of security requirements derived from different sources, such as:

- the security policy of the organization
- identifiable threats
- laws
- regulations

In addition, the knowledge and expertise found in the environment which could be used to exploit weak or missing security countermeasures or unknown vulnerabilities of the TOE must somehow be assessed. Documentation of the security objectives is done at a relatively abstract level of the specification hierarchy. The TOE design specification and the TOE implementation documentation are the next levels of detail, and contain the necessary concretization and specification of security requirements. Some security requirements need to be tested to be able to decide what security countermeasures, in the form of security services and mechanisms, are relevant. It is important to be aware of the fact that even though specified functional properties and behavior can be tested to the full, the absence of unwanted properties or behavior can never be exhaustively tested.
5 Definition of Assurance [3]
Assurance is based on a set of Security Assurance Requirements (SARs) which are formulated in a standardized language to ensure exactness and facilitate comparability between evaluation results. The Security Target for a TOE provides a structured description of the evaluation activities to determine the correctness of the SARs.
The SARs serve as standard templates with which one can express assurance requirements for TOEs. In [3], the set of assurance components is catalogued, and the components are organized into families and classes. Seven pre-defined assurance packages, which are called Evaluation Assurance Levels (EALs), are listed. If the SARs are met, assurance in the correctness of the TOE is established, and the TOE is therefore less likely to contain vulnerabilities which can be exploited by attackers. The amount of assurance that the correctness of the TOE is as claimed is determined by the scope, depth and rigor of the examinations which are performed according to the components required to match the SARs.

6 Building confidence in the evaluation process
The confidence that the security countermeasures designed and built into the TOE are as effective and appropriate as claimed by the manufacturer and/or vendor, and that they are correctly implemented, must be deduced from detailed knowledge of the product or system. The general knowledge must encompass the definition, construction, implementation and, in the ideal case, also the operation of the TOE. In a product evaluation paradigm, the information on the operating environment is normally not accessible, and the knowledge of the operating phase can therefore not be included in the evaluator's knowledge base. The evaluator can make assumptions about the future operating environment of the TOE, and base his assessment on the realism of these assumptions. The confidence that the totality of the security properties of the TOE is indeed adequate for its intended purpose must in any case be transferred from the evaluator (after the laboratory itself is satisfied that this is the case) to the end user. One of the main arguments for using a common set of evaluation criteria is that it may contribute to a common understanding of the evaluation process with its capabilities and limitations, and of the different roles the different actors are presumed to play, both in connection with the evaluation itself and with the transfer of security confidence.
7 Organizing the requirements in the CC
The security requirements described in the CC are hierarchically ordered. The top level is called a class, encompassing functional or assurance components sharing a common intent, but with different coverage of the security objectives. Security objectives are expressed by families. A family is defined for those security components which aim to satisfy similar objectives, but with a varying degree of importance and thoroughness expressed by components. A component is a mapping of a set of security requirements, while the lowest level in this hierarchy is an element. An element describes atomic security requirements, i.e. requirements where further sub-division would probably not lead to any meaningful evaluation result.
An Evaluation Assurance Level (EAL) is characterized by:
- Scope: what parts of the ICT system are security relevant and therefore must be included in the evaluation.
- Depth: the evaluation is performed in varying detail in design and implementation, and the appurtenant documentation for each category.
- Rigor: the evaluation is performed with varying emphasis on structure and formality.
The requirement for functional security components from one or more of the functional classes will be expressed in a PP and/or an ST. The sum of the components characterizes the security relevant capabilities of the TOE, where relevance is given by the necessary and adequate measures to be taken to satisfy the security objectives stated for the TOE (product or system). The user will be able to detect the security behavior of the TOE by direct interaction with the TOE via its external interfaces or by observing the TOE's response to external stimuli. The set of security functionality classes is considered 'open', in the sense that it can be extended by new or amended classes whenever needed, e.g. triggered by new or changed requirements, to meet both contemporary and future demands.
8 Protection Profiles (PPs)
A Protection Profile (PP) is a generic security specification containing a set of security requirements, either taken from the CC or explicitly expressed in a separate security specification, which can be assumed to adequately address the security objectives of a certain type of application. A PP describes both functional security requirements, as a combined list of functional security classes, families or components, and assurance requirements compliant with a given EAL. In addition to the security requirements, a PP will also contain a rationale for the security objectives which are specified and for the corresponding security requirements which are found necessary and adequate to satisfy these objectives.
Using extended component definitions allows users to specify functional and assurance components not already defined in the CC Part 2 or Part 3 documents. This can be necessary if users (developers) come to the conclusion that the existing component sets are not quite adequate for the intended usage, e.g. if specific new threat scenarios emerge.
When specifying the security assurance requirements for an EAL, only one component from each assurance family will be chosen. The assurance components are strictly hierarchical: a component from the same family with a higher number will include all assurance elements present in components with a lower number.
For each family used, the PP describes the actions the developer (or manufacturer) and evaluator will have to perform to establish the necessary confidence that the security measures for the TOE are actually satisfactorily established. A vital part of a PP is a paragraph containing the rationale for the security objectives chosen for the TOE, which functional and assurance requirements have been derived to obtain these, and what strength of the chosen security mechanisms is to be used.
9 Protection profile registries
A PP is assumed to be reusable. To disseminate the knowledge of which PPs have already been developed, an open registry of PPs has been developed [4]. End users, organizations, companies or special interest groups can use this register of PPs directly if the entries therein are found to adequately address their security needs. A previously registered (potentially evaluated and certified) PP may also serve well as a starting point for the further development of new PPs which may cover the security needs of other, possibly related, application areas with slightly different or extended security requirements. A PP which is listed in the register with status evaluated has been evaluated based on the same criteria as other ICT products or systems, i.e. the CC, parts 2 and 3.
10 Security Target
A Security Target (ST) is an implementation-dependent statement of security needs for a specific identified TOE. An ST may be based on one or more PPs to show that the ST conforms to the security requirements expressed in those PPs. The ST describes the security objectives of the TOE, and demonstrates that the specified countermeasures are sufficient to fulfill the security requirements derived from the objectives. Security objectives are commonly determined by the sum of security policy decisions, formal rules and regulations, and identified threats in the operating environment. Countermeasures which fulfill the security requirements will counter all identified threats. For practical reasons, the countermeasures are divided into two groups: a) those that fulfill the security requirements for the TOE, and b) those that fulfill the security objectives for the operational environment. Only the countermeasures implemented to fulfill the security requirements for the TOE will be subject to evaluation. Countermeasures against threats identified in the operating environment must be implemented based on assumptions. Their correctness and strength will not be evaluated.
An ST will be subject to a separate evaluation, using the ST evaluation criteria specified in [3], Clause ASE, prior to the actual TOE evaluation. The purpose of the ST evaluation is to determine the sufficiency of the TOE and the operating environment.
11 Common Evaluation Methodology (CEM)
The Common Methodology for Information Technology Security Evaluation (CEM) [5] is a companion document to the CC. The CEM describes the minimum actions to be performed by an evaluator in order to conduct a CC evaluation, using the criteria and evaluation evidence defined in the CC. There are direct relationships between the CC structure, which is class, family, component and element, and the structure of the CEM, expressed as activities, sub-activities and actions. Each evaluation, whether of a PP or of an ST/TOE, follows the same process, which has four main evaluator tasks:
- input task
- output task
- evaluation sub-activities
- demonstration of technical competence to the evaluation authority

In an evaluation, there are four basic roles:
- Developer
- Sponsor
- Evaluator
- Evaluation (and certification) authority

The sponsor is responsible for commissioning and supporting the evaluation. It establishes the different agreements for the evaluation and ensures that the evaluator is provided with the evaluation evidence. The developer produces the TOE and is responsible for providing the evidence required for the evaluation. Roles are supposed to be fully independent, both organizationally and economically, with one possible exception: one organization may act in both the developer and sponsor roles. The evaluator performs the evaluation tasks required in the context of an evaluation. This entity receives the evaluation evidence from the developer on behalf of the sponsor or directly from the sponsor, performs the evaluation sub-activities and provides the results of the evaluation assessment to the evaluation authority. The evaluation authority establishes and maintains the scheme, monitors the evaluation conducted by the evaluator, and issues certification/validation reports as well as certificates based on the evaluation results provided by the evaluator.
The evaluation process may be preceded by a preparation phase where initial contact is made between the sponsor and the evaluator. The intent of this phase is to perform a feasibility analysis to assess the likelihood of a successful evaluation.
The overall verdict of an evaluation is pass if and only if all the verdicts after each of the sub-activities are also pass. If the verdict for any of the evaluator action elements is fail, then the verdicts for the corresponding assurance component, assurance class, and the overall verdict are also fail.
The intent of using a common evaluation methodology, even in a commercially competitive market, is to obtain, to the largest possible degree, evaluation results which are comparable and repeatable, and to keep costs at a reasonable and predictable level.
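The hierarchy rules of sections 7 and 8 (one assurance component per family, higher-numbered components including lower ones), the PP conformance of an ST from section 10, and the verdict rule just stated can all be checked mechanically. The Python below is an added example written for this page, not code from the standard, the CEM or the author; the identifiers follow the CC naming pattern, but every package, PP, ST and verdict in it is a constructed sample rather than a real EAL table.

```python
"""Checks over the CC requirement hierarchy described on this page:
class > family > component > element, one assurance component per family
in a package, hierarchical components, an ST conforming to a PP, and CEM
verdicts rolled up from evaluator action elements. Identifiers follow the
CC naming pattern (e.g. ADV_FSP.2); all packages, PPs, STs and verdicts
below are constructed samples, not real EAL tables.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Mapping


@dataclass(frozen=True)
class Component:
    """A numbered component within a family; the class is the family's first three letters."""
    family: str
    number: int

    @property
    def cc_class(self) -> str:
        return self.family[:3]

    def __str__(self) -> str:
        return f"{self.family}.{self.number}"

    def includes(self, other: "Component") -> bool:
        """Hierarchical rule of section 8: within one family, a higher-numbered
        component includes all assurance elements of a lower-numbered one."""
        return self.family == other.family and self.number >= other.number


def parse(ident: str) -> Component:
    """'ADV_FSP.2' -> Component(family='ADV_FSP', number=2)."""
    family, number = ident.rsplit(".", 1)
    return Component(family, int(number))


def check_package(components: Iterable[str]) -> List[str]:
    """Section 8: an EAL package selects only one component from each assurance
    family. Returns the violations found (empty list: the package is well formed)."""
    chosen: Dict[str, Component] = {}
    problems: List[str] = []
    for comp in map(parse, components):
        if comp.family in chosen:
            problems.append(f"{comp.family}: both {chosen[comp.family]} and {comp} selected")
        chosen[comp.family] = comp
    return problems


def st_conforms_to_pp(pp_components: Iterable[str], st_components: Iterable[str]) -> List[str]:
    """Section 10: an ST based on a PP must meet the PP's requirements. A PP component
    is met when the ST claims the same component or a higher one in that family.
    Returns the PP components the ST does not meet."""
    claimed = [parse(c) for c in st_components]
    return [str(req) for req in map(parse, pp_components)
            if not any(c.includes(req) for c in claimed)]


# Verdicts assigned to evaluator action elements. The page gives the pass/fail
# rule; 'inconclusive' is used here for elements not yet evaluated (an assumption).
PASS, FAIL, INCONCLUSIVE = "pass", "fail", "inconclusive"


def combine(verdicts: Iterable[str]) -> str:
    """Section 11: fail if any child fails; pass only if every child passes."""
    vs = list(verdicts)
    if FAIL in vs:
        return FAIL
    if vs and all(v == PASS for v in vs):
        return PASS
    return INCONCLUSIVE


def aggregate_verdicts(element_verdicts: Mapping[str, str]) -> Dict[str, str]:
    """Roll element verdicts (keys like 'ADV_FSP.1.2E') up to their assurance
    component ('ADV_FSP.1'), assurance class ('ADV') and the 'overall' verdict."""
    per_component: Dict[str, List[str]] = {}
    for element, verdict in element_verdicts.items():
        component = element.rsplit(".", 1)[0]
        per_component.setdefault(component, []).append(verdict)
    result = {comp: combine(vs) for comp, vs in per_component.items()}
    per_class: Dict[str, List[str]] = {}
    for comp, verdict in list(result.items()):
        per_class.setdefault(parse(comp).cc_class, []).append(verdict)
    class_verdicts = {cls: combine(vs) for cls, vs in per_class.items()}
    result.update(class_verdicts)
    result["overall"] = combine(class_verdicts.values())
    return result


if __name__ == "__main__":
    # Constructed sample: a small package, a PP it is claimed against, element verdicts.
    package = ["ADV_FSP.2", "ATE_IND.2", "AVA_VAN.2"]
    print("package problems:", check_package(package))
    print("unmet PP components:", st_conforms_to_pp(["ADV_FSP.1", "AVA_VAN.3"], package))
    verdicts = {"ADV_FSP.2.1E": PASS, "ADV_FSP.2.2E": PASS, "AVA_VAN.2.1E": FAIL}
    print("verdicts:", aggregate_verdicts(verdicts))
```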
12 Industrial and societal impact of IS 15408
The purpose of having an international standard by which to assess the security of IT products is rather obvious. The evaluation process is time consuming and costly. The cost comes from both the time spent and the expectation of very high security competence requirements on the professionals performing the evaluation. To alleviate the impact of these mechanisms as much as possible, it is vital that the evaluation process itself is streamlined to have high efficiency and reliable results which can be interpreted and reused in all countries and every market sector. The laboratories performing the actual evaluation and the public authorities managing the national evaluation schemes need to be at an internationally comparable and acceptable quality and capacity level. Nations that have been actively participating in the development of the criteria standard have managed this in a cooperative fashion by establishing "The Common Criteria Recognition Agreement (CCRA)", the original text of which is downloadable from [6]. The group of nations already established as cooperative members assesses the national evaluation schemes and evaluation facilities in countries which would like to join the community, and thereby guarantees the consistency and quality of the technical and managerial schemes which are accepted as new members of the community. Working with common standards, both for technical and managerial aspects of security evaluation, improves efficiency and cost-effectiveness and eliminates the danger of having to perform duplicate evaluations of IT products as well as protection profiles. A considerable number of industrially developed countries have joined the CCRA, thereby creating a common understanding of the technical aspects of the evaluation process, as well as a unified market for IT security certified products. The IT developers' interest in this type of evaluation scheme is to obtain certificates for their IT products, to increase the assurance the end users need that the best engineering practices have been employed when designing and implementing the appropriate security functionality of the product in question. The user communities benefit from the CCRA indirectly by having the opportunity to consult the database of previously evaluated IT products when searching for secure building blocks, evaluated to a certain assurance level, for IT products under development, or by consulting previously registered protection profiles, which will frequently also be evaluated. In the end, all of these arrangements have a common goal for all participating parties: to improve the quality of security providing products and services in the ever expanding cyberspace.
References
[1] ISO/IEC 15408-1:2009. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 1: Introduction and General Model.
[2] ISO/IEC 15408-2:2008. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 2: Security Functional Components.
[3] ISO/IEC 15408-3:2008. Information Technology - Security Techniques - Evaluation Criteria for IT Security - Part 3: Security Assurance Components.
[4] http://www.commoncriteriaportal.org/pp.html
[5] ISO/IEC 18045:2008. Information Technology - Security Techniques - Methodology for IT security evaluation.
[6] http://www.commoncriteriaportal.org/files/operatingprocedures/cc-recarrange.pdf
ASSURANCE LANDSCAPE⁸

John Hopkinson
ISSPCS-Prac CISSP ISP ITCP CDRP, Security Strategist
Chairman CAC-JTC1/TCIT, Chief Technical Officer, ISSEA

INTRODUCTION
Associated with any product or service, in addition to the features or functions provided, is the trust and confidence that the product or service will function as advertised and provide the intended results, or that the product or service will be replaced or reconditioned. This confidence and trust is generally referred to as "Assurance", particularly within the Information and Communications Technology (ICT) Security realm.

Within ICT Security, Assurance does not provide any additional security services or safeguards; rather, it refers to the security of the product or service and to the fact that the product or service fulfills the requirements of the situation, i.e. satisfies the Security Requirements. This may appear to be a less than important aspect at first sight, particularly when the cost of providing or obtaining Assurance is factored in. However, it should never be forgotten that, while Assurance does not provide additional security services or safeguards, it does serve to reduce the uncertainty associated with vulnerabilities, and thus the need for additional security services or safeguards. In this manner cost savings may accrue. Thus Assurance does provide a very important element when performing a Security Risk Assessment, and during the Risk Management phase of determining if additional safeguards are required and setting priorities.

Within ICT Security, Software plays a vital role. It forms an important part of most if not all Security Mechanisms. The associated Software Assurance is also vital, perhaps even more so in the case of software, as so many security breaches occur via the avenue of software breaches.
THE ASSURANCE CASE
Assurance in and of itself, in all cases, is a complex topic, no more so than in the case of Software Assurance. Generally speaking, associated with any product or service is an Assurance Case. This Assurance Case provides the confidence and trust that the user of the product or service may have in the security of the product or service. The Assurance Case then is an overall package of Assurance related to the product or service.

The Assurance Case may be represented in many ways and many forms, but often it is instantiated in the name and logo of the product vendor or service provider. The Assurance Case is supported by a number, one or many, of Assurance Claims that form a part of the Assurance Case. These Assurance Claims may be overtly presented as part of the product or service, or they may be less obvious and form part of the supporting documentation.

⁸ Copyright P/FIT, 2007
ASSURANCE CLAIM
Assurance Claims are often represented as "Marks or Symbols" that may be applied to the product or service⁹. Marks and Symbols come in many types, ranging from registered and certified Marks that include "Third Party" testing and certification of the product or service, to Symbols that include the registered Logo of the product or sub-assembly. Symbols are often used for the purpose of "authenticating" the origin of the product or service.

As an example, if one turns over a laptop or notebook computer, and their power supplies, one will see a series of Marks related to the electrical and electronic safety and interference of the product. These are Assurance Claims. They tell the user that the product has been tested and is safe to use. In some cases they may include limitations on use, such as the limits on the voltage range of the power supply. Another kind of Mark, more correctly a Symbol, may also be seen on many of these products, but is usually located inside the laptop. This symbol denotes the processor chip used in the laptop, e.g. "Intel Inside". Again this is another type of Assurance Claim. Together, these and other types of Assurance Claims go to make up the Assurance Case associated with the, in this case, product.

Assurance Claims come in many different types and can be used in many different ways. They are often for different purposes. In the example above, the Symbol used to denote the type of processor chip in the laptop is an example of "Pass Through Assurance"¹⁰. This form of Assurance Claim is intended for the final purchaser of the assembled product, i.e. you and I, not directly the integrator of the parts to create the final product. It is used by the integrator as a part of the overall laptop Assurance Case. Other Assurance Claims of the processor chip's Assurance Case would be targeted directly to the integrator, and are not likely to be presented to the final product user.

⁹ Marks and Symbols are most often associated with products.
¹⁰ See ISO/IEC TR 15443-3 for more details.

The form, structure and nature of the Assurance Claim then is usually dependent
upon the user of that Assurance Claim and their needs. In the examples given
above, Symbols are frequently used, at least in part, to ensure the authenticity of
the product or service. The final user can be assured that the product or service is
authentic. However, this is dependent upon the user being able to identify a
forgery, which may not be easy, and upon the owner of the Symbol prosecuting
forgeries vigorously. If these two actions do not occur, then the value of the
Assurance Claim provided by the Symbol is undermined.

In the case of Marks the situation is a little different. Generally Marks are owned
and registered by an independent organization. Generally there are Third Party
Testing Laboratories that ensure compliance with the requirements of the Mark.
Marks are also rigorously defended and any fraudulent use of the Mark is
prosecuted. Products containing false Marks will be withdrawn from sale.

Marks and Symbols are one type of Assurance Claim. They use an icon to represent
the claim. Other types of Assurance Claim use natural language to express the claim
in words, and in some cases mathematical or chemical notation may be used. The
form of expression depends largely upon the intended recipient of the Assurance
Claim and their needs. However, particularly when using natural language,
considerable care is needed when constructing the Assurance Claim.

Assurance Claims should not be open ended. Many Assurance Claims are associated
with limitations. For example the claim may be limited by a temperature range of
applicability. Alternatively the claims may be limited by the way in which the
product or service is used. Outside these limitations the Assurance Claim is not
considered to be of value.

Another trap to be avoided is a negative claim. A trite example of this is the
statement that "The Loch Ness Monster does not exist". This kind of statement is
impossible to prove; one can only prove that the Loch Ness Monster exists, not that
it does not. This brings us to another important property of Assurance Claims: they
must be provable. In the example above it is immaterial whether one "believes"
that the Loch Ness Monster exists or that it does not; this is a matter of belief,
however in terms of proof it is not possible to prove that it does not. Assurance
Claims are about Proofs, not beliefs, and thus negative claims must be avoided.

As an example related to software of what has been discussed in the preceding
paragraphs, an Assurance Claim that "a software product is secure" would be a poor
claim and of little value. It has no limitations placed upon it, nor can it be
proven. However, an Assurance Claim that "the software product contained no
exploitable buffer overflows" would be a good Assurance Claim as this claim can be
substantiated by Assurance Arguments and supported by Assurance Evidence.

As can be seen from the preceding, constructing Assurance Claims is not necessarily
an easy nor simple task. The Assurance Claim should take into account the needs
of the final user and their technical expertise. Some final users can learn to "Trust
and Have Confidence in" a Mark or Symbol without the necessity of dealing with
complex technical materials. However others are unlikely to be satisfied with just
the Mark or Symbol, particularly if the product or service is to be integrated into
another product or system. In these cases they need the technical details.
ASSURANCE ARGUMENTS
Assurance Arguments substantiate the Assurance Claim. There may be a single
Assurance Argument or several to substantiate the Assurance Claim. In some cases
a single Assurance Argument may be used to substantiate multiple Assurance
Claims.

Assurance Arguments can be constructed in multiple ways; however it is important
to remember that they are the proofs offered to substantiate the Assurance
Claimed and therefore should be structured in the appropriate manner.

As an example of an Assurance Argument, in the example used earlier of an
Assurance Claim that "a software product contained no exploitable buffer
overflows", the Assurance Argument offered to substantiate this claim might be that
the software product had been subjected to static analysis by a tool designed to
test for exploitable buffer overflows. Provided that a reputable and well recognized
tool was used, this argument might constitute adequate "Proof".

In the case of a Mark, the Assurance Argument that substantiates the Assurance
Claim represented by the Mark is the requirements and details of the testing
associated with the use of the Mark.

In the case of a Symbol the situation is somewhat different. In this case the
Assurance Argument is substantiated by the reputation of the organization that
owns the Symbol or whom the Symbol represents. It may also be substantiated by
the warranties and guarantees offered by the product or service vendor that are
associated with the product or service.

Other Assurance Arguments that substantiate Assurance Claims, particularly with
regard to security or safety, may relate to the security engineers who designed the
product or service, and their professional competence to do the job. The argument
may state that the security engineer(s) were professionally certified under the
International Systems Security Professional Certification Scheme (ISSPCS), for
example.

Another kind of Assurance Argument may relate to the processes used to design the
product and in its production, or the processes used to provide the service. In this
case the argument would likely relate to the level of maturity of those processes, or
the maturity profile of the processes, perhaps using ISO/IEC 21827 The Systems
Security Engineering Capability Maturity Model (SSE-CMM).

An Assurance Argument can be constructed based on an evaluation and testing of
the product. This approach is often used for security related products, particularly
under the Security Evaluation or Common Criteria scheme, ISO/IEC 15408. In this
case the Assurance Argument is based upon the Protection Profile of the product
and the Evaluated Assurance Level achieved11.

As can be seen, Assurance Arguments can be constructed in many different ways
and drawn from many different sources. In the examples given above, the
Assurance Arguments have been based upon:
- Testing and evaluation of the product or service,
- The reputation of the supplier,
- The professional competence of the engineers performing the work, and
- The maturity of the processes used.

Other sources that could be used include:
- The methods used in the design of the product or service,
- The tools used in the design of the product,
- The tools used in the performance of the service, and
- Many other potential sources.

11 For more information see ISO/IEC 15408 (All Parts), or
www.CommonCriteriaPortal.org

All of the above can be used to substantiate the Assurance Claim. Which ones are in
fact used in a particular instance largely depends upon the needs of the assurance
recipient and how they will make use of the Assurance Case associated with the
product or service.
ASSURANCE EVIDENCE
The Assurance Argument is supported by Assurance Evidence. Again there are many
forms of Assurance Evidence that can be used. However, what is important about
the evidence is that it is demonstrable, repeatable and defensible.

Some examples of Assurance Evidence related to the examples used earlier in this
paper are given in the following bullets:
- The Mark - the results of tests performed on the product and the sampling
techniques used,
- The Symbol - the organization's past history and testimonials from satisfied
customers,
- Professional competence - the certificate number of the professional, and the
syllabus that the professional is tested against,
- Process Maturity - the results of appraisals of the organization's processes,
- Independent Evaluation - the Security Target of the system and the
Evaluation results, and
- Tools and Methods - the independent testing of the tools and their
evaluation, testing and reputation for completeness, robustness and
effectiveness.
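The Case / Claim / Argument / Evidence structure described in the preceding sections, as an added illustration that is not code from this paper or from ISO/IEC TR 15443: a small model with a check for the properties the paper asks of a claim (bounded, positive, substantiated by an argument that carries evidence). The sample case reuses the paper's laptop and software examples; the limitation and evidence wording in it is constructed.

```python
"""Model of the four elements of the assurance landscape described in this paper
(Assurance Case, Claim, Argument, Evidence) with a check for the properties the
paper asks of a claim: bounded, positive and provable, and substantiated by an
argument that is itself supported by evidence. Added illustration, not code from
the paper or from ISO/IEC TR 15443; sample content below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Evidence:
    description: str                # must be demonstrable, repeatable, defensible
    available_on: str = "request"   # paper: evidence is generally available on request


@dataclass
class Argument:
    description: str                # the "proof" offered for the claim
    evidence: List[Evidence] = field(default_factory=list)


@dataclass
class Claim:
    statement: str
    kind: str                       # "Mark", "Symbol" or "narrative"
    limitations: List[str] = field(default_factory=list)
    arguments: List[Argument] = field(default_factory=list)
    negative: bool = False          # "X does not exist" claims cannot be proven


@dataclass
class AssuranceCase:
    subject: str
    claims: List[Claim] = field(default_factory=list)


def check_claim(claim: Claim) -> List[str]:
    """List the defects that make a claim poor in the paper's terms (empty = acceptable)."""
    problems: List[str] = []
    if claim.negative:
        problems.append("negative claim: cannot be proven")
    if not claim.limitations:
        problems.append("open ended: no limitations on applicability")
    if not claim.arguments:
        problems.append("unsubstantiated: no Assurance Argument")
    for arg in claim.arguments:
        if not arg.evidence:
            problems.append(f"argument lacks Assurance Evidence: {arg.description}")
    return problems


def check_case(case: AssuranceCase) -> Dict[str, List[str]]:
    """Map every claim statement in the case to its list of defects."""
    return {c.statement: check_claim(c) for c in case.claims}


# The laptop of the paper's example as an assurance case (sample content constructed).
LAPTOP_CASE = AssuranceCase(
    subject="laptop and its power supply",
    claims=[
        Claim("Power supply is electrically safe", kind="Mark",
              limitations=["input voltage within the marked range"],
              arguments=[Argument(
                  "product tested against the requirements of the Mark",
                  [Evidence("test results and the sampling technique used")])]),
        Claim("Processor is the one the Symbol denotes (pass-through assurance)",
              kind="Symbol",
              limitations=["applies to the processor fitted at manufacture"],
              arguments=[Argument(
                  "reputation of the Symbol's owner and the vendor warranty",
                  [Evidence("owner's past history and customer testimonials")])]),
        # The paper's poor claim: open ended and unprovable.
        Claim("The software product is secure", kind="narrative"),
        # The paper's good claim: bounded to a product and provable by analysis.
        Claim("The software product contains no exploitable buffer overflows",
              kind="narrative",
              limitations=["release 1.0 of the bundled software as shipped"],
              arguments=[Argument(
                  "static analysis by a reputable tool designed to find buffer overflows",
                  [Evidence("tool report and the tool's independent evaluation")])]),
    ])

if __name__ == "__main__":
    for statement, problems in check_case(LAPTOP_CASE).items():
        print(statement, "->", problems or "acceptable")
```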

CONCLUSION
As can be seen the assurance landscape is relatively complex. Assurance needs to
be approached from the recipient's or user's requirements perspective, and how they
will make use of the assurance. Assurance can take many forms and be presented in
multiple different ways. For example a single Assurance Argument may have
multiple Assurance Claims associated with it, one a Mark for use by certain kinds of
assurance consumer and a second claim in natural language for different kinds of
assurance consumers.

Sources of assurance and assurance types can be many and varied. Some sources
are better at providing certain types of assurance than others. Which is to be used
depends upon the assurance needs, but generally more than one source of
assurance is required. For more information on this topic, see ISO/IEC TR 15443-3.

Generally speaking, Assurance Claims in the form of Marks or Symbols will be
represented on the product itself. Some narrative Assurance Claims may be
represented on the product; however narrative Assurance Claims are more likely to
be found in the supporting documentation. In the case of services, Assurance
Claims are almost always contained in the supporting documentation.

As for Assurance Arguments, these may be included in the documentation, but are
more likely to be made available upon request. Assurance Evidence is generally
available only upon request. As has been said several times before, how and where
the Assurance Case is presented largely depends upon the needs and requirements
of the assurance recipient or user.
SUMMARY
In summary, the assurance landscape is made up of four elements:
- The Assurance Case, which is the total package of assurance associated with the
product or service,
- The Assurance Claim(s), which are the actual statements of the assurance
associated with the product or service,
- The Assurance Argument(s), which are the proofs that substantiate the claims,
and
- The Assurance Evidence(s), which are the materials that support the proofs.

ISO/IEC 19792 - The first biometric project in SC 27
Nils Tekampe (former editor of ISO/IEC 19792)
n.tekampe@tuvit.de

Today, biometric systems have conquered markets in which their security
characteristics have to fit into an overall security concept. Specifically in
governmental applications (e.g. border control) biometric applications and
components are embedded into systems whose security aspects have to undergo an
independent security evaluation.
It is the main focus of working group 3 of ISO/IEC SC 27 to provide developers and
evaluators of components and systems in IT security with evaluation criteria.
Prominent examples of standards that have been developed in this context include
ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation)
and ISO/IEC 19790 (Security requirements for cryptographic modules).
The evaluation of biometric devices and systems can - as a general rule - be
conducted in the same way as for any other IT security product evaluation. Having
said that, it appears logical to use the existing standards from SC 27 for the
evaluation of biometric systems. However, biometric systems have certain
characteristics that need special consideration in the course of a security evaluation.
The International Standard ISO/IEC 19792 - Security Evaluation of Biometrics -
specifies the specific aspects to be addressed during a security evaluation of a
biometric system.
Thereby, ISO/IEC 19792 does not aim to define a concrete methodology for the
security evaluation of biometric systems but instead focuses on principal
requirements. As such, its requirements are independent of any evaluation or
certification scheme and will need to be incorporated into and adapted before being
used in the context of a concrete scheme.
The areas that need special consideration are represented by the overall structure
of the standard:
1) Clauses 4 and 5 of ISO/IEC 19792 give an overview of all terms, definitions and
acronyms used. This is essential in order to provide evaluators with the
common vocabulary used by the "biometric community" and serves to avoid
misunderstandings.
2) Clause 6 introduces the overall concept for security evaluations of biometric
systems. This concept reflects that a security evaluation of a biometric
system shall in principle be carried out as any other security evaluation but
be augmented by the special aspects provided in the following clauses of
ISO/IEC 19792.
3) Clause 7 describes statistical aspects of security-relevant error rates.
Biometric systems do not work as predictably or deterministically as other
mechanisms for user authentication that are known in information security
(e.g. a PIN based mechanism). The error rates of biometric systems reflect
this fact and serve as a general indicator for the performance of a biometric
system. While general performance aspects do not fall into the scope of
ISO/IEC 19792, some of the error rates have a significant impact on the
security that a biometric system can provide. It is essential that each security
evaluation of a biometric system comprises a test of the security relevant
error rates. ISO/IEC 19792 refers to and adopts test requirements that have
been defined by SC 37 in ISO/IEC 19795-1 in this area and defines a
comprehensive set of requirements that a test in this area shall meet.
4) Clause 8 deals with the vulnerability assessment of biometric systems and
defines a set of common vulnerabilities that shall be considered during each
security evaluation. Those include:
   - Performance limitations: This vulnerability handles the question whether
   the error rates of the biometric system are suitable for its application
   case.
   - Artefact of biometric characteristics: This vulnerability deals with the
   fact that biometric characteristics can be spoofed and how this fact shall
   be considered in an evaluation.
   - Modification of biometric characteristics: This vulnerability deals with
   the fact that some biometric characteristics can intentionally be changed
   and how this fact shall be considered in an evaluation.
   - Difficulty of concealing biometric characteristics: This vulnerability
   supports the previous two and deals with the question how difficult it is
   for an attacker to obtain a biometric characteristic.
   - Similarity due to blood relationship: This vulnerability addresses the fact
   that some biometric characteristics are similar for blood-relatives.
   - Special biometric characteristics: This vulnerability handles special
   biometric characteristics for which the biometric system may show a
   deterioration in its security relevant error rates.
   - Synthesised wolf biometric samples: This vulnerability asks whether it is
   possible to generate biometric samples for which the biometric system
   may show a deterioration in its security relevant error rates.
   - Hostile Environment: This vulnerability asks whether changes to the
   characteristics of the environment of the biometric system can lead to a
   deterioration in its security relevant error rates.
   - Procedural vulnerabilities around the Enrolment Process: The enrolment
   process establishes the basic trust in the identity of the users of the
   biometric system. A procedural vulnerability in this process can
   compromise the security of the biometric system over its entire lifecycle.
   - Leakage and alteration of biometric data: This vulnerability stands as a
   placeholder for all general vulnerabilities that may lead to a leakage or
   alteration of important data.
The descriptions include hints and requirements for an evaluator performing
a vulnerability assessment. Those common vulnerabilities shall be considered
during each security evaluation, but of course they can only provide the basis
for vulnerability assessments and can never be considered to be complete.
5) Clause 9 describes the evaluation of privacy aspects including criteria for a
secure deletion of biometric data and a binding of biometric data to a
concrete application.
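The security-relevant error rates of item 3) and the "wolf sample" vulnerability of item 4), as an added illustration that is not code from ISO/IEC 19792 or ISO/IEC 19795-1: all comparison scores are constructed, and the rate names FMR and FNMR are the ISO/IEC 19795-1 terms, not terms used in the article.

```python
"""Worked illustration of the security-relevant error rates discussed under Clause 7
and of the "wolf sample" vulnerability listed under Clause 8. Added example, not
code from ISO/IEC 19792 or ISO/IEC 19795-1; all scores are constructed. Rate names
follow ISO/IEC 19795-1: FMR (false match rate) is the share of impostor comparisons
wrongly accepted, FNMR (false non-match rate) the share of genuine comparisons
wrongly rejected. FMR is the security-relevant one: it estimates how often an
impostor's sample is accepted. FNMR is the usability cost of a stricter threshold."""
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed comparison scores in [0, 100]; higher means "more similar".
GENUINE_SCORES: List[int] = [88, 91, 79, 95, 84, 72, 90, 86, 93, 81, 68, 89]
IMPOSTOR_SCORES: List[int] = [21, 34, 45, 12, 57, 30, 66, 25, 41, 73, 38, 19]


def error_rates(genuine: List[int], impostor: List[int],
                threshold: int) -> Tuple[float, float]:
    """Return (FMR, FNMR) for a decision rule that accepts iff score >= threshold."""
    false_matches = sum(1 for s in impostor if s >= threshold)
    false_non_matches = sum(1 for s in genuine if s < threshold)
    return false_matches / len(impostor), false_non_matches / len(genuine)


def rates_table(genuine: List[int], impostor: List[int],
                thresholds: Iterable[int]) -> Dict[int, Tuple[float, float]]:
    """FMR/FNMR at each candidate threshold: the security/usability trade-off."""
    return {t: error_rates(genuine, impostor, t) for t in thresholds}


def lowest_threshold_meeting(genuine: List[int], impostor: List[int],
                             max_fmr: float,
                             thresholds: Iterable[int]) -> Optional[int]:
    """Smallest threshold whose measured FMR does not exceed the security requirement
    max_fmr; the FNMR at that threshold is what legitimate users must then tolerate.
    Returns None when no candidate threshold meets the requirement."""
    for t in sorted(thresholds):
        fmr, _ = error_rates(genuine, impostor, t)
        if fmr <= max_fmr:
            return t
    return None


def match_fraction(probe_scores: List[int], threshold: int) -> float:
    """Share of enrolled templates that a single probe sample matches at the threshold.
    A probe matching many unrelated templates is a "wolf" sample: its existence
    degrades the effective FMR, which is why Clause 8 asks evaluators to look for it."""
    return sum(1 for s in probe_scores if s >= threshold) / len(probe_scores)


if __name__ == "__main__":
    for t, (fmr, fnmr) in rates_table(GENUINE_SCORES, IMPOSTOR_SCORES,
                                      range(50, 100, 10)).items():
        print(f"threshold {t:3d}: FMR={fmr:.3f} FNMR={fnmr:.3f}")
    print("lowest threshold with FMR <= 10%:",
          lowest_threshold_meeting(GENUINE_SCORES, IMPOSTOR_SCORES, 0.10,
                                   range(0, 101, 5)))
    # Constructed scores of one probe against eight enrolled templates.
    ordinary_probe = [21, 34, 45, 12, 57, 30, 66, 25]
    wolf_probe = [61, 77, 64, 35, 82, 70, 58, 66]
    print("ordinary probe matches", match_fraction(ordinary_probe, 60))
    print("wolf probe matches", match_fraction(wolf_probe, 60))
```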
As ISO/IEC 19792 is independent of any specific evaluation scheme it could serve
as a framework for the development of concrete evaluation and testing
methodologies to integrate the requirements for biometric evaluations into
existing evaluation and certification schemes. On its own the standard can serve
as a starting point for a security evaluation and provide general guidance to
evaluators.
ISO/IEC 19792 has been the first biometric project in SC 27 and has shown how
important the cooperation between SC 27 and SC 37 is for the success of
biometric projects in standardization. While aspects of security are out of scope
for the work of SC 37 it is essential for the work in SC 27 to utilize the biometric
expertise of SC 37. It can be clearly stated that ISO/IEC 19792 would not have
been finished at the current level of quality without the constant and
constructive support of the experts of SC 37. As a side effect the work on ISO/IEC
19792 also designed the liaison channel between SC 27 and SC 37 and smoothed
the way for the ongoing cooperation between both SCs in many other areas.
ISO/IEC 21827 Systems Security Engineering -
Capability Maturity Model (SSE-CMM)
John Hopkinson
ISSPCS-Prac CISSP ISP ITCP CDB, Security Strategist
Chairman CAC-JTC1/TCIT, Chief Technical Officer, ISSEA
Effective and efficient development, management and operations of Information
and Communication Technology (ICT) requires attention to The People, The Process
and The Technology. It is generally agreed within the security community that they
are just as applicable to security of any type; in other words it is also necessary to
focus on the People aspect, the Process aspects and the Technology aspects of
security. Equally as important as having the appropriate objectives and Code of
practice for information security management, the processes that the organization
is using need to be the appropriate ones for the organization's situation and they
need to have the capabilities and be as mature as the organization's situation
warrants. It also should be noted that processes run in parallel with the lifecycle
and operations and thus an assessment of processes provides a view also in parallel.
All other assessment techniques take a snapshot in time at some moment along the
lifecycle or operations.

Many standards are available that focus on the Technology aspects of security,
many others address the people involved and people aspects of security, however
very few focus on the Process aspects. While a few standards touch on the process
dimension, only one type of standard permits the organization to examine the
processes and the capabilities and maturity of those processes. These standards are
generally known as Capability Maturity Models, or CMMs for short. Of the CMMs
that are available both within the ISO and IEC communities and outside, only one
standard focuses on security exclusively, that being the Systems Security
Engineering - Capability Maturity Model (SSE-CMM) ISO/IEC 21827.

The SSE-CMM is also unique within the CMM community as it is the only CMM that
exists in essentially the same form both within the ISO CMM set of standards and in
the non-ISO CMM set of standards.

CMMs of the continuous model variety are highly flexible. They permit the user to
select the level of capability and thus maturity that they wish to elevate the process
to that is consistent with the needs of the organization. All organizations have
different situations and environments and thus their needs are different. A
standard that includes this facility provides optimum flexibility.

CMMs do contain a set of processes; they need to in order to establish a baseline to
work from. However the set of processes provided in the SSE-CMM are intended to
be adjusted to the set of processes that the organization already has in place, not
the other way around. If the organization does not have a formal process in a
particular area, and determines that it needs one, then they might wish to consider
adopting the process contained in 21827, but there is no requirement to do so. This
level of flexibility facilitates the use of the SSE-CMM in conjunction with other
standards such as ISO/IEC 13335, ISO/IEC 17799, ISO/IEC 27001, to name but a few,
as well as many Regional and National standards.

In addition to helping the user organization assess the current level of capability and
maturity of their security processes, 21827 provides guidance on elevating the
maturity of the processes to a higher level, should the organization determine this
needs to be done. Within reason, any individual process can be elevated to any
maturity level desired without regard to the maturity of any other process. A few
restrictions do exist in terms of the relative maturity levels of dependent processes,
but these take the form of guidance, and common sense is often the best guide.

At first sight the breakdown and organization of the processes within 21827 may
seem somewhat strange. However, it should be borne in mind that the organization
and structure of the processes, in addition to being optimal for security, has had to
take into consideration flexibility for the user organization and Process
Improvement theory and practice. Thus at first sight it may seem strange to have
four processes that address the security risk discipline, but this was done to
facilitate flexibility for those organizations that do not have an overall security risk
process, and there is no restriction in combining the four processes together, should
that be more suited to the user.

The experience of organizations having made use of the SSE-CMM has been that
they have reaped many benefits from enhanced, more efficient and effective
security processes giving more reliable and consistent results. For those
organizations developing products that are to be evaluated, they obtain much of the
documentation they need for the evaluation process as a part of their normal
processes once they reach moderate levels of maturity. The SSE-CMM is not only
intended for organizations that have a high interest or need for security, but rather
all organizations that need security in some manner, shape or form can obtain
considerable benefits from its use, considerable return on investment. The benefits
have been found to be similar to those achieved with implementation and use of
other CMMs.
Professor Mats Ohlin - An obituary

Professor Mats Ohlin of Stockholm, Sweden passed away
in August 2009 at the age of 66 years.
Mats leaves behind his beloved wife Christina, daughters
Lisa and Mia and their families, his son Lars, Christina's
son Fredrik from her earlier marriage and his family, and
his brother Per and his wife Anna-Lisa.
Mats Ohlin was the chemist who became an
internationally highly respected information security
expert with the world as his arena. He was also the warm
and proud husband and father, the skilled bridge partner,
the experienced wine connoisseur, the expert on
mushrooms, trusted friend and generous host.
Mats had an M.Sc. in chemistry from the Royal Institute of Technology in Stockholm,
and was appointed adjunct professor of IT Security at Stockholm University. Mats
became involved in the computer security area at the beginning of the 1980s,
working for the Swedish National Defence Research Establishment, the Swedish
Defence Staff and finally the Swedish Defence Materiel Administration (FMV),
where he held a position as Strategic Specialist in the area of Information and IT
Security. Upon joining FMV in 1989 he became involved in the Swedish National IT
programme, which involved assessment of IT security evaluation criteria and the
potential for a Swedish Certification Scheme. At the same time Mats Ohlin became
active in the international standards subcommittee ISO/IEC JTC 1/SC 27 (IT Security),
and in particular its WG 3 (Security Evaluation Criteria Working Group).
Throughout the 90s Mats Ohlin was a Swedish Government official in the Senior
Officials Group - Information Security (SOG-IS) at the EU Commission and became
active in establishing the European Mutual Recognition framework for IT security
certification. He then became involved in the harmonisation work leading to the
international arrangement for mutual recognition of IT security certificates (CCRA).
During 2003-2005 he was a member of the Swedish Cabinet Office's Commission
investigating National Information Security policies and priorities, including a
recommendation to establish the Swedish Certification Body for IT-security at FMV
based upon ISO/IEC 15408 (the Common Criteria). During 2007-2009 Mats Ohlin
was chair of the Management Committee of the CCRA.
Mats was actively engaged in the work of WG 3 from its start. He was appointed as
the WG 3 Glossary Editor at the first WG 3 meeting in Munich in October 1990. As
usual, Mats was clearly thinking strategically, since by volunteering as Glossary
Editor it established his position as a participant rather than merely an observer.
Mats attended the WG 3 meetings through the 90s. He strongly supported the
consensus approach that resulted in the establishment of ISO/IEC 15408 as
technically identical to the Common Criteria.
He replaced Svein Knapskog from Norway as Convenor of SC 27/WG 3 in April 2000,
and then served as Convenor until shortly before his death in 2009.
Mats was an excellent Convenor of WG 3, with the ability to chair meetings
patiently, effectively, but firmly and to schedule. He had the useful ability to think
about the next question whilst speaking about the current one. As Convenor, Mats
took special care to ensure that all delegates, even those who were not fluent
English speakers, got their say in discussions. As a result, he almost always achieved
a consensus result.
Mats was equipped with a large portion of humour and curiosity that was combined
with an incredible ability to read and absorb large amounts of complex information.
At the same time, he had great analytical skills and could see the bigger picture
amongst all the details. As a good listener, being well articulated and with an old
school gentleman's manner, he was genuinely interested in other people and their
views. Consequently, he became a trusted Convener and close friend to people
from all over the world.
We are all grateful that we had the chance to meet and learn to know such a warm
and inclusive person as Mats. He provided invaluable contributions to SC 27/WG 3,
the CCRA, SOG-IS, the Swedish Standards Institute, the Swedish CC Scheme and
many other organisations.
Mats Ohlin's presence will be deeply missed.

Dag Ströman, FMV, Sweden
Mike Nash, Gamma Secure Systems Limited, UK


SC27 WG4
Establishing Information Security Readiness
- a standard approach
Dr Meng-Chow Kang, CISSP, CISA
Convener, WG 4
In 2005, with the development of the ISO/IEC 27001 and related standards, SC 27
management decided that there is a need to have Working Group (WG) 1 focus on
the set of standards (commonly known as the 2700x series) that provides the
framework essential for the implementation of the ISO/IEC 27001 standard and its
related certification scheme. Other standards that provide guidance and
specifications for implementation of specific sets of security controls, for example,
the Network Security standards, shall then move to a different WG for development
and maintenance. At the same time, ISO/IEC JTC 1 management and several
National Bodies (NB) requested SC 27 to evaluate standards needs to address some
of the new industry developments and concerns, such as Cybersecurity, Outsourcing,
and other security-related IT services. These requirements eventually led to the
formation of a new WG in SC 27, known as WG 4, entitled "Security Controls and
Services Standards Working Group", which was formally endorsed at the 17th SC 27
Plenary in Madrid in April 2006. The first WG 4 meeting was held in Glenburn, South
Africa in the autumn of 2006. At this writing, WG 4 has just completed its 8th
meeting in Malaysia.
Projects undertaken in WG 4 include those inherited from WG 1's previous scope of
work (prior to September 2006) in support of the implementation of ISO/IEC 2700x
related controls, and newly studied and approved through JTC 1. The latter includes,
for example, the Guidelines for Cybersecurity (ISO/IEC 27032), which involves, in
addition to establishing ISMS in organizations, the secure provisioning of
Internet/Cyberspace related applications and services, and secure collaborative
information sharing to effectively respond to emerging Cybersecurity incidents (as
described in the current draft of the standard).
This article discusses the standards framework adopted in WG 4 to make sense out
of the collection of standards that the WG has inherited and been requested to
develop, as well as for establishing the roadmap of new standards down the road.
WG 4 related standards framework
To provide a high level understanding of how WG 4's standards support the
combined scope of these two areas of requirements, WG 4 projects are categorized
and structured using a defence-in-depth framework as shown in Figure 1. The
framework covers three distinct areas of requirements, namely: (1) the need to
prepare and respond to emerging security issues, (2) the need to manage and
prevent the occurrence of known security issues, and (3) the need to manage,
including investigate, information security issues and incidents that have occurred,
due to failure of the information security system, various forms of attacks, or a
natural disaster. Within each area of the framework, there are a number of security
requirements and related standards, including existing and new projects/topics.

Figure 1: Three main areas of needs for security controls and services
in a defence-in-depth framework

1he maln focus of Lhe WC 4 sLandards framework ls Lo provlde lnformaLlon securlLy
readlness ln Lhe organlzaLlon. As deplcLed ln I|gure 1, organlzaLlons flrsL need Lo be
prepared Lo respond Lo emerglng rlsk lssues. 1hese are lssues LhaL have noL
occurred prevlously, buL may be ldenLlfled Lhrough close monlLorlng and analysls of
occurrlng evenLs. 1he absence or lack of readlness Lo deal wlLh emerglng rlsk lssues
means LhaL any occurrence of a new rlsk could poLenLlally surprlse Lhe organlzaLlon
and cause slgnlflcanL lmpacLs on lLs lnformaLlon securlLy. 1he sLandards ln Lhls area
are Lo help organlzaLlon ldenLlfy and deLecL emerglng rlsk lssues LhaL are relevanL Lo
Lhem, and esLabllsh programs of acLlvlLles so LhaL people and sysLems could respond
more effecLlvely upon Lhe occurrence of Lhose rlsk lssues.
lncldenLs LhaL have been encounLered before are caLegorlzed as known rlsk lssues.
1hese are lssues LhaL exlsLlng or new securlLy conLrols may be deployed or
developed Lo reduce Lhelr lmpacL lf noL avold Lhelr occurrence. WC 4 sLandards ln
Lhls area lnclude Lhose speclfled ln Lhe lSMS code of pracLlce sLandard (lSC/lLC
27002) requlrlng furLher elaboraLlon of requlremenLs and provlslon of
lmplemenLaLlon guldance. 1he noLlon of addresslng known lssue ls also abouL
151
lmprovlng securlLy readlness. We already know how such rlsk lssues would unfold or
lmpacL Lhe organlzaLlon, we Lherefore should noL allow Lhem Lo surprlse us when
Lhey maLerlallze. 8y managlng and addresslng Lhese known lssues, organlzaLlons
would esLabllsh capablllLles and conLrols Lo avold Lhelr occurrence and Lhe posslble
lmpacLs of Lhose rlsk lssues. CrganlzaLlon could Lhen focus lLs resources ln
ldenLlfylng changes ln Lhe rlsk envlronmenL, and make Lhe necessary preparaLlon for
Lhose changes.
Finally, having an ISMS and the necessary security controls against known as well as emerging risks does not guarantee that the organization is completely safe and secure against security attacks and breaches. No system can be perfect. Failure should therefore be anticipated, especially when operating in a constantly changing environment. In this regard, organizations also need to get ready for potential mishaps so that they can be handled and managed in the most effective and efficient manner possible. Such preparation should include measures that facilitate the after-the-fact collection of residual data and audit trails, to support the forensic investigation process and to enable learning and improvement.
Figure 2 depicts the alignment of those existing and future topics to the three categories of security controls and services requirements shown in Figure 1.

Figure 2: Mapping of existing and new projects/proposals to the three areas of needs
While the number of standards in WG 4's portfolio has increased over the past four years to cover the key requirement areas, there are still gaps in fulfilling the objectives of the framework and in meeting the implementation needs of specific areas of controls in ISO/IEC 27002. At the eighth meeting in Malaysia in April 2010, some delegates suggested topics in the known risks category, such as vulnerability management, security operations management, and security event log management, for consideration for development in the near future.
As security controls and services are also required to support the implementation of cryptographic mechanisms and other technical security capabilities, WG 4's scope of work in the area of managing known risks is not limited to the controls defined in ISO/IEC 27002, but extends to the work of WG 2 and potentially WG 3 and WG 5 in the near future. The structure adopted in WG 4 for categorizing the various standards, based on emerging (or unknown) risk issues, known risk issues and the aftermath of risk issues, therefore provides a comprehensive perspective on its scope of work, as well as a basic structure for identifying standards requirements for future development.
Concluding Remarks
Managing information security is an ongoing undertaking in organizations, in view of the changing nature of information security risks. SC 27 promotes a management system approach through the use of the ISO/IEC 27001 ISMS, incorporating a cyclical Plan-Do-Check-Act (PDCA) process to ensure that new risks are identified while known risks are managed in a continuous improvement manner. The approach is supported by additional standards addressing the control requirements and service needs in all three stages of information security risk development: preparing for the emerging (or unknown), addressing the known, and investigating the occurrence of information security incidents.
This article focuses on the standards framework underlying the scope of work of WG 4 in SC 27. Supporting, implementing and operating security controls and services requires cryptographic and security mechanisms, including identity, privacy and biometric related mechanisms, protocols and systems, and their security evaluation and assurance, which are the areas of focus of WG 2, WG 5 and WG 3 respectively. The work of WG 4 is therefore not an end in itself.
Developing standards is not without challenges either. With numerous standards organizations undertaking this major endeavour in parallel, much coordination, information sharing and collaboration are necessary to minimize duplication of effort and maximize the use of limited resources. Liaison therefore plays a critical role in addressing this concern. Furthermore, while many countries and economies have representation in SC 27 (and other standards organizations), the standards development process is based on members' contributions of resources and content, and on majority vote and consensus to ensure fairness in the process. As such, the result may not necessarily meet all the requirements of the user communities or align with their respective views or desired approach. Participation and communication by and amongst members, coupled with the ISMS approach of continuous improvement, are the key success factors for ensuring the continued usability of security standards to the members.
Information Security & Business Continuity - ICT Readiness of an Enterprise
Philip Sy¹², CISA AIS
June 11, 2010

1 Background
Information security has fast become an important part of most enterprises' risk management agenda, thanks to the widespread awareness and adoption of the ISO/IEC 27001 and 27002 standards, as well as its rising significance in corporate governance. Most organizations spend considerable amounts of money building up their defences, including safeguarding their enterprise networks with firewalls and intrusion detection and prevention devices, securing their data centres with two-factor physical access control systems, and screening their employees before signing employment contracts. However, the openness of the Internet, the accelerating rate at which new technologies emerge, and the rising trend of computer fraud present a business world in which any business may become the next victim because it is not ready to cope with newly emerging security threats.
Meanwhile, the need for business continuity management (BCM), including incident preparedness, disaster recovery planning, and emergency response and management, has been recognized and supported by specific domains of knowledge, expertise and standards developed and promulgated in recent years.¹³ As information and communication technology (ICT) has become an integral part of many of the activities that are elements of the critical infrastructures in all organizational sectors, whether public, private or voluntary, most organizations have become ever more reliant on reliable, safe and secure ICT infrastructures and services.
In view of these needs, ISO/IEC JTC 1/SC 27/WG 4 has been tasked to develop the ISO/IEC 27031 standard, Guidelines for Information and Communication Technology (ICT) Readiness for Business Continuity. The International Standard aims to provide guidance for planning and maintaining the ICT infrastructure and services required for an effective and efficient response to those focusing events, including emergency situations [1]. This is best supplemented with the ISO/IEC 24762:2008 standard, Guidelines for ICT Disaster Recovery Services (also developed by SC 27/WG 4), which guides the user in setting up an infocomm technology disaster recovery (ICT DR) capability, irrespective of whether the organization provides the service in-house or through an outsourcing arrangement.

¹² Philip Sy is a Principal Consultant specializing in information security and business continuity / disaster recovery. He is the secretary of SC 27/WG 4 and Project Co-editor for ISO/IEC 27031 and 24762.
¹³ ISO TC 223 has been tasked to develop the relevant international standards for the continuity management of business and organizations, including ISO 22301 and 22399.
2 ICT Readiness for Business Continuity (IRBC)
In planning for business continuity, the requirements for information processing and communication facilities need to be effectively planned and implemented so that they are ready to support the business continuity management requirements for information and service availability. In planning for BCM, the fallback arrangements for information processing and communication facilities become essential for ensuring information availability during a disaster and for the complete recovery of activities over a period of time.
In the context of ISO/IEC 27031, the scope of business continuity is also expanded to include preparedness for focusing events such as ICT security incidents and failures of ICT systems [1]. ICT continuity is a crucial element of an overall BCM strategy and will help an organization survive a crisis. Customers are more likely to desert suppliers that are not immediately responsive to system problems. As part of the implementation and operation of an information security management system (ISMS) [2] and a business continuity management system (BCMS) respectively, it is critical to develop and implement a readiness plan for the ICT services to help ensure business continuity. IRBC provides a meaningful way to determine the status of an organization's ICT services in supporting its business continuity objectives by addressing the question "is our ICT capable of responding?" rather than "is our ICT secure?".
ISO/IEC 27031 describes the concepts and principles of ICT Readiness for Business Continuity, and provides a framework of methods and processes for any organization - private, governmental and non-governmental - irrespective of size, to identify and specify all aspects (such as performance criteria, design and implementation) for improving its ICT readiness to ensure business continuity. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner [3].
For an organization to achieve ICT Readiness for Business Continuity, it needs to put in place a systematic process to prevent, predict and manage ICT disruptions and incidents that have the potential to disrupt ICT services. This is best achieved by applying the Plan-Do-Check-Act (PDCA) cyclical steps as part of a management system for IRBC. In this way IRBC supports BCM by ensuring that the ICT services are as resilient as appropriate and can be recovered to pre-determined levels within the timescales required and agreed by the organization.
As part of the BCM process, IRBC refers to a management system that complements and supports an organization's BCM and/or ISMS programme, to improve the readiness of the organization to:
- respond to the constantly changing risk environment,
- ensure continuation of the critical business functions supported by the related ICT services,
- be ready to respond before an ICT service disruption occurs, upon detection of one or a series of related events that become incidents, and
- respond to and recover from incidents, disasters and failures.

The figure below illustrates how IRBC and BCM interact with each other to help cater for an organization's ICT readiness.

IRBC is based around the following key principles:
- Incident Prevention - Protecting ICT services from threats, such as environmental and hardware failures, operational errors, malicious attack and natural disasters, is critical to maintaining the desired levels of system availability for an organization.
- Incident Detection - Detecting incidents at the earliest opportunity will minimize the impact to services, reduce the recovery effort and preserve the quality of service.
- Response - Responding to an incident in the most appropriate manner will lead to a more efficient recovery and minimize any downtime. Reacting poorly can result in a minor incident escalating into something more serious.
- Recovery - Identifying and implementing the appropriate recovery strategy will ensure the timely resumption of services and maintain the integrity of data. Understanding the recovery priorities allows the most critical services to be reinstated first. Services of a less critical nature may be reinstated at a later time or, in some circumstances, not at all.
- Improvement - Lessons learned from small and large incidents should be documented, analyzed and reviewed. Understanding these lessons will allow the organization to better prepare for, control and avoid incidents and disruption.
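The Recovery principle above, and the earlier requirement that services be recovered "to pre-determined levels within timescales required and agreed by the organization", both turn on one consistency check that a readiness plan should pass: a service cannot be back within its recovery time objective (RTO) if something it depends on has a longer, or no, RTO. The following is an added example written for this page, not code from ISO/IEC 27031 or ISO/IEC 24762; the service names, RTOs and dependencies are constructed, and the plan format (service, RTO in hours, list of dependencies) is an assumption. It finds such conflicts and derives a recovery order that restores dependencies first and, among services that are ready, the tightest RTO first.

```python
"""RTO consistency check and recovery ordering for an ICT DR plan.

Added example; the plan below is constructed, not taken from any standard.
Plan format (assumed): service -> (RTO in hours or None, list of dependencies).
"""

PLAN = {
    "core-network":    (1,    []),
    "identity":        (2,    ["core-network"]),
    "database":        (4,    ["core-network"]),
    "order-entry":     (4,    ["identity", "database"]),
    "customer-portal": (2,    ["order-entry"]),     # tighter RTO than what it needs
    "reporting":       (24,   ["database"]),
    "intranet-wiki":   (None, ["identity"]),        # may be reinstated later or not at all
}


def rto_violations(plan):
    """Return (service, dependency) pairs where the dependency's RTO is longer
    than, or undefined relative to, the service's own RTO. Each pair is a
    promise the plan cannot keep."""
    problems = []
    for svc, (rto, deps) in plan.items():
        if rto is None:          # no commitment, nothing to violate
            continue
        for dep in deps:
            dep_rto = plan[dep][0]
            if dep_rto is None or dep_rto > rto:
                problems.append((svc, dep))
    return problems


def recovery_order(plan):
    """Topological order over the dependency graph. Among services whose
    dependencies are all restored, the shortest RTO is reinstated first;
    services without an RTO come last. Raises on a dependency cycle."""
    indeg = {s: len(deps) for s, (_, deps) in plan.items()}
    dependents = {s: [] for s in plan}
    for s, (_, deps) in plan.items():
        for d in deps:
            dependents[d].append(s)

    def priority(s):
        rto = plan[s][0]
        return (rto is None, rto or 0, s)

    ready = sorted((s for s in plan if indeg[s] == 0), key=priority)
    order = []
    while ready:
        s = ready.pop(0)
        order.append(s)
        for t in dependents[s]:
            indeg[t] -= 1
            if indeg[t] == 0:
                ready.append(t)
        ready.sort(key=priority)
    if len(order) != len(plan):
        raise ValueError("dependency cycle in plan")
    return order


if __name__ == "__main__":
    for svc, dep in rto_violations(PLAN):
        print(f"{svc}: RTO {PLAN[svc][0]}h cannot be met, depends on {dep} (RTO {PLAN[dep][0]})")
    print("recovery order:", " -> ".join(recovery_order(PLAN)))
```

In the constructed plan the customer portal promises a 2-hour RTO while the order-entry service it needs has a 4-hour RTO, which the check reports; the ordering still restores it as soon as order entry is back. The same check is worth running against a provider's ICT DR offer (section 3): the provider's recovery timescale for a shared facility is, in effect, the RTO of a dependency of every service hosted on it.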

3 ICT Disaster Recovery (DR) Services
Many organizations are at a loss as to whether they should set up their infocomm technology disaster recovery (ICT DR) capability in house or select from the many DR service providers in the market. The basis of such decisions and selections varies from organization to organization, as currently there is no benchmark for the provision of ICT DR services.
The ISO/IEC 24762 standard was published in 2008 after going through stages of review, comment and resolution. It covers the facilities and services capability for providing fallback and recovery support to an organization's ICT systems, and applies to in-house as well as outsourced ICT DR services. It aims to assist end users in either setting up their own in-house ICT DR service capability or selecting the best-fit ICT DR service provider, by providing a basis on which to differentiate service providers.
The International Standard specifies the requirements that service providers must possess so that they can provide a trusted operating environment and help companies secure and recover critical data during a crisis. These requirements include the implementation, testing and execution aspects of disaster recovery.
The International Standard is based on a multi-tier framework comprising elements including policies, performance measurement, processes and people, which are key to building up the required supporting infrastructure and services capability. It also recommends that the service provider improve its capability and stay relevant by following the recommended continuous improvement practices. A guideline for the selection of recovery sites is also included in the standard.
4 Conclusion
To establish ICT readiness for business continuity, an organization will be equipped with appropriate ICT infrastructure, effective incident prevention, detection and response processes, and verified plans for ICT disaster recovery. Supplementing this programme with quality, effective disaster recovery facilities and services will further enhance the organization's resilience, and hence in turn improve its goodwill and trustworthiness.
References
[1] ISO/IEC JTC 1/SC 27 N5726 - New Work Item Proposal on ICT Readiness for Business Continuity
[2] ISO/IEC 27001:2005 - Information technology - Security techniques - Information security management systems - Requirements
[3] ISO/IEC JTC 1/SC 27 N8622 - ISO/IEC FCD 27031 - Information technology - Security techniques - Guideline for Information and Communication Technology Readiness for Business Continuity
Information Security Incident Management is renewed as International Standard
Yoshihiro Satoh, Hewlett-Packard Japan

ISO/IEC TR 18044, Information security incident management, was published as a technical report and is now being renewed as the new international standard ISO/IEC 27035. At such a renewal, people naturally want to know what has changed. The answer is simple: the contents of the document have been restructured for clarity, and useful information has been added. The major additions are example approaches to the categorization and classification of information security incidents, examples of information security incidents and their causes, and a cross-reference table of ISO/IEC 27001/27002 against ISO/IEC 27035, all as annexes. These are interesting topics, but in this article I would like to introduce mainly what was not changed at the renewal: the basic concept. The standard defines information security event and information security incident as follows:
"An information security event is an identified occurrence of a system, service or network state indicating a possible breach of information security policy or failure of safeguards, or a previously unknown situation that may be security relevant."
"An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security."
The importance of defining an event is described later; first, the reason for including "unexpected" in the definition of an incident.
If something damages the organization, it is of course dealt with as unwanted. Something bad that happens without being expected is, in effect, also unwanted. There is, however, another kind of unexpected thing: one whose result is not bad. Suppose something occurs for which no measures had been taken, so that damage would normally follow, but by luck no damage results. If the organization deals with that unexpected event even though it caused no damage, it becomes much easier to prevent damage when the same cause recurs. The organization should treat such an event as a sign of a possible incident. That is why we included not only "unwanted" but also "unexpected".
Having defined the terms, the document goes on to suggest the following. A response procedure for incidents, and the organization that runs it, must be put in place first. But even with a team that can act quickly once an incident is declared, the response will still be late if the people on site are slow to recognize that the events they see routinely may constitute an incident. No matter how much a fire brigade speeds up its response after the call is received, it cannot shorten the time from the outbreak of the fire to the firefighters' arrival on the spot if the report itself is late. It is therefore necessary to pay attention, broadly, to the earlier events that can be recognized as an incident.
This is not simple, however, because it is too much if every event is reported by the on-site persons to the incident response team. One idea is that on-site persons report even trivial matters without hesitation and the team sorts everything. Another is that on-site persons sort events first, using criteria prepared by the team for which events are to be reported. The trade-off between not overlooking events on site and keeping the team's workload manageable is difficult.
There is no clear answer to that, but the important concept is that an event becomes an incident because the probability that it threatens information security rises. It is also important to see that the event itself does not change; what changes is how the organization treats it. If the event called "smoke" comes from a bonfire, it is a simple event; smoke from a fire is an incident. The thing itself does not change, and it is the viewpoint that must change.
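The two ideas above, site-level reporting criteria handed out by the team and team-level judgement that a series of related events has raised the probability of compromise, can be separated cleanly in code. The following is an added example written for this page, not code from ISO/IEC 27035 or from the author; the log format, the event names, the reportable set and the failure threshold are all constructed assumptions. It also keeps the "unexpected but no damage" case from the definition discussion: a blocked malware file is forwarded as a near miss and recorded as a sign, not discarded and not declared an incident.

```python
"""Two-stage event handling: on-site reporting filter, then team-side correlation.

Added example; the log lines, event names and thresholds are constructed.
Log format (assumed): "<time> <host> <event> <key=value ...>".
"""
import re
from collections import defaultdict

LOG = """\
09:01:02 web01 auth_fail user=alice src=203.0.113.5
09:01:05 web01 auth_fail user=alice src=203.0.113.5
09:01:09 web01 auth_fail user=alice src=203.0.113.5
09:01:12 web01 auth_fail user=alice src=203.0.113.5
09:01:14 web01 auth_ok user=alice src=203.0.113.5
09:02:00 fs02 av_blocked file=invoice.exe user=bob
09:03:30 web01 auth_fail user=carol src=198.51.100.7
09:04:00 db01 backup_ok set=nightly
"""

LINE = re.compile(r"(\S+) (\S+) (\S+)(.*)")

# Criteria the response team hands to the site: which event types are reported
# at all, and which are near misses that must be reported even though nothing
# was damaged.
REPORTABLE = {"auth_fail", "auth_ok", "av_blocked"}
NEAR_MISS = {"av_blocked"}
FAIL_THRESHOLD = 3   # failures after which a following success is suspicious


def parse(log):
    """Turn raw lines into event dicts; lines that do not match are ignored."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        time, host, kind, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"time": time, "host": host, "kind": kind, **fields})
    return events


def site_filter(events):
    """What the on-site person forwards: reportable events only, with near
    misses flagged so the team does not treat them as noise."""
    return [dict(e, near_miss=e["kind"] in NEAR_MISS)
            for e in events if e["kind"] in REPORTABLE]


def correlate(reported):
    """Team-side rule. The individual events do not change; a run of failures
    followed by a success for the same user from the same source raises the
    probability of credential compromise enough to declare an incident.
    Near misses are kept as signs for later analysis."""
    incidents, signs = [], []
    fails = defaultdict(int)
    for e in reported:
        key = (e.get("user"), e.get("src"))
        if e["kind"] == "auth_fail":
            fails[key] += 1
        elif e["kind"] == "auth_ok":
            if fails[key] >= FAIL_THRESHOLD:
                incidents.append({"type": "possible_credential_compromise",
                                  "user": e["user"], "src": e["src"],
                                  "failures": fails[key]})
            fails[key] = 0
        if e.get("near_miss"):
            signs.append({"type": "near_miss", "kind": e["kind"], "host": e["host"]})
    return incidents, signs


def triage(log):
    """Run both stages; returns (incidents, signs)."""
    return correlate(site_filter(parse(log)))


if __name__ == "__main__":
    incidents, signs = triage(LOG)
    print("incidents:", incidents)
    print("signs:", signs)
```

On the constructed log the site forwards seven of the eight lines (the routine backup success is not reportable), the team declares one incident for the four failures followed by a success from the same address, and the blocked executable is held as a sign. Loosening REPORTABLE or lowering FAIL_THRESHOLD moves work from the site to the team, which is exactly the trade-off the text describes.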
There is another suggestion in the document. Incident response fills out a response procedure based on a prior plan, and following it is the basic way of coping when an incident breaks out. On the other hand, a way of coping outside that procedure is also necessary when the procedure the organization prepared beforehand does not fit the facts of the incident, because a situation that is by nature unexpected cannot be handled flexibly only within the range the organization assumed beforehand. Therefore it must be possible for the person in charge to take exceptional measures, on their own judgment, when they meet an unexpected situation.
The phrase "exceptional measures" may suggest that this is rare. In fact it is not. A response procedure based on a prior plan is prepared against assumed incident scenarios. For the causes it assumes, preventive measures will naturally have been taken as well, so the occurrence of those incidents should already be minimized. The things that actually become incidents are therefore rather likely to be the ones that were not assumed. That is why a procedure for when an exception occurs should be ready. Where this is not clear, the person in charge acts with the best of intentions, and what they did may later be dismissed as a violation of the predefined procedure. Nobody can take the best measures in every case if doing so exposes them personally. Not everybody is Eddie Murphy in Beverly Hills Cop or Bruce Willis in Die Hard.
It may seem that things could get out of control when exceptional measures are allowed. But there are case studies of High Reliability Organizations (HRO), such as emergency rescue centres and nuclear power plants, where safety must be maintained even when something unexpected happens. In an HRO, on-site persons carefully monitor events as signs of incidents, and the persons in charge do not assume that the predefined procedure is the only choice. The HRO literature calls this posture "mindful", and it is said that an HRO must be mindful.
The basic concept of "event and incident" and of "thinking of the unexpected" comes from this idea of managing the unexpected in HROs. It was carried over from 18044 into 27035. The exceptional measure is slightly emphasized here, but of course a predefined procedure must be followed whenever its assumptions apply.
All the contributors to this international standard want it to help establish information security incident management in a mindful way in your organization.


Information security: Risks or hazards
ISO/IEC/JTC 1/SC 27 is developing standards for industries that are often critical elements of national infrastructure.
by Prof. Edward Humphreys, Convenor, ISO/IEC JTC 1/SC 27/WG 1, Requirements, security services and guidelines, and Dr. Meng Chow Kang, Convenor, ISO/IEC JTC 1/SC 27/WG 4, Security controls and services.

While the safety world tends to discuss hazards, we in the information security world are more likely to talk about risks. In both areas, some argue that their domain originates from exposure to something which may result in personal injury or death, the loss of information, damage to property and so on.
Safety and security often occupy the same space. For example, the security of the data in a patient's health record system may have an impact on the health and safety of the patient. Or the security of the data in a system used for air traffic control may have an impact on the ability of air traffic controllers to maintain safety.

Billions at stake
A number of standards are being developed for information security within ISO/IEC/JTC 1/SC 27. In particular, the working groups WG 1 and WG 4 are developing standards relating to information security management for application across a diverse set of industries such as telecoms, healthcare, energy supply, finance, insurance and supply chain. These industries are often critical elements of national infrastructure.
Several examples over the last 18 years demonstrate that if the information security of these essential industries is compromised, society is placed at risk. In the 1980s and 1990s, the UK, in particular London, suffered many such infrastructure attacks, all of which were intentionally initiated. And in recent years, natural disasters such as the South-east Asian tsunami and earthquakes in Japan and China also caused significant impacts on human safety and the availability of information systems.
Today's risks can, in worst case scenarios, lead to complete shutdown of businesses, property damage running into millions if not billions of dollars, disruption of critical services and infrastructure, and loss of life.

Network security
It is clear that IT systems themselves are not always the problem; the larger threat is often from people, including external users such as visitors, customers and partners, and the growing problem of insider threats from employees.
The information standards being developed in ISO/IEC/JTC 1/SC 27/WG 1 and WG 4 are based on the assumption that an organization applying these standards carries out a proper risk assessment to address the problems raised above.
SC 27/WG 4 has published standards addressing the provision of disaster recovery services (ISO/IEC 24762), network security (ISO/IEC 18028), intrusion detection systems (ISO/IEC 18043), and information security incident management (ISO/IEC TR 18044). While some of these standards are under revision, WG 4 is also developing standards on cybersecurity (ISO/IEC 27032) in collaboration with ITU-T. The security of networks and ICT devices is now crucial to the safety of societies around the world.

Business continuity
WG 4 is also producing a standard to address ICT readiness for business continuity (ISO/IEC 27031), and the working group is collaborating with other committees to develop business continuity standards. In 2009, WG 4 has further embarked on new standards projects relating to the security of outsourcing (ISO/IEC 27036) and the management of digital evidence (ISO/IEC 27037).
SC 27/WG 1 has published ISO/IEC 27001 to address the establishment, implementation, monitoring and review of information security management systems (ISMS). The ISMS is applicable to all sizes and types of organizations, from small to very large and from low- to high-tech. SC 27/WG 1 has produced and published a standard on ISMS risk management as well as the accreditation of an organization's ISMS implementation. In addition, they have jointly produced and published, with ITU-T, telecoms security requirements on security controls in support of ISMS implementations.

The evolving nature of risks
Other application- and sector-specific guidelines and standards are being developed to support ISMS implementations, for example regarding information security governance and the protection of critical national infrastructure.
These standards are aimed at addressing the threats and impacts that organizations face today. Of course threats and risks change constantly, increasing in complexity as more information systems become interconnected to exchange and share information. ISO/IEC JTC 1/SC 27 continuously monitors the future risk landscape, aiming to build preventive security measures that help organizations manage the risks emerging with business growth while at the same time increasing use of more advanced information technology systems.
Other subcommittees within JTC 1 are also developing standards that have security as a sub-component, such as SC 37 on biometric standards. Security standardization work is, in most cases, conducted in collaboration with SC 27, a member of the Joint Technical Collaboration Group on management system standards, which includes those dealing with ISO 9001 for quality, ISO 14001 for environment and ISO 28000 on supply chain security.
Despite sometimes overwhelming challenges, help is available to organizations through the toolbox of standards published or under development by ISO/IEC JTC 1/SC 27.

About the authors
Prof. Ted Humphreys (ISMS Research Professor, Korea University) has been leading the United Kingdom's activities regarding the ISO/IEC 27000 family of Information Security Management System (ISMS) standards and the British standards BS7799 Parts 1 and 2 (which formed the basis for ISO/IEC 27001 and ISO/IEC 27002) since 1990. He is also responsible for many of the ISMS accreditation and certification activities as well as producing the standard EA 7/03. He is an ISMS consultant providing advice to organizations around the world. He is also founder and Director of the ISMS International User Group, which promotes the global use of the ISO/IEC 27000 family of ISMS standards.
Dr. Meng Chow Kang is Director of Information Security for China and APJ regions (Asia-Pacific and Japan) for Cisco Systems, Inc. He has been a practicing information security professional for more than 20 years, with field experience spanning from technical to management in various security and risk management roles in the Singapore government, major multi-national financial institutions, and security and technology providers. Dr. Kang has been contributing to the development and adoption of international standards relating to information security since 1998, and is the founder of the Regional Asia Information Security Standards (RAISS) Forum. He is currently Convenor of ISO/IEC JTC 1/SC 27/WG 4, Security controls and services.

Managing information security
by Sandrine Tranchard, Communication Officer, ISO Central Secretariat
With more and more organizations implementing information security management systems (ISMS) as part of their risk management strategy, the publication of a new ISO/IEC standard giving an overview of ISMS is particularly timely.
ISO/IEC 27000:2009, Information technology - Security techniques - Information security management systems - Overview and vocabulary, will assist organizations of all types to understand the fundamentals, principles and concepts to improve protection of their information assets.
Applicable to all types and sizes of organization (e.g. commercial enterprises, government agencies, non-profit organizations), ISO/IEC 27000:2009 supplements the ISO/IEC 27000 family of standards by providing an introduction to information security management and defining related terms.
Today, an organization's information assets are dependent upon information and communications technology. The technology assists in facilitating the creation, processing, storing, transmitting, protection and destruction of information. As the extent of the interconnected global business environment expands, so does the requirement to protect information as it is exposed to a wider variety of threats and vulnerabilities.

Preventing theft and unauthorized modification of electronic data
by Maria Lazarte, Communication Officer, ISO Central Secretariat
To protect the confidentiality and integrity of data being transferred or stored, ISO and IEC have jointly developed a new standard which defines authenticated encryption mechanisms that provide an optimum level of security.
"With the rise of electronic transactions involving sensitive information, such as the transfer of bank data or personal identity information, this standard responds to a growing need for increasingly demanding security requirements," says Prof. Chris Mitchell, Project Editor of the new ISO/IEC standard.
The standard, ISO/IEC 19772, Information technology - Security techniques - Authenticated encryption, specifies six encryption methods (based on a block cipher algorithm) that can be used to ensure:
- Data confidentiality (protecting against unauthorized disclosure of data)
- Data integrity (enabling recipients to verify that the data has not been modified)
- Data origin authentication (helping recipients to verify the origin of the data).
Prof. Mitchell explains, "It has recently become widely recognized that using encryption on its own (or even combining encryption and Message Authentication Codes in non-optimal ways) can be dangerously weak, as shown by recently demonstrated practical attacks on implementations of widely used security protocols such as IPsec and SSH. There are thus excellent reasons to believe that it is better to rely on a single comprehensive data protection method."
The mechanisms specified in the standard have been designed to maximize the level of security and provide efficient processing of data for optimum results.
The standard includes mechanisms that can be applied to ensure the integrity of data even when not encrypted (e.g. to prevent modifications of e-mail addresses, sequence numbers, etc.).
"ISO/IEC 19772 will give confidence to users that their data is safe. Not only will it be useful for protecting information, but also for furthering the development of online transactions and e-businesses, and other applications involving sensitive data," concludes Prof. Mitchell.

ISO Focus June 2009 29
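Prof. Mitchell's point in the ISO/IEC 19772 item above, that encryption on its own can be dangerously weak, is easiest to see by doing it. The following is an added example written for this page, not code from the standard or from its editor: a toy stream cipher whose keystream comes from HMAC-SHA256 (an illustrative stand-in, not one of the six ISO/IEC 19772 mechanisms) is first used alone, and an attacker who knows where a field sits in the plaintext rewrites it in the ciphertext without the key. The same cipher is then wrapped in an encrypt-then-MAC construction that also covers a sequence number as associated data, and the tampered message and a replay under the wrong sequence number are both rejected. The key separation labels and the 32-byte tag are assumptions of this example.

```python
"""Malleability of unauthenticated encryption versus encrypt-then-MAC.

Added example; the HMAC-based keystream is a toy stand-in for a real cipher
mode and the construction is generic encrypt-then-MAC with associated data,
not a mechanism from ISO/IEC 19772.
"""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode style keystream: concatenated HMAC(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Nothing checks integrity."""
    ks = _keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt_only = encrypt_only  # XOR is its own inverse


def flip_plaintext(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker's move: knowing (or guessing) the bytes at `offset`, XOR in the
    difference between the guessed and the desired plaintext. No key needed."""
    ct = bytearray(ciphertext)
    for i, (o, n) in enumerate(zip(old, new)):
        ct[offset + i] ^= o ^ n
    return bytes(ct)


def _derive(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys from one master key (assumed labels)."""
    return hmac.new(key, label, hashlib.sha256).digest()


def aead_encrypt(key: bytes, nonce: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Encrypt-then-MAC: the tag covers nonce, associated data and ciphertext."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    return ct + tag


def aead_decrypt(key: bytes, nonce: bytes, message: bytes, aad: bytes = b""):
    """Verify the tag in constant time before touching the ciphertext;
    return None rather than any plaintext if it does not match."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + aad + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return decrypt_only(enc_key, nonce, ct)


def demo() -> dict:
    key, nonce = os.urandom(32), os.urandom(16)
    msg = b"transfer amount=0100 to=ACME"
    at = msg.index(b"0100")

    # 1. Encryption alone: the amount is rewritten without the key.
    ct = encrypt_only(key, nonce, msg)
    forged = decrypt_only(key, nonce, flip_plaintext(ct, at, b"0100", b"9100"))

    # 2. Encrypt-then-MAC with the sequence number as associated data.
    seq = (7).to_bytes(4, "big")
    sealed = aead_encrypt(key, nonce, msg, aad=seq)
    tampered = flip_plaintext(sealed, at, b"0100", b"9100")
    return {
        "forged_plaintext": forged,
        "genuine": aead_decrypt(key, nonce, sealed, aad=seq),
        "tampered_rejected": aead_decrypt(key, nonce, tampered, aad=seq) is None,
        "wrong_seq_rejected": aead_decrypt(key, nonce, sealed, aad=(8).to_bytes(4, "big")) is None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The forged plaintext decrypts cleanly to a transfer of 9100, which is the "dangerously weak" case; the authenticated variant returns nothing for the same tampering. Covering the sequence number as associated data is the standard's "integrity of data even when not encrypted" point: the number travels in clear, yet a message presented under another sequence number fails verification. Note that the order matters: verify first, then decrypt, and never release plaintext on a failed tag.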
SC27 WG5

Technologies for privacy, identity management and biometrics
Kai Rannenberg¹, ISO/IEC JTC 1/SC 27/WG 5 Convenor, Professor of Mobile Business & Multilateral Security, Goethe University Frankfurt (Germany), www.m-chair.net

"IT security is becoming more and more of a people's problem" is not only a quote from IT security pioneer Roger Needham (University of Cambridge, UK), but a trend with major business relevance and a dual-faced challenge.
Organisations need to get more efficient in identifying and addressing users and customers, e.g. by making sure that a competent point within the organisation knows which user has which access rights on which corporate resources. Nowadays employees very often have a historically grown plethora of identifiers and access rights. Often it is difficult to know and manage who has the authorization to do what. So when someone leaves an organisation it is usually difficult to revoke authorizations, accounts and access rights in order to avoid later misuse of corporate systems and corporate information. Establishing an efficient framework for corporate access management with reliable accountability is not a trivial task.
A popular Lrend here ls slngle slgn-on", baslcally Lhe unlflcaLlon of all accounLs and
access rlghLs on one sysLem per organlsaLlon, Lo whlch users auLhenLlcaLe
Lhemselves and whlch Lhen provldes access Lo Lhe resources needed, e.g. a
cusLomer daLabase or a prlnLer.
A slmllar unlflcaLlon approach ls popular ln deallng wlLh cusLomers, e.g. when a
Lelecom unlfles cusLomers' accounLs Lo provlde a slngle blll for dlfferenL buL relaLed
servlces.
CurrenLly very ofLen a provlder offers landllne Lelephony, moblle Lelephony, and
lnLerneL access - and sends a dlfferenL blll for each. Whereas Lhls may cause
unnecessary cosLs and complexlLy, Lhe unlflcaLlon of Lhose accounLs LhaL refer Lo Lhe
same cusLomer also offer Lhe chance Lo provlde more cusLomlzed and personallzed

1
Dr. ka| kannenberg (www.m-cha|r.net) has been acLlve ln SC 27 slnce 1992, malnly ln WC 3.
200S he became Co-edlLor of Wu 24760, Co-8apporLeur of Lhe SC 27 SLudy erlod on ldenLlLy
managemenL and 8apporLeur of Lhe SC 27 SLudy erlod on prlvacy. Slnce March 2007 he serves as
Convener of WC S. 2002 kal was appolnLed as rofessor for Moblle Commerce and MulLllaLeral
SecurlLy aL Lhe ueparLmenL for 8uslness lnformaLlcs aL CoeLhe unlverslLy ln lrankfurL (Cermany).


167
bundled servlces whlle ralslng Lhe securlLy, servlce quallLy, and cusLomer
saLlsfacLlon.
A related instrument to bind accounts to a single person and to enhance the assurance for user authentication are biometric techniques, which use unique physiological and behavioural characteristics of a person, e.g. fingerprints or iris scan information, to securely identify that person.

The unification of accounts and access rights can be a double-edged sword for users and service providers alike. Users usually like the added convenience of single-sign-on systems, using one single password for a number of log-ins and access accounts. Organisations on the other hand see the benefit of single sign-on systems in a better control and management of access rights. However, as the number of applications for one individual increases, adding numerous mobile devices or new Web services to their daily life, the risk of data misuse increases as well.

The idea of just having to provide a fingerprint instead of typing a complicated password every morning is fascinating. However, the more sensitive information can possibly be accessed with this one identifier, the higher the risk for the user to fall victim to identity fraud and ultimately experience loss or damage.

A similar scenario applies to the service provider. When it comes to personal information stored on computer systems, privacy concerns need to be taken seriously. It may well be useful for a citizen to have an account with the tax office to deal with the annual tax declaration online, and it may be useful to link this with some information on the costs paid for medical services, but e.g. a complete unification of all the data and profiles stored by the tax office, the hospital, and the health insurance would need to be managed closely and is unacceptable in many cultures - besides the fact that it may violate privacy regulations.

At the same time biometric information can be useful to make login more secure and more convenient, but assessing the secure application of such information in computer systems is not trivial and is the subject of intensive research. Biometric information of an individual may contain sensitive medical, genetic, or health information and, therefore, would potentially cause great harm if used inappropriately or if it fell into the hands of unauthorized persons or even criminals.

As a result, users want more control over their identity and over the personal information which is collected and stored on them, and they want to know who might use the data and for what purpose it is transferred to whom. They also want to be able to use technologies for anonymity and pseudonymity in order to manage whether and how they are identified in which contexts.

Considering the promising new ways in which we use technologies in our daily life and the important challenge to handle an individual's identity and personal information appropriately in the process, SC 27 established WG 5 on Identity Management and Privacy Technologies in May 2006. Currently WG 5 is active in 9 projects with more being expected.
Final Committee Draft 24745 Biometric information protection is to provide guidance for the protection of biometric templates under various requirements for confidentiality, integrity, availability and renewability/revocability during storage and transfer. It also describes the relationship between the biometric reference and other personally identifiable information, provides the requirements for the secure and privacy-compliant management and processing of biometric information, and also clarifies the responsibility of the biometric system owner.

Committee Draft 24760 A framework for identity management addresses the secure, reliable, and privacy respecting management of identity information, considering that identity management is important for individuals as well as organizations, in any environment and regardless of the nature of the activities they are involved in.

International Standard 24761 Authentication context for biometrics defines the structure and the data elements of Authentication Context for Biometrics (ACBio), which is used for checking the validity of the result of a biometric verification process executed at a remote site. This IS 24761 allows any ACBio instance to accompany any data item that is involved in any biometric process related to verification and enrolment. The specification of ACBio is applicable not only to single modal biometric verification but also to multimodal fusion.

Committee Draft 29100 Privacy framework is to provide a high-level framework for the protection of personally identifiable information (PII) within ICT systems and to establish a common privacy terminology, a description of the actors and their roles, an understanding of privacy safeguarding requirements, and a reference to known privacy principles.

Committee Draft 29101 Privacy reference architecture is to provide a consistent, high-level approach to the implementation of privacy safeguarding requirements to safeguard the processing of PII in ICT systems and to provide guidance for planning, designing and building ICT system architectures that more effectively facilitate the privacy of individuals by preventing the inappropriate use of an individual's PII.

Committee Draft 29115 Entity authentication assurance framework (also ITU-T X.eaa) aims at enhancing trust and confidence in authentication by providing objective and vendor neutral guidelines for authentication assurance, e.g. by using specified Levels of Authentication (LoAs) and providing guidance concerning control technologies, processes, and management activities, as well as assurance criteria, that should be used to mitigate authentication threats in order to implement those LoAs.

Working Draft 29146 A framework for access management is to define and establish a Framework for Access Management (AcM) based on the roles an entity may use to access information systems. It focuses on the secure management of the processes to access information and the information associated with the accountability of an entity within some context.

Working Draft 29190 Privacy capability assessment framework is to provide organisations with high-level guidance about how to assess the maturity of their ability to manage and achieve privacy-related outcomes. It considers that the issue of privacy management is a multi-faceted one with multiple privacy "stakeholders" (parties who have an interest in the way the organisation in question manages privacy) imposing very different requirements and with different information needed on different hierarchy levels.

Working Draft 29191 Requirements on relatively anonymous unlinkable authentication is to provide a model of partially anonymous unlinkable authentication with identity escrow and to define its requirements. It is aimed to provide guidance on the use of group signatures and relevant mechanisms for the purpose of data minimization and user convenience. At the same time it is to allow the users to control their anonymity within the group of registered users by choosing designated escrow agents.

In addition WG 5 maintains two Standing Documents: a Roadmap (SD 1) and an Official Privacy Documents References List (SD 2).


ACBio, the first International Standard on online biometric verification, and its harmonization activities with other standards bodies
YAMADA Asahiko, Toshiba Solutions Corporation
Editor of ISO/IEC 24761

In the process of standardizing ISO/IEC 24761 Authentication context for biometrics (ACBio), a lot of experts of SC 27 and other standards bodies have supported me. That made up my mind to write this article in order to record the support the experts have given to me and to express my gratitude to them.
Technical issues in online biometric verification
Biometric verification is not used for services in open network environments, such as online shopping. It is because there are three major technical issues as follows:
Issue 1. If biometric verification is executed on the other side of an open network, there is no evidence to trust the result of the biometric verification.
Issue 2. If biometric templates are stored and compared with biometric samples transmitted through an open network, either of them may be leaked or counterfeited.
Issue 3. Since the modality (fingerprint, vein, etc.) of biometric verification is determined by the service provider which uses biometric verification, the users may have to prepare multiple biometric products to use multiple modalities.
To solve these issues, ACBio was proposed.
ACBio, a solution to online biometric verification
ISO/IEC 24761 ACBio specifies a structure of data which each biometric product in a biometric verification system generates and which can assure the results of biometric verification. In other words, ACBio provides evidence of results of biometric verification. To be more specific, ACBio is digitally signed or authenticated data containing the information of the biometric product, the challenge to prevent replay attacks, the information which shows the consistency of the transmitted data between biometric products in biometric verification, and the certificate of the biometric template if the biometric product stores and uses the biometric template. Figure 1 illustrates the outline of the data structure of ACBio and how ACBio is used in the internet in the future.

Figure 1 - An example of systems in which ACBio is used
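As an added illustration (constructed for this edition, not code from the article and not the ISO/IEC 24761 ASN.1 module), the following Python sketch models the exchange the paragraph describes: the relying party issues a challenge, the biometric product answers with an authenticated instance carrying its product information, the challenge, a digest of the transmitted data and the template certificate, and the relying party rejects replays, inconsistent transfers and forged results. The shared HMAC key standing in for the signature, the product identifier and the certificate string are assumptions.

```python
import hashlib
import hmac
import json
import secrets


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, body: dict) -> str:
    # Canonical JSON so both ends authenticate identical bytes; HMAC stands in
    # for the digital signature/authentication the standard applies.
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, encoded, hashlib.sha256).hexdigest()


class BiometricProduct:
    """Client-side product (e.g. a sensor holding a stored template)."""

    def __init__(self, product_id, key, template, template_cert):
        self.info = {"id": product_id, "modality": "fingerprint"}  # constructed
        self.key = key                  # shared with the relying party (assumption)
        self.template = template        # toy template: comparison is equality
        self.template_cert = template_cert

    def verify_and_attest(self, challenge, sample, transmitted):
        """Compare the sample and emit an ACBio-like instance for the result."""
        body = {
            "product": self.info,
            "challenge": challenge,               # verifier-issued, blocks replay
            "data_digest": _digest(transmitted),  # consistency of exchanged data
            "template_cert": self.template_cert,  # the stored template is certified
            "result": "match" if sample == self.template else "no-match",
        }
        return {"body": body, "mac": _mac(self.key, body)}


class RelyingParty:
    """Verifier on the other side of the open network."""

    def __init__(self, product_keys):
        self.product_keys = product_keys  # product id -> key (assumption)
        self.outstanding = set()          # challenges issued, not yet consumed

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.outstanding.add(challenge)
        return challenge

    def check(self, instance, transmitted):
        """Return (accepted, reason); each failure mode is reported separately."""
        body, mac = instance["body"], instance["mac"]
        key = self.product_keys.get(body["product"]["id"])
        if key is None:
            return False, "unknown product"
        if not hmac.compare_digest(_mac(key, body), mac):
            return False, "authenticity check failed"
        if body["challenge"] not in self.outstanding:
            return False, "replayed or unknown challenge"
        if body["data_digest"] != _digest(transmitted):
            return False, "transmitted data inconsistent"
        self.outstanding.discard(body["challenge"])  # consume exactly once
        if body["result"] != "match":
            return False, "biometric verification failed"
        return True, "ok"


def demo():
    """One honest exchange plus three rejected cases; all values are constructed."""
    key = b"constructed-shared-key"
    sensor = BiometricProduct("sensor-42", key, "template-A", "cert-A")
    rp = RelyingParty({"sensor-42": key})
    data = b"sample-transfer-bytes"
    inst = sensor.verify_and_attest(rp.new_challenge(), "template-A", data)
    out = {"accepted": rp.check(inst, data), "replay": rp.check(inst, data)}
    inst2 = sensor.verify_and_attest(rp.new_challenge(), "template-A", data)
    out["inconsistent"] = rp.check(inst2, b"modified-bytes")
    inst3 = sensor.verify_and_attest(rp.new_challenge(), "wrong-sample", data)
    inst3["body"]["result"] = "match"  # altered result; no key to re-authenticate
    out["forged"] = rp.check(inst3, data)
    return out
```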
Supports from the SC 27 experts
A contribution from Japan NB was submitted to the Study Period on Authentication of biometric data for the SC 27 Fortaleza meeting held in October 2004 in Brazil. The contribution was Biometric Authentication Context (BAC), which later was renamed to Authentication Context for Biometrics (ACBio).
Phillip H. (Phil) Griffin, the US NB Head of Delegation and the Biometrics Study Period Rapporteur, proposed that BAC be recommended to SC 27. At the Vienna, Austria SC 27 meeting in May 2005, SC 27 resolved that BAC be proposed as an NWI. Phil, who also served as the liaison officer to ISO/TC 68 then, highly appreciated the BAC concept, due to the need for BAC in the developing ISO 19092 biometric information security management standard. He strongly supported the use of BAC as the event log audit record resulting from biometric enrollment and verification in banking or financial systems where a high level of security is required. This was included in the ISO 19092 standard, along with the use of BAC to augment simple biometric comparison with a security policy-based biometric comparison decision.
In the first WD, BAC was written in a style similar to ISO/IEC 19785-1 CBEFF Part 1, using prose to describe its abstract data elements, and BAC did not specify an ASN.1 module. Phil contributed the initial elements of the ASN.1 module in ACBio to improve the automation of biometric verification processing. His contributions are reflected in the ACBio International Standard.
Phil has continued to support and advise ACBio activities even after he left SC 27 in 2007. He has championed the ACBio work in other standards forums, including the recent revision of the ANSI X9.84 security standard in ANSI X9, and in security education work in the International Information Systems Security Association (ISSA).
Nils Tekampe of Germany NB was the Rapporteur of the Advisory Group on Biometrics. At every meeting, ACBio was discussed in this Advisory Group in addition to the session of ACBio itself. Nils attended almost every session of ACBio and gave a lot of useful advice.
4. Harmonization with the SC 37 experts
Very serious (thirteen) comments came from SC 37 as a liaison statement on the 1st WD (issued in August 2005), expressing its concerns on the ACBio project. The 1st WD was not clear enough about what ACBio intended to standardize. Therefore it might have led to misunderstanding since it appeared to be very similar to ISO/IEC 19785-1 CBEFF Part 1 and appeared to specify yet another International Standard, ignoring the impacts on SC 37 projects.
At the SC 37 Kyoto meeting in January 2006, SC 37 Chairman Fernando Podio and WG 2 Convenor Prof. Young Bin Kwon gave the ACBio project a chance to explain ACBio to the experts of SC 37/WG 2, which standardizes biometric technical interfaces. They understood the intention of ACBio and decided to found a Special Group on ACBio (SG on ACBio) to review the succeeding drafts of ACBio. This was the beginning of the harmonization between SC 37 activities and the ACBio project.
At Kyoto, Alessandro Triglia of the US NB posed a difficult problem: ACBio should be applicable to multimodal fusion biometrics. It took about half a year to solve this problem. In September 2006, the answer was examined by Alessandro, Greg Cannon, and Fred Herr of the US NB. Because of this challenge, the resulting ACBio specification can completely deal with multimodal fusion.
At the SC 37 London meeting in July 2006, the SG on ACBio was held. After the discussion on ACBio, the ACBio project requested the SG on ACBio to make the International Standards specified in SC 37/WG 2 handle ACBio in the future. The result was beyond expectation. It was concluded, with strong leadership from John Larmouth, to propose an NWI to amend the ISO/IEC 19784-1 BioAPI specification, which specifies the API for BioAPI implementations and the Service Provider Interface for standard interfaces within a biometric system. In addition, security features of encryption and integrity were included.
After the discussion in the SC 37 Wellington meeting in January 2007, it was agreed that it was necessary to divide the work into three projects: ISO/IEC 19784-1 Amd.3, ISO/IEC 24709 Amd.1, and ISO/IEC 19785-4. As ISO/IEC 24709 Amd.1 was dependent on ISO/IEC 19784-1 Amd.3, and as ISO/IEC 24709 is dependent on ISO/IEC 19784-1, ISO/IEC 24709 Amd.1 was suspended until the completion of ISO/IEC 19784-1 Amd.3. In ISO/IEC 19784-1, biometric data is input and output in the data structure called CBEFF BIR defined in ISO/IEC 19785-1. The API with security features was to be specified in ISO/IEC 19784-1 Amd.3 since no specification on security features was defined in ISO/IEC 19785-1. As a result, it was concluded that the structure of the Security Block, which contains information related to the security features for CBEFF, would be specified in ISO/IEC 19785-4.
Later, after the SC 37 Tel Aviv meeting, ACBio became the underlying format for the CBEFF Security Block. In 2010, these two projects were completed (subject to final standardization and publication). It could not have been accomplished without the effort and support of John, Fred, and Alessandro.
In addition, John introduced Jean-Paul Lemaire, a member of the ITU-T SG 17 Question on ASN.1 and the ISO/IEC Convenor on Directories, to the ACBio project. Jean-Paul checked the ASN.1 module of ACBio and provided invaluable advice on how to improve the ASN.1 module.
In SC 37, biometric performance testing and reporting is standardized in WG 5. The ACBio project asked WG 5 to specify a machine readable format for testing and reporting at the SC 37 Berlin meeting in July 2007, since a machine readable test report makes it possible to give information about the products used in biometric verification if it is packed in ACBio instances (data objects compliant to the specification of ACBio). The request was accepted and the ISO/IEC 29120 series was approved after the Berlin meeting. Patrick Grother of the US NB took the editorship of the series and reflected the contribution from the ACBio project in the draft texts, which are now in the CD stage. The ACBio project will continue to support the work until the International Standards are approved.
5. Supports from the SC 17 experts
In some models of biometric verification, IC cards play a very important role, for example, to store biometric templates. Therefore it has been thought to be very important for ACBio to describe examples of ISO/IEC 7816 command sequences used to generate ACBio instances, since ISO/IEC 7816 specifies the standard set of commands to operate IC cards. Since the editor of ACBio is not an expert on IC cards and thus had difficulty in precisely understanding ISO/IEC 7816, the concrete examples of commands which YORIMOTO Yoshikazu and SAKAMOTO Shizuo of SC 17 Japan NB had made to support the ACBio project have been a great help. The fruit is seen in Annex B of ISO/IEC 24761.
In the process of making command sequences, it was found that the current specification of ISO/IEC 7816 was not appropriate enough to generate ACBio instances if the card was capable of comparing biometric templates with biometric samples. Now in SC 17, a new command PBO (Perform Biometric Operation) is being standardized to improve the biometric operations on IC cards. In the near future, the generation of ACBio is planned to be specified in the PBO command.

6. Harmonization with ITU-T SG 17 experts
In ITU-T SG 17, there have been a certain number of standardization activities related to biometrics. Especially the objective of X.1084 Telebiometrics system mechanism and that of X.1089 Telebiometrics authentication infrastructure (TAI) were closely related to that of ACBio. X.1084 has specified an extension of TLS (Transport Layer Security) to biometric verification and X.1089 has specified an authentication infrastructure, using a range of biometric certificates, for remote authentication of human beings. The ACBio project has discussed the harmonization with the editors, ISOBE Yoshiaki of X.1084 and Wei Jiwei of X.1089, several times. As a result, both ITU-T recommendations reference ACBio as a normative standard, which has enhanced the integrity of the Telebiometrics standard set. Since the importance of biometrics in telecommunication is increasing, more collaborative work is expected in the next version of the documents.
At the end of this article, I would like to express my gratitude again to all the experts who kindly shared time for discussion with me to make ACBio a better International Standard. I have been very happy to be with them.
I also would like to thank:
Prof. NAEMURA Kenji, the convenor of SC 27/WG 2, for his kind support when ACBio was born and an infant,
Prof. Kai Rannenberg, the convenor of SC 27/WG 5, for fostering ACBio to an International Standard,
Fernando Podio, the SC 37 chairman, for directing the harmonization with various projects in SC 37,
Prof. Young Bin Kwon, the convenor of SC 37/WG 2, for arranging the harmonization with SC 37/WG 2, especially with SG on ACBio,
Phillip Statham, the convenor of SC 37/WG 5, for taking care of the relation between the ISO/IEC 29120 series and ACBio.
References
ISO/IEC 7816-4, Identification cards - Integrated circuit cards - Part 4: Organization, security and commands for interchange
ISO/IEC 7816-8, Identification cards - Integrated circuit cards - Part 8: Commands for security operations
ISO/IEC 7816-11, Identification cards - Integrated circuit cards - Part 11: Personal verification through biometric methods
ISO/IEC 19784-1, Information technology - Biometric application programming interface - Part 1: BioAPI specification
ISO/IEC 19784-1 AMENDMENT 3, Information technology - Biometric application programming interface - Part 1: BioAPI specification AMENDMENT 3 - Support for interchange of certificates and security assertions, and other security aspects
ISO/IEC 19785-1, Information technology - Common Biometric Exchange Formats Framework - Part 1: Data element specification
ISO/IEC 19785-4, Information technology - Common Biometric Exchange Formats Framework - Part 4: Security block format specifications
ISO/IEC CD 29120-1, Machine readable test data for biometric testing and reporting - Part 1: Test reports
ISO/IEC CD 29120-3, Machine readable test data for biometric testing and reporting - Part 3: Test certificates
ISO 19092, Financial Services - Biometrics - Security framework
ITU-T X.1084, Telebiometrics system mechanism - Part 1: General biometric authentication protocol and system model profiles for telecommunications systems
ITU-T X.1089, Telebiometrics authentication infrastructure (TAI)
ANSI X9.84, Biometric Information Management and Security for the Financial Services Industry





FIDIS
Hans Hedbom (Karlstad University, Sweden, Liaison Officer from FIDIS to SC 27/WG 5)

FIDIS (Future of Identity in the Information Society, www.fidis.net) is a multidisciplinary Network of Excellence (NoE) initially funded by the 6th European Research Framework Programme. The aim of FIDIS is to foster integration of research in the identity and identity management area, such as the role of identity and identification and the interoperability of identity and identity management technologies and concepts. As part of this work FIDIS established a Liaison with ISO/IEC JTC 1/SC 27/WG 5 to disseminate its findings into the standardization world as well as to broaden our own horizons and get new views and comments on our findings. SC 27/WG 5 was chosen for a number of reasons: the plain and transparent processes of ISO/IEC standardization, the competence that we observed among the national experts and the global outreach of SC 27 and its WGs. All in all we feel that the cooperation has been very successful and beneficial for FIDIS and we feel that we have both been able to give guidance as well as being influenced during the whole process.

PICOS congratulates SC 27 on its 20th birthday!
Zdenek Riha [Masaryk University Brno, Czech Republic, Liaison Officer to SC 27/WG 5 from PICOS]

PICOS (Privacy and Identity Management for Community Services, www.picos-project.eu) is proud to have established the liaison with ISO/IEC JTC1/SC 27/WG 5 and to support WG 5's projects, especially the Privacy Architecture (29101). PICOS is an international research project, with a special focus on mobile communities. The PICOS consortium consists of eleven partners from seven different countries, supported by the EU as a part of the Trust & Security Group within the 7th Research Framework Program. It contains specialists from the fields of science, research and industry. The objective of the project is to advance the state of the art in technologies that provide privacy-enhanced identity and trust management features within complex community-supporting services that are built on Next Generation Networks and delivered by multiple communication service providers. PICOS' approach is to research, develop, build, trial and evaluate an open, privacy-respecting, trust-enabling identity management platform that supports the provision of community services by mobile communication service providers.



