Welcome to SC27 SD11: 2019

ISO/IEC JTC 1/SC27 is an internationally recognized centre of information security, cybersecurity and privacy protection expertise serving the needs of many business sectors as well as governments. Its work covers both management standards and technical standards. The work of ISO/IEC JTC 1/SC27 is in direct response to business, government and consumer requirements for information security standards.

The information in SD11 reflects some of the many achievements and developments of SC27 since its establishment in April 1990. These achievements have flourished as a direct result of changes in market and business needs, greater interest in management systems security, changes in risks, changes in technology, ubiquitous deployment of wireless and mobile computing and communications, societal security, economic changes and the impact of new regulations and legislation.

The work of SC27 enables organizations to engage in preventive actions to protect their information and to maintain business availability and continuity, and to avoid business continually needing to apply corrective action to resolve security compromises and failures of yesterday and the past. It is more economically sound for the ISO/IEC community to work towards preventive actions rather than corrective actions. In particular, such protection is required to maintain operational conditions within business environments within and across industry sectors, for economic growth and national and global sustainability, as well as for critical infrastructure purposes in times of crisis and disasters.

In May 2015 SC 27 celebrated its 25th birthday – a great occasion to recognize many of the achievements of SC 27. In September 2015 SC 27 was honoured with the prestigious Lawrence D. Eicher Award, which is given each year to the ISO technical committee or subcommittee that has distinguished itself in making significant contributions to the development of International Standards.
SC 27 continues to engage in standardisation work at the forefront of the marketplace, embracing the requirements of new and emerging technologies and business innovations. The latest developments include work on the security and privacy requirements of the IoT (Internet of Things), Big Data security, Distributed Ledger Technology and security, trustworthiness and applications involving privacy technology. SC 27 together with its National Standards Body members and its liaison partners ensures that its standardisation products provide the best solutions for industry and business.

Dr. Edward Humphreys
SC 27 Communications Officer
June 2019

WG1 Products

Standard: ISO/IEC 27000
Title: Overview and vocabulary
Status: 5th ed. 2018
Abstract: This International Standard describes the overview and the vocabulary of information security management systems, which form the subject of the ISMS family of standards, and defines related terms and definitions.

Standard: ISO/IEC 27001
Title: Information security management systems – Requirements
Status: 2nd ed. 2013
Abstract: This International Standard specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented information security management system within the context of the organization’s business activities and the risks it faces.

Standard: ISO/IEC 27002
Title: Code of practice for information security controls
Status: 2nd ed. 2013 (revision WD3)
Abstract: This International Standard offers a collection of commonly accepted information security control objectives and controls and includes guidelines for implementing these controls.

Standard: ISO/IEC 27003
Title: Information security management system – guidance
Status: 2nd ed. 2017
Abstract: This International Standard provides further information about using the PDCA model and gives guidance addressing the requirements of the different stages of the PDCA process to establish, implement and operate, monitor and review and improve the ISMS.

Standard: ISO/IEC 27004
Title: Information security management – Monitoring, measurement, analysis and evaluation
Status: 2nd ed. 2016
Abstract: This International Standard provides guidance on the specification and use of measurement techniques for providing assurance as regards the effectiveness of information security management syste

Standard: ISO/IEC 27005
Title: Information security risk management
Status: 3rd ed. 2018 (revision WD1)

PDF document: ISO_IEC_JTC1_SC27 standards project introduction - sd11-201909

This document was uploaded and shared by 侯茹 on 2022-04-19 15:58:03.