SECURITY STANDARDS

ICAO

ICAO MRTD

International standards bodies - ISO, ITU-T, ETSI

ISO

ISO conformity assessment

ISO 27K and BS 7799 related

BS 7799 Part 1, 'Code of practice for information security management', evolved into ISO 17799 and then into ISO 27002. Part 2, 'ISMS specifications', was further extended into the 2700X family.

ISO 15408 Common Criteria (and related)

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) in a Security Target (ST); these requirements may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine whether they actually meet the claims.

CC versions and main documents

CC:2022 is the latest version. CC V3.1 R5 is the last release of the 3.1 series and may optionally be used for evaluations starting no later than the 30th of June 2024. STs conformant to CC:2022 that are based on PPs certified according to CC 3.1 will be accepted up to the 31st of December 2027. CC:2022 has 5 parts; the corresponding CEM:2022 consists of one part.

CC v3.1 has 3 parts.

Other info

Security evaluation standards

NATO

Security techniques

ISO Biometrics

ISO blockchain and DLT standards

ISO TC 307 blockchain and distributed ledger technology - Chairperson (until end 2019): Mr Craig Dunn

Blockchain: distributed ledger system with confirmed blocks organized in an append-only, sequential chain using cryptographic links.

Consensus: agreement among nodes that a transaction is valid and that there is a consistent set and ordering of the transactions stored in the distributed ledger.

Distributed ledger: ledger that is shared and synchronized in a distributed manner.

Structure

Standards and work in progress

Other

ISO crypto standards

Refer to crypto-timestamping

Hashing and MAC

Encryption

Authentication

Trusted Platform Module

The TPM is a security chip connected to the CPU that provides isolated storage of encryption keys and of Platform Configuration Registers (PCRs). These PCRs hold hash values that can only be updated by extending them: an extend operation concatenates the current register value with the new measurement, hashes the result and stores that hash in the register. The registers are complemented by a 'measurement log', a list of the items that have been executed; replaying the log must reproduce the value stored in the register. This can be used to record the boot process of a platform by extending every piece of code into a register before that code is loaded. The first item loaded, the bootloader, cannot be measured in this way and is therefore referred to as the 'root of trust for measurement'. Remote attestation allows a platform to report the measurements collected during boot to a remote verifier.
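The extend-and-replay mechanism described above, as an added example that is not code from the original page or from any TPM vendor: a software model of a single PCR and its measurement log. It assumes SHA-256, an all-zero initial register, and the TPM update rule new = H(old || digest); the boot components are constructed sample strings.

```python
# Added example, not code from the original page or a TPM vendor: a software
# model of one PCR and its measurement log, using the TPM update rule
# new = SHA-256(old || digest) with an all-zero initial register.
import hashlib
import hmac

PCR_SIZE = 32  # width of a SHA-256 register in bytes


def extend(pcr: bytes, digest: bytes) -> bytes:
    """One PCR_Extend: the register can never be written directly; the only
    way to change it is to fold another digest into the running hash."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components: list[bytes]) -> tuple[bytes, list[bytes]]:
    """Measure each boot component (bootloader first) into the register
    before it would be loaded, keeping the digests as the measurement log."""
    pcr = bytes(PCR_SIZE)
    log = []
    for code in components:
        digest = hashlib.sha256(code).digest()
        log.append(digest)
        pcr = extend(pcr, digest)
    return pcr, log


def replay(log: list[bytes]) -> bytes:
    """Recompute the register value from the log alone, as a verifier does."""
    pcr = bytes(PCR_SIZE)
    for digest in log:
        pcr = extend(pcr, digest)
    return pcr


def verify_attestation(reported_pcr: bytes, log: list[bytes]) -> bool:
    """Remote attestation check: the log must replay to exactly the reported
    register value, so an omitted, altered or reordered entry is detected."""
    return hmac.compare_digest(replay(log), reported_pcr)


if __name__ == "__main__":
    # Constructed boot chain; real measurements would be the code images.
    chain = [b"bootloader v1", b"kernel 6.1", b"initrd"]
    pcr, log = measure_boot(chain)
    print("PCR:", pcr.hex())
    print("log replays to PCR:", verify_attestation(pcr, log))
    print("log without initrd:", verify_attestation(pcr, log[:-1]))
    print("log reordered:", verify_attestation(pcr, log[::-1]))
```

Because each extend folds the previous value into the hash, the verifier learns not only which components ran but in which order, and a log that has been trimmed or rearranged no longer replays to the attested register value.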

Signing

Basics
Long term signature
Blind signature
Anonymous signatures

Other

Management

Assurance and testing

Biometric protection

Authenticated encryption

Generation

ISO smart card standards

CEN and ETSI/3GPP are also very influential in this field.

ISO other standards

Identity

Other

  • ISO 17021:2006 Certification bodies (e.g. for ISO/IEC 27001)
  • ISO 10181 Security Framework (including access control) - corresponds to X.800 series
  • ISO 12931:2012 Performance criteria for authentication solutions used to combat counterfeiting tools (from ISO/TC 246 Anti-counterfeiting tools)
  • ISO 15947 IDS
  • ISO 22857 Protection of medical information
  • ISO/PAS 28001:2006 Security management systems for the supply chain - Best practices for implementing supply chain security
  • ISO/PAS 28001:2006 Security management systems for the supply chain - Guidelines for the implementation of ISO/PAS 28000
  • ISO/IEC 29003 Identity proofing
  • ISO/IEC CD 29184 Information technology - Online privacy notices and consent (see also Kantara)
  • ISO 31000 Risk Management
  • CD 13569 Banking - information security guidelines
  • IS 18028 Network security
  • IS 18043 Intrusion detection systems
  • IS 18044 Incident management
  • Historical: TR 13335 GMITS - guidelines for the management of IT security
    • IS 13335-1 MICTS - Concepts and models for managing and planning ICT security (contains reworked GMITS parts 1 and 2)
    • IS 13335-2 MICTS - Information security risk management (contains reworked GMITS parts 3 and 4, part 5 went to 18028)

ISO other standards - TTP and related

  • ISO 14516 Guidelines for TTP services
  • ISO 19626 Trusted communication platform for electronic documents - legally provable way of dematerialisation, Jasmine Jaegyong Chang, 2017
  • ISO 21188:2018 Public key infrastructure for financial services — Practices and policy framework

ISO other standards - healthcare

  • ISO 17090-1 Health informatics - PKI - digital certificates in the medical domain, security and interoperability
  • ISO 17090-2 Health informatics - PKI - the application of digital certificates
  • ISO 17090-3 Health informatics - PKI - management aspects
  • ISO TS 21547:2010 Health informatics - Security requirements for archiving of electronic health records - Principles
  • ISO TR 21548:2010 Health informatics - Security requirements for archiving of electronic health records - Guidelines

ISO other standards - transport and vehicle related

  • ISO/TR 12859:2009 ITS System Architecture - Privacy aspects in ITS standards and systems
  • ISO/TS 24534-5:2008 Automatic vehicle and equipment identification -- Electronic Registration Identification (ERI) for vehicles -- Part 5: Secure communications using symmetrical techniques

ISO other standards - IT governance

  • ISO/IEC 38500:2015 Information technology — Governance of IT for the organization

ISO other standards - devices

  • ISO/SAE 21434 Road Vehicles – Cybersecurity Engineering Standard

ISA - International Society of Automation

ITU-T

EU standards and related matters

Europe's Standards Development Organisations are CEN, CENELEC and ETSI. For security standards there is additionally the SOG-IS group, and ENISA.

ENISA - certification schemes

CEN

CENELEC

ETSI

EU standards were particularly successful in mobile communication, notably GSM. These standards were originally driven through CEPT (European Conference of Postal and Telecommunications Administrations). In 1988 ETSI took over, and in 2001 GSM standardisation was transferred to the global 3GPP.

Areas covered by ETSI: For ETSI security and crypto standards refer to ETSI security standards.

For the different types of ETSI standards refer to the ETSI standards information page.

SOG-IS

Aim

Coordinate the standardisation of Common Criteria protection profiles and certification policies between European Certification Bodies.

Selected EU Member States participate in SOG-IS, the Senior Officials Group Information Systems Security. The SOG-IS agreement was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council Recommendation of April 7th 1995 (1995/144/EC) on common information technology security evaluation criteria. SOG-IS participants subscribe to the MRA, the Mutual Recognition Agreement of Information Technology Security Certificates.

Scope

SOG-IS publishes Joint Interpretation Library (JIL) interpretations for security certification according to the eIDAS Regulation 910/2014. These are relevant for eIDs and related material.

Participants

SOG-IS participants can be:

Participants include a.o.:

Other

GSMA

Standards from consortia

Global de-facto standards and related matters

Emerging: BS 10008:2008 Evidential weight and legal admissibility of electronic information

IETF

Refer also to cryptostandards.

Other

US standards and related matters

NIST

Selection

ANSI - American National Standards Institute