International standards bodies - ISO, ITU-T, ETSI


ISO conformity assessment

ISO 27K and BS 7799 related

BS 7799 Part 1 'Code of practice for information security management' evolved into ISO 17799 and into ISO 27002, Part 2 'ISMS specifications' was further extended into the 2700X family

ISO 15408 Common Criteria (and related)

Common Criteria is a framework in which computer system users can specify their security functional and assurance requirements (SFRs and SARs respectively) in a Security Target (ST), and may be taken from Protection Profiles (PPs). Vendors can then implement or make claims about the security attributes of their products, and testing laboratories can evaluate the products to determine if they actually meet the claims.
  • International Common Criteria Conference
  • AU - DOD - Infosec - including CC product evaluation reports
  • UK - CESG
  • UK - BT as CLEF
  • UK - LogicaCMG as CLEF - also in Australia
  • DE - BSI
  • DE - Tuvit - Beyond CC - "SQ - Security Qualification"
  • NL - TNO - CommonCriteria mirror - includes the Common Evaluation Method
  • US - Common Criteria - NIST
  • US - Common Criteria - toolbox for CC PP's - free download (Windows only)
  • US - Common Criteria - Mutual Recognition - via NIAP (National Information Assurance Partnership
  • US - VISA's version of a CC "Predefined Protection Profile - look also for VOP (Visa Open Platform)"
  • Corsec - Common Criteria accreditation (also FIPS 140-2)
  • UK - ITSEC
  • Open Source - Sardonix portal for auditing open source applications - sponspored by DARPA
  • US - CSC - participant in TTAP Trusted Technology Assessment Program
  • Security evaluation standards


    Security techniques

    ISO Biometrics

    ISO blockchain and DLT standards

    ISO TC 307 blockchain and distributed ledger technology - Chairperson (until end 2019): Mr Craig Dunn

    Blockchain: distributed ledger system with confirmed blocks organized in an append-only, sequential chain using cryptographic links. Consensus: agreement among nodes that a transaction is valid and that there is a consistent set and ordering of the transactions stored in the distributed ledger. Distributed ledger: ledger that is shared and synchronized in a distributed manner


    Standards and work in progress


    ISO crypto standards

    Refer to crypto-timestamping

    Hashing and MAC



    Trusted Platform Module

    The TPM is a security chip connected to the CPU that provides isolated storage of encryption keys and of Platform Configuration Registers (PCRs). These PCRs hold hash values, which can only be updated by extending them. An extension consists of appending the current register value to the input, hashing it and storing the resulting hash in the register. The registers are complemented by a 'measurement log' which consists of a list of items that have been executed. Replaying the log should result in the same value as stored in the register. This can be used to record the boot process of a platform by 'extending' every piece of code to be executed into a register before the code is loaded. The first item loaded, the bootloader, cannot be measured in this way and is therefore referred to as the 'root of trust for measurement'. Remote attestation allows a platform to report the measurements collected during boot.


    Long term signature
    Blind signature
    Anonymous signatures



    Assurance and testing

    Biometric protection

    Authenticated encryption


    ISO smart card standards

    Also CEN and ETSI/3GPP are very influencial in this field.

    ISO other standards



    ISO other standards - TTP and related

    ISO other standards - healthcare

    ISO other standards - transport and vehicle related

    ISO other standards - IT governance

    ISO other standards - devices

    ISA - International Society of Automation


    EU standards and related matters

    Europe's Standard Development Organisations are CEN, CENELEC and ETSI. Regarding security standards, there is the SOG-IS group.




    EU standards were particularly successful in mobile communication such as GSM. These standards were originally driven through CEPT (European Conference on Post and Telecommunications Administrations). In 1988, ETSI took over, and in 2001 GSM standardisation was transferred to the global 3GPP. Areas covered by ETSI: For ETSI security and crypto standards refer to ETSI security standards.

    For the different types of ETSI standards refer to the ETSI standards information page.



    Coordinate the standardisation of Common Criteria protection profiles and certification policies between European Certification Bodies in order to have a common position in the fast growing international CCRA group. Coordinate the development of protection profiles whenever the European commission launches a directive that should be implemented in national laws as far as IT-security is involved

    Selected EU Member States participate in SOG-IS - Senior Officials Group Information Systems Security. The SOG-IS agreement was produced in response to the EU Council Decision of March 31st 1992 (92/242/EEC) in the field of security of information systems, and the subsequent Council recommendation of April 7th (1995/144/EC) on common information technology security evaluation criteria. SOG-IS participants subscribe to the MRA, the Mutual Recognition Agreement of Information Technology Security Certificates. Participants are: More info:



    Standards from consortia

    Global de-facto standards and related matters

    Emerging: BS 1008:2208 Evidential weight and legal admissibility of electronic information



    US standards and related matters



    ANSI - American National Standards Institute