Standardization efforts

FIRST has established liaison relationship with ISO and ITU-T.


FIRST established a number Category C liaison relationship with ISO/IEC JTC 1/SC 27. The relationship is established with Working Group 3 (WG3) and WG4. Damir Rajnovic ( is appointed as a liaison officer. You can read more about SC 27 activities at SC 27 home page.

The list of all standards that are developing within JTC 1/SC 27 are visible here.

Currently Vendor SIG is actively working and/or monitoring the following ISO activities:

  • ISO 27010 - Guidance for Information Security Management for Inter-sector Communications
  • ISO 27032 - Guidelines for Cybersecurity
  • ISO 27035 - Information Security Incident Management
  • ISO 27037 - Evidence Acquisition Procedure for Digital Forensics
  • ISO 29147 - Responsible Vulnerability Disclosure

Further information on ISO related activities can be found at: ISO activities page (FIRST members only).


FIRST is in the process of establishing liaision relationship with ITU-T. In particular FIRST is focused in the work done within Study Group 17, Question 4 (SG17/Q4). Study Group 17 is working on recomendations related to security while Question 4 is focused on Cybersecurity. Damir Rajnovic ( is appointed as a liaison officer.

The main piece of work within Q4, in 2009-2012 study period, is centered around CYBEX framework. FIRST is contributing its CVSS as one of the components to the CYBEX framework. In addition to CVSS, FIRST is offering combined expertise of its members as a unique source of expertise in handling computer and computer related incident.

FIRST is also investigating how to work with ITU-T to further goals of Resolution 58 Encourage the creation of national computer incident response teams, particularly for developing countries

More information on on CYBEX related activities can be found at ITU-T SG17/Q4 CYBEX Framework