ISO Activities

FIRST established a number Category C liaison relationship with ISO/IEC JTC 1/SC 27. The relationship is established with Working Group 3 (WG3) and WG4. Damir Rajnovic (gaus.rajnovic at is appointed as a liaison officer. You can read more about SC 27 activities at SC 27 home page. The list of all standards that are developing within JTC 1/SC 27 are visible here.

If you would like to contribute to any ISO activity within ISO/IEC JTC 1/SC 27/WG 3 or WG4 that is not listed here please contact Damir Rajnovic ( to investigate access to the relevant documents.

To access all public documents in WG3 visit The Official BSI IST/33/-/3 Home Page. No such page is known to exist for WG4.

Contributing to activities that are outside of WG3 or WG4 may be possible in some instances but that has to be investigated on a case-by-case basis.

There are several ways you can submit your comments to ISO:

  • Your organization may have a person who is already involved in the standardization effort so you can work with that person.
  • You can work with your national standardization body.
  • You can send you comments to Vendor SIG liaison.

Whichever avenue you choose to use it is very important not to send the identical comments via multiple avenues. It is acceptable to use multiple avenues for passing your comments and it is certainly fine if these comments are similar in nature, but do not copy-and-paste them. Failure to follow this guideline may result in complete disregard of your contributions.

Currently the following ISO activites are being tracked

ISO ActivitiesLeadMaling list
New work item - "Vulnerability Handling Processes" Damir Rajnovic
none defined
ISO 29147 - Responsible Vulnerability Disclosure Damir Rajnovic
ISO 27035 - Information Security Incident Management Yurie Ito
ISO 27010 - Guidance for Information Security Management for Inter-sector Communications Damir Rajnovic none defined
ISO 27032 - Guidelines for Cybersecurity Damir Rajnovic
ISO 27037 - Evidence Acquisition Procedure for Digital Forensics Steve Collins


Future Meetings

ISO/IEC JTC 1/SC 27 - Security techniques Future Meetings (full calendar available in meeting calendar of ISO/IEC JTC 1/SC 27):

  • 2011 April 11-15, Singapore
  • 2011 November, Kenya
  • 2012 May 07-11, Stockholm, Sweden

Vulnerability Handling Processes

This new work item is proposed at the 2010 meeting in Berlin and national boides must vote if they would accept this work or not. Its scope is given as follows:

  • This International Standard (IS) gives guidelines for how to process and resolve potential vulnerability information reported by individuals or organizations that find a potential vulnerability in a product or online service.
  • This International Standard is applicable to all parties involved in handling vulnerabilities. The International Standard is related to ISO/IEC 29147 Information technology Security techniques Vulnerability disclosure. This IS interfaces with elements described in ISO/IEC 29147 at the point of receiving potential vulnerability reports, and at the point of distributing vulnerability resolution information.
  • The IS will also take into consideration the relevant elements of ISO/IEC 15408-3 Evaluation criteria for IT security Part 3: Security assurance components in 13.5 Flaw remediation (ALC_FLR).

The New Work Item Proposal and accompanying attachment are currently the only documents available.

We expect voting results around end of December 2010.

ISO 29147 - Responsible Vulnerability Disclosure

This is a new standard. The editor is Faud Khan (Alcatel-Lucent).

Documents related to this effort can be found here. They are in inverse chronologica order (oldest at the top).

Kyoto, 2008-Apr:

  • SC 27 N6763 WG3 N949 Contents and scope (PDF file, 60Kb)

Limasol, 2008-Oct:

  • SC 27 N7267 1stWD 29147 RVD (PDF file, 280Kb) (FIRST members only)
  • WG3 N967 - Disposition of Comments on 1st WD 29147

Beijing, 2009-May:

Redmond, 2009-Nov:

  • SC 27 N7267 3rdWD 29147 RVD (PDF file, 136Kb) (FIRST members only)
  • Liaison Statement from FIRST
  • WD 29147 - Disposition of Comments on 3nd WD 29147
  • Liaison Statement to FIRST

Malaka, 2010-Apr:

Berlin, 2010-Oct:

Related work in ITU-T

ITU-T produced recommendation X.1206 (04/2008) A vendor-neutral framework for automatic notification of security related information and dissemination of updates. The summary of ITU-T X1206 follows:

Recommendation ITU-T X.1206 provides a framework for automatic notification of security related information and dissemination of updates. The key point of the framework is that it is a vendor-neutral framework. Once an Asset is registered, updates on vulnerabilities information and patches or updates can be automatically made available to the users or directly to applications regarding the Asset.

As such it can be viewed as complementary to ISO29147.

ISO 27035 - Information Security Incident Management

This is about 'upgrading' the already existing Technical Report (TR 18044) into a full standard.

Related documents to ISO 27035:

  • 27N6750 1stWD 27035 (TR18044) (PDF file, 418Kb)

Redmond, 2009-Nov:

  • SC 27 N7566 2ndCD ISO27035 (PDF file, 448Kb) (FIRST members only)

Related work in ITU-T

ITU-T produced recommendation E.409 (05/2004) Incident organization and security incident handling: Guidelines for telecommunication organizations. This work seems to cover the same area as what ISO 27035 tries to address.

ISO 27010-1 Guidance for Information Security Management for Inter-sector Communications

Acting Project Co-editors (Benoit Poletti and Charles Provencher). This will be (at least) four part standard. The parts are as follows:

  • ISO 27010-1 Guidance for Information Security Management for Inter-sector Communications
  • ISO 27010-2 Communication and Alerting Protocol and Mechanisms
  • ISO 27010-3 Participation and Partnership Levels and Agreements
  • ISO 27010-4 Compounded effects of multi-sectorial incidences or failures

From the Summary of ISO27010-1:

Information is an asset of important value that should be (or must be) securely managed and exchanged between relevant organizations. It should be delivered in time to address business issues and to make better decisions, even more so if it is critical to the organization.

Adequate information security management for inter-sector communications is strongly recommended to face the following challenges; failure to do so could impact normal business conditions and cause disruptions during incidents:

  • New threats and vulnerabilities perspective
  • System and network increased dependencies
  • Contractual, legal and business evolution and limits
  • Adequate communications models establishment
  • Attack and reaction processes coordination
  • Ongoing governance

The term “inter-sector communications” could be defined as a managed dissemination of predefined types of information, reviewed and approved for release, transmitted to selected and relevant organizations, independently from public and/or private sectors.

Involved organizations in inter-sector communications need to be aware of their environment, such as their industrial sector and their partner’s to Support with awareness and rehabilitation

    • Establish formal flows of information between organizations
    • Prepare for the outbreak of hazards
    • Take appropriate actions to prevent or limit damages

In ISO 27010-2 the proposal is to use the “OASIS CAP V.1.1” (Common Alerting Protocol) add “IT Security Profile” to it.

Related work in ITU-T

ITU-T produced the recommendation X.1303 (09/2007) Common alerting protocol (CAP 1.1) and, as such, is/should be closely related to ISO 27010-2.

ISO 27032 - Guidelines for Cybersecurity

Project editor (K. Nakao, A. Cheang)

Documents related to this effort can be found here. They are in inverse chronologica order (oldest at the top).

Redmond, 2009-Nov:

From the Introduction to ISO27032:

This standard provides an overview of the unique security challenges on the Internet, or Cyberspace, within the scope of Cybersecurity as defined. This standard differentiates Cybersecurity from Critical Information Infrastructure Protection (CIIP), Internet security, network security, ICT security, and information security in general, thereby highlighting the unique roles of and a set of best practices applicable to users (including Internet-using organizations and governments) and service providers for improving Cybersecurity.

An important aspect of Cybersecurity is the need for efficient and effective information sharing, coordination and incident handling amongst different organizations, users, governments (such as law enforcement agencies), and service providers in a secure and reliable manner that protects also the privacy of individuals concerned. Many of these entities may reside in different geographical locations and time zones, and are likely to be governed by a different regulatory regime. This standard provides a basic framework for achieving such purposes of information sharing, coordination, and incident handling.

The framework includes basic elements of considerations for establishing trust, necessary processes for coordination and information exchange and sharing, and technical requirements for systems integration and interoperability.

ISO 27037 - Evidence Acquisition Procedure for Digital Forensics

Acting Project Co-editors (M. Daud, K.-S. Lee)

Related documents (in inverse chronologica order, i.e. oldest are at the top) to ISO 27037:

Redmond, 2009-Nov:

Malaka, 2010-Apr:

From the Summary of ISO27037:

This International Standard provides detailed guidance that describes the process for recognition and identification, collection and/or acquisition and preservation of digital data which may contain information of potential evidential value. This document includes physical and documentary activities deemed necessary in supporting inter-jurisdictional recognition of collected and/or acquired potential digital evidence.

This standard covers potential digital evidence that is collected and/or acquired regardless of the type of media involved. It shall also cover potential digital evidence acquired from sources that shall include but not limited to static data, data in transit (e.g. over networks) and volatile data (e.g. RAM).

This standard shall not replace specific legal requirements of a particular jurisdiction. Instead, this standard may serve as a practical guideline for first responder in investigations involving potential digital evidence and may facilitate exchange of potential digital evidence between jurisdictions.

Internet Infrastructure Vendors SIG