IT Security

ISO/IEC JTC 1/SC 27 13888-1:2009 - Non-repudiation - Part 1: General

The goal of a non-repudiation service is to generate, collect, maintain, make available and verify evidence concerning a claimed event or action in order to resolve disputes about the occurrence or non-occurrence of the event or action.
Non-repudiation services establish evidence; evidence establishes accountability regarding a particular event or action. The entity responsible for the action, or associated with the event, with regard to which evidence is generated, is known as the evidence subject.
This part of ISO/IEC 13888 serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. ISO/IEC 13888 provides non-repudiation mechanisms for the following phases of non-repudiation:

— evidence generation;

— evidence transfer, storage and retrieval; and

— evidence verification.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:13888:-1:ed-3:v1:en

ISO/IEC JTC 1/SC 27 11770-5:2011 - Key management - Part 5: Group key management

This part of ISO/IEC 11770 specifies key establishment mechanisms for multiple entities to provide procedures for handling cryptographic keying material used in symmetric or asymmetric cryptographic algorithms according to the security policy in force.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:11770:-5:ed-1:v1:en

ISO/IEC JTC 1/SC 27 11770-3:2015 - Key management - Part 3: Mechanisms using asymmetric techniques

This part of ISO/IEC 11770 defines key management mechanisms based on asymmetric cryptographic techniques. It specifically addresses the use of asymmetric techniques to achieve the following goals.

a) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B by key agreement.

b) Establish a shared secret key for use in a symmetric cryptographic technique between two entities A and B via key transport.

c) Make an entity's public key available to other entities via key transport.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:11770:-3:ed-3:v1:en

ISO/IEC JTC 1/SC 27 11770-2:2018 - Key management - Part 2: Mechanisms using symmetric techniques

This document defines key establishment mechanisms using symmetric cryptographic techniques.
This document addresses three environments for the establishment of keys: Point-to-Point, Key Distribution Centre (KDC), and Key Translation Centre (KTC).

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:11770:-2:ed-3:v1:en

ISO/IEC 9797-3:2011 Message Authentication Codes (MACs) - Part 3: Mechanisms using a universal hash-function

This part of ISO/IEC 9797 specifies the following MAC algorithms that use a secret key and a universal hash-function with an n-bit result to calculate an m-bit MAC based on the block ciphers specified in ISO/IEC 18033-3 and the stream ciphers specified in ISO/IEC 18033-4:

a) UMAC;

b) Badger;

c) Poly1305-AES;

d) GMAC.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-3:ed-1:v1:en

ISO/IEC JTC 1/SC 27 9797-2:2011 Message Authentication Codes (MACs) - Part 2: Mechanisms using a dedicated hash-function

This part of ISO/IEC 9797 specifies three MAC algorithms that use a secret key and a hash-function (or its round-function) with an n-bit result to calculate an m-bit MAC. These mechanisms can be used as data integrity mechanisms to verify that data has not been altered in an unauthorized manner. They can also be used as message authentication mechanisms to provide assurance that a message has been originated by an entity in possession of the secret key.

Source: https://www.iso.org/obp/ui/#iso:std:iso-iec:9797:-2:ed-2:v2:en

IEEE - WG-PDAI - Personal Data AI Agent Working Group

With the advent and rise of AI there is a risk that machine-to-machine decisions will be made with black-box inputs determined without input transparency to humans. In order to enable ethics-based AI, individuals will require the means to influence and determine the values, rules and inputs that guide the development of personalized algorithms and Artificial Intelligence. They will need an agent that can negotiate their individual rights and agency in a system of shared social norms, ethics and human rights that also foresees and helps the individual mitigate the ethical implications of data processing. This approach will enable individuals to safely organize and share their personal information at a machine-readable level and enable a personalized AI to act as a proxy for machine-to-machine decisions. A key goal for the creation of this standard is to educate government and commercial actors on why it is in their best interests to create the mechanisms for individuals to train Personal AI Agents to move beyond asymmetry and harmonize personal data usage for the future.

Standard: P7006 - Standard for Personal Data Artificial Intelligence (AI) Agent

Description: This standard describes the technical elements required to create and grant access to a personalized Artificial Intelligence (AI) that will comprise inputs, learning, ethics, rules and values controlled by individuals.

Development Status: Under development

ETSI TC CYBER

TC CYBER is recognized as a major trusted centre of expertise offering market-driven cyber security standardization solutions, advice and guidance to users, manufacturers, network, infrastructure and service operators and regulators. ETSI TC CYBER works closely with stakeholders to develop standards that increase privacy and security for organizations and citizens across Europe and worldwide. We provide standards that are applicable across different domains, for the security of infrastructures, devices, services, protocols, and to create security tools and techniques.

Some of our latest standards have been in network security (implementing the NIS Directive TR 103 456, the Middlebox Security Protocol TS 103 523 series, a survey of network gateways TR 103 421), cryptography for access control and personally identifying information (Attribute-Based Encryption TS 103 458 and TS 103 532), Critical Security Controls (the TR 103 305 series), protecting PII in line with GDPR (TR 103 370), Quantum-Safe Key Exchanges (TR 103 570), and more. You can see a full list on our standards page.

In addition to TC CYBER, other ETSI groups also work on standards for cross-domain cybersecurity, the security of infrastructures, devices, services and protocols, and security tools and techniques. They address the following areas; more information can be found on the related technologies pages:

  • Cross-domain cybersecurity
    • Information Security Indicators
  • Securing technologies and systems
    • Mobile/Wireless systems (3G/4G, TETRA, DECT, RRS, RFID...)
    • IoT and Machine-to-Machine (M2M)
    • Network Functions Virtualisation
    • Intelligent Transport Systems, Maritime
    • Broadcasting
  • Security tools and techniques
    • Lawful Interception and Retained Data
    • Digital Signatures and trust service providers
    • Smart cards / Secure elements
    • Exchangeable CA/DRM solutions
    • Security algorithms

CEN-CENELEC Focus Group on Cybersecurity 

The Focus Group on Cybersecurity (CSCG) will support CEN and CENELEC to explore ways and means for supporting the growth of the Digital Single market. To this end, the CSCG will analyse technology developments and develop a set of recommendations to its parent bodies for international standards setting ensuring a proper level playing field for businesses and public authorities.

The Group will prepare a European roadmap on cybersecurity standardization and will actively support global initiatives on cybersecurity standards that are compliant with EU requirements, in view of the development of trustworthy ICT products, systems and services.

In 2016, the Focus Group looked into the different usages/meanings of the word 'cybersecurity' by various stakeholders in different standards and finalized a document, Definition of Cybersecurity, consisting of an overview of the overlaps and gaps between those definitions, with a view to moving towards a common understanding of the cybersecurity domain.

ISO/IEC - JTC 1/SC 27 - 27005:2018

This document provides guidelines for information security risk management in an organization. However, this document does not provide any specific method for information security risk management. It is up to the organization to define their approach to risk management, depending for example on the scope of an information security management system (ISMS), context of risk management, or industry sector. A number of existing methodologies can be used under the framework described in this document to implement the requirements of an ISMS. This document is based on the asset, threat and vulnerability risk identification method that is no longer required by ISO/IEC 27001. There are some other approaches that can be used.

This document does not contain direct guidance on the implementation of the ISMS requirements given in ISO/IEC 27001.

This document is relevant to managers and staff concerned with information security risk management within an organization and, where appropriate, external parties supporting such activities.