Which ISO/IEC committee is responsible for the 27000-series information security standards?
ISO/IEC JTC 1/SC 27 — Information security, cybersecurity and privacy protection — a sub-committee of the Joint Technical Committee on Information Technology.
* The SC 27 reporting tree: ISO and IEC jointly own JTC 1, whose SC 27 subcommittee and its working groups author the entire 27000 series. *
The reporting chain:
ISO + IEC
│
JTC 1 (Information Technology)
│
SC 27 (Information security, cybersecurity and privacy protection)
│
WGs (Working Groups for specific topics)
SC 27 was created in 1989, secretariat is DIN (Germany). It owns the entire ISO/IEC 27000-series, but its scope is broader:
- Security requirements capture
- Management of information / ICT security (ISMS standards)
- Cryptographic mechanisms (key management, digital signatures)
- Security support documentation
- Identity management, biometrics, privacy
- Conformance assessment
- Security evaluation criteria
Tip: The German secretariat is the reason BSI engineers have outsized influence on the ISO 27k series — many ISO 27k authors are also BSI Grundschutz authors. This explains why the ISO 27k and BSI worlds are conceptually so close.
Go deeper:
ISO/IEC JTC 1/SC 27 (Wikipedia) — the subcommittee's working groups (WG1-WG5), DIN secretariat and the 27k series it owns.