ISO Focus – The Magazine of the International Organization for Standardization
Volume 2, No. 9, September 2005, ISSN 1729-8709

• Gathering of standard makers
• World Trade Report 2005 highlights ISO’s key role

Contents

1 Comment – Ziva Patir, ISO Vice-President (technical management), Securing the safety of our society
2 World Scene – Highlights of events from around the world
3 ISO Scene – Highlights of news and developments from ISO members
4 Guest View – Tamotsu Nomakuchi, President and CEO of Mitsubishi Electric Corporation
7 Main Focus – Standards for a safer world
• World Standards Day – Standards for a safer world
• Advisory Group on security
• Improved ISO/IEC 17799 heralds new series on information security management systems
• Biometrics: global challenges and customer needs
• Container security seals
• Safer ships: lifesaving and fire protection at sea
• Safe machine operations
• High ambitions for a new robot safety standard
• Providing fire containment standards for today and tomorrow
• Image safety – new biological risks in the IT age
• Consumers depend on safety standards
• Protecting vital sites with new clean fire extinguishing systems
• Management of food safety in the supply chain
• Managing security in the whole supply chain
38 Developments and Initiatives
• Putting Passion into Practice – the Standard Makers’ third ISO Conference
43 New this month
• World Trade Report 2005 highlights ISO’s key role
• ISO 9000 and leading agricultural seed researcher and producer
45 Coming up

ISO Focus is published 11 times a year (single issue: July-August). It is available in English. Annual subscription 158 Swiss Francs; individual copies 16 Swiss Francs.

Publisher: Central Secretariat of ISO (International Organization for Standardization), 1, rue de Varembé, CH-1211 Genève 20, Switzerland. Telephone +41 22 749 01 11, Fax +41 22 733 34 30, E-mail [email protected], Web www.iso.org
Manager: Anke Varcin
Editor: Elizabeth Gasiorowski-Denis
Artwork: Pascal Krieger and Pierre Granier
ISO Update: Dominique Chevaux
Subscription enquiries: Sonia Rosas, ISO Central Secretariat, Telephone +41 22 749 03 36, Fax +41 22 749 09 47, E-mail [email protected]

© ISO, 2005. All rights reserved. The contents of ISO Focus are copyright and may not, whether in whole or in part, be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise, without written permission of the Editor.
ISSN 1729-8709. Printed in Switzerland.
Cover photo: Marc Elder, Australia.
ISO Focus September 2005

Comment
Securing the safety of our society

Security is understood as the antidote of danger, risk, damage, injury or death – whether they result from human negligence or violence, industrial activities or from natural disasters – and it implies that dire measures need to be taken in order to prevent or reduce the occurrence of such threats.

On 11 September 2001, the world experienced a tremendous “wake-up call”. It has today become clear that there must be a change in the way security issues are dealt with, including the need for an evolution of the respective roles of government, the private sector and society, as well as for the behaviour of citizens.

While acts of terrorism have drawn the world’s attention to countering human malevolence, security is not restricted to this aspect; it addresses a wide spectrum of measures to help prevent the daily occurrence of injuries, caused by everything from physical accidents at home, at work or in transportation to aggressions, environmental deterioration or hazardous activities, from unsafe toys for children to the safety in cars as well as other threats related to the evolution of society. With the pervasiveness of ICT and our growing dependence on their reliable operation, IT security has also become a major concern.

The need for International Standards has grown with the globalization and broadening of the concern for security and of the scope of standardization itself. ISO, the IEC and ITU have decided to devote this year’s World Standards Day to the theme, “Standards for a safer world”. As highlighted in the WSD message on page 7, the event is designed to raise awareness to the extent of this contribution, where it impacts and the scale of its importance.

Indeed, in ISO, we are not only still actively producing and updating standards related to the safety of consumer products or industrial equipment, but we have also expanded to the management of security or the tools deployed globally to ensure it, such as biometrics or securing the global supply chain. In this way, we can contribute to improving the level of security worldwide and disseminate good practices, whilst avoiding creating new technical barriers to trade.

“At ISO, we have both an obligation and a tool to contribute effectively to the global effort of providing greater security to society.”

Our Advisory Group on Security has recently submitted its final report with 15 recommendations for implementation. These recommendations provide a strategic and systematic approach that will allow us to respond effectively to the evolving needs of society.

Moreover, our stakeholders expect standards, where they are needed, to be delivered in a matter of months, not years. The need for effective solutions at short notice requires the use of existing products and processes and adapting them for security purposes. For example, our Advisory Group on Security identified many existing International Standards for products and test methods that could be used in relation to security. There is also an opportunity to adapt existing products and technologies from the Defense Industry for civilian security solutions.

Finally, with the development of trade and the fact that both natural disasters and violence know no frontier, international solidarity and collaboration is indispensable. Developing and implementing internationally accepted standards for security requires, more than ever, the involvement of the world community: this is precisely what the ISO System enables. It is encouraging to note that an extensive array of security-related standards exist or are under development, thanks to the strong partnership between government and inter-governmental organizations on the one side, and the private sector on the other.

So as we think about standards for security, we must consider our strategic plan, whose vision is to bring a positive contribution to sustainable development, and implies making a balance between our present needs and the well being of future generations. By optimizing resources and, above all, using International Standards, we will be in a position to contribute effectively to global security efforts and achieve a safer and more secure world for all people, from all walks of life in society – today and tomorrow.

One thing has become very clear. We need to continue working together in order to create a safer world. At ISO, we have both an obligation and a tool to contribute effectively to the global effort of providing greater security to society. Let us meet the challenge together.

Ziva Patir
ISO Vice-President (technical management) and Director-General, Standards Institution of Israel
World Scene

Pacific Area Standards Congress

The 28th meeting of the Pacific Area Standards Congress (PASC), a forum to strengthen international standardization programmes for countries in the Asia-Pacific region, was held in Nagoya, Japan, between 21 and 23 June 2005. ISO President Masami Tanaka attended the event, and provided an update on ISO’s progress towards Horizon 2010, the ISO Code of Ethics, the ISO Five Year Action Plan for Developing Countries, and the ISO Policy of Global Relevance.

The PASC meeting highlighted the importance of the strong relations and synergies between ISO, IEC and the ITU and encouraged the organizations to continue to work towards closer collaboration, with particular focus on the issue of intellectual property rights policy.

A special session was held on “Standards for a Safer World”, which included presentations addressing the 2004 tsunami disaster and recommendations encouraging standards development experts to work closer with seismology and tsunami experts. It was agreed that sharing between PASC members of information on early warning systems and disaster recovery could be crucial in the areas of environment, accessibility, unexpected serious events, and metrology.

In parallel to the meeting, Professor Masami Tanaka was presented with the Inaugural PASC Meritorious Service Award for 2005 for his outstanding work as PASC Standing Committee Chair from 1995 to 2000 and for his tireless work in standardization at national, regional and international levels. The meeting was hosted by the Japanese Industrial Standards Committee (JISC), ISO member for the country.

Codex Alimentarius Commission addresses relations with ISO

The Codex Alimentarius Commission held its 28th session in Rome from 4 to 9 July 2005. It had explicitly on its agenda the issue of its relations with ISO. Delegates recognized and welcomed the expanding collaboration and the need for close coordination.

ISO Secretary-General, Alan Bryden, presented the broadening scope of ISO’s activity in the area of food products and foodstuffs, covering test and analytical methods, management aspects, such as ISO 22000 and related standards on food safety management and product traceability, or the toolbox of ISO standards on conformity assessment. The relevance of this work to the WTO Agreement on the Application of Sanitary and Phytosanitary Measures (SPS Agreement), which ISO had had the opportunity to present to the WTO SPS Committee a few days previously, was also underlined.

Alan Bryden took the opportunity of the Codex meeting to also meet Mr. Jacques Diouf, the Director General of the Food and Agriculture Organization. This latter organization is, with WHO, one of the two parent organizations of the Codex Alimentarius Commission. The current and potential collaboration between FAO and ISO is important in domains that range from agricultural equipment to sustainable agriculture, from forest management to food safety, from the promotion of the use of the ISO 14000 series to consumer information and protection.

(Left to right) Jacques Diouf, Director General of the FAO with Alan Bryden, Secretary-General of ISO.

Excellence in education supported by ISO

The Arab Academy in Alexandria, in collaboration with EOS, the Egyptian member of ISO, organized on 27-29 June a regional conference entitled “Quality in education: the path to excellence”. Attended by over 250 participants from 10 countries, it focused on examples and modalities for implementing quality management in educational institutions.

Indeed, education is both a key to economic development and, concerning higher education, a subject for increasing international competition. National schemes for the accreditation of faculties and curricula are expanding, as was illustrated by the examples of Italy and Egypt. More and more, these schemes promote the use of the ISO 9000 series as the core element of management systems for educational institutions.

The ISO Secretary-General’s keynote address focused on the use of ISO 9001 and the specific International Workshop Agreement related to education (IWA 2), as well as on ISO 10015, which provides guidelines for the satisfaction of training needs in organizations.

On the occasion, Alan Bryden signed a MoU with the Arab Academy, represented by its President, Prof. Dr. Gamal El Din Mokhtar Moktar, to initiate collaboration, in coordination with AIDMO, on the provision of training services and material to the Arab region in relation to the promotion of standardization.

(Left to right) Alan Bryden, Secretary-General of ISO; Dr. Mahmoud Eisa, President, Egyptian Organization for Standardization and Quality Control (EOS); Dr. Sherif El-Araby, Dean, Productivity and Quality Institute, Arab Academy for Science and Technology.

Cooperation within EuroAsian countries

The 27th meeting of the Euro-Asian Council for Standardization, Metrology and Certification (EASC), an intergovernmental body of the Commonwealth of Independent States (CIS), was held in Chisinau, the Republic of Moldova, on 20 to 22 June 2005.

Presentations included updates on EASC work in the area of harmonization of technical regulations and interstate standardization, metrology, conformity assessment and accreditation.

Mrs. Béatrice Frey, Head, Bureau of the Secretary-General, ISO Central Secretariat, gave a presentation on the progress made to date of the ISO Strategic Plan 2005-2010 and identified areas where members of EASC could play an important role. She also noted that an increasing number of EASC members are interested in adopting ISO standards and translating them into Russian, in an effort to avoid duplication and unnecessary barriers to trade.

In examining the draft “Agreement on the fundamentals of harmonization of technical regulations in the CIS member states”, EASC members recognized the importance of greater harmonization and adopted 60 interstate standards that have been harmonized with International and European standards.

Mr. Gregory Elkin, Head of the Federal Agency on technical regulation and metrology of the Russian Federation, ISO member for the country, was elected President of EASC.

For more information, contact Béatrice Frey: [email protected]
ISO Scene

SII celebrates

On the occasion of the 60th anniversary of standardization in Israel, the Standards Institution of Israel (SII) organized, in the last week of May, a series of events to underline and promote its contribution to national economic development and to international standardization. In particular, an international conference on “Standardization and Quality” was attended by over 350 participants from more than 20 countries. Keynote presentations were made by Dr. Torsten Bahke, Director of DIN Deutsches Institut für Normung and ISO Vice-President (policy), as well as by Dr. Mark Hurwitz, President and CEO of the American National Standards Institute (ANSI). The ISO Secretary-General highlighted the ISO Strategic Plan 2005-2010. An update was given on developments in ISO/TC 176, Quality management and quality assurance, and ISO/TC 207, Environmental management, together with presentations of the need and prospects for integrated management systems standards.

Other events were associated to make the celebration complete and communicative: an open house at the SII facilities, the presentation of the Israel National Quality Awards and an International Conference on homeland security held in Jerusalem. The celebrations were hosted by Ziva Patir, Director-General of SII and ISO Vice-President (technical management).

ISO Secretary-General visits PSI

Following his participation in the SII conference on standardization and quality, the ISO Secretary-General visited PSI, the Palestine Standards Institute, which has recently upgraded its membership in ISO to correspondent member. High level contacts with Government Officials and representatives of the Palestinian economy were organized, as well as visits to several industrial plants in Ramallah and Bethlehem, covering several sectors: food processing and beverages, stone products, telecoms, as well as the Palestinian Trade Board and an incubator for IT start-ups. PSI, which covers standardization, metrology and certification, has increased its staff to almost 90, and is providing a wide range of services and assistance to the Palestinian economy. PSI wishes to enhance its role as the “go between” its stakeholders and international standardization. Increased and targeted participation in ISO, as well as associated training needs, were considered during the discussions of the ISO Secretary-General with the Chairman of PSI, Eng. Mazen Sonokrot, who is the Minister for Economy, and the Director General, Mazen Abusharia.

New ISO working group on risk management

ISO has established a working group designed to develop general guidelines for principles and implementation of risk management.

Risk management is a key business tool within both the private and public sector around the world. Sound and effective implementation of risk management is part of best business practice at a corporate and strategic level as well as a means of improving operational activities. It is widely understood that, to be truly effective, risk management must become part of the culture of the organization and be part of everyday business practice.

There are a number of risk-related standards published by ISO and other standards bodies as well as many standards that refer to risk management processes, but there is no central ISO document that provides a consistent approach. Although the concept of risk terminology has been defined in ISO/IEC Guide 73, there is not yet a clear concept of risk or the management of risk. There is a need to develop an International Standard which provides the concept of and guidelines for implementing risk management.

The working group, under the TMB, will be chaired by SA (Australia) and the secretariat is to be provided by JISC (Japan). It is charged with developing a document that provides principles and practical guidance on risk management. The future guidelines are envisaged to apply to all organizations, regardless of type, size, activities and location, and should apply to all types of risk.

New technical committee on nanotechnologies

ISO has established a new technical committee on nanotechnologies (TC 229). The decision was among those taken by the organization’s Technical Management Board (TMB) at its June 2005 meeting in Geneva, Switzerland.

The scope of the committee identifies specific standardization work such as classification, terminology and nomenclature, basic metrology, characterization, including calibration and certification, risk and environmental issues. Test methods include approaches for determining physical, chemical, structural and biological properties of materials or devices for which the performance, in the chosen application, is critically dependent on one or more dimensions of <100 nm. Test methods for applications, and product standards, are to come within the scope of the technical committee.

The proposal for the new field of technical activity was submitted by the British Standards Institution (BSI), ISO member for the United Kingdom, which has been assigned the secretariat, with Dr. Peter Hatto (United Kingdom) acting as its Chair. ISO/TC 229 is required to submit within a maximum of 18 months a draft business plan for review by the TMB. Its first meeting is expected to be held in November 2005.
Guest View
Tamotsu Nomakuchi

Dr. Tamotsu Nomakuchi is President and Chief Executive Officer of Mitsubishi Electric Corporation. Dr. Tamotsu Nomakuchi, who received his MSc from Kyoto University, began his career as a research scientist at Mitsubishi Electric’s Central Research Laboratory in 1965. In 1975, he received his PhD in Engineering from Osaka University. Dr. Nomakuchi was elected corporate vice president, General Manager of Information Technology R&D Center in 1995 and promoted to corporate senior vice president, Corporate Research and Development in 1997. After serving as executive vice president, Information System and Network Services, he became President and Chief Executive Officer of Mitsubishi Electric Corporation in April 2002.

ISO Focus: If you were to describe the Mitsubishi Electric Group in a nutshell, what would you say?

Tamotsu Nomakuchi: Mitsubishi Electric was established in 1921 and now has consolidated sales of about 32 billion US dollars. The company is expanding its business in the following fields: energy and electric systems, industrial automation systems, information and communication systems, electronic devices and home appliances. The company has about 100 000 employees in its consolidated global terms, and operates in over 34 countries. Mitsubishi Electric is especially committed to making strong businesses even stronger. The company focuses on such areas as satellites, elevators and escalators, automotive electric and electronic products and factory automation products.

Mitsubishi Electric is in the process of becoming a conglomerate of highly competitive electric-electronic businesses, with its unity stemming from interconnecting synergies.

ISO Focus: How does Mitsubishi Electric, that designs and develops equipment and products for personal, public and industrial use in a broad range of industries, ensure and demonstrate the safety of both its users and its workforce? What benefits do you see for your Company from International Standards to support design, marketing, trade and communication in this area?

Tamotsu Nomakuchi: To tackle the issue of safety within the company, we have established company-wide procedures associated with quality assurance that ensure strict compliance – both inside and outside the company – with any quality-related laws, standards or technical criteria, including product safety. We look to establishing safety and reliability by making full use of related technologies and the International Standards during the developing, designing and manufacturing processes.

In addition, we have established product safety management activity and quality diagnosis as company-wide regulations so as to ensure product safety, and to take action to prevent the occurrence of product defects as well as any recurrence of such. We have also streamlined product safety regulations within each business group and for factory lines, and, through regular and periodic inspections of product safety management, we have striven to make sure our products are safe.

To give a specific example: in the area of home appliances, we ensure safety through risk assessment based on ISO/IEC Guide 51, Safety aspects – Guidelines for their inclusion in standards, ISO 14121, Safety of machinery – Principles of risk assessment, and ISO 12100, Safety of machinery – Basic concepts, general principles for design. As the top-ranking standard within safety standards in the home appliances field, we have put in place the fail-safe design standard, that reestablishes any malfunction to bring it in line with the standard’s safety criteria. This standard seeks to ensure development of reasonably safe, free-from-hazard products that may cause injury or damage to users.

“Standards must be internationally acknowledged, to ensure compatibility and guarantee interoperability.”

Mitsubishi Electric Corporation Headquarters, in Tokyo, Japan.
Large-scale display systems.

ISO Focus: With the growing convergence of ICT and electronics, how do you view the cooperation between IEC, ITU and ISO, developed in the context of the World Standards Cooperation? IEC and ISO have successfully joined forces in the area of Information Technologies (cf. JTC 1) and in the area of conformity assessment where they have developed a comprehensive tool box of International Standards and Guides relating to first, second and third party conformity assessment. Would you encourage further synergies?

Tamotsu Nomakuchi: In recent years, there has been a tendency for businesses to spread into new areas and to develop internationally. In view of this evolution, standards must be internationally acknowledged so as to ensure compatibility between operating techniques and systems and to guarantee interoperability between systems. It is our sincere hope and expectation that IEC, ITU and ISO will cooperate and promote together, under the framework of World Standards Cooperation (WSC), activities that help develop International Standards and to establish evaluation criteria. This will result in the creation of standards that enable compatibility and interoperability.

Information and communication technologies (ICT) are foundation technologies that support many social activities, and have led the growth and development of the Internet. In this field as well, International Standards have played a major role.

Due to the massive spread of the Internet, information systems are now largely inter-connected, enabling the rapid distribution of individual and organizational information. In such an environment, measures to enable information security are essential.

ISO/IEC 15408 – the standard that enables objective evaluation of the quality of information security – sets out seven grade evaluation levels; in certain cases today, procurement at private and government levels is contingent upon acquisition of the ISO/IEC 15408 certification. Our company has been awarded ISO/IEC 15408 certification for systems in the financial field; acquisition of this certification for products and systems may in the future become necessary in other fields, as well.

An information security management system (ISMS) based on ISO/IEC 17799, Information technology – Security techniques – Code of practice for information security management, has been introduced and promoted in Japan together with the country’s personal data protection Act. Much in the same way that ISO 9000 and ISO 14000 have been broadly utilized, ISMS will become increasingly accepted in the future.

Machine-room-less elevator AXIES.
Laser processing machines.
Communications Satellite Platforms DS2000.

ISO Focus: The incorporation of patented technologies in standards is crucial, especially in the area of information technologies. ISO and IEC have a common policy on this matter [i.e. that International Standards may contain patented technologies, but that they should be made available under reasonable and non-discriminatory (RAND) conditions] and are working on the convergence of our policy with that of ITU. What are your views on this?

Tamotsu Nomakuchi: In most cases, technical standards in the area of information technologies include intellectual property rights (IPRs), which may perhaps encourage competition-restrictive practices by taking advantage of IPRs with a view to using them in an adverse way. We therefore recognize that this issue will become increasingly important to our industry in the future. In order to address this issue, it is essential for all standardization bodies to streamline their rules and regulations when working with IPRs relating to technical standards. We welcome the recent studies that have reviewed patent policies among ISO, IEC and ITU. These studies mark the beginning of a new era.

We are eager for ISO, IEC and ITU to continue making efforts to create guidelines related to patent policies and frequently asked questions (FAQs) with a view to helping in their implementation, as well as to investigate measures for overcoming obstacles that restrict the spread and use of technical standards because of IPR-related competition-restrictive practices. We look forward to seeing measures such as clarification of reasonable and non-discriminatory (RAND) conditions, investigation of IPRs in the early stage of developing standards, and/or the confirmation of intent to join patent pools.

“We are eager for ISO, IEC and ITU to continue making efforts to create guidelines related to patent policies and frequently asked questions.”

ISO Focus: How have ISO International Standards – such as ISO 14000 for environmental management – helped Mitsubishi Electric to grow and progress as well as to implement its procurement policy?

Tamotsu Nomakuchi: Regarding ISO 14001, operation of the PDCA (Plan, Do, Check and Act) Cycle in accordance with the ISO standard is extremely helpful for improving performance and ensuring observance of the law. With regard to performance, from the viewpoint of MET (M: Material, E: Energy and T: Toxicity), we have established and promoted specific targets in the following areas: effective utilization of resources; efficient use of energy; and reduced use of substances potentially harmful to the environment. In November 2004, ISO 14001 was revised and, in response to this revision, we will continue to increase and promote our contribution to the environment. For our company, environmental management is of the utmost importance; we must fulfil our social responsibility. We have reduced the environmental impact by making full use of our company’s technologies and products. Secondly, we have developed an environmental business by giving feedback and know-how to businesses and clients. Such activities result in a synergy between environmental management and environmental business.

Our company promotes universal design and ecology, and provides top products that are both user-friendly and eco-friendly. With the concept of universal design, hyper-eco products and hyper cycle technology after use, we are striving to improve the safety and user-friendliness of our products, as well as to reduce their impact on the environment.

ISO Focus: What new areas of standardization would the Mitsubishi Electric Group like to see coming out of ISO?

Tamotsu Nomakuchi: For sustainable development at a global level, it is vital to reduce the environmental burden through toxic substances control, energy saving, and the promotion of recycling. As I mentioned above, Mitsubishi Electric Group puts stress on this point and is developing continuous activities. In this area, where all countries and firms are required to conduct cooperative activities based on a general agreement, necessity for International Standards will be rapidly getting higher. We would greatly like to expect ISO’s continued leadership, in cooperation with IEC and ITU as well as other standards organizations.
6 ISO Focus September 2005 Main Focus World Standards Day Message 14 October 2005 Standards for a safer world
We all want to live in a safer, more secure world. But earthquakes and hurricanes, floods, transportation and domestic accidents, epidemics and industrial disasters still account for many thousands of deaths and injuries each year, in addition to material and social damage. International Standards offer widely accepted and recognized solutions to prevent and respond to these threats. The role that standards can play in preventing or mitigating such human and material losses is increasingly recognized, and their use is rising as a consequence.

“ Standards for a Safer World ” is the theme of this year’s World Standards Day, to be celebrated on 14 October 2005. The International Standards produced by the world’s leading international standards-setting organizations – the International Electrotechnical Commission, the International Organization for Standardization and the International Telecommunication Union – provide a valuable safety net.

Photo : Mr. Renzo Tani, IEC President ; Prof. Masami Tanaka, ISO President ; Mr. Yoshio Utsumi, ITU Secretary-General.

The three organizations’ procedures and areas of expertise ensure that the world’s leading experts from industry, government, academia and society work together to develop International Standards that contribute to building a safer, more secure world. Their International Standards are thus based on a double level of consensus : amongst stakeholders and across countries.

For those technologies involving electricity, electronics and related technologies, the IEC produces both product-specific standards (for example, for electrical batteries or laptop computers) and system standards (for example, functional electrical safety in a factory system). Product standards enable goods to be certified to internationally recognized safety standards. Typical hazard abatement measures include protection against electric shock, excessive temperatures and fire, ensuring that equipment does not have sharp edges or moving parts, and protection against the effects of electromagnetic emissions on the human body.

Just a few of the many fields where ISO International Standards ensure safety include construction, transportation, and safety in the home or at the workplace. From safety in buildings, including emergency, fire and alarm systems, to standards that help to protect car drivers and passengers (such as child restraint systems, anti-locking braking systems and airbags), to various aspects of food safety and quality (including a new food safety management system), to machinery safety standards, ISO standards help make the world a safer place.

For its part, ITU is taking a leading role in the area of cybersecurity, developing standards that will help to combat cyber crime, including protection against identity theft. In the non-cyber world, ITU is working on standards that will allow the prioritization of calls in a disaster situation. This means that in an emergency, telecommunications networks can be effectively cleared of non-urgent calls. The new phenomenon of telemedicine, whereby doctors and surgeons located in different facilities can communicate and administer treatment remotely, is also possible thanks to ITU’s real-time multimedia standard.

Implementation of IEC, ISO and ITU International Standards at the national and/or regional level is helping make the world a safer place. The standards currently under development by the three organizations address the new safety and security challenges of the 21st century. Together, the IEC, ISO and ITU are working to produce the “ Standards for a Safer World ”.

The IEC, ISO and ITU offer a portfolio of thousands of International Standards specifically focusing on safety and security and relating to such diverse areas as :

• Products, systems and the global supply chain ;
• Medical technologies and telemedicine ;
• Measurement of the effects of nuclear radiation or electromagnetic emissions on the human body ;
• Means to monitor illicit trafficking of radioactive material ;
• Biometric technology for identifying people and protecting access to sensitive areas ;
• Effective communications following a natural disaster or during an emergency ;
• Cybersecurity and protection of the integrity of fixed and mobile communication networks.

IEC, ISO and ITU standards developed at the international level are available for use at the national and regional levels to meet societal, market and regulatory needs. They assist in disseminating best practices and new technologies, while avoiding new barriers to trade that national security and safety regulations may create.

Biography of the artist overleaf.
Advisory Group on security

At its meeting in September 2003, the ISO Council, recognizing that events in recent years had placed the subject of security high on the list of government priorities as well as a concern of the general public, requested that an inventory be developed of ISO standards relevant to the field of security and that the Technical Management Board (TMB) also be engaged in this activity. As a consequence, the TMB established a high-level Advisory Group on security (AGS).

The AGS met extensively by teleconference, but also held two physical meetings, in New York in June 2004 and in Geneva in September. Its final report and recommendations were considered by the Technical Management Board at its meeting in February 2005 and subsequently were made available to all ISO member bodies.

In its report, the AGS noted that current ISO work on security had resulted almost entirely from bottom-up efforts by its security-relevant technical committees and it was considered that this needed to be supplemented by a more strategic, top-down perspective. As a consequence, and recognizing that similar considerations had been undertaken in the International Electrotechnical Commission (IEC), it was agreed to establish a joint ISO/IEC Strategic Advisory Group on security to provide ongoing strategic oversight of security-related standardization work in both ISO and IEC. The group has also been asked to charter a subgroup to develop guidance for ISO and IEC committees on the inclusion of security aspects in standards.

As part of its deliberations, the AGS members had been requested to consult widely with stakeholders in their countries, and many of the stakeholders had indicated that they lacked knowledge about what security standards exist and how to obtain them. As a result, the ISO Central Secretariat has been requested to make available a Web portal providing access to the inventory of security standards and linking to similar portals of other organizations. It is expected that the portal will be available by the end of 2005.

Most of the remaining AGS recommendations related to particular aspects of security and have been referred to the relevant ISO committees. These deal with such subjects as management of security, threat/vulnerability assessment (which will be addressed in a new initiative to develop a standard for the broad field of risk management), built infrastructure protection, protection and equipment for first responders, personal identification, cybersecurity, healthcare, resources and transportation systems.

A particularly urgent need was seen for an emergency preparedness standard, and a proposal is expected in the next few months to develop an International Workshop Agreement (IWA) on this subject.

Biography of Mark Elder

Trained in fine arts, photography and design, Mark Elder has worked as a graphic designer for over twenty years. Most of this time was spent as an art director in the magazine industry, both in Sydney and London. He has worked on, at one time or another, nearly every publication that you can think of in such areas as lifestyle, motoring, music, health and gardening, to name a few.

For the last fifteen years, he has been running his own design company, Look Serious Design, specialising in developing designs for new businesses, new publications and ideas that interest him. He has worked with clients in Indonesia, Singapore, London and Los Angeles. As well as designing, he has written a book, TV commercials and an award-winning short film, as well as countless articles on travel, humour and men’s issues for Elle, Cleo, GQ, Body+Soul and The Sun Herald. His article on anorexia in boys is now part of the Australian curriculum for high school students.

As well as being a classically trained percussionist, his other interests are travelling and photography. He is presently the Corporate Creative Director with SAI Global, Australia. In his spare time, he is writing another book, working on a series of paintings for an exhibition, helping friends launch a new magazine and studying psychology.
Improved ISO/IEC 17799 heralds new series on information security management systems

by Ted Humphreys, Convenor ISO/IEC JTC 1/SC 27, WG 1
The newly published ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, is a revised, improved version of the standard that has become the international benchmark. It will be followed later this year by the new ISO/IEC 27001, Information security management systems – Requirements, intended for management system certification.

Every organization has assets essential to its survival. Arguably, information in its various forms is one of the most important assets, be it printed, stored electronically, posted or e-mailed, shown on film or spoken.

For most businesses, information security may be essential to maintain competitive edge, cash flow, profitability, legal compliance and commercial image. But many businesses and most non-business organizations may hold information as their only asset. An absence of information security may threaten their integrity and, therefore, their very existence.

The 2002 Computer Crime and Security Survey 1) of 503 computer security practitioners in the United States indicated that the threat from computer crime and other information security breaches continues unabated – and that the financial toll is mounting.

According to the survey’s findings, 90 % of respondents detected computer security breaches within the 12 months covered by the survey, 80 % acknowledged financial losses due to computer breaches, and 46 % (223 respondents) reported their resulting financial losses as totalling USD 455 848 000 2) (excerpt from “ Business standards : IT security — securing your business advantage ”, ISO Management Systems, July-August 2003).

Improved protection guidelines

With exploitation of these computer vulnerabilities accelerating at an alarming rate, the work of Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee 27, IT Security techniques, Working Group 1, Requirements, services and guidelines, has become timelier than ever.

In view of the critical need for the business world to protect the confidentiality and integrity of information, the ISO/IEC working group has developed an improved version of the joint ISO/IEC standard that has become the burgeoning e-commerce community’s international benchmark for information security management.

Just published, the revised ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management 3), integrates the latest developments in the field to maintain it as the international standard code of practice.

ISO/IEC 17799:2005 is a code of practice for information security management. It is not a certification standard and was neither designed, nor is it suitable, for this purpose. It will be followed in the last quarter of the year (publication currently expected in November 2005) by the specification standard ISO/IEC 27001, Information security management system (ISMS) requirements, which can be used for certification.

1) The survey is conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation (FBI) Computer Intrusion Squad.

2) Refers to those respondents who were willing and/or able to quantify their financial losses.

3) ISO/IEC 17799:2005, Information technology – Security techniques – Code of practice for information security management, costs 200 Swiss francs and is available from ISO national member institutes (these are listed with full contact details on ISO’s Web site : www.iso.org) and from ISO Central Secretariat ([email protected]).
International language

The revised ISO/IEC 17799:2005 is the most important standard for managing information security that has been developed – it establishes a truly international common language for information security for all organizations around the world to engage with each other to do business.

It provides organizations with many state-of-the-art additions and improvements in information security best practice. For example : better management of security arrangements with external businesses, outsourcing and service providers ; enhanced incident handling capability ; dealing with the problems of patch management, mobile devices, wireless technologies and harmful mobile code via the Internet ; improvements in best practice for managing human resources ; and several other new features.

The new version addresses the security of information in its widest sense, providing best business practice, guidelines and general principles for implementing, maintaining and managing information security in any organization producing and using information in any form.

ISO/IEC 17799:2005 identifies the controls that form the starting point for information security. It covers the critical success factors, the organization of information security, asset management, human resources, physical and environmental security, communications and operations management, information systems acquisition, development and maintenance, incident management, business continuity management and compliance. It is destined to become an essential tool for organizations of every type and size, whether public or private.

Here are some of the drivers for this revised edition of the Code of Practice, highlighting its new features that address the latest business requirements.

Business drivers and requirements

Several changes to business environments and new ways of doing business were important in driving the development of the revised ISO/IEC 17799:2005. We recognized :

• the growing dependence on the use of external services and the management of service delivery ;
• changes to the risks and threats facing businesses ;
• new and emerging technologies and greater connectivity, and the impact this has on protecting information ; and
• growing security requirements for regulatory compliance.

What users think of ISO/IEC 17799

Has ISO/IEC 17799 been valuable to users ? What do they expect from the revised version ? Here is some feedback from organizations around the world about benefits they have experienced from implementing the best practice given in this standard, to support the economic well-being of their businesses.

Microsoft : ‘ An invaluable toolset ’

“ The ISO/IEC 17799 standard, in particular the newly revised version, is an invaluable toolset for the information security professional. This standard provides them with a universal approach of communicating information security best practice, a way to ensure consistency of practice, and a means to establish and raise the baseline for managing information security risk in their environment.”
Meng-Chow Kang, CISSP, CISA and Chief Security & Privacy Advisor, Asia Pacific Region, Microsoft.

Fujitsu : ‘ Much more user friendly ’

“ The 2000 version of 17799 provided management with a tool to ensure that all important areas of information security were included in security control programmes, including best practice advice to deal with the risks of third party access from suppliers, outsourcing arrangements and service delivery. The new 2005 version makes it much simpler to develop internal standards because the requirements are now clearly and consistently described for each control. We plan to start using it in our ISMS work as soon as possible because it is much more user friendly.”
John Snare, Fujitsu Australia.

PCCW : ‘ has benefited extensively ’

“ By continuously enhancing its strategic and operational approach to the consistent management of information security, PCCW has benefited extensively from using the structured approach contained within ISO 17799. With the release of the new version, including the new multiple controls, the tightening of existing controls and the alignment of the new simplified structure, ISO 17799:2005 will allow PCCW to immediately enhance and further lead the industry in applying world best information security practices to the protection of its information assets.”
Dale Johnstone, Information Security Governance Risk Management, PCCW Limited, Hong Kong.
External services

The revised edition introduces a number of improvements and updates and additional best practice provisions.

The business world is more dependent on external services for its outsourcing, off-shoring, networking and Internet hosting needs than ever before – and more business is being carried out with clients, business partners and supply chains using various on-line and networking arrangements. While providing business efficiency and better information sharing in highly competitive markets, it also makes access to organizational systems easier and increases the vulnerability of sensitive and critical information.

ISO/IEC 17799:2005 extends best practice to external services to address today’s business demands, and has also introduced new service management controls aimed at securing the availability and accessibility of external services.

Human resources

Another revision addresses the critical area of information security and employees. Irrespective of how good the security technology may be, people can be exploited and thus compromise security. ISO/IEC 17799:2005 improves best practice in three key areas :

1. Prior to employment
– the recruitment process ;
– employee references and screening, and
– contracts, terms and conditions of employment.

2. During employment
– allocating roles and responsibilities ;
– giving access rights and establishing user accounts ; and
– training and awareness, including applying procedures and reporting incidents.

3. At termination of employment
– removing access rights and user accounts, thus preventing later access to the organization’s systems and processes ;
– removing physical access, e.g. cancellation of entry passes ; and
– return of assets such as information, papers, storage media, software and laptops.

Threats and vulnerabilities

ISO/IEC 17799:2005 also acknowledges a number of threats and vulnerabilities that have emerged recently, including :

• Management of software patches – in recognition of the increasing risk of new software being exploited before patches can be introduced to counter the problem.
• Potential problems of mobile code – addressing the need for control of mobile software code to avoid breaches of information security, including unauthorised use or disruption of business systems, networks, or applications.
• Pervasive use of mobile devices and wireless networks – awareness that those sharing wireless networks can gain access to mobile devices, laptops and business information.

Helping organizations worldwide

ISO/IEC 17799:2005 is intended to provide organizations around the world with new best practice improvements and enhancements to help them :

• provide greater customer confidence and assurance that their systems and services are “ fit for purpose ” ;
• make more profitable use of their investment in information security as a business enabler ;
• enhance management control of business information assets and information security risks ;
• make improvements to internal security policies and procedures operations, and to security arrangements with suppliers and service providers ;
• achieve compliance with applicable national and international security requirements.

About the author

Ted Humphreys is the Convenor of ISO/IEC JTC 1/SC 27, WG1, which is responsible for managing projects such as ISO/IEC 17799, ISO/IEC 13555 and ISO/IEC 18044. Ted Humphreys is Director of XiSEC Consultants Ltd, a UK company providing Information Security Management consultancy services around the world. He has been an expert in the field of IT and telecommunications security, information security and risk management for more than 27 years. During this time he has worked for major international companies (in Europe, North America and Asia), and organizations and institutions such as the European Commission and the OECD.
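The "at termination of employment" control above (removing access rights and user accounts so that later access is impossible) is one that auditors check by reconciling the HR roster against the accounts that actually exist. The script below is an added example, not code from the article or from ISO/IEC 17799 itself; it runs over a constructed HR roster and a constructed account list and reports the three conditions a reviewer of that control looks for: leavers whose accounts are still enabled after their leaving date, logins recorded after the leaving date, and enabled accounts with no HR owner at all. All names, dates and account records are constructed sample data; the grace period is an assumed parameter, not something the standard prescribes.

```python
"""Reconcile HR leavers against system accounts (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Sequence


@dataclass(frozen=True)
class HrRecord:
    employee_id: str
    name: str
    leaving_date: Optional[date]  # None = still employed


@dataclass(frozen=True)
class Account:
    username: str
    employee_id: Optional[str]    # None = no owner recorded for the account
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: neither real people nor real systems.
HR_ROSTER: List[HrRecord] = [
    HrRecord("E1001", "A. Example", None),
    HrRecord("E1002", "B. Example", date(2005, 8, 15)),   # has left
    HrRecord("E1003", "C. Example", date(2005, 9, 30)),   # leaving later
]
ACCOUNTS: List[Account] = [
    Account("aexample", "E1001", True, date(2005, 9, 1)),
    Account("bexample", "E1002", True, date(2005, 8, 20)),  # leaver, still enabled, used after leaving
    Account("cexample", "E1003", True, date(2005, 9, 1)),   # still employed: fine
    Account("svc-backup", None, True, None),                # enabled but owned by nobody
    Account("dexample", "E9999", False, None),              # unknown owner, but already disabled
]


def find_stale_leaver_accounts(roster: Sequence[HrRecord], accounts: Sequence[Account],
                               as_of: date, grace_days: int = 0) -> List[str]:
    """Enabled accounts whose owner left on or before as_of minus the grace period."""
    left_by = {r.employee_id: r.leaving_date for r in roster if r.leaving_date}
    cutoff = as_of - timedelta(days=grace_days)
    return sorted(a.username for a in accounts
                  if a.enabled and a.employee_id in left_by and left_by[a.employee_id] <= cutoff)


def find_post_leave_logins(roster: Sequence[HrRecord], accounts: Sequence[Account]) -> List[str]:
    """Accounts with a recorded login later than the owner's leaving date: access after termination."""
    left_by = {r.employee_id: r.leaving_date for r in roster if r.leaving_date}
    return sorted(a.username for a in accounts
                  if a.last_login and a.employee_id in left_by and a.last_login > left_by[a.employee_id])


def find_orphan_accounts(roster: Sequence[HrRecord], accounts: Sequence[Account]) -> List[str]:
    """Enabled accounts that map to no HR record at all (nobody is accountable for them)."""
    known = {r.employee_id for r in roster}
    return sorted(a.username for a in accounts if a.enabled and a.employee_id not in known)


def reconcile(roster: Sequence[HrRecord], accounts: Sequence[Account],
              as_of: date, grace_days: int = 0) -> dict:
    """Run all three checks and return the findings keyed by finding type."""
    return {
        "stale_leavers": find_stale_leaver_accounts(roster, accounts, as_of, grace_days),
        "post_leave_logins": find_post_leave_logins(roster, accounts),
        "orphans": find_orphan_accounts(roster, accounts),
    }


if __name__ == "__main__":
    for kind, users in reconcile(HR_ROSTER, ACCOUNTS, as_of=date(2005, 9, 1)).items():
        print(f"{kind}: {', '.join(users) or 'none'}")
```

Run against an export of the real HR system and directory, the same three lists give a measurable figure for how well the leaver process works; a non-zero "post_leave_logins" list is the finding that matters most, because it shows the window the control is meant to close was actually used.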
Complementary and supportive standard

While ISO/IEC 17799:2005 is a code of practice for information security management, it is not applicable to management system certification. However, the complementary and supportive standard ISO/IEC 27001, Information security management systems – Requirements, is designed for this purpose. Publication of the ISO/IEC 27001 ISMS is expected in November 2005.

The specification standard is a revised version of BS 7799 Part 2:2002 (ISMS), which has been used for certification for the past seven years. Both use the Plan-Do-Check-Act process model as featured in ISO 9001:2000 and ISO 14001:2004, and are based on the same certification process as the QMS and EMS standards.

International certification activities

Already over 1300 organisations in over 50 countries have had their ISMS certified. The figure is rising by around 80-100 per month and it is expected that certification to ISO/IEC 27001:2005 will accelerate this growth via some 45 accredited certification bodies involved in the process.

A free access register, available on the ISMS International User Group Web site (www.xisec.com), provides details of the certificates to be registered and/or modified/deleted. This information is submitted regularly by all the accredited certification bodies involved.

The ISO/IEC 27000 series

ISO/IEC 17799:2005 and the future ISO/IEC 27001 are part of the ISO/IEC 27000 series of standards being developed by JTC 1/SC 27. There is a proposal to allocate the number ISO/IEC 27002 to ISO/IEC 17799 in 2007. Currently, SC 27 is developing ISO/IEC 27003 and ISO/IEC 27004, aimed at providing supporting guidance for ISO/IEC 27001.

The creation of a family of ISMS-related standards is intended to mirror the approach adopted by the ISO 9000:2000 series of QMS standards – and thus ISO/IEC 27001 will serve information security as ISO 9001:2000 does quality.

Biometrics : global challenges and customer needs

by Fernando L. Podio, Chair, ISO/IEC JTC 1/SC 37

Biometric technologies are able to establish or verify the personal identity of individuals against previously acquired data. Used alone, or together with other authentication technologies such as tokens and encryption, biometric technologies can provide higher degrees of security than other technologies employed alone, and can also be used to overcome their weaknesses. Biometrics is defined as the automated recognition of individuals based on their behavioural and biological characteristics. Hand and facial features, fingerprints and iris patterns are examples of biological characteristics. Behavioural characteristics are traits that are learned or acquired, such as signature verification and keystroke dynamics. Biometric technologies are ready to pervade nearly all aspects of the economy and our daily lives.

Although for many years biometric technologies have been used mainly in law enforcement, they can now be found in all levels of government functions, in national defence applications and in commercial fields ranging from financial transactions to visitor authentication in amusement parks. World events in the last few years have further increased global interest in highly secure personal authentication using biometrics. National security priorities have led to the use of biometrics in machine readable travel documents, employee
identification badges, and other secure applications.

With the rapid dissemination of biometric technologies, it is important to recognize that enterprise systems and applications based upon consensus-based international biometric standards are more likely to be interoperable, scalable, usable, reliable, secure, and economical than proprietary systems.

Data interchange formats and other open systems standards

The establishment of ISO/IEC JTC 1/SC 37, Biometrics, in June 2002 offered the IT community and end-users an international venue to accelerate and harmonize formal international biometric standards. SC 37 successfully brought together a wide range of interests among IT organizations, the biometric industry, security experts and end-users of multiple biometric-based identification and verification applications. The JTC 1 subcommittee currently has twenty-two participating members, five observer members and established liaisons with eleven organizations including other JTC 1 subcommittees, an ISO TC, and outside organizations ; SC 37 is currently responsible for the development of thirty projects/subprojects.

As shown in the accompanying chart, SC 37’s work programme includes the following types of biometric standards :

Biometric data interchange standard formats promote the exchange of biometric data in standardized formats among multiple vendors and applications. They define either biometric image formats or template formats. SC 37 is developing these formats for a number of modalities.

Common Biometric Exchange Formats Framework (CBEFF) defines a data structure that is a requirement for conformance to all the data interchange standards. It defines metadata that describe biometric data in the structure, enabling applications to decide their interest in the particular data without having to decode it. It includes, for example, the identification of the data format.

Biometric performance testing and reporting standards define standard testing methodologies to test the performance of systems and devices. The goal is to provide tools for the understanding and prediction of real-world error and system throughput performance. Current development includes a principles and testing framework specification that presents the requirements and best scientific practices for conducting technical performance testing to determine error and throughput rates. The multi-part standard includes performance-testing methodologies for specific testing programs and for different testing methodologies, and also includes a framework for biometric device performance evaluation.

Biometric interface standards include the CBEFF standard described above, the BioAPI specification and related standards. The BioAPI specification defines an open system standard application program interface (API) that allows software applications to communicate with a broad range of biometric technologies in a common way. The related standards under development include a biometric archive specification, support for Graphical Users’ Interfaces, a BioAPI specification for systems with memory or computing power limitations, and a BioAPI interworking protocol enabling distributed components of a biometric system to talk to each other. A conformance testing methodology for BioAPI is also under development.

Biometric profiles for interoperability and data interchange standards describe requirements for specific applications and identify base standards for specific domain(s) of use. They also identify mandatory requirements for each of these base standards and the optional characteristics and parameter values that should be considered mandatory for the specific application(s).

In addition to the projects described above, SC 37 is developing a harmonized biometric vocabulary and four technical reports :

About the author

Fernando L. Podio is a member of the Computer Security Division of the Information Technology Laboratory at the National Institute of Standards and Technology (NIST). For the past seven years he has been involved in biometrics research and standardization. He is currently responsible for the NIST Program on Accelerating the Development of Critical Biometric Standards & Associated Conformity Assessment Activities. He is Chair of ISO/IEC JTC 1/SC 37, Biometrics, and he also chairs the International Committee for Information Technology Standards Technical Committee M1, Biometrics. He is the co-chair of the Biometric Consortium, which is an organization of over one thousand members from Government, industry and academia.

Computer Security Division, Information Technology Laboratory, NIST, 100 Bureau Drive, MS 8930, Gaithersburg, MD 20899-8930. E-mail : [email protected]
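The performance-testing passage above speaks of "error and throughput rates" without saying how they are derived. The following is an added example, not code from the article or from any SC 37 standard: it takes constructed similarity scores from mated comparisons (same person) and non-mated comparisons (different people) and computes the two error rates a test report gives at a decision threshold, here called false match rate (FMR) and false non-match rate (FNMR), which is the usual vocabulary for these rates although the article does not name them. It then sweeps thresholds to show the trade-off, locates the point where the two rates meet, picks the operating threshold for a target FMR (the security-driven way to set it), and turns constructed transaction times into a throughput figure. The scores, timings and the "higher score means more similar" convention are all assumptions of this example; a real evaluation uses thousands of comparisons gathered under a documented protocol.

```python
"""Error and throughput rates from comparison scores (added example, constructed data)."""
from typing import List, Sequence, Tuple

# Constructed similarity scores on a 0..100 scale; higher = more similar (assumed convention).
MATED_SCORES: List[int] = [91, 88, 85, 79, 77, 72, 70, 68, 64, 55]      # same person
NONMATED_SCORES: List[int] = [12, 18, 21, 25, 33, 37, 41, 46, 58, 66]   # different people
# Constructed end-to-end transaction times in seconds (capture plus comparison).
TRANSACTION_SECONDS: List[float] = [1.8, 2.1, 1.7, 2.4, 1.9, 2.0]


def false_match_rate(nonmated: Sequence[float], threshold: float) -> float:
    """Share of non-mated comparisons wrongly accepted: score at or above the threshold."""
    return sum(s >= threshold for s in nonmated) / len(nonmated)


def false_non_match_rate(mated: Sequence[float], threshold: float) -> float:
    """Share of mated comparisons wrongly rejected: score below the threshold."""
    return sum(s < threshold for s in mated) / len(mated)


def error_tradeoff(mated: Sequence[float], nonmated: Sequence[float],
                   thresholds: Sequence[float]) -> List[Tuple[float, float, float]]:
    """(threshold, FMR, FNMR) for every candidate threshold: raising it trades FMR for FNMR."""
    return [(t, false_match_rate(nonmated, t), false_non_match_rate(mated, t)) for t in thresholds]


def equal_error_point(mated: Sequence[float], nonmated: Sequence[float],
                      thresholds: Sequence[float]) -> Tuple[float, float, float]:
    """Sweep entry where FMR and FNMR are closest: a single summary figure for a system."""
    return min(error_tradeoff(mated, nonmated, thresholds), key=lambda row: abs(row[1] - row[2]))


def threshold_for_target_fmr(nonmated: Sequence[float], thresholds: Sequence[float],
                             target_fmr: float) -> float:
    """Lowest threshold in the sweep that keeps FMR within the target.

    Setting the operating point from the FMR side puts the security requirement
    first; the FNMR that results is the convenience cost paid for it.
    """
    candidates = [t for t in sorted(thresholds) if false_match_rate(nonmated, t) <= target_fmr]
    if not candidates:
        raise ValueError("no threshold in the sweep meets the target FMR")
    return candidates[0]


def throughput_per_hour(seconds: Sequence[float]) -> float:
    """Transactions per hour implied by the mean transaction time."""
    return 3600.0 / (sum(seconds) / len(seconds))


if __name__ == "__main__":
    sweep = range(0, 101, 10)
    for t, fmr, fnmr in error_tradeoff(MATED_SCORES, NONMATED_SCORES, sweep):
        print(f"threshold {t:3d}: FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("equal-error point:", equal_error_point(MATED_SCORES, NONMATED_SCORES, sweep))
    print("threshold for FMR 0:", threshold_for_target_fmr(NONMATED_SCORES, sweep, 0.0))
    print(f"throughput: {throughput_per_hour(TRANSACTION_SECONDS):.0f} transactions/hour")
```

With these constructed scores the two rates cross at a threshold of 60 (10 % each), and demanding zero false matches pushes the threshold to 70, where three of ten genuine users are rejected; that shape of trade-off, not the particular numbers, is what a performance test report is meant to make visible.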