
Volume 2, No. 2, February 2011, ISSN 1729-8709

Security

• Guest Interview : For biometrics leader Daon : “ Standards are critical ”

• Cabling standards for high-tech football stadiums

Contents

Comment
• Kevin W. Knight, Chair of ISO working group that developed ISO 31000:2009 – On high alert – Solutions to managing security-related risk ...... 1

World Scene
• International events and international standardization ...... 2

Guest Interview
• Catherine Tilton – Vice-President, Daon ...... 3

Special Report
• Maximum security – Minimum risk ...... 8
• Be prepared – Ensuring security and resilience throughout the supply chain ...... 10
• Operation cyber-security – Solutions for business-as-usual ...... 13
• Safeguarding payments – ISO standards beef up protection in a networked world ...... 16
• Who is who? – Biometrics provides answers for public and private sectors ...... 18
• A matter of life and death – Metric system to the rescue ...... 23
• Dangerous routes – Anti-tampering measures for freight containers ...... 26
• Protecting our society – ISO’s crisis management approach to all hazards ...... 29

Centre-fold
• Ready? ...... 20-21

Planet ISO
• News of the ISO system ...... 32

Management Solutions
• ISO 14001 for SMEs – Handbook/CD on environmental management ...... 33

Standards in Action
• Cabling standards – Turning football stadiums into high-tech arenas ...... 34

360°
• How to do it – Getting standardization into the classroom ...... 37

New Releases
• Best-selling ISO standards – Now available in e-book formats ...... 40

Coming Up ...... 41

ISO Focus+ is published 10 times a year (single issues: July-August, November-December). It is available in English and French.
Annual subscription – 98 Swiss Francs. Individual copies – 16 Swiss Francs.

Publisher: ISO Central Secretariat (International Organization for Standardization), 1, chemin de la Voie-Creuse, CH – 1211 Genève 20, Switzerland.
Tel.: +41 22 749 01 11. Fax: +41 22 733 34 30. E-mail: [email protected]. Web: www.iso.org/isofocus+

Manager: Roger Frost
Editor: Elizabeth Gasiorowski-Denis
Assistant Editor: Maria Lazarte
Communication Officer: Sandrine Tranchard
Artwork: Xela Damond, Pierre Granier and Alexane Rosa
Translation: Translation Services, ISO Central Secretariat

Subscription enquiries: Sonia Rosas Friot, ISO Central Secretariat. Tel.: +41 22 749 03 36. Fax: +41 22 749 09 47. E-mail: [email protected]

© ISO, 2011. All rights reserved. The contents of ISO Focus+ are copyrighted and may not, whether in whole or in part, be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying or otherwise, without written permission of the Editor. The articles in ISO Focus+ express the views of the authors, and do not necessarily reflect the views of ISO or of any of its members.

ISSN 1729-8709. Printed in Switzerland.

Cover photo: ISO, 2011

ISO Update: www.iso.org/isoupdate

Comment

On high alert – Solutions to managing security-related risk

Security, or rather the lack of security, results in a variety of effects that lead to uncertainty with respect to the achievement of societal and organizational objectives. The use of the term “security” implies that there exists the threat of risk – whether from terrorism, cyber-security or identity threat – and that dire measures need to be taken in order to secure society from these threats.

Following the publication of ISO 31000:2009, Risk management – Principles and guidelines, the management of risk has moved from a focus on financial, operational, market, employment, insurance and reputational risks to a broader approach based on the effect of uncertainty on the achievement of organizational objectives.

A consequence of focusing on the effect of uncertainty on objectives is that the management of security risk has moved from the shadows into mainstream management. A risk-based approach to security draws the attention of the organization’s board and top management. It also results in transparent decision-making with respect to risks that threaten the ongoing sustainability and resilience of an organization. It also requires that appropriate accountabilities and responsibilities are assigned at each and every step of the management process, and that all security risks have an owner.

The involvement in, and management of, security risk by top management ensures that the control and treatment of events, often outside the experience of an organization, are properly addressed. The end goal is to provide the best outcomes for the achievement of the organization’s objectives. Security risks are identified, assessed and treated as part of the overall management of organizational risk, resulting in greater understanding of the need for the organization’s investment in security related treatment.

The formal inclusion of security risk is a vitally important part of an effective organizational approach to the management of risk that should fit seamlessly into an organization’s management system. It introduces a new element: the concept of someone deliberately introducing an exposure to potential harm and seeking actively to bypass existing controls. The potential consequences of security risk also need to be addressed in the organization’s plans for managing disruption-related risk so as to ensure that the required capability, resources and knowledge are available and accessible to support the achievement of these key objectives.

ISO 31000 is a must-have solution for all.

An effective enterprise risk management system (ERM) will ensure that security-related risk is interlinked with all other risk management activities being addressed (e.g. safety, environmental, marketing, reputation, regulatory, financial, etc). It must be clearly understood that the only differences in approach relate to the application of discipline specific knowledge and skills that relate to each risk area – the overall principles, framework and process remain the same.

While many security risk activities may be conducted by specialist areas, many will also be conducted as part of the way other organizational units routinely address their exposures (e.g. managing employment-related security risks should be a fundamental human resources accountability whilst information technology (IT) related security risk should be an accountability of IT management).

The management of risk is critical to effective decision-making that ensures strategy and controls are more appropriately applied. It provides an interface between such decision-making and the implementation of key functions, processes and infrastructure, which are required to achieve organizational objectives.

The management of security risk requires those accountable to have a thorough understanding of the principles, framework and process first and foremost. This must be complemented by a thorough understanding of the specific security disciplines.

In the current environment, security within society or an organization cannot be left isolated from all of the other management processes and systems. Security should encompass issues such as strategy, governance, ethical conduct, safety and organizational performance. For the management of security risk to be successfully integrated into the fabric of society and organizations, it must become an integral part of how they operate by becoming as fundamental as financial and human relations management, communication and decision-making skills.

ISO 31000 is a must-have solution for all organizations and the whole of society. It provides best practice guidelines to effectively manage security-related risk, and in so doing, maximizes opportunities and minimize threats for the benefit of all.

Kevin W. Knight AM*
Chair of the ISO working group that developed ISO 31000:2009.

* Member of the General Division of the Order of Australia.

ISO Focus+ February 2011 © ISO Focus+, www.iso.org/isofocus+ 1

World Scene

German efforts to promote standardization education

“Education about standardization – international multidisciplinary” was the title of a conference organized by the Technische Universität Berlin in cooperation with DIN, the ISO member for Germany.

The event highlighted the importance of standardization for the economy and society as a whole. It also emphasized the need to integrate standardization in education at all levels, and as early as possible, in order to strengthen and advance its role in society.

The conference, which was organized at the end of 2010 and attended by over 70 participants, reviewed the current needs and activities through several presentations made by representatives from academia and industry such as Prof. Dr. Knut Blind, Egon Behr and Dr. Jens N. Albers. Further presentations were held by representatives of DIN and Beuth, such as Heinz Gaub and Claudia Michalski and also by the European representatives Christine Kertesz and John Ketchell.

Daniele Gerundino, Strategic Advisor to the ISO Secretary-General, spoke about ISO’s efforts to promote standardization in education. He mentioned the ISO Award for higher education institutions which aims to encourage awareness of standardization. He also highlighted ISO’s two additional awards which promote standardization, including the Helmut Reihlen Award for young standardizers and the Lawrence D. Eicher Leadership Award for outstanding performance of ISO technical committees.

A separate focus was the relevance of standardization for employees of enterprises, including the demands placed on them and possibilities for qualification.

The conference presentations, mainly in German, are available at www.ebn.din.de/sb/medienraum.

Director of DIN Dr. Torsten Bahke (centre back) with speakers at the event on education about standardization, in Germany.

Together against climate change

The latest edition of the Conference of the Parties of the United Nations Framework Convention on Climate Change (UNFCCC) – COP 16 – took place in Cancun, Mexico in December 2010.

The decisions taken during the conference ranged from the establishment of a “Green Climate Fund” to administer assistance to poor nations, to inscribing the commitments from the 2009 COP15 accord in Copenhagen, into formal UN documentation. UNFCCC members also agreed on REDD+ for crediting emission reductions from forest preservation. Businesses were encouraged to participate more actively in policy development process, and it is expected that they will be offered a formal engagement process in the near future. COP16 therefore allowed for greater contributions from businesses in the negotiations and recognition of their role in the fight against climate change.

Clearly, all stakeholders must be involved in order to effectively tackle climate change. This is why ISO’s portfolio of standards for tackling climate change is so important. ISO collects expertise from all stakeholders, builds consensus on best practice, and delivers practical tools that can be effectively implemented by industry, business and government.

The UNFCCC has been signed by 194 State Parties and the Kyoto Protocol has been ratified by 184 State Parties.

Hope for the planet in Rio+20

High hopes are placed on the UN Conference on Sustainable Development (UNCSD), also known as the Rio+20 Earth Summit, to be held in Rio de Janeiro, Brazil in May 2012. Taking place exactly 20 years after the initial 1992 event in Rio (hence the name), the conference will bring world leaders together to:

• Secure renewed political commitment to sustainable development
• Assess progress towards internationally agreed goals on sustainable development
• Address new and emerging challenges.

UNCSD members have agreed on the following themes for the conference: a green economy within the context of sustainable development and poverty eradication, and an institutional framework for sustainable development.

ISO is planning to be actively involved in the event and its preparation because many of its standards provide powerful tools for taking action. Among them is ISO 14001 for environmental management systems. Up to the end of December 2009, at least 223 149 certificates to ISO 14001:2004 had been issued in 159 countries and economies.

Other standards (published and in development) in the ISO 14000 family address greenhouse gas emissions, lifecycle assessment, labelling, carbon footprint and eco-design, as well as other environmental concerns. Additional issues targeted by ISO standards include energy management (the future ISO 50001), environmental impact and sustainability of buildings, renewable energies, etc.

Social responsibility in Viet Nam

Social responsibility was at the heart of an event organized by the Viet Nam Chamber of Commerce and Industry (VCCI) in coordination with the United Nations Industrial Development Organization (UNIDO). The conference, which focused on ISO 26000 for social responsibility, took place in Hanoi, Viet Nam, in November 2010.

“The social responsibility of companies and organizations has become a very important issue for Viet Nam in today’s context”, said Nguyên Quang Vinh, Director of the Business Office of Sustainable Development under the VCCI, in his opening statement.

Company representatives from various sectors, and in particular from the clothing, footwear and cement industries, participated in a round-table conference during which speakers discussed issues such as discrimination against women, workers’ journeys after the traditional Tet holiday, the minimum wage, industrial hygiene, community training and the cost reduction of waste processing.

A sustainable development programme for cement factories was launched in order to reduce clinker rates in the manufacturing process, exploit natural resources more efficiently, undertake a management reform in low-profit factories, and pay more attention to workers’ health and occupational environment.

Guest Interview

Catherine Tilton – Daon – Leading biometric solutions

Daon, a company born in Ireland and headquartered in the USA, relies on ISO/IEC biometrics standards in providing platforms for the entire identity lifecycle, spanning applications that include border management, transportation and credentialing of employees and citizens.

Catherine Tilton is the Vice-President of Standards and Emerging Technology at Daon. She has more than 25 years of engineering and management experience, including some 16 years in the biometrics industry. Ms. Tilton has led the design, development, and deployment of numerous biometric systems in both the commercial and government domains. She is also very active in the development of national and international biometric standards, currently serving as the US head of delegation to ISO/IEC JTC1/SC 37 on biometrics, and Chair of the Biometric Identity Assurance Services (BIAS) Integration technical committee at the Organization for the Advancement of Structured Information Standards (OASIS). Her degrees are in nuclear and systems engineering.

ISO Focus+: What are the advantages of biometrics in general, and for enhancing security in particular? How do standards contribute to the development of the industry?

Catherine Tilton: It’s common knowledge that the world is becoming ever-more connected and mobile. Verification of personal identity becomes increasingly important in this new environment, as we constantly communicate while on the move and deal with each other remotely. Confirming our identities is essential to accessing commercial and civil services, and in some situations is necessary to prove we are not a threat.

Biometrics must be interoperable and reliable.

Biometrics refers to the automated recognition of individuals based on their behavioural and biological characteristics. This can include unique fingerprint, iris, or facial features that distinguish one person from another. Biometrics technology has become an essential weapon in the worldwide fight against both terrorism threats and identity theft.

Biometric data is directly linked to the individual, making it a key tool in verifying an asserted identity. Its use provides benefits not only for security, but also for convenience as the individual does not need to carry or remember anything extra.

For biometrics to be used effectively, data must be exchanged. This exchange may simply be between a capture device and a local resource, or it can be between a collection system and a backend matching system – or between systems, agencies or governments. Standards are required to support interoperable data exchange in a heterogeneous environment.


ISO Focus+: How have biometric standards evolved in the last decade? What role do ISO/IEC standards play in Daon’s identity assurance systems?

Catherine Tilton: Prior to 2001, the only biometric standards were those used by law enforcement and a very few commercial standards. But the tragic events of 9/11 stimulated application of biometrics for enhanced security, and development accelerated. ISO/IEC Joint Technical Committee JTC 1 subcommittee SC 37, Biometrics, was established in 2002. SC 37 has published biometric standards in the areas of technical interfaces, data interchange formats, performance testing and application profiles. The subcommittee has published a total of 31 standards and six technical reports, of which the most used are those related to biometric data formats.

The SC 37 family of biometric standards is meant to be a compatible set that can be used together in a layered approach, with the data formats forming the core upon which the layers are built. Data interchange formats have been defined for fingerprint image and template (the extracted features upon which biometric matching is performed), facial, iris, signature, vascular, and hand geometry data records.

Daon has architected its product suite according to open standards, since the company’s platforms are virtually always integrated within larger systems. Also, one of the main features of the Daon platforms is neutrality toward biometric modality, technology and vendor. That is, the platform is able to support a wide variety of biometric devices and algorithms, as well as external system interfaces, through its “snap-in” architecture. Standards are critical to this capability.

Daon has provided biometric identity assurance systems around the world, including for Japan’s border management system, citizenship and immigration in Australia, national ID in the Middle East and Mexico, and “visa shopping” in the European Union. Two programmes that are highly dependent upon ISO standards are the International Civil Aviation Organization (ICAO) ePassport programme and India’s Unique Identity programme.

Standards are critical.

ISO Focus+: With the growing security risks of travelling, ePassports are more and more in demand. How did ISO/IEC standards for machine readable documents help the industry progress?

Catherine Tilton: Since 1996, the International Civil Aviation Organization (ICAO), an agency of the UN, has been working towards a machine-readable travel document (MRTD). Realizing that a stronger connection than printed text and a photo was needed to tie the passport/visa holder to the document, ICAO worked with ISO/IEC/JTC 1/SC 17, Cards and personal identification, to develop a scheme based upon a contactless chip card, asymmetric cryptography and biometrics. Digital facial photographs were selected as the “globally interoperable biometric” (mandatory for all ePassports), with fingerprint and iris biometrics specified as options. But how was the biometric data to be made truly interoperable?

Reading a biometric British passport.

Fortunately, by the time biometric data was to be specified, SC 37 had been


formed and had developed draft standards for the selected modalities. The ISO/IEC 19794 series of biometric data interchange standards defined the format for facial data (ISO/IEC 19794-5), fingerprint data (ISO/IEC 19794-4) and iris data (ISO/IEC 19794-6). ICAO and JTC 1/SC 17, Cards and personal identification, were then able to cite these standards as requirements for the logical data structure of their machine-readable travel documents, as provided in ICAO 9303 and ISO/IEC 7501. These standards allow, for example, a German passport to be read, and the biometrics verified, in Spain.

One of Daon’s primary application domains is border systems, and the company quickly included ISO/IEC 19794 biometric data encoders and decoders within its DaonEngine platform, as well as its DaonEnroll biometric collection product. This enables utilization of the software for border management systems, including in Australia, Japan and the European Union. It further relies on the facial capture quality guidelines of ISO/IEC 19794-5 to ensure that the digital photographs it captures for its clients meet ICAO requirements, and are suitable for both visual inspection and facial recognition purposes.

ISO Focus+: One of the world’s largest biometrics programmes for identity assurance systems is taking place in India. Could you please describe the greatest challenges encountered in the programme’s implementation, and how are ISO/IEC biometric standards helping?

Catherine Tilton: India has 1.2 billion residents, including many of very limited means who lack personal identification documents. The Indian Government has long striven to provide basic support to the poor, but the infrastructure is not always available to ensure that benefits get to the intended recipients. Authorities refer to this as “leakage” in the system that allows benefits to be consumed by fraud and middlemen instead of by those in need.

In 2009 a new agency, the Unique Identity Authority of India (UIDAI), was chartered by the government to establish identification for all of the country’s residents who want and need it, so that they would no longer be disenfranchised and excluded from the financial and medical systems. The agency is developing the Aadhaar (Foundation) system, which will allow registrars (such as benefits agencies, banks and tax authorities) to collect basic biographic information plus fingerprint, iris, and facial images from residents.

An Indian girl supplies fingerprint images as part of the Unique Identity initiative.

About Daon

Daon is a leading provider of identity assurance software products focused on meeting the needs of governments and commercial organizations worldwide. Daon supports customers and system integrators in building enterprise solutions requiring the highest level of security, performance, scalability, reliability and privacy. Daon’s commercial off-the-shelf products are scalable, flexible and proven in the most challenging real-world environments and have been selected to secure more than 700 million identities around the globe.

The Daon product suite covers every aspect of identity management from pre-enrolment and identity proofing to enrolment, multimodal capture, adjudication, credentialing and provisioning, and provides a technology agnostic approach which gives leverage to the customer.

Daon’s offices are located in Washington DC, New York, Canberra, Singapore, London, New Delhi and Dublin.

For more information: www.daon.com


Capture of iris images from an Indian schoolgirl formatted according to ISO/IEC 19794-6.

The biometrics are used to first perform uniqueness checks through one-to-many multimodal biometric matching, and later to perform one-to-one identity verification. The uniqueness checks (or de-duplication) ensures that each person exists once and only once in the system and is assigned only one unique identity number. Verification allows an identity to be authenticated at the time that services are being provided to ensure they are going to the authorized recipient. Multiple biometrics are needed to ensure broad population coverage and sufficient matching accuracy for such a large population.

Since the system involves numerous registrars who will enrol and authenticate clients across the entire country, the biometrics must be interoperable and reliable. This is where the ISO/IEC 19794 biometric data interchange formats once again play a major role. In addition to the same iris, fingerprint and face image standards used in ePassports, Aadhaar also utilizes the ISO/IEC 19794-2 fingerprint minutiae standard for authentication purposes, and the ISO/IEC 19785 CBEFF (Common Biometric Exchange Formats Framework) standard for packaging the biometric data, providing common structure, metadata and security block.

Daon provides identity systems to four of the top seven economies of the world.

One of Aadhaar’s biometric solution providers is built upon Daon technology for the integration of the multimodal biometric matchers as well as the storage, management and security of the biometric data. Daon has been involved in the work of SC 37 since its inception and is familiar with all of the biometric standards employed by Aadhaar, having already incorporated them within the Daon product suite.

ISO Focus+: Why does Daon invest in the development of ISO standards?

Catherine Tilton: In the words of Daon’s CEO, Tom Grissen, “Our business is highly dependent on data sharing and interoperability… To be on the leading edge and ready to go when our customers are, we have to be in a position to anticipate where the standards are going and be strategic in building them into our platforms.” This approach has served us well – Daon now provides identity systems to four of the top seven economies of the world.


Special Report

Maximum security – Minimum risk

by Sandrine Tranchard

From terrorism to fraud, to piracy and identity theft, security has become one of the highest priorities of government, business and the general public at large.

Whether concerned about airport safety or leaked data like the latest WikiLeaks cables, security threats know no borders and can impact trade and society at many levels, affecting individuals, processes and organizations alike. The results can be catastrophic, whether in loss of life, serious harm, compromised data and national security or even bankruptcy to name a few.

ISO offers solutions to address security gaps by both anticipating and managing eventual threats. An array of articles in the following Special Report of ISO Focus+ highlights some of the most important standards in this area.

With the exponential growth of international commerce, it becomes harder for any one country to manage supply chain security on its own. The ISO 28000 series of International Standards for supply chain security management system harmonizes global efforts to help organizations in industries such as manufacturing, service, storage and transportation to reduce risks to people and cargo.

Freight containers are particularly vulnerable as they are always on the move and routinely cross borders. International Standards for container seals help authorities fight related crime and facilitate the work of professionals in the transport industry by air, sea, road or rail.

Earthquakes, floods, volcanic ashes and attacks are some examples of the risks dealt with by the ISO technical committee developing standards for societal security. Its standards will help organizations to be prepared for incidents so that they can continue to be operational in the event of crises, therefore increasing confidence in business, community, customer, first responder and organizational interactions.

Most of us are conscious of the serious security risks posed by identity theft and fraud. ISO, through its technical committee ISO/TC 68, is working on standards for financial security that are critical in enabling nearly instantaneous execution of billions of transactions, annually representing trillions of dollars in payments. This will help address security gaps.

Biometrics is increasingly being used to guarantee personal security. International Standards help enhance the development and efficiency of this technology.

Telebiometrics gained importance 10 years ago when identification and authentication was made a central issue in anti-terrorism efforts. ISO, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU) are jointly developing documents for simple, secure transmission of unique object identifiers for the quantities involved in its measurement.

Finally, cyber-security is perhaps one of the greatest challenges of our digital age. ISO standards in this field can help prevent attacks such as viruses, worms and phishing.

The following articles highlight some of the most critical areas where security can be impacted and show how ISO standards help face challenges.

Sandrine Tranchard is Communication Officer at the ISO Central Secretariat.


Be prepared – Ensuring security and resilience throughout the supply chain

by Charles H. Piersall

From the source of raw materials to the point of manufacture, service, or storage, to crossing boundaries by all modes of transport at any stage of the production or supply process on the way to end consumers – the supply chain is exposed to various security threats, both intentional and environmental.

ISO’s solution to these vulnerabilities is the ISO 28000 family of standards for supply chain security. The ISO 28000 series has already experienced considerable success. Numerous businesses and organizations in diverse sectors (e.g. logistics, forwarders, software, pharmaceutical, electronics, IT, etc.) are certified, or in the process of obtaining certification, to ISO 28000, by third-party independent auditors. Below is an overview of ISO 28000, examples of implementation and an update on the latest developments in the series (see Box page 12).

Drop the buzzwords

The topics of security, security management and safety and security of the supply chain, are riddled with buzzwords sometimes from sources with no practical experience or understanding of the subject, and of what is needed from decision makers. I will therefore begin with the ISO 28000 definition of “supply chain”. It is not a simple, single linking of elements in a chain. It is the “linked set of resources and processes that begins with the sourcing of raw material and extends through the delivery of products or services to the end user across the modes of transport.” Therefore, it is a complex network of many links and nodes, tailored to meet the needs of a particular organization, industry and government regulatory requirements.

Along with these buzzwords, there are often attempts to create additional layering of management systems standards, redefining the security regime and imposing additional certification requirements. This approach not only adds confusion, but also unwarranted costs to the industry.

The solution

The ISO 28000 family comprises a series of standards to help organizations successfully plan for, and recover from, any disruptive event. The core standard, ISO 28000:2007, Specification for security management systems for the supply chain, serves as an umbrella management system that enhances overall security performance, while reducing financial burden.

The management system framework established by ISO 28000 can be used to cover all aspects of security: risk assessment, emergency preparedness, business continuity, sustainability, recovery, resilience and/or disaster management, whether relating to terrorism, piracy, cargo theft, fraud, or many other security disruptions. Organizations may tailor an approach compatible with their existing operating systems. Those who have already adopted a process approach to management systems may be able to use their existing system as a foundation for implementing a security management system based on ISO 28000.

Moreover, ISO 28000 is the only published and certifiable International Standard that takes a holistic, risk-based approach to managing risks associated with any disruptive incident in the supply chain – before, during and after the event. The standard suggests how to improve resilience and preparedness performance in a cost effective way based on a plan-do-check-act (PDCA) management system model.

As stated in ISO 28000, “Risk assessment shall consider the likelihood of an event and all of its consequences which shall include: physical failure threats and risks; operational threats and risks; natural environmental events; factors outside of the organization’s control; stakeholder threats and risks such as failure to meet regulatory requirements or damage to reputation or brand; and any threat to continuity of operations”.

Who’s using ISO 28000

It is no surprise therefore that more and more industries are turning towards ISO 28000. Below are a few examples of widely diverse industries implementing and certifying to ISO 28000:

DP World was first to certify a marine terminal, and will complete certification to ISO 28000 throughout its network of 48 terminals in 31 countries worldwide by 2012. DP World is the only global marine terminal operator to have achieved simultaneous ISO 28000 certification and C-TPAT 1) membership. Its European terminals were also certified as Approved Economic Operators (AEO) by the European Union.

Port of Houston Authority, one of the world’s largest ports, was the first port authority in the world to become certified to ISO 28000.

ISO 28000 helps organizations manage any disruptive event.

Figure: How ISO 28000 is being used around the world. The figure groups ISO 28000 (International Organization for Standardization) with the World Customs Organization (WCO) SAFE Framework, the European Commission Authorized Economic Operator (AEO), the Customs Trade Partnership Against Terrorism (C-TPAT), the Singapore Secure Trade Partnership (STP) and the Transported Assets Protection Association (TAPA).

YCH Group, Singapore, is the first supply chain management company to be certified to ISO 28000. YCH Group is the leading integrated end-to-end supply chain management and logistics partner to some of the world’s largest consumer and electronics to chemical and healthcare companies including Canon, Dell, Moet-Hennessy, ExxonMobil, B. Braun, LVMH, Royal Friesland Campina and Motorola. YCH India is certified to the Transported Asset Protection Association (TAPA) A-class 2) and is ISO 28000-compliant for its security systems. YCH India provides customized supply chain solutions for electronics, consumer goods, chemicals/healthcare and automotive industries in India.

DB Schenker, the world’s second-largest forwarder, obtained certification to ISO 28000 for its regional head office for the Asia-Pacific sector in Singapore, along with its local office and operations at Singapore Changi airport. Klaus Eberlin, Chief Operating Officer for Asia-Pacific, views the ISO standard as a “kind of umbrella standard that encompasses elements like the TAPA programmes. ISO 28000 extends beyond physical aspects of security to elements like information flow and financial data”.

and the first marine terminal to obtain certification to ISO 28000 in the country.

CTS Logistics-China, a logistics and manufacturing company providing kitting assembly of turnkey management of

TNT Express’ Asia regional head office in Singapore is the first express integrator to achieve certification to ISO 28000.

1) C-TPAT is a voluntary US Government-business initiative to build cooperative relationships that strengthen and improve overall international supply chain and border security.

2) TAPA provides a forum that unites global manufacturers, logistics providers, freight carriers, law enforcement agencies, and other
Its clientele include DELL, ACER, Asian Terminals is a port operator, stakeholders with the common aim of reducing TPV, General Mills, HCL and others. developer and investor in the Philippines, losses from international supply chains.

Even a low probability threat can have consequence for the supply chain. Though millions of people may never experience an earthquake, each year there are about 18 earthquakes of magnitude (M) 7.0 or larger worldwide – their impact can be considerable.

ISO Focus+ February 2011 © ISO Focus+, www.iso.org/isofocus+ 11 t

Special Report

consumer electronics, IT and telecom- munication products, has successfully implemented ISO 28000. Banner Plasticard (Philippines), who offers design and printing of cards, per- sonalization, embossing, encoding, thermal printing, wrapping crating and palletizing The ISO 28000 family is certified to ISO 28000. Professional training for security and • ISO 28000:2007, Specification for security management systems for the supply other practitioners, based on ISO 28000, chain – the overall “ umbrella ”, certifiable, management system standard for is also being conducted for both supply supply chain security chain business operators and customs officers. • ISO 28001:2007, Best practices for implementing supply chain security, assessments and plans – designed to assist industry in meeting requirements for the Authorized Economic Operator (AEO) programme Road ahead • ISO/PAS 28002:2010, Development of resilience in the supply chain – In addition to all the examples mentioned Requirements with guidance for use – a publicly available specification (PAS) above, there are also further transporta- that provides additional focus on resilience. It responds to the need of firms to tion, pharmaceutical, health care, high tech industries and many other global ensure that their suppliers and the extended supply chain have taken steps to industries and government organizations prevent and mitigate the threats and hazards to which they are exposed. As part in process of implementing and certifying of the ISO 28000 management system, ISO/PAS 28002 emphasizes the need for to ISO 28000. an on-going, interactive process to prevent, respond to and assure continuation of Clearly, the standard is rapidly gaining an organization’s core operations after a major disruptive event ground since it was first published in 2007. 
• ISO 28003:2007, Requirements for bodies providing audit and certification And the reason for this is simple : there is a of supply chain security management systems – guidance for accreditation need for clear, unambiguous international guidance to help tackle the vulnerabilities and certification bodies of the supply chain and world trade in all • ISO 28004:2007, Guide for implementing ISO 28000 – assists users in sectors. ISO 28000 is just that.  implementation • Three ISO 28004 addenda were developed subsequent to the publication of the standard in order to provide additional useful guidance : ƒƒ Amd1 – for use in medium and small seaport operations [in support About the author of a request from the International Maritime Organization (IMO)]. To be published in 2011 as a PAS. Captain Charles H. Piersall has ƒ – specific guidance for small and medium-sized businesses (SMEs) ƒ Amd2 been Chair of to implement ISO 28000. To be published in 2011 as a PAS ISO/TC 8, Ships ƒƒ Amd3 – specific guidance for organizations seeking to incorporate and marine requirements contained in ISO 28001 for Authorized Economic Operators. The technology, for security best practices contained in ISO 28001 were carefully developed in 16 years. He is a liaison with the World Customs Organization (WCO). Published retired US Navy as PAS (2010). Captain with over 54 years of distinguished maritime • ISO 28005, Electronic port clearance (EPC) – provides for computer-to-computer service – first as a senior naval officer data transmission. This standard is consistent with requirements from IMO and then as an industry executive. He is and WCO. To expedite its development, ISO 28005 has been broken into two parts : recognized worldwide as a leader in the ƒƒ ISO 28005-1, Message structures (under development, publication expected in field of international maritime and supply 2011) chain security standards. In addition to ƒƒ ISO/PAS 28005-2:2009, Core data elements. 
the highest military awards and honours, Capt. Piersall has received numerous • ISO 28006, Security management of RO-RO passenger ferries – Best practice for high-level awards for his contributions to application of security measures (under development, publication as ISO/PAS is international standardization including the expected end of 2011) ANSI Astin-Polk International Standards • ISO 20858:2007, Ships and marine technology – Maritime port facility Medal and the US Coast Guard’s Dis- security assessments and security plan development – provides for uniform tinguished Public Service Award. Under his leadership, ISO/TC 8 received ISO’s implementation of IMO’s International Ship and Port Facility Security Code. highest award – the Lawrence D. Eicher Leadership Award in 2005.

Operation cyber-security – Solutions for business-as-usual

by Edward Humphreys

Stories are many and varied about the cyber-threats faced by businesses, governments and citizens. These are not merely rumours; they are real and their impact is significant.

News of the whistle-blowing activities of the WikiLeaks Website has spread like wildfire through the world's press, TV and Internet forums. One result of this attention is that hackers are ramping up the cyber-war, downloading software used to launch attacks against commercial companies. It is estimated that some 260 000 secret documents from the US State Department are in the hands of WikiLeaks, but less than one percent of this trove has been released. WikiLeaks has released classified information, potentially putting American lives at risk, threatening the country's infrastructure and having an impact on national security. WikiLeaks has also had an impact on many commercial online companies.

One group taking up the cyber-war game is a shadowy organization called Operation Payback, which has coordinated a number of successful "distributed denial of service" (DDoS) attacks on PayPal, Visa, MasterCard and Amazon. Although Operation Payback has no known affiliation with WikiLeaks, the two groups fight for similar ideals in demanding transparency and countering censorship. It might be described as the first real info-war.

Cyber-security was an issue long before WikiLeaks became a household name. There are many reported cases of stolen personal and customer data, including hundreds of thousands of social security numbers. Other cyber-threats are widespread identity theft, a boom in Internet fraud and crimes against children.

One of the most disturbing events of 2010 was the Stuxnet computer "worm", which was capable of compromising the safety of industrial systems such as nuclear power plant controllers, hydroelectric plants, power grids and other energy facilities. The frequency and sophistication of this type of malware, as well as questions about the possible motivations of the perpetrators, have raised concerns in governments and operators of critical infrastructure.

The Stuxnet worm spotlights the vulnerabilities of Internet communications and the fact that some parts of critical national infrastructure can be viewed as a "ticking time-bomb". But this is not the only area where many countries are vulnerable to cyber-warfare. We are likely seeing the overture to a performance that is only beginning. When it begins in earnest, the consequences could be catastrophic for governments, commercial organizations and individuals.

Cyber-security standards

So is it likely that the future will include a secure, Web-based environment to be used by business, governments and citizens? Are companies and governments fully aware of the risks and impacts they face?

The general answer is that most organizations are still not adopting an appropriate risk-based approach to protecting themselves and their assets. This means assessing the risks, implementing security controls to reduce these risks, regularly monitoring and reviewing the effectiveness of these controls, re-assessing risks and making necessary improvements if risk levels have increased (see Figure 1, page 14).



In other words, the risk-based approach is a continual improvement process to keep an organization up-to-date and fully protected. ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements, is a risk-based standard that has been adopted by hundreds of thousands of organizations to implement appropriate risk management processes. ISO/IEC 27001 provides an effective management framework for information security, as it accommodates all types of organizational security needs and business requirements and is capable of evolving and improving the level of protection commensurate with changes in the cyber-threat environment.

Figure 1: ISO/IEC 27001 information security management system (ISMS) risk-based approach. [PDCA cycle. PLAN: risk assessment, risk management, and ISMS risk and control management decision making. DO: implement the system of risk controls. CHECK: risk review, ISMS measurements and risk re-assessment. ACT: implement improvements to the risk controls.]

Many programmes designed to tackle the cyber-war issue reference ISO/IEC 27001 and its supporting code of practice, ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management. One such activity is the US Homeland Security programme, which references both of these standards as appropriate risk-based frameworks for managing and tackling cyber-security risks.

The implementation of ISO/IEC 27001 is supported by a range of guidelines in what is referred to as the ISO/IEC 27000 family of information security management system (ISMS) standards. These include:

• ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
• ISO/IEC 27003:2010, Information technology – Security techniques – Information security management system implementation guidance
• ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement
• ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management.

Another important feature of ISO/IEC 27001 is that it can be used for third-party certification audits, which means an organization can have its ISMS independently assessed by an external body. This provides greater confidence and assurance that the organization's ISMS is "fit-for-purpose". More than 12 000 organizations have been certified to ISO/IEC 27001 since the standard was first published by ISO five years ago. The certification rate is almost trebling each year, a reflection of the standard's utility in tackling organizational risks.

Taming the cyber-tiger

Another area of ISO standardization focuses on information security incidents. It is important for organizations that experience a cyber-incident to be able to respond efficiently and expediently to limit its impacts. Time is of the essence: the longer it takes to control and recover from the incident, the more likely it is that the effects will penetrate deeper into organizational systems. If the incident takes down business systems, then the organization cannot carry on with normal operations (see Figure 2). The question becomes how long the organization can tolerate having its systems offline.

Is it acceptable that the online presence is inaccessible to customers for 24 to 48 hours, or is the limit just 12 hours or less? How long can a company survive when it is unable to supply services, and how much will customers tolerate before they change suppliers? These questions are particularly important to financial systems, online booking, electricity and gas supply management, telecom operators and other systems providing customer services.

Figure 2: Operational systems outage and recovery. [Plot of level of operations (0 % to 100 %) against time, marking the incident, the minimum level of operations, the maximum tolerable period of outage, the recovery time objective and the period to resume normal operations.]

Information and communication technology (ICT) has become an integral part of the critical infrastructure in all sectors, whether public, private or voluntary. The proliferation of networking services, and the capabilities of systems and applications, has also meant that organizations are ever more reliant on safe and secure ICT infrastructures. Failure of these systems, including security issues such as hacking and malware, will impact the continuity of business operations.

The critical functions that require business continuity are usually dependent upon ICT. This dependence means that ICT disruptions can constitute strategic risks to organizational reputation. In comes ISO/IEC 27031, Information technology – Security techniques – Guidelines for information and communication technology readiness for business continuity, currently at final draft stage.

ISO/IEC 27031 deals with ICT readiness for business continuity, which enables organizations to be prepared when an incident, such as a cyber-attack, occurs and to have ICT systems back up and running in the shortest possible time (see Figure 3). It is associated with a number of other International Standards aimed at dealing with incident preparedness, disaster recovery planning, and emergency response and management, including:

• ISO/IEC 27035 on information security incident management
• ISO/IEC 24762 on guidelines for information and communication technology disaster recovery services
• ISO/IEC 18043 on the selection, deployment and operations of intrusion detection systems (IDS)
• ISO/IEC 27010 on information security management inter-sector communications
• ISO/PAS 22399:2007 on guidelines for incident preparedness and operational continuity management
• ITU-T X.1056 on security incident management guidelines for telecommunications organizations.

Together with the ISO/IEC 27001 family, this suite of standards provides a set of management tools that can mean the difference between survival and destruction of the organization's business. These standards increase the organization's ability to reduce the impacts of most cyber-attacks.

The business environment is constantly changing, along with threats to a company's survival. Organizations need to be ahead of the game, and an excellent defence can be built around a risk-based ISMS founded on ISO/IEC 27001, together with incident preparedness and business continuity management processes based on ISO/IEC 27031 and ISO/IEC 27035.

WikiLeaks may be today's sensational news story, but it could easily be eclipsed by another cyber-warfare story tomorrow. Organizations should not be tempted to fall into the complacency of "it won't happen to us". The risks are there, and we all share the same technology, the same Internet and many applications, so being prepared is simply common sense.

Figure 3: Operational continuity and recovery management using ISO/IEC 27031. [Plot of level of operations (0 %, X %, Z %, 100 %) against time, marking the incident, the original period of outage and the reduced period of outage.] Implementing the ICT readiness framework (including early alerting, warning and detection systems and response capability) can avoid sudden and drastic failure of systems and enable gradual deterioration of operation status, as well as shorten response times. The more effective the readiness capability, the higher the minimum level of operational continuity, which could range from X % to Z %.

About the author

Prof. Edward Humphreys has been involved in the field of information security for 35 years. During this time he has worked for major international companies (in Europe, North America and Asia), as well as organizations and institutions such as the European Commission, the Council of Europe and the Organisation for Economic Co-operation and Development (OECD). Prof. Humphreys is Convenor of the ISO/IEC working group developing ISMS standards. He is also a visiting professor of ISMS studies at various universities around the world and has written several books on the implementation of ISMS standards.



Safeguarding payments – ISO standards beef up protection in a networked world

by John F. Sheets

Payment standards, and in particular payment security standards, are a cornerstone of the retail payments system. ISO technical committee ISO/TC 68, Financial services, develops standards that are critical in enabling nearly instantaneous execution of billions of transactions annually, representing trillions of dollars in payments.

Without ISO standards and the payment systems' built-in compliance with these standards, a cardholder from Kigali, Rwanda, would not be able to quickly, conveniently and securely pay for goods or services while travelling in Paramaribo, Suriname. Moreover, financial institutions the world over could not have built the globally interoperable, multi-billion dollar card payments system without ISO security and related standards.

Many ISO retail financial payments security standards focus on protection of the Personal Identification Number (PIN) used to provide assurance that the person using the card is authorised to do so. The PIN itself is short and easy to remember and, as a result, would be easy to steal if not for a host of security measures and requirements codified in ISO standards. These include requirements for:

• Devices that handle and process PINs
• Logical protection of PINs through encryption
• Management of encryption keys used to protect PINs
• Authentication of transaction messages to ensure authenticity and integrity
• Message formats and protocols for transaction messages.

Addressing all security threats

Given the rapidly evolving nature of the payments system and the threats against it, ISO standards stipulating these requirements are in nearly constant review and update cycles. Efforts are currently focused on addressing new attack scenarios identified both in academia and, in limited cases, the real world.

New, stronger encryption algorithms are now available; however, their use is not simply a matter of unplugging the old and plugging in the new. Instead, the security and functionality requirements for each use must be carefully reviewed and analysed, ensuring that the new algorithm provides the full strength its users expect, and that no inadvertent weaknesses are introduced. One illustration of how important these efforts are was seen a decade ago, when the industry last looked at transitioning from an old encryption algorithm to a newer one. Early implementations of the new encryption algorithm were approximately 36 quadrillion (36 000 000 000 000 000) times less effective than envisioned. Relatively modest changes, introduced through standardization efforts, addressed these weaknesses, and secure implementations are now available and in use.

PINs are static values that must be protected wherever they are used, processed or stored. A compromised PIN could result in fraud losses, and the payments industry is looking for new authentication methods that are less reliant on protection of unchanging authentication values but instead use dynamically generated authentication codes that are usable for only a single transaction and thereby mitigate fraud.

New payment opportunities

Retail payment security does not end with the PIN. In our increasingly interconnected world, security threats may come from virtually anywhere, and the aim of the criminal mind is (usually) simply to make money by any means. So while the use and protection of PINs in traditional environments remains an important topic for existing and new ISO standards, other standards are being developed to address growing opportunities, for commerce and for fraud.

Much of this work remains pre-standardization, but ISO technical reports (TRs) are a guidance mechanism for the development of these new technologies. For instance, an ISO TR has been developed for acceptance of PINs for open network transactions such as ecommerce over the Internet. With hundreds of millions of devices connected to the Internet, protecting PINs in open network environments is a significant challenge. The relevant ISO guidance for secure acceptance in this space warns that PINs should never be entered into general purpose devices for transmission over the Internet. If PINs are to be used in this environment, they are used solely in conjunction with integrated circuit cards (ICCs) and sent to the card for validation.

A related endeavour is the replacement of ISO 8583, the 20-year-old retail financial messaging standard, with a modern framework for a host of financial services messaging functions. This is a huge effort. Creating a universal messaging standard is a complex and time-consuming undertaking that will likely face implementation challenges along the way. It is always critically important that a full complement of target users are involved in the development of any standard, but this is especially true when a standard is designed to facilitate the secure transfer of money. Interoperability and operational efficiency problems are often the root cause of breakdowns in security protocols, so care must be taken to ensure that the legitimate business needs of all stakeholders are factored into the development of this new payments framework. Defence in depth is a critical consideration; layered security is far more effective than single safeguards.

There is a joke in the standards world that the great thing about standards is that there are so many to choose from. Indeed, at times it can seem this way. But standards must fit the industry they were developed to support, and this may lead to multiple standards pertaining to the same or very similar topics.

A case in point would be the ISO/IEC IT security standards and their ISO/TC 68/SC 2 counterparts. ISO/IEC IT security standards provide a broad, generalized set of security requirements for IT systems, and while ISO/TC 68 standards in many cases reference these IT security standards, the ISO/IEC IT standards do not, and should not, address the specific needs of the retail financial services market. Many of the security requirements that are considered the minimum acceptable in the financial services world would be viewed as "gross overkill" in general IT environments. Similarly, ISO/IEC IT security standards alone are often insufficient for the protection of financial transactions.

Meeting our customer's needs

ISO/TC 68 security and related standards, both existing and under development, are critical to commerce in the 21st century. Robust and vibrant standardization processes ensure that stakeholder needs are addressed and that the resulting standards will provide the functionality and protections demanded by an increasingly interconnected and time-sensitive world. Challenges for the standardization process include timeliness of standards development and relevance in a changing world.

Not all new technologies should be standardized; sometimes it is just too soon to write a standard for an emerging technology. In these cases, ISO technical reports and/or technical specifications may be more appropriate. When it is too soon even for that, the technology or business framework must mature before ISO efforts can begin.

The retail financial payments industry is a big customer of, and contributor to, ISO standards and technical reports. These consensus-based documents provide frameworks for billions of transactions annually, representing trillions of dollars in commerce.

The card payments system would not be possible without ISO standards.

About the author

John F. Sheets is Convenor of ISO/TC 68/SC 2/WG 13, Security in retail banking, and Chair of the US-based ASC X9 F6, Cardholder Authentication & ICCs, working group. He has worked in the payments industry for 25 years, currently as Senior Business Leader responsible for Payment Technology Development for Visa, Inc.
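Two of the requirements the article lists, authentication of transaction messages and, from the "Addressing all security threats" section, authentication codes that are usable for only a single transaction, can be seen working together in the Python sketch below. It is an added example written for this page, not code from the article, from ISO/TC 68 or from any payment network, and it makes assumptions the article does not: HMAC-SHA256 stands in for whatever MAC and code-generation algorithms a real scheme specifies, the per-card key is derived from a hypothetical issuer master key and the PAN, the issuer tracks a per-card application transaction counter (ATC) to reject replays, and every key, PAN and message value is a constructed demo value.

```python
"""Authenticated transaction message plus a single-use authentication code.

Added example for this page; not code from the article, ISO/TC 68 or any
payment network. Assumptions not taken from the page: HMAC-SHA256 stands in
for the MAC and code-generation algorithms a real scheme specifies, the
per-card key is derived from a hypothetical issuer master key and the PAN,
and every key, PAN and message value below is a constructed demo value.
"""
import hashlib
import hmac

# Constructed demo keys (a real issuer keeps these in an HSM).
ISSUER_MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TERMINAL_MAC_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100" * 2)


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Per-card key as HMAC(master key, PAN): an assumption, not an ISO derivation."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def dynamic_auth_code(card_key: bytes, atc: int, amount_cents: int, currency: str,
                      digits: int = 6) -> str:
    """Code valid for one transaction only: bound to the application transaction
    counter (ATC) and to the amount/currency, so it can neither be replayed nor
    moved to a different amount."""
    tag = hmac.new(card_key, f"{atc}|{amount_cents}|{currency}".encode(), hashlib.sha256).digest()
    value = int.from_bytes(tag[:4], "big") % (10 ** digits)
    return str(value).zfill(digits)


def message_mac(mac_key: bytes, fields: dict) -> str:
    """MAC over a canonical (sorted, delimited) encoding of all message fields."""
    canonical = "|".join(f"{k}={fields[k]}" for k in sorted(fields))
    return hmac.new(mac_key, canonical.encode(), hashlib.sha256).hexdigest()


class Issuer:
    """Issuer host: checks the message MAC, then replay (ATC must strictly
    increase per card), then the single-use code, in that order."""

    def __init__(self, master_key: bytes, mac_key: bytes) -> None:
        self.master_key = master_key
        self.mac_key = mac_key
        self.last_atc = {}  # PAN -> highest ATC accepted so far

    def authorize(self, msg: dict, mac: str) -> str:
        if not hmac.compare_digest(message_mac(self.mac_key, msg), mac):
            return "DECLINE: message MAC mismatch"
        pan, atc = msg["pan"], msg["atc"]
        if atc <= self.last_atc.get(pan, -1):
            return "DECLINE: replayed transaction counter"
        expected = dynamic_auth_code(derive_card_key(self.master_key, pan),
                                     atc, msg["amount_cents"], msg["currency"])
        if not hmac.compare_digest(expected, msg["auth_code"]):
            return "DECLINE: authentication code mismatch"
        self.last_atc[pan] = atc
        return "APPROVE"


def card_transaction(pan: str, atc: int, amount_cents: int, currency: str) -> tuple:
    """Card side: fresh single-use code; terminal side: MAC over the whole message."""
    card_key = derive_card_key(ISSUER_MASTER_KEY, pan)
    msg = {"pan": pan, "atc": atc, "amount_cents": amount_cents, "currency": currency,
           "auth_code": dynamic_auth_code(card_key, atc, amount_cents, currency)}
    return msg, message_mac(TERMINAL_MAC_KEY, msg)


def run_demo() -> list:
    """Five submissions against one issuer; returns the issuer's decision for each."""
    issuer = Issuer(ISSUER_MASTER_KEY, TERMINAL_MAC_KEY)
    pan = "4000123456789010"  # constructed PAN, not a real card number
    results = []
    msg, mac = card_transaction(pan, atc=41, amount_cents=1999, currency="EUR")
    results.append(issuer.authorize(msg, mac))        # genuine transaction
    results.append(issuer.authorize(msg, mac))        # verbatim replay
    tampered = dict(msg, amount_cents=199900)
    results.append(issuer.authorize(tampered, mac))   # amount altered in transit: MAC fails
    # An attacker holding the terminal MAC key re-MACs the altered amount with a
    # bumped ATC; the single-use code is still bound to ATC 41 and 19.99 EUR.
    remaced = dict(tampered, atc=42)
    results.append(issuer.authorize(remaced, message_mac(TERMINAL_MAC_KEY, remaced)))
    msg2, mac2 = card_transaction(pan, atc=42, amount_cents=500, currency="EUR")
    results.append(issuer.authorize(msg2, mac2))      # next genuine transaction
    return results


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Running it prints the five decisions in order: the genuine transaction is approved, a verbatim replay is rejected on the counter, an amount changed in transit fails the message MAC, and a message re-MACed by someone who holds the terminal MAC key still fails, because the single-use code was bound to the original amount and counter. Only the next genuine transaction, with counter 42, is approved. The order of the checks matters: the MAC is verified before any field is trusted, and the counter is checked before the code so that a replayed message is never used to probe the code check.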



Who is who? – Biometrics provides answers for public and private sectors

by Fernando L. Podio

One of the critical issues related to secured information technology (IT) systems and applications is the verification of the user's identity. The relationship between a biometric characteristic (e.g. something that you are) and the users of a system or application provides a strong binding. This binding is stronger than those that can be achieved between a user and other technologies currently in use for personal authentication, such as passwords (e.g. something that you know) and tokens (e.g. something that you have).

Subcommittee SC 37, Biometrics, of the ISO/IEC Joint Technical Committee, Information technology (JTC 1/SC 37), defines biometrics as "automated recognition of individuals based on their behavioural and biological characteristics". Examples of biological characteristics are finger, face, hand and iris. Behavioural characteristics are traits that are learned or acquired, such as dynamic signature verification and keystroke dynamics. It is usual to find, in the literature, biometric characteristics identified as two different types: biological and behavioural. According to JTC 1/SC 37 experts, behavioural and biological characteristics cannot be completely separated. For example, a fingerprint image results from the biological characteristics of the finger ridge patterns and the behavioural act of presenting the finger. Biometric recognition encompasses biometric verification and identification. Automated recognition implies that a machine-based system is used for either the full recognition process or is assisted by a human being.

Marketplace for biometric-based solutions

For decades, biometric technologies were used primarily in law enforcement applications. However, over the past several years, the marketplace for biometric solutions has significantly widened. Currently, they are increasingly being required in public and private sector applications worldwide to authenticate a person's identity, secure national borders, and restrict access to secure sites, including buildings and computer networks.

Biometrics are being used for the protection of buildings from unauthorized individuals, in employee IDs, in retail, banking and financial institutions (e.g. employee-based/customer-based applications), associated with the management of welfare programmes and in health care applications (e.g. service provider security to protect patient privacy, patient delivery verification protecting patient and provider). Other applications include verification of users' identity in mobile devices, colleges (e.g. online identity verification) and amusement parks. Consumer uses are also expected to significantly increase for personal security and convenience in home automation and security systems, retail, gaming and hospitality industries and even in childcare/school applications (e.g. lunch programmes, guardian verification for child release).

Need for international biometric standards

The success of biometric applications is particularly dependent on the interoperability of biometric systems. Deploying these systems requires a portfolio of technically sound international biometric standards that meets customers' needs. As discussed above, the deployment of standards-based, high-performance, interoperable biometric solutions is expected to increase levels of security for critical infrastructures in a way that has not been possible to date with other technologies.

An important consideration and rationale for the development of a comprehensive portfolio of biometric standards is that they promote the availability of multiple sources for comparable products. These standards must provide support for a diverse range of systems and applications designed to provide reliable verification and identification of individuals. They should benefit the customers for whom these standards are developed, including end-users, system developers, the IT industry as well as other standards developers working in related standards (e.g. security, token-based). The following addresses published and ongoing work in JTC 1/SC 37. This subcommittee is responsible for the development of a large portfolio of biometric standards in support of interoperability and data interchange.

18 © ISO Focus+, www.iso.org/isofocus+ ISO Focus+ February 2011

Secure IT systems and applications

Including published standards and ongoing projects, the subcommittee is currently responsible for over 100 projects. Topics addressed by these standards include biometric data interchange formats for a number of biometric modalities, biometric technical interface standards, performance and conformance testing methodology standards, sample quality standards, and standards in support of cross-jurisdictional issues related to the utilization of biometric technologies in commercial applications. The subcommittee is also developing a harmonized biometric vocabulary to serve the standards community as well as other customers. To date, 44 International Standards (including amendments) and six technical reports have been published. These standards are aimed at helping customers to achieve higher levels of security and interoperability in personal authentication and identification applications using biometric-based open systems solutions. SC 37 works in close collaboration with two other ISO/IEC JTC 1 subcommittees responsible for developing related standards : SC 27, IT Security techniques, and SC 17, Cards and personal identification.

Impact and benefits

A number of international and national organizations have adopted or are considering adopting many of the biometric standards developed by ISO/IEC JTC 1/SC 37. The International Civil Aviation Organization (ICAO), for example, selected facial recognition as the globally interoperable biometric for machine-assisted identity confirmation for machine readable travel documents (MRTD). ICAO requires conformance to the face recognition standard developed by SC 37. Other SC 37 standards adopted by ICAO are the fingerprint data interchange formats, the iris recognition interchange format and an instantiation of the Common Biometric Exchange Formats Framework (CBEFF). The adoption of ISO/IEC JTC 1/SC 37 standards by this organization is expected to significantly impact the use of biometrics for MRTD in the countries represented within ICAO.

The marketplace for biometric solutions has significantly widened.

The International Labour Organization (ILO) developed requirements for a Seafarers’ ID Card which includes the use of two fingerprint templates to be stored in a barcode. ILO’s requirements specify the use of some of the standards approved by ISO/IEC JTC 1/SC 37 ; specifically finger minutiae and finger image data interchange formats (published as International Standards in 2005). JTC 1/SC 37, in collaboration with ILO, developed a biometric profile for seafarers.


Ready ?


Terrorism, cyber-security, identity theft, environmental disasters, or any other risk can result in serious consequences.

Danger cannot always be avoided but you can be prepared to avoid an eventual fall.

International Standards provide global solutions for evaluating risks, defining priority actions and implementing best practice to support security management.


Special Report

In the USA, several organizations require selected biometric data interchange standards developed by ISO/IEC JTC 1/SC 37, and some of the ongoing biometric testing programs use performance testing methodology standards developed by the subcommittee. The latest significant adoptions are the biometric standards that the Planning Commission of the Unique Identification Authority of India has recommended for the unique identity project. (See Guest Interview page 3)

After reviewing International Standards and current national recommendations, the biometric committee established by the Indian Government concluded that the ISO/IEC series of biometrics standards for fingerprints, face and iris data interchange formats developed by SC 37 were the most suitable for the project. The document, already published as an International Standard, includes normative requirements to several of the ISO/IEC JTC 1/SC 37 standards.

Several countries represented in SC 37 are also adopting the ISO/IEC JTC 1/SC 37 standards. For example, Spain has two official documents that store biometric data using the ISO/IEC JTC 1/SC 37 standard data interchange formats ; the electronic national identity card (DNIe) and the Spanish ePassport. The DNIe card includes the personal information of the citizen, details of electronic certificates and the biometric information. The Spanish ePassport contains the face image conforming to a face image data interchange format developed by SC 37.

The subcommittee is currently responsible for over 100 projects.

Roadmap

ISO/IEC JTC 1/SC 37 is planning to continue the development of International Standards, keeping in mind the customer’s needs and the support for the mass market adoption of biometrics-based solutions. SC 37 concluded the development of most of the “ first generation ” of biometric standards. Recent technology innovations and new customers’ needs are being addressed by the subcommittee through the development of the “ second generation ” of biometric standards. They include revision projects for the biometric data interchange formats, the development of new biometric technical interface standards, performance (and conformance) testing methodology standards and biometric sample quality standards. The subcommittee is also responding to other standards organization needs by initiating new projects in support of their standards and requirements.

About the author

Fernando L. Podio is a member of the Computer Security Division of the Information Technology Laboratory at the US National Institute of Standards and Technology (NIST). He has worked in different aspects of IT development, measurements and standards for over 30 years. For the past 12 years, Mr. Podio has been involved in biometrics testing, research and standardization. He is currently leading biometric standards activities and technology development efforts in support of biometric standards and associated conformity assessment including the development of conformance test architectures and test suites for testing implementations of biometric standards. Mr. Podio is Chair of ISO/IEC JTC 1/SC 37, Biometrics.


A matter of life and death
Metric system to the rescue

by Anders J Thor, Paul Gérôme and Jean-Paul Lemaire

In every struggle, there are unacknowledged, hidden “ heroes ”. They are the building blocks without which success would not be possible, yet so pervasive that they often go unnoticed. That is the case of quantities and units.

From baking a cake to transmitting security data – quantities and units enable every aspect of our lives. Without the metric system contained in International Standards, a whole range of activities, from shopping at the supermarket to industrial production, to scientific research, to international trade, would be, at best, extremely haphazard. For example, when NASA’s Orbiter crashed into Mars in September 1999, it was because engineering teams used different measurement units, one metric, the other Imperial – for key spacecraft operation. This mistake cost USD 125 million. In order to avoid such scenarios, standardization is key.

Adoption of the metric system of weights and measures has been in process since the French Revolution. Because of that, some assume that we have already developed everything we need. Wrong. Although relatively slow-moving due to the need for careful consideration based on basic science, the field is actively tackling new challenges under the joint work on International Standards being developed by ISO/TC 12 and the International Electrotechnical Commission (IEC)’s IEC/TC 25, both of which are entitled Quantities and units. In 2009, ISO and IEC completed a new, harmonized, double-logo International Standard, with the designation 80000, Quantities and units, with 14 parts.

In this article, we provide a glimpse into the world of quantities and units, and into the most exciting developments in telebiometrics, which increases the reliability of biometric data.

Adoption of the metric system has been in process since the 1790s.

Telebiometrics

There is a rapidly increasing interest in quantities and units for physiology. In cooperation with the International Telecommunication Union (ITU) ITU-T/SG 17, Telecommunication security, ISO/TC 12 and IEC/TC 25 have begun development of a harmonized International Standard, designated by ISO and IEC as 80003, Quantities and their units to be used in physiology, with six parts. This series is concerned with biometrics, especially telebiometrics and telemedicine. Telebiometrics uses measurements taken from parts of the human body, such as vein structure, fingerprints, iris and faces, to link an individual to a series of numerical values. Telebiometrics gained importance 10 years ago, when identification and authentication was made a central issue in anti-terrorism efforts. As every person is unique, information from our bodies and habits is difficult to steal or replicate. Telebiometrics thus enables a reliable form of identification and can provide a more robust fraud and identity theft protection than other methods.

Telebiometrics, which can be conceived as the application of biometrics to telecommunication and of telecommunications to remote biometric sensing, was initially standardized in 2004 by ITU in ITU-T Recommendation X.1081 : The Telebiometric Multimodal Model. This was followed by IEC 80000-14, Telebiometrics related to physiology, published in 2007 as a part of the ISO and IEC 80000 harmonized series and ITU-T Recommendation X.1082. Over the last three years, an extended version was developed and accepted as a new work item proposal from ITU-T SG 17 by both ISO/TC 12 and IEC/TC 25.

Three strong backers

The current push for further standardization in telebiometrics is led by :
• IEC – IEC/TC 25/WG 5, Physiological quantities and units and IEC/TC 25/WG 6, Telehealth and telemedicine
• ISO – ISO/TC 12/WG 13, Telebiometrics related to human physiology and ISO/TC 12/WG 18, Telemedicines



• ITU – ITU-T Study Group 17, Lead Study Group on Security/Q.9, Telebiometrics.

These three standard development organizations are jointly preparing three texts with a common root-system attribution for simple, secure transmission of a unique object identifier for each quantity of interest. This will be based on an ITU Recommendation regarding X series data networks and open system communications, numbered X.1081 (04-2004), The telebiometric multimodal model – A framework for the specification of security and safety aspects of telebiometrics.

The telebiometric multimodal model (TMM) can be understood as the model of the interactions of a human being with its environment using modalities based on the human senses. It can be used to provide specifications related to :
• Safety issues
• Security issues
• Biometric authentication issues
• Privacy issues.

As such, telebiometrics covers the fields of physics, chemistry, biology, culturology and psychology.

Enabling telemedicine

One of the protocols that ISO/TC 12 and ITU-T Q.9/17 are developing defines structured messages for communication between an operator and a remote telemedicine device (transmission, authentication, integrity and privacy protection). It removes the need for medical staff and patients to be located in the same area and enables long-distance interactions.

Known as ASN.1, the protocol is used to transmit data about patients, medical staff, observers, pharmaceutical staff, drug manufacturers and drugs, medical devices, medical software, medical insurances, medical records and DNA profiles. Figure 1 shows an example where a clinic with expertise can help a medical team in a remote area. Figure 2 shows examples of unique object identifiers associated with this protocol.

[Figure 1 : ASN.1 enables long-distance communication. The diagram links a well-equipped clinic in an urban area with expertise (consultant/surgeon, medical support team, video, surgical manipulator) over mobile/satellite and voice channels to a local medical team (probably in a mobile van) in another country or rural area with surgical equipment.]

Telebiometrics gained importance in anti-terrorism efforts.

Never-ending

With a global society increasingly reliant on electronic tools and virtual spheres, the assurance of security through innovative

[Figure 2 : Unique object identifiers associated with the ASN.1 protocol. Root arc {2 42 3} with nine sub-arcs : {2 42 3 1} Patients, {2 42 3 2} Medical staff, {2 42 3 3} Observers, {2 42 3 4} Pharmaceutical staff, {2 42 3 5} Drug manufacturers, {2 42 3 6} Medical devices, {2 42 3 7} Medical software, {2 42 3 8} Medical insurance, {2 42 3 9} Medical records.]
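The object identifiers in Figure 2 are ordinary ASN.1 OIDs, so a receiver has to encode and, more importantly, parse them robustly before it can trust which kind of record a message carries. The following Python is an added example, not code from the article or from any ITU-T or ISO text : it encodes and decodes OIDs with the DER rules of ITU-T X.690 (first two arcs packed as 40*X + Y, each arc written big-endian in base 128 with a continuation bit), and rejects truncated, over-long and non-minimal encodings. The arc-to-name table is transcribed from Figure 2 ; the sample byte strings and the is_malformed helper are constructed here, and the decoder is general, so it also handles arcs outside the {2 42 3} tree.

```python
"""DER encoding and decoding of ASN.1 object identifiers (OIDs).

Added example for the {2 42 3} telemedicine arcs shown in Figure 2; it is
not code from the article or from any ITU-T/ISO text. Encoding rules are
those of ITU-T X.690: the first two arcs are merged as 40*X + Y and every
arc is written big-endian in base 128 with a continuation bit.
"""

# Arc-to-name table transcribed from Figure 2 (root arc {2 42 3}).
FIGURE_2_ARCS = {
    (2, 42, 3, 1): "Patients",
    (2, 42, 3, 2): "Medical staff",
    (2, 42, 3, 3): "Observers",
    (2, 42, 3, 4): "Pharmaceutical staff",
    (2, 42, 3, 5): "Drug manufacturers",
    (2, 42, 3, 6): "Medical devices",
    (2, 42, 3, 7): "Medical software",
    (2, 42, 3, 8): "Medical insurance",
    (2, 42, 3, 9): "Medical records",
}

OID_TAG = 0x06  # universal tag for OBJECT IDENTIFIER


def _encode_subid(value):
    """Base-128 encode one sub-identifier; high bit set on all but the last octet."""
    octets = [value & 0x7F]
    value >>= 7
    while value:
        octets.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(octets))


def encode_oid(arcs):
    """Return the DER TLV (tag, short-form length, content) for a tuple of arcs."""
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("an OID needs at least two non-negative arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first arc must be 0..2; second arc 0..39 under arcs 0 and 1")
    content = _encode_subid(arcs[0] * 40 + arcs[1])
    for arc in arcs[2:]:
        content += _encode_subid(arc)
    if len(content) > 127:
        raise ValueError("only short-form lengths are handled here")
    return bytes([OID_TAG, len(content)]) + content


def decode_oid(der):
    """Parse a DER OID back into a tuple of arcs, rejecting malformed input."""
    if len(der) < 3 or der[0] != OID_TAG:
        raise ValueError("not an OID TLV")
    length = der[1]
    if length > 127 or len(der) != 2 + length:
        raise ValueError("length octet does not match the data actually present")
    content = der[2:]
    if content[-1] & 0x80:
        raise ValueError("truncated sub-identifier (continuation bit set on last octet)")
    arcs = []
    value = 0
    first = True
    for octet in content:
        if value == 0 and octet == 0x80:
            raise ValueError("non-minimal sub-identifier encoding")
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:
            continue  # more octets belong to this sub-identifier
        if first:
            # Undo the 40*X + Y packing of the first two arcs.
            if value < 80:
                arcs.extend((value // 40, value % 40))
            else:
                arcs.extend((2, value - 80))
            first = False
        else:
            arcs.append(value)
        value = 0
    return tuple(arcs)


def label_for(der):
    """Name from Figure 2 for a decoded OID, or None if it is not one of those arcs."""
    return FIGURE_2_ARCS.get(decode_oid(der))


def is_malformed(der):
    """True when decode_oid rejects the bytes (constructed helper for checks)."""
    try:
        decode_oid(der)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample: the Patients arc from Figure 2.
    der = encode_oid((2, 42, 3, 1))
    print(der.hex(), decode_oid(der), label_for(der))
```

The length check and the test on the final octet are the two that matter for a receiver : a length octet that does not match the bytes present, or a sub-identifier whose last octet still has its continuation bit set, means the message was cut or tampered with and must not be mapped to a record type.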


areas like telebiometrics is rapidly gaining in importance. Its future impact could include customer information, transaction authentication, medical record management, etc. The joint work being done in standardization is crucial to enable its application, while taking account of considerations such as privacy.

In addition to telebiometrics, work on quantities and units is important for anything we do, and as the world evolves, so does the task of standardizers.

But why a matter of life and death ? A simple number glitch can have disastrous results for security. Imagine also the consequences if doctors, pharmacists and manufacturers were not on the same page when it came to quantities and units, what would happen to patients ? Or if a hacker takes over an ElectroCardioGram to maliciously reverse the results (slow to rapid), so that the doctor prescribing according to a false diagnosis kills the patient – a perfect hacker crime ! The ASN.1 protocol described above provides a highly secure process that protects from hackers and other lethal consequences, as well as maintaining patient privacy. And the list of security considerations goes on and on – what if engineers did not have harmonized quantities and units to work with ? The same applies to absolutely everything.

Not written in stone

There is an on-going discussion on new definitions of four of the seven International System of Units (SI) base units :
• Mass (kilogram),
• Electric current (ampere),
• Thermodynamic temperature (kelvin)
• Amount of substance (mole).

The kilogram is the only remaining SI base unit that is still defined in terms of a concrete artefact, the international prototype of the kilogram kept by the International Bureau of Weights and Measures (BIPM). We know that this international prototype is aging, but we do not know how much. One seeks to replace the concrete artefact with an abstract definition using a fundamental constant such as the mass of the carbon-12 isotope, which is the basis of relative atomic masses in chemistry.

Some metrologists want to replace the current definition of the ampere, which is based on a fundamental magnetic constant μ0, with a definition based on the elementary charge e. In our opinion, this is misleading because it is electric current and not electric charge that is the base quantity in the International System of Quantities (ISQ). Furthermore, we would lose the ability to express the fundamental constants (the electric constant, ε0 ; the impedance of vacuum, Z0 ; and the admittance of vacuum, Y0) precisely in SI units.

There is also a proposal to replace the definition of the kelvin, now defined by the triple-point of water (the temperature and pressure at which gas, liquid, and solid forms of a substance coexist in thermodynamic equilibrium). This would be achieved by fixing the value of the Boltzmann constant (the physical constant relating energy at the particle level with temperature observed at the bulk level). This is a clear improvement since the triple-point of water depends on the isotopic composition of the water and thus its triple-point is not a fundamental constant.

Finally, the mole should be defined by fixing the value of the Avogadro constant (the ratio of the number of entities in a sample to the amount of substance).

About the authors

Anders J Thor, formerly an Assistant Professor of Mechanics at the Royal Institute of Technology in Stockholm, has been Project Manager at the Swedish Standards Institute (SIS) since 1975. He is Chairman of ISO/TC 12, Quantities and units, and of IEC/TC 25, Quantities and units. He is also Convenor of several working groups in ISO and IEC.

Paul Gérôme is a professional taxonomist trained in anthropology (Doctorat d’Etat de la Sorbonne), semiotics, general system theory and dermo-science. His expertise is in public safety and security. He contributes to the work of the following standards development organizations : ITU-T/SG 17 (Editor of security Recommendations X.1081 and X.1082) ; ISO/TC 12 (Convenor of WG 13) ; and IEC/TC 25 (Convenor of WG 5, Physiological quantities and units).

Jean-Paul Lemaire works at the University Paris Diderot for the French National Research Center (CNRS). He has been participating in ASN.1 standardization (ITU-T SG 17 Q12 and ISO/IEC JTC 1, Information technology, SC 6, Telecommunications and information exchange between systems, WG 9, ASN.1 and registration) since 1998. He is involved in Telebiometrics (ITU-T SG 17 Q9), and is Convener of the ISO/IEC JTC 1/SC 6/WG 8, Directory.



by Michael Bohlman

Dangerous routes
Anti-tampering measures for freight containers

When freight containerization first burst onto the transportation scene some 50 years ago, it was hailed as a boon for security because it substantially reduced the problem of cargo pilferage. The opaque walls and ability to lock containers made it difficult for thieves to “ shop ” for cargo that was worth stealing.

But it did not take long for “ the bad guys ” to figure out how to circumvent a freight container’s design features so it could be opened and then re-closed without leaving any visible evidence of a break-in. The battle to improve the security of freight contain- ers had begun, and it continues to this day.

Built to withstand

In today’s climate of terrorist threats, an even greater concern now focuses on what may be placed into a freight container without the knowledge of the shipper, transportation providers, or customs authorities. Still, the basic issue remains the same from the perspective of designers and manufacturers of freight containers. Criminals or terrorists should never be able to open and then re-close a freight container without leaving obvious evidence.

An even greater concern now focuses on what may be placed into a freight container.

ISO technical committee ISO/TC 104, Freight containers, has produced several specification changes to improve a con- tainer’s ability to resist being opened and re-closed without leaving evidence. In addition to meeting basic customs require- ments, containers now feature better door and hinge designs, enhancements to locking and sealing features and, most recently, significant improvement in the mechanical seals that secure a freight container’s doors. The standards now require container doors to be designed so that entry can be detected by verifying the condition of an affixed seal. Because schemes to circumvent


Design of door handles and seals has to evolve constantly to beat new threats.

design features and compromise the integrity of a container are constantly evolving, the standards now provide additional guidance to better meet the performance requirements contained in ISO 1496-1:1990, Series 1 freight containers – Specification and testing.

Design improvements

One example of this guidance addresses the vulnerability of the door handle hub rivet on the container door’s right side, which can be easily removed using simple hand tools or drilled out with an electric drill. This allows the door handle to be removed from the handle hub so the right door can be opened while leaving the security seal intact. An elongated handle hub that extends below the rivet hole prevents the handle from being removed even if the rivet is removed. This simple design change helps ensure the security of the container.

ISO/TC 104 also specifies how container manufacturers can improve the securing plate (also known as the customs plate) that is installed on the right door to prevent perpetrators from accessing the left door. Thieves have utilised a specially constructed breaker bar to bend the customs plate back at a 90° angle from the container door. The handles of the left door are then opened and the left door is forcibly pulled past the rubber gasket of the right door, opening the container to theft, pilferage or the insertion of undeclared material. Once the doors are re-closed, the same tool is used to bend the plate back to its original position. The only sign of manipulation may be cracking in the plate’s paint, which can easily be overlooked in a container inspection. Mounting the customs plate on the inside of the left door can make this security breach more difficult. Substantially strengthened customs plate designs that cannot be bent without visibly damaging the container would serve the same objective.

ISO/TC 104 will continue to work with customs and security authorities.

Other design features that form an “ interlock ” between the two doors or otherwise preclude manipulation of the unsealed door without breaking the seal would be equally acceptable. Where feasible, design features


can be used in combination with a higher location of the plate on the outside of the right door ; however, merely placing the custom plate with its current design in a higher location would not be sufficient.

Improving mechanical seals

Improvements in the standards for mechanical seals address several issues :
• Resistance to breakage
• Control of the seal to ensure its integrity from manufacturer to point of use on the container
• Improved coding of the seal to assist in control
• Resistance to tampering.

Mechanical seals are now specifically tested for tamper resistance ; that is, their ability to thwart attempts to open and then reseal them without leaving evidence (see Figure 1). This improvement has been fully incorporated into ISO’s work on electronic seals as well. Along with other potential security enhancements, electronic seals now have the same resistance to mechanical tampering as do mechanical seals. ISO’s work in this area continues as criminals figure out new ways to defeat the tamper resistance features of today’s seals.

[Figure 1 : Test apparatus for testing the resistance of a seal to breaking when being bent – one of several improved tests to standardize the structural capabilities of seals. Labelled parts : point of applied load, tube (seal holder), moment arm, 90° movement, seal, holding device, vise or similar object.]

Mechanical seals are now specifically tested for tamper resistance.

ISO/TC 104 will continue to work with customs and security authorities to address each newly invented vulnerability and develop effective, low-cost solutions. The technical committee continues to liaise with the World Customs Organization, the Maritime Security Committee of the Baltic and International Maritime Council, the UN/ECE/TRANS Multidisciplinary Group of Experts on Inland Transport Security, and US and other national customs and security authorities.

About the author

Michael Bohlman, Director of Marine Services for the American container ship operator Horizon Lines, is Chair of ISO/TC 104, Freight containers, and Vice Chairman of the International Cargo Handling & Co-ordination Association (ICHCA) International Safety Panel. He also serves as Chairman of the Maritime Security Committee of the Baltic and International Maritime Council (BIMCO) and as a member of BIMCO’s Executive Committee and Board. He is Chairman of the Board of the Chamber of Shipping of America.

Customs security plates have seen some changes over time to address evolving vulnerabilities.


Protecting our society
ISO’s crisis management approach to all hazards

by Krister Kumlin

When I was asked to chair an ISO technical committee aimed at improving crisis management and business continuity capabilities, I had little knowledge of standardization issues, and even less of emergency management. But a lifelong career in the Swedish Foreign Service had given me experience of multilateral work, and tackling a new field of international negotiations struck me as an important task and an appealing challenge. After receiving assurances that I would be given all necessary expert support, I accepted the offer.

Five years later, I have little reason to regret that decision. Working with ISO/TC 223, Societal security, getting to know the people involved and gaining insights into the world of ISO have been highly rewarding. However, we have yet to deliver practical results.

A market need for standards

In response to the increase in man-made and natural catastrophes that occurred in the beginning of the century, ISO decided in 2004 to review its efforts in security. A number of countries had already developed or were in the process of elaborating national standards for societal security, and there was a clear need to synchronize these efforts internationally.

Established in 2000 on a Russian initiative, ISO/TC 223 was found to be the natural vehicle. The failure of the international Arctic salvage operation of the atomic submarine Kursk had prompted Moscow to suggest that ISO help develop International Standards for emergency management. After several years of inactivity, the responsibility of ISO/TC 223 was handed over to the Swedish Standards Institute (SSI). An early step in the committee’s reactivation was its name change from Civil defence to the broader Societal security. We gradually discovered that the latter term is interpreted differently in different parts of the world, but we decided to retain the title as long as there was a common understanding of the committee’s scope of activities.

Addressing all hazards

ISO/TC 223 develops International Standards that aim to increase societal security, which means protection of society from and response to disruptive incidents, emergencies, and disasters caused by intentional and unintentional human acts, natural hazards and technical failures. An “ all-hazards perspective ” covers adaptive, proactive and reactive strategies before, during and after a disruptive incident. Societal security is a multi-disciplinary field involving actors from the public and private sectors, including not-for-profit organizations.

Work on ISO/TC 223 began with considerable optimism. Our plan was to build on the five major works on emergency management already in existence from Australia, Israel, Japan, the UK and the USA. Representatives of these countries agreed to elaborate a common approach based on their respective national documents. In purely technical terms this “ best of five ” approach was highly successful. By



the end of 2007, a Norwegian-led working group announced that members had agreed on a joint text. ISO/TC 223 could celebrate its first deliverable : a publicly available specification ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management. From a political perspective, however, these celebrations turned out to be premature when some of the five major players had second thoughts. As it became clear that their own national standards would not prevail, initial enthusiasm for the common product began to evaporate. The cost of modifying national solutions would be too high.

Societal security is a multi-disciplinary field.

These early developments illustrate a longstanding issue in standardization : to what extent are countries prepared to relinquish their own solutions in search for common ground ? ISO’s experience has many success stories, but this remains a challenge that slows down adoption of some standards.

The challenges

In my experience, the life of a technical committee can be divided into two phases. The first is a philosophical phase, with seemingly endless expert discussions on committee structure relative to substance, on what we want to do versus what we ought to do. Standardizing procedures is far more complex than standardizing products. Sometimes long-drawn out discussions take place on the exact wording of a business plan rather than on what is actually happening in the outside world, be it in Haiti, the Pakistani plains or the American Gulf Coast.

About ISO/TC 223, Societal security

ISO/TC 223 promotes the adaptive capacity of :
• Individuals
• Organizations
• Communities
• Society
…confronted with the risk of disruptive events (intentional, unintentional and naturally caused). This adaptive capacity is known as resilience.

ISO/TC 223 – Standardization to promote resilience :
• Risk Management
• Security Management
• Emergency Management
• Physical Asset Protection
• Crises Management
• Information & Network Security
• Disaster Management
• Critical Infrastructure Protection
• Emergency Preparedness
• Incident Response
• Recovery Management
• Continuity Management

ISO/TC 223 aspires to answer how individuals, organizations, communities and society can :
• Anticipate, prevent, prepare for, respond to and recover from disruptive events potentially resulting in an incident, emergency, crisis or disaster
• Protect assets (human, physical, intangible and environmental) from disruptive events
• Identify, assess, and leverage their capacity and capabilities to withstand disruptive events.

ISO/TC 223 provides tools to enhance capacity and demonstrate improved performance through :
• Standardization for the prevention and management of disruptive events
• Standardization to promote collaboration and coordination of incident identification, response and recovery
• Standardization for the design, deployment and evaluation of technical capabilities.

ISO/TC 223 brings together experts from developing and developed countries across the globe. Stakeholders are primarily organizations in the private and public sectors, including emergency service providers, contingency planners, small and medium-sized enterprises, critical infrastructure providers, consumer groups, governmental and regulatory bodies, NGOs, development agencies, and relief organizations.


But the philosophical phase is a necessary preliminary. In the case of ISO/TC 223, it served to identify needs and aspirations between major players and within the developing world, clearing up technical issues to reach agreement on a balance between organizational resilience and business continuity-based management systems that will best serve the interests of societal security.

The relatively slow pace of progress in ISO/TC 223 is a reflection of the complexity of the issue rather than of substantive disagreements between committee members. Building consensus is moreover a huge challenge, and that is exactly why ISO was created, to provide a platform for exchanging views and agreeing on best practice solutions. Having experienced how difficult this is in practice, my admiration for this work is even greater.

Time for action

At our 10th plenary meeting, superbly organized by the Thai Industrial Standards Institute (TISI) in Bangkok in December 2010, we achieved a breakthrough of sorts. By all indications, after four years of ground-clearing discussions, ISO/TC 223 is now about to enter the second phase, the phase of maturity and, hopefully, of practical action.

During the coming six months, each of the five working groups will put forward a number of proposals at various points within the ISO balloting timetable. These relate to :
• Terminology
• Business continuity management systems
• Video surveillance
• Emergency management (incident response, public warning and shared situation awareness)
• Requirements for organizational resilience
• Guidelines for exercises and testing.

So far, ISO/TC 223 has registered only two deliverables : a technical report ISO/TR 22312:2010, in which different existing technological capabilities relevant to security standardization efforts are explored, and ISO/PAS 22399:2007, Societal security – Guideline for incident preparedness and operational continuity management, the “ best of five ” document described above. By the end of next year, deliverables should be completed at a regular pace. Although work is progressing, the technical committee would benefit if a larger number of practitioners (as opposed to standards experts) would join the effort.

Special attention is given to the participation of developing countries. Apart from the five substantive working groups, the ISO/TC 223 has set up a developing country contact group intended to encourage long-term participation in the work of the committee while facilitating local standardization of security measures. The ISO Committee on developing country matters (ISO/DEVCO) has regularly invited individual developing country experts to participate in workshops on emergency management, timed to coincide with plenary meetings. Close coordination between the developing country contact group and the preparations of workshops is essential for the success of this programme.

My mandate as Chair of ISO/TC 223 runs out at the end of 2011. By then we will have a clear view of how ISO/TC 223 will contribute to the broad field of societal security. For me personally, the ISO journey, with its particular ground rules, traditions and highly professional players, has been an exceptionally rewarding experience.

About the author

Ambassador Krister Kumlin has held a series of positions within the Swedish Foreign Service, which he joined in 1962, including postings as ambassador to Japan, Brazil and Greece. He is currently a senior adviser at the Swedish Civil Contingencies Agency and Chair of ISO/TC 223, Societal security.


Planet ISO

First issue of WSC eNewsletter

ISO and its partners, the International Electrotechnical Commission (IEC) and the International Telecommunication Union (ITU), have launched an electronic newsletter under the banner of the World Standards Cooperation (WSC) providing concrete examples of how standards impact the bottom line, stimulate economic growth, productivity and innovation and allow businesses large and small to access broader markets.

The first issue of the WSC eNewsletter includes the following success stories :

• How Tyco Electronics achieved additional profits of USD +50 million by participating in standardization
• Why the former CEO of Mitsubishi believes that standardization and certification are now crucial for Japanese companies’ continued success
• Why the CEO of Rockwell, the world’s largest automation company, recommends that businesses participate in standardization work
• How a 50-employee SME succeeded in opening up the European market for its medical devices.

In addition, the eNewsletter features articles on :

• How to calculate the cost of benefits of standardization
• Insider tips from senior executives on standardization
• The benefits of standards in “ CEO speak ”
• New evidence that links technological change, productivity and economic growth directly to standardization in studies conducted in Australia, Canada, France, Germany and the United Kingdom.

The WSC eNewsletter will be published three times a year. A subscription form is available at http://tinyurl.com/WSCnewsletter. Additional information on the WSC and its activities can be accessed on the WSC Website : www.worldstandardscooperation.org

Surface active agents move forward

The latest developments on surface active agents were discussed at the 17th plenary meeting of the committee responsible for developing standards in the field, ISO/TC 91. The event hosted by SAC, ISO member for China, and the China Research Institute of Daily Chemical Industry took place in November 2010 in Beijing, China.

Also known as surfactants, surface active agents are found in many household products such as soaps, detergents, conditioners and shampoos. They are also used in industrial manufacturing, in areas as varied as food processing, metallurgy, pharmaceuticals and public works. Excluding soap, the worldwide estimation of surfactants exceeds five million tonnes.

Some 15 participants from key organizations in the field attended the meeting. Progress was made on the revision of ISO 4317, Surface-active agents and detergents – Determination of water content – Karl Fischer method.

Among the new project proposals were two new standards on analytical methods for addressing the determination of dioxane, and the determination of mono-chloroacetic acid and di-chloroacetic acid in surface active agents. Two other new proposals for standards on microbiology addressed the evaluation of antimicrobial soaps and microbiological test methods for liquid hand dish washing. After further review these two new proposals will be circulated to members for voting.

ISIRI, ISO member for the Islamic Republic of Iran, holds the ISO/TC 91 secretariat, which currently has 17 participants and 34 observer member countries.

The next plenary will be held on 9-10 June 2011, in Vienna, Austria, following the 8th World Surfactants Congress.

Participants at the ISO/TC 91 plenary in China.

Bronze medal for excellence in aerospace

The 2011 American Institute of Aeronautics and Astronautics (AIAA) Bronze Medal for Excellence in Aerospace Standardization was given to David Finkleman, Convenor of ISO working group WG 3, Space operations, within technical committee ISO/TC 20, Aircraft and space vehicles, subcommittee SC 14, Space systems and operations.

The recognition is conferred “ for significantly advancing international cooperation and standardization in the area of space system and ground system operations and design.” Dr. Finkleman received the award at a special ceremony held in conjunction with the 49th AIAA Aerospace Science Meeting held in Orlando, Florida, in January 2011.

Dr. Finkleman is a Principal at the Center for Space Standards and Innovation. He is a Fellow of AIAA, and of the American Astronautical Society. An article by Dr. Finkleman on the latest developments in WG 3 “ One for all, all for one – Global space collaborations blast off ” appears in the November 2010 ISO Focus+.

David Finkleman.

Nanotechnologies continue high work rate

The 11th meeting (in just over five years) of ISO technical committee ISO/TC 229, Nanotechnologies, was held in Kuala Lumpur, Malaysia at the invitation of Standards Malaysia, ISO member for the country, in December 2010. Over 150 delegates from 19 member countries, and more than a dozen organizations in liaison attended the event.

Working groups meetings on terminology and nomenclature, measurement and characterization, health, safety and the environment, and materials specifications, made excellent progress on all current projects.

Task groups addressed hot topics such as nanotechnologies and sustainability and consumer and societal dimensions of nanotechnologies. The ongoing work of the study group on metrology, the nanotechnologies liaison coordination group, and the Chairman’s advisory group, also made headway.

Prof. Halimaton Hamdan, Under Secretary, National Nanotechnology Directorate, Malaysian Ministry of Science, Technology and Innovation delivered a keynote speech.

All 17 resolutions were unanimously confirmed. It was agreed that the next plenary will take place in St. Petersburg, Russia from 16 to 20 May 2011.

ISO/TC 229, with a membership of 36 participant and eight observer members, and with 32 organizations in liaison, has so far been responsible for the development of 11 published documents, including three International Standards, five technical specifications and three technical reports. Currently some other 33 documents are under development.

Management Solutions

ISO 14001 for SMEs

Handbook/CD on environmental management

by Roger Frost

Small and medium-sized enterprises are being provided with a new tool to make it easier for them to achieve the benefits of implementing an environmental management system based on the International Standard, ISO 14001.


The tool comes in the form of a combined handbook and CD, ISO 14001 Environmental Management Systems – An easy-to-use checklist for small business – Are you ready ? It is published in English, French and Spanish editions by ISO, developer of ISO 14001 and more than 18 500 other standards, and the International Trade Centre (ITC).

ISO 14001, first published in 1996 and revised in 2004, has proved to be very successful, as it is now implemented in more than 159 countries and has provided organizations with a powerful management tool to improve their environmental performance. More than 223 149 organizations had been certified worldwide to ISO 14001 at the end of 2009, which is an increase of 18 % compared to 2008. Many companies have improved their operations and reduced the impact of their activities, processes, products and services on the environment by using a systematic approach that seeks continual improvement.

The benefits of positively addressing environmental issues not only cover the preservation of the environment, but are also linked to business performance and profitability while improving the corporate image, enhancing access to export markets, providing a common reference for communicating environmental issues with customers, regulators, the public and other stakeholders, etc.

Checklist

ISO Secretary-General, Rob Steele, and ITC Executive Director, Patricia R. Francis, write in the Foreword to the handbook : “ Experience shows that small and medium-sized enterprises can also implement an effective EMS and realize a variety of benefits. However, EMS implementation can present some challenges. This checklist aims at helping organizations to understand the requirements for environment management systems and identify the main areas for improvement. It will therefore be of value even if the ultimate aim is not third-party certification of the organization.

“ We hope that this new handbook to help achieve the benefits of ISO 14001 will be of practical use to small businesses whatever their activity and wherever they may be, but especially in developing countries and economies in transition.”

The handbook and CD are in the form of a checklist which guides the user to ask and answer a series of questions regarding the environmental activities of their organization. Answering the questions in a step-by-step manner will enable managers of an organization to determine its present environmental performance, and will help them identify areas for improvement.

The checklist is in 16 parts, each covering a particular stage in the EMS implementation process. Each part provides a brief explanation of the relevant requirement(s) of ISO 14001, as well as guidance on how to incorporate these into an EMS that meets the needs of a particular organization. The CD provides the convenience of electronic navigation and allows responses to each question to be saved and then printed in PDF format.

SMEs can also implement an effective EMS and realize benefits.

ISO 14001 Environmental Management Systems – An easy-to-use checklist for small business – Are you ready ? A5 format, ring binder, is printed in English (87 pages, ISBN 978-92-67-10531-4), French (89 pages, ISBN 978-92-67-20531-1) and Spanish (93 pages, ISBN 978-62-67-30531-8) editions. The accompanying CD is trilingual (ISBN 978-92-67-02019-8).

The product is available from ISO national member institutes (listed with contact details on the ISO Website www.iso.org). It may also be obtained directly from the ISO Central Secretariat, through the ISO Store (www.iso.org), or by contacting the Marketing, Communication and Information department ([email protected]).

Roger Frost is Head of Communication Services, ISO Central Secretariat.


Standards in Action

Cabling standards

Turning football stadiums into high-tech arenas

The Letzigrund Stadium in Zurich, Switzerland, built for UEFA EURO 2008, has an R&M local area cable TV network which transmits top quality images to the viewing lounges.

Multimedia data networks delivering terabytes of digital information inside and outside of sports stadiums are being shaped by ISO/IEC 11801 and ISO/IEC 24702 cabling standards.

With the excitement of the 2010 FIFA World Cup in South Africa still fresh in the memory, Brazil 2014 in prospect, and the recent bidding wars for the 2018 and 2022 FIFA World Cup venues making headline news, there is no other global sport to rival the passion and media frenzy generated by football.

The “ beautiful game ” is the focus of massive television, radio and newspaper coverage, serving millions of fans around the world with images, data, and a wealth of information on matches, teams and players. But how are all these images and pieces of information transmitted to the gigantic video screens in football stadiums, to public viewing sites, and simultaneously to television and the Internet ? How does a modern soccer stadium communicate ?

State-of-the-art data networks

According to Swiss cabling specialist Reichle & De-Massari AG (R&M), the answer is via state-of-the-art data networks that ensure all communication systems in a stadium are always on the ball. These networks handle extraordinary peak loads while integrating multiple functions, and they must achieve this with absolute reliability.

R&M recently installed a complex network infrastructure at the new Donbass Arena in Donetsk, Ukraine, one of the venues for the UEFA EURO 2012 European football championship to be held in Poland and the Ukraine. The company laid 60 kilometers of fibre optic cable, and more than 400 kilometers of shielded Cat. 6 copper cable with 6 000 copper and over 1 700 fiber-optic connections in the arena – one of the largest cable networks ever installed in Ukraine.

Temples of high-tech multimedia

Stadionwelt, a German sports stadium journal, has described soccer stadiums as “ temples of high-tech multimedia ”. During international contests gigantic quantities of data in the form of digital TV images flow from stadiums to broadcasters and TV companies.

Telekom Austria estimated that its fibre optic network transmitted a total of two petabytes of data during UEFA EURO 2008 – that is about five times the data quantity of all the books ever written.

Yet the larger stadiums do far more than transmit high definition (HDTV) or 3-D television images. They are sophisticated information hubs producing large amounts


of real-time data that make tough demands on communications infrastructures. One of the latest developments in the amazing technological evolution surrounding the sport is a microchip in the ball enabling its position to be determined to the nearest millimeter. The interactive ball is followed by several antennas around the stadium that communicate over a computer network, giving referees live support during matches. The same network allows touchline photographers to feed digital photos from a camera or laptop directly to the Internet or their editorial offices.

ISO/IEC cabling standards are designed to ensure uniformity, consistency and harmonization.

Berne Young Boys play FC Sion in the Stade de Suisse in Berne, a state-of-the-art stadium equipped with a multimedia cabling network installed by R&M in conformity with ISO/IEC 11801 and ISO/IEC 24702.

In addition, stadium networks can now integrate access controls, spectator monitoring, alarms, electronic ticketing and cashier systems, lighting control, and heating and ventilation. Video monitoring also plays an important role in helping detect crowd unrest quickly, or in guiding spectators and traffic. Cameras can be integrated into stadium data networks with structured cabling using IP (Internet Protocol) linked, for example, to alarm, signaling, remote control, server and backup systems, or to security staff.

Waterproof protected connectors are used for outdoor cabling in exposed environments such as football stadiums.

Further dimensions

“ These are just a few of the applications that can be integrated using the standard Ethernet Protocol and IP. Convergence is opening up even further interesting dimensions to managing stadiums, facilities, sports and special events,” says Markus Schlageter, Head of Marketing at R&M. “ Now, only a single platform is needed for wireless LAN (local area networks), phone and broadband Internet, video and audio transmission inside and outside the stadium.”

Huge stadiums such as the Allianz Arena in Munich, or the Santiago Bernabéu Stadium in Madrid already have their own integrated data centres. Coaches, players and fans of Real Madrid, for instance, can access a data archive over radio and Internet containing several terabytes of videos, images, reports and statistics for analysis and planning.

The Letzigrund Stadium in Zurich, built for UEFA EURO 2008, uses a LAN to transmit live TV images from the playing field to all lounges, via the data network. Top quality TV footage is fed into 20 LAN sub-distributors using a cable TV solution from R&M.

Cabling standards

The dizzying evolution of multi-media technology has been closely mirrored by the development of two ISO/IEC cabling standards — part of a series of international information technology standards — that are designed to ensure uniformity, consistency and harmonization of millions of cable network components. These are : ISO/IEC 11801:2002, Information technology – Generic cabling for customer premises, and ISO/IEC 24702:2006, Information technology – Generic cabling – Industrial premises.

R&M reminds customers that the prerequisite for highly integrated network operations is cabling that conforms to ISO/IEC 11801, or EN 50173. Also, because arenas are subject to specific peak loads, the company recommends ISO/IEC 24702 for planning of industrial and outdoor applications. This International Standard, which complements the requirements of ISO/IEC 11801, helps users adapt their infrastructures to tougher environmental conditions involving dust, moisture and mechanical loads.

Standards – “shaping the industry”

ISO Focus+ asked Matthias Gerber, Head of Presales Engineering at R&M, to comment on how ISO/IEC 11801 and ISO/IEC 24702 have helped R&M’s business, and the importance of these standards to the cabling network industry, particularly as R&M has been involved in their development.

“ R&M has always regarded ISO/IEC 11801 as its lead standard and is fully committed to complying with it. Since 1997, we have participated in ISO/IEC JTC 1/SC 25/WG 3, Customer premises cabling, the ISO/IEC working group that developed the new standards, and we adopted them


Standards in Action

as soon as they became technically finalized, even before official publication,” said Matthias Gerber.

“ The creation and worldwide standardization of a generic customer premises cabling system has generated enormous market potential. This has enabled the cabling industry to invest in product innovation, personal resources and production capabilities. The economy of scale allowed R&M to develop and build up fully automatic assembly lines for mass production of RJ45 connectors in Switzerland. In addition, the work to standardize and categorize cabling components and define common measurement methods has helped the end customer to compare offerings, and also promotes fair competition between vendors.”

Matthias Gerber, Head of Presales Engineering at Reichle & De-Massari AG.

According to Mr. Gerber, R&M considers the generic cabling standards as one of the most successful standardization activities ever. “ ISO/IEC 11801 and ISO/IEC 24702 have definitely created a huge push for the cabling industry. By providing guidance to the end-user and cabling vendor, the two International Standards have clarified customer demands, and shaped and focused the entire industry.”

“ The demanding performance targets defined by the standards required deeper understanding of the physics involved, and triggered incredible progress in possible data transmission speed. On the customer side, standardization has reduced the risks of stranded investments, and has helped to future-proof infrastructure investments. In this way these standards have actually helped to make money available for long-term investment in communication infrastructure.”

A requirement of doing business

Matthias Gerber reports that conformity to one of the cabling standards is a normal requirement in the cabling industry. While there are regional preferences in which standards to specify (ISO/IEC, CENELEC or TIA) depending on where in the world the project is located, he says that the ISO/IEC standards are widely recognized as the umbrella specification for the cabling industry.

“ Unified and standardized generic cabling provides a huge customer base for active component development, and promotes the evolution of new, faster transmission equipment. For years now, development of the newest IEEE Ethernet transmission applications refer to the cabling standards for channel specification,” he concluded.

* This article has been adapted for ISO Focus+ from “ Turning soccer stadiums into multimedia high-tech arenas with network technology ”, available on the R&M Website, by Geneva-based freelance journalist Garry Lambert.

About Reichle & De-Massari (R&M)

R&M of Wetzikon, Switzerland, is a leading supplier of passive cabling solutions for high quality communication networks. The company’s copper and fibre optic systems contribute to maximum network availability worldwide, providing cabling, connectors and assemblies for office and residential premises, industrial networks, data centres, fibre-to-the-home (FTTH) networks, and shipbuilding.

R&M considers cabling standards one of the most successful standardization activities.

Cabling network security is provided by this R&M patch guard which locks critical system connector plugs and cords against inadvertent removal.

360°

How to do it

Getting standardization into the classroom

by Henk J. de Vries

Despite recent improvements, in particular in Asia, standardization is a subject often overlooked in education. If the standardization community is to succeed in raising the field’s status among educators, a combination of barriers must be overcome.

One problem is that students often perceive standardization to be a dull topic, leading them to choose other courses as electives. Meanwhile, teachers may be reluctant to cover standardization because they are unfamiliar with key issues or unaware of their importance. Instructors may focus on subjects perceived as more popular with students, and they may avoid standardization because curricula are already overloaded with other topics.

A workshop organized in 2006 by International Cooperation for Education about Standardization (ICES) concluded that improving standardization education is dependent upon three main factors :

• National policies
• Resource availability
• Close cooperation between industry, standards bodies, academia and other educational and governmental organizations.

Education is needed to empower people to improve current standardization systems.

Developing and deploying a national standardization education strategy and policy is a fundamental prerequisite for a systematic approach. This strategy may broadly address a range of educational areas, or it may be limited. It may specify in detail exactly what will be done and by whom, or take a global perspective. The more broad and detailed the strategy, the more standardization education activities are in place in a country.

Continuing support

Experience in the Republic of Korea and the Netherlands shows that long-term investments of time and money are required, as well as the efforts of dedicated individuals who actively seek out and support schools in developing, implementing and maintaining standardization education. Typical elements of a successful national approach include :

• An inventory of educational needs
• Formation of a steering group in which the most important stakeholders are represented (industry, standards bodies, governmental and educational organizations)
• An action plan


360°

• One or more devoted staff members, able to make multi-year commitments (so funding is a prerequisite)
• Development of curricula and materials
• A train-the-teachers programme
• Promotional activities
• Performing education
• Evaluation.

Activities can start with one or a few teachers from a limited number of schools and then expand. A plan for teaching practitioners is also needed.

Bridging five worlds

Another challenge is to bridge five worlds, all of which are associated with standardization but know sometimes little about each other’s interests and capacities. These worlds include industry, standardization bodies, academia, other educational institutions, and government. Industry and other stakeholders need awareness of standards and standardization from employees. This insight should include the ability to recognize the need for further academic, vocational and other education in standards-related tasks. Finally, comprehensive academic education is needed to empower people to improve current standardization systems and to further develop standardization as a discipline.

Standardization bodies should be centres of standardization expertise. Part of the professionalization of international standardization could be to better educate technical officers of standardization bodies. International standardization could be upgraded by moving in the direction of granting ISO and the International Electrotechnical Commission (IEC) secretariats only to technical officers with recognized diplomas in standardization. Many standardization organizations provide education activities, primarily for business people but sometimes also as part of general education programmes.

Experience shows that long-term investments of time and money are required.

The number of universities that have included standardization in their curricula is limited, and the barriers mentioned above need to be addressed. Universities usually implement standardization education as a response to external stimuli, such as national policies. Only a handful of countries have genuine chairs in standardization or national networks of standardization researchers. Both are important : the more standardization is addressed in academic research, the more scientific researchers will be inclined to pay attention to it in their teaching activities.

Standardization education is relevant not only at the academic level ; vocational education at different levels is important, as are secondary schools. Compared with universities, these schools have less flexibility to freely choose subject areas. It may be necessary to change the end terms as a path to implementing standardization. This requires addressing not only individual teachers and schools, but also associations and other organizations involved in education at the national level.


National governments would profit from better standardization education for administrators in various positions. Civil servants may also include standardization knowledge in the criteria for accreditation of educational programs.

Toward more standardization education

This article began with a list of barriers to the expansion of standardization education. The first of these, increasing the attractiveness of the field for students, might be the most difficult, but engaging teaching methods and materials may be a partial solution. Teachers’ willingness to include the topic in their courses will grow when teachers and school administrators are convinced of the importance of standardization.

To this end, standardization education steering groups should be established at the national level with participation from industry, government, standards bodies and academia. These groups would have the side-effect of increasing awareness about the importance of standardization education for industry and government representatives, which would be a step toward addressing the third barrier.

Education steering groups would also stimulate the inclusion of standardization in formal requirements defining the topics to which students are exposed in school. This may not apply to universities, but probably does for most other learning institutions. This will require substantial lobbying, which will be made easier if some educational programmes are already in place. Where applicable, reference should be made to the policies of the Asia-Pacific Economic Cooperation (APEC) and the European Union as well as to national standardization strategies.

Initiatives for more standardization education are underway around the world.

In the Republic of Korea, improved standardization education has been promoted by a trade union – perhaps not the messenger most of us would first expect, but showing that any stakeholder can take the initiative. Next, funding is required to employ one or more devoted people to develop educational materials, organize train-the-trainer programmes and other initial tasks. This money might come from industry, from the standards bodies’ own resources, or from government.

Meanwhile, initiatives for more standardization education are underway around the world. Future research might make an inventory of initiatives and achievements and relate effects to measures taken.

A more complete paper, including references to underlying studies, may be found in : Vries, Henk J. de (2010) Implementing Standardisation Education at the National Level. Jean-Christophe Graz & Kai Jakobs (Eds) EURAS Proceedings 2010 – Services Standardisation Conference. Aachen : Wissenschaftsverlag Mainz, pp. 127-135. Versions of that paper in French and German will be published in Enjeux and DIN-Mitteilungen, respectively.

About the author

Dr. Henk J. de Vries is associate Professor of Standardization at the Rotterdam School of Management (RSM), Erasmus University, in Rotterdam, the Netherlands. His education and research focus on standardization from a business point of view, see www.rsm.nl/hdevries. RSM was winner of the ISO Award on Higher Education in Standardization 2009. Dr. Henk J. De Vries is Vice-President of the European Academy for Standardisation (EURAS), Vice-Chair of the International Cooperation for Education about Standardization (ICES), and Special Adviser to the International Federation of Standards Users (IFAN). His teaching activities include an executive course “International Standardisation – Achieving Business Goals”, see www.rsm.nl/is.


New Releases

Best-selling ISO standards

Now available in e-book formats

by Roger Frost

A selection of ISO’s best-selling standards, such as ISO 9001 (quality management), ISO 31000 (risk management) and ISO/IEC 27001 (information security management), are now available in formats compatible with the most popular e-book readers.

In addition to paper and PDF, purchasers can now choose from the following formats :

• Standard ePub format, compatible with most e-book readers such as the Sony Reader, Barnes and Noble’s Nook, etc.
• ePub format optimized for Apple’s iPad and iPhone, which allows the full use of the functionalities of these devices
• Mobipocket format, compatible with Amazon’s Kindle.

The selection of e-book compatible standards is available in both English and French for the same price as the standards in PDF format.

ISO Secretary-General Rob Steele comments : “ The range of challenges for which ISO standards offer solutions continues to broaden in order to meet the expectations of the international community. In pace with this evolving content, it’s normal that the form in which users can obtain ISO standards also evolves.”

Standards in e-book formats

• ISO 9001:2008, Quality management systems – Requirements
• ISO 9001:2008/Cor 1:2009, Quality management systems – Requirements
• ISO 31000:2009, Risk management – Principles and guidelines
• ISO 14001:2004, Environmental management systems – Requirements with guidance for use
• ISO 14001:2004/Cor 1:2009, Environmental management systems – Requirements with guidance for use
• ISO/TS 16949:2009, Quality management systems – Particular requirements for the application of ISO 9001:2008 for automotive production and relevant service part organizations
• ISO/IEC 17025:2005, General requirements for the competence of testing and calibration laboratories
• ISO/IEC 17025:2005/Cor 1:2006, General requirements for the competence of testing and calibration laboratories
• ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements
• ISO/IEC 27002:2005, Information technology – Security techniques – Code of practice for information security management
• ISO 9000:2005, Quality management systems – Fundamentals and vocabulary
• ISO 9004:2009, Managing for the sustained success of an organization – A quality management approach
• ISO 13485:2003, Medical devices – Quality management systems – Requirements for regulatory purposes
• ISO 13485:2003/Cor 1:2009, Medical devices – Quality management systems – Requirements for regulatory purposes
• ISO/IEC 27005:2008, Information technology – Security techniques – Information security risk management
• ISO/IEC 31010:2009, Risk management – Risk assessment techniques
• ISO Guide 73:2009, Risk management – Vocabulary
• ISO 14971:2007, Medical devices – Application of risk management to medical devices
• ISO 19011:2002, Guidelines for quality and/or environmental management systems auditing
• ISO/IEC 27004:2009, Information technology – Security techniques – Information security management – Measurement
• ISO 22000:2005, Food safety management systems – Requirements for any organization in the food chain
• ISO/IEC 20000-1:2005, Information technology – Service management – Part 1 : Specification
• ISO/IEC 38500:2008, Corporate governance of information technology
• ISO 10993-5:2009, Biological evaluation of medical devices – Part 5 : Tests for in vitro cytotoxicity.

Roger Frost is Head of Communication Services, ISO Central Secretariat.

Coming Up

Guest interview – UNOG Director-General

The March issue of ISO Focus+ features an exclusive interview with Sergei A. Ordzhonikidze, Director-General of the United Nations Office at Geneva (UNOG), the representative office of the UN Secretary-General in Switzerland. In his interview Mr. Ordzhonikidze talks about the UN’s long-standing cooperation with ISO, which has led to the development of a number of standards that help meet the UN’s wider goals. He says, “ The value of collaboration between ISO and the UN is underwritten within the mandates of both organizations. Many of the values include knowledge sharing, coordination of activities, joint research and publication efforts, and ensuring effectiveness and efficiency as we respond to the urgent needs of the most vulnerable. Concrete actions are expected and together we can make it a reality.

“ Today’s challenges are global in scope. We must combine the universal authority of the United Nations, the global reach of international business and the mobilizing power of civil society to confront these challenges together.” Learn more in our next issue.

Social responsibility

2010 saw the launch of one of the most eagerly awaited International Standards of recent years, ISO 26000, which provides guidance to both business and public sector organizations on social responsibility (SR).

It was the largest and most representative standard development process within ISO, requiring the concerted effort of over 450 participating experts and 200 observers from 99 ISO member countries and 42 organizations in liaison, during five years of intense consensus-building work.

ISO 26000 responded to a growing world need for clear and harmonized best practice on how to ensure social equity, healthy ecosystems and good organizational governance, with the ultimate objective of contributing to sustainable development. This pressure came from customers, consumers, governments, associations and the public at large. At the same time, far-sighted organizational leaders recognized that lasting success must be built on credible business practices and the prevention of such activities as fraudulent accounting and labour exploitation.

The March ISO Focus+ provides an in-depth view of ISO 26000. In addition to case studies of early adopters, the issue highlights bridging documents from key organizations in the field and promotional efforts from ISO members.

Before ISO 26000 was published, there were a myriad of individual programmes and initiatives operating simultaneously, with diverging understandings of what SR even meant. By bringing all stakeholders to the decision-making table, ISO 26000 achieved, for the first time, global consensus in this field.

ISO Secretary-General Rob Steele has said : “ What makes ISO 26000 exceptional among the many already existing social responsibility initiatives is that it distils a truly international consensus on what social responsibility means and what core subjects need to be addressed to implement it.”

But the influence of ISO 26000 does not stop at organizations. In the next issue, readers will learn how it is inspiring a new generation of sustainability standards.

Also, readers will find out who won the social media (Facebook, Twitter) contest, which challenged the general public to write an article on social responsibility and ISO 26000.

ISO Update

The ISO Update, a monthly supplement to ISO Focus+, is available electronically (PDF) in both English (www.iso.org/isoupdate) and French (www.iso.org/fr/isoupdate).

The ISO Update informs about the latest developments in the ISO world, including ISO member bodies’ CEO and address changes, draft standards under circulation, as well as newly published, confirmed or withdrawn standards. It also includes a list of upcoming technical committee plenary meetings.
