IEC GUIDE 120-2018: Security aspects – Guidelines for their inclusion in publications.
5.6 Developing security publications
5.6.1 Base security publications
Many base security publications were originally developed by government, consortia or specialist commercial organizations. Most of these have been subsequently formalised into international or other generally accepted technological standards. IEC committees should reference the public form of these standards if one exists. The rules for referencing non ISO and IEC standards from within ISO and IEC publications are specified in 10.2 of ISO/IEC Directives Part 2:2018.
Within IEC, base security publications defining security controls are prepared by ISO/IEC JTC 1/SC 27, IT security techniques. Other IEC committees should not attempt to develop such generic security controls as they are unlikely to have the necessary level of generic security expertise and information. If an IEC committee identifies a need for a new publication of this type, it should supply the relevant use case to JTC 1/SC 27 and request it to prepare an appropriate publication.
It is left open to IEC committees to define security publications for their own domain to address:
• relevant terminology,
• common threats and attacks,
• security design philosophy or such related issues, and
• common technical requirements (such as interoperability).
5.6.2 Group security publications
Group security publications will normally be domain-specific publications.
Group security publications will normally be developed within one IEC committee, but may have application in areas beyond the scope of that committee. Normally, the domain committee will retain responsibility for publications development and maintenance, but should take account of other known use cases and requirements of wider use. Group security publications should build upon basic security services as defined in appropriate base security publications, but may be parameterised or configured to reflect the intended field of application. This includes identifying specific threats, types of attack and consequences that apply to the intended field of application.
IEC committees should not attempt to restrict the applicability of group security publications without good reason. This will enable developers of compliant products and systems to offer them for use elsewhere. However, group security publications should clearly identify any assumptions or limitations concerning their applicability in order to minimise the potential for misuse. Where necessary, IEC committees developing group security publications should consult or work collaboratively with the originators of the base security publications that they reference.
5.6.3 Product security publications
Product security publications should normally be produced by the IEC committee that deals with the aspects of that type of product or series of products. Product security publications will often only deal with the product’s interaction with its environment, referencing generic base or group publications to define internal behaviour.
5.6.4 Guidance security publications and test security publications
These publications should be produced by the IEC committee responsible for the base, group or product publication to which these publications refer. Assistance should be sought from specialist committees dealing with conformity assessment if applicable. Committees should consider whether it is more effective to deal with guidance and test aspects of a publication through body text or annexes to the main specification, rather than by separate publications or parts of publications. There are benefits and drawbacks in both approaches. Committees referencing guidance publications or annexes should take care not to create normative references to guidance information. In normative publications, references to guidance information should appear in the bibliography.