Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit (ISO/IEC 18045:2022)

Dieses Dokument legt die Aktionen fest, die ein Evaluator mindestens durchführen muss, um eine Evaluierung nach der Normenreihe ISO/IEC 15408 unter Verwendung der in der Normenreihe ISO/IEC 15408 definierten Kriterien und Evaluationsnachweise durchzuführen.

Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour l'évaluation de sécurité (ISO/IEC 18045:2022)

Le présent document définit les actions minimales à réaliser par un évaluateur pour mener une évaluation selon la série de normes ISO/IEC 15408 en utilisant les critères et les preuves d'évaluation définis dans la série de normes ISO/IEC 15408.

Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC 18045:2022)

Ta dokument spremlja dokument »Merila za ocenjevanje varnosti IT«, standard ISO/IEC 15408 (vsi deli). Ta dokument določa minimalne ukrepe, ki jih mora izvesti ocenjevalec, da izvede oceno iz skupine standardov ISO/IEC 15408 z uporabo meril in dokazov za ocenjevanje, opredeljenih v skupini standardov ISO/IEC 15408.

General Information

Status
Published
Publication Date
31-Oct-2023
ICS
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
01-Nov-2023
Due Date
23-Jun-2025
Completion Date
01-Nov-2023
Ref Project
SIST EN ISO/IEC 18045:2024 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)

Relations

Replaces
EN ISO/IEC 18045:2020 - Information technology - Security techniques - Methodology for IT security evaluation (ISO/IEC 18045:2008)
Effective Date
18-Jan-2023
Revised
FprEN ISO/IEC 18045 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Requirements and methodology for IT security evaluation (ISO/IEC FDIS 18045:2025)
Effective Date
17-Apr-2024

Overview

EN ISO/IEC 18045:2023 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022) - defines the minimum actions an evaluator must perform to conduct an evaluation against the ISO/IEC 15408 series (Common Criteria). Adopted as EN ISO/IEC 18045:2023 and published by the Slovene standards body (SIST), this methodology standard provides structured guidance for planning, executing and reporting IT security evaluations and for managing evaluation evidence and outputs.

Key topics and technical requirements

  • Evaluation process and tasks: Guidance on evaluation inputs, sub-activities and outputs, including objectives and application notes for each task area.
  • Roles and responsibilities: Definitions of evaluator roles, relationships between roles, and required activities to reach reliable verdicts.
  • Evaluator verdicts and reporting: Rules for forming verdicts and producing evaluation artifacts such as the Evaluation Technical Report (ETR).
  • Protection Profile (PP) and PP‑module evaluation: Methodology for assessing Protection Profiles, re‑use of certified PP results, PP introductions, conformance claims, security problem definitions, objectives, extended components and security requirements.
  • Management of evaluation evidence: Minimum actions for collecting, organizing and validating evidence required by the ISO/IEC 15408 criteria.
  • Conformance and consistency checks: Procedures for verifying consistency of claims, requirements and mappings between problem definition, objectives and security requirements.

Keywords: ISO/IEC 18045, IT security evaluation methodology, ISO/IEC 15408, Protection Profile evaluation, Evaluation Technical Report, evaluator roles, cybersecurity standard.

Practical applications - who uses this standard

  • Independent evaluators and laboratories - to follow a consistent, auditable methodology when performing Common Criteria evaluations.
  • Certification bodies - to assess evaluator outputs and ensure evaluations meet the minimum methodology requirements.
  • Product vendors and PP authors - to prepare deliverables (security targets, protection profiles, evidence) that align with evaluator expectations.
  • Procurement and compliance teams - to interpret evaluation results and incorporate certified claims into procurement and risk decisions.
  • Security consultants and auditors - to understand the evaluation lifecycle, required evidence, and how evaluator verdicts are derived.

Related standards

  • ISO/IEC 15408 series (Common Criteria) - evaluation criteria and evidence referenced by ISO/IEC 18045.
  • EN ISO/IEC 18045:2023 - European adoption of the ISO/IEC 18045:2022 text.
  • Other relevant frameworks: ISO/IEC 27001 (information security management) - complementary for organizational controls and governance.

This standard is essential for anyone involved in formal IT security evaluation, certification, or producing evaluable security documentation, ensuring consistent, repeatable and defensible evaluation outcomes.

EN ISO/IEC 18045:2024 - BARVE - Page 3 previewEN ISO/IEC 18045:2024 - BARVE - Page 1 previewEN ISO/IEC 18045:2024 - BARVE - Page 2 previewEN ISO/IEC 18045:2024 - BARVE - Page 4 preview
PreviousNext
Standard

EN ISO/IEC 18045:2024 - BARVE

English language
439 pages
Preview
Preview
e-Library read for
1 day
EN ISO/IEC 18045:2024 - BARVE - Page 3 previewEN ISO/IEC 18045:2024 - BARVE - Page 1 previewEN ISO/IEC 18045:2024 - BARVE - Page 2 previewEN ISO/IEC 18045:2024 - BARVE - Page 4 preview
PreviousNext
Standard

EN ISO/IEC 18045:2024 - BARVE

English language
439 pages
Preview
Preview
e-Library read for
1 day

Frequently Asked Questions

EN ISO/IEC 18045:2023 is a standard published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)". This standard covers: This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

EN ISO/IEC 18045:2023 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

EN ISO/IEC 18045:2023 has the following relationships with other standards: It is inter standard links to EN ISO/IEC 18045:2020, FprEN ISO/IEC 18045. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase EN ISO/IEC 18045:2023 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 18045

NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...


SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 18045

NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

EN ISO/IEC 18045:2023は、情報セキュリティ、サイバーセキュリティおよびプライバシー保護に関連する評価基準を設定する重要な文書です。この標準は、ITセキュリティ評価のための方法論を明確に定義しており、ISO/IEC 15408シリーズの評価を実施するために必要な最低限のアクションを提示します。 この標準の強みは、構造的なアプローチと明確な評価基準を提供することです。これによって、評価者は一貫性があり信頼性の高い方法でITシステムのセキュリティを評価できるようになります。特に、ISO/IEC 15408シリーズで定義された基準および評価証拠を用いることで、評価プロセスの透明性と手順が確保されます。また、情報セキュリティに関わる利害関係者にとって、共通の理解と基準に基づく評価の実施が可能となり、相互運用性の向上にも寄与します。 さらに、EN ISO/IEC 18045:2023は、急速に進化するサイバーセキュリティのニーズに対応するために、最新の情報セキュリティのトレンドおよびベストプラクティスを反映しています。これにより、企業や組織は、適切なセキュリティ対策を講じるための具体的なガイダンスを得ることができます。 総じて、EN ISO/IEC 18045:2023は、ITセキュリティ評価の質を向上させるために不可欠な基準であり、情報セキュリティの分野において非常に重要な位置を占めています。情報セキュリティ、サイバーセキュリティ、プライバシー保護の確立に向けた評価を促進するこの標準は、今後も多くの組織に有用なリソースとなるでしょう。

EN ISO/IEC 18045:2023 표준은 정보 보안, 사이버 보안 및 개인 정보 보호의 평가 기준을 정립하고 있으며, IT 보안 평가를 위한 방법론을 제시합니다. 이 표준은 ISO/IEC 15408 시리즈 평가를 수행하기 위해 평가자가 수행해야 하는 최소한의 행동을 명확히 정의하고 있습니다. 이 표준의 주요 강점은 평가 프로세스의 체계적인 접근 방식을 제공함으로써, 정보 보안 및 사이버 보안 평가의 신뢰성을 높이는 점입니다. 구체적으로, ISO/IEC 15408 시리즈에서 정의한 기준과 평가 증거를 활용하여 평가자가 평가를 효과적으로 수행할 수 있도록 돕습니다. 이러한 점은 IT 보안 평가에 있어 일관성을 보장하고, 각 평가 단계에서 필요한 정보와 절차를 명확히 하여 최종 결과물의 품질을 높이는 데 크게 기여합니다. 또한, EN ISO/IEC 18045:2023은 현재 증가하는 사이버 위협 및 정보 보안 위험을 반영하여, 기업과 조직이 강력한 보안 조치를 수립하고 그에 대한 평가를 체계적으로 수행할 수 있도록 관련성 있는 지침을 제공합니다. 이는 사용자가 자신의 IT 시스템에 대해 신뢰할 수 있는 평가를 받을 수 있도록 해주며, 이를 통해 정보 보호에 대한 투자 가치를 극대화하는 데 중요한 역할을 합니다. 결론적으로, EN ISO/IEC 18045:2023 표준은 IT 보안 평가의 방법론을 표준화함으로써, 정보 보안 및 사이버 보안을 강화하고 평가의 신뢰성을 높이는 데 필수적인 도구로 자리매김하고 있습니다. 이 표준의 적용은 모든 관련 조직이 사이버 보안의 발전에 적극적으로 기여할 수 있도록 지원합니다.

Die Norm EN ISO/IEC 18045:2023 stellt eine wesentliche Grundlage für die Evaluierung der IT-Sicherheit dar, indem sie spezifische Kriterien und Methodologien definiert. Ihr Anwendungsbereich fokussiert sich auf die Durchführung von Bewertungen gemäß der ISO/IEC 15408-Serie. Dies ist besonders relevant für Organisationen, die sicherstellen möchten, dass ihre IT-Sicherheitsmaßnahmen den internationalen Standards entsprechen. Ein besonders starkes Merkmal dieser Norm ist die klare Definition der Mindestmaßnahmen, die ein Evaluator ergreifen muss, um eine Bewertung durchzuführen. Diese Strukturierung ermöglicht es Fachleuten, sowohl die Anforderungen der Norm als auch die notwendigen Beweisführungen effizient zu verstehen und umzusetzen. Durch diese Standardisierung wird die Konsistenz der Evaluierung verbessert, was nicht nur das Vertrauen in IT-Sicherheitslösungen stärkt, sondern auch die Transparenz im Bewertungsprozess erhöht. Darüber hinaus hebt sich die Norm durch ihre Anpassungsfähigkeit an verschiedene Technologien und Bedrohungsszenarien hervor. Sie berücksichtigt die dynamischen Entwicklungen im Bereich der Informationssicherheit, Cybersicherheit und des Datenschutzes, was sie zu einem zeitgemäßen und relevanten Dokument macht. Die Methodologie, die hier vorgestellt wird, fördert ein strukturiertes Vorgehen, welches für die Identifizierung und Bewertung von Risiken unerlässlich ist. Insgesamt bietet die EN ISO/IEC 18045:2023 Unternehmen und Evaluatoren eine fundierte, evidenzbasierte Herangehensweise, die ihre Relevanz im Kontext steigender Cyberbedrohungen und der integral notwendigen Datenschutzmaßnahmen unterstreicht. Mit dieser Norm wird ein wertvoller Beitrag zur Stärkung der IT-Sicherheitsstandards geleistet, was letztlich zu einer erhöhten Sicherheit von Informationen und Systemen führt.

La norme EN ISO/IEC 18045:2023 joue un rôle crucial dans le domaine de la sécurité de l'information, de la cybersécurité et de la protection de la vie privée. Son objectif principal est de définir les actions minimales qu'un évaluateur doit effectuer pour mener à bien une évaluation selon la série ISO/IEC 15408. Cela témoigne de l'importance de cette norme dans l'établissement de critères d'évaluation pour la sécurité informatique. Parmi les points forts de la norme, on trouve sa méthodologie solide pour l'évaluation de la sécurité informatique. En offrant un cadre structuré, elle permet aux évaluateurs de s'appuyer sur des critères clairs et des preuves d'évaluation définies par la série ISO/IEC 15408. Cette démarche assure non seulement la cohérence des évaluations, mais aussi leur fiabilité et leur pertinence face aux exigences contemporaines de cybersécurité. La norme démontre également son actualité et sa pertinence dans un environnement numérique en constante évolution. La nécessité d'une évaluation rigoureuse de la sécurité des systèmes d'information n'a jamais été aussi pressante, surtout considérant l'augmentation des menaces cybersécuritaires. EN ISO/IEC 18045:2023 répond donc à un besoin croissant d'établir des standards et des évaluations de sécurité robustes. En résumé, cette norme est essentielle pour les professionnels de la sécurité informatique désireux de mener des évaluations précises et efficaces. Elle pose des bases solides pour une évaluation systématique et rigoureuse, tout en renforçant la confiance dans les systèmes d'information évalués. La norme SIST EN ISO/IEC 18045:2024, de ce fait, se positionne comme une pièce maîtresse dans l'architecture de la sécurité informatique moderne.

The EN ISO/IEC 18045:2023 standard is a critical document that provides a comprehensive framework for evaluating IT security systems in accordance with the criteria outlined in the ISO/IEC 15408 series. This standard delineates the minimum actions that evaluators must undertake to ensure a thorough assessment of information security, cybersecurity, and privacy protection. One of the significant strengths of this standard is its emphasis on a structured methodology for IT security evaluation. By defining clear evaluation criteria, EN ISO/IEC 18045:2023 enhances the consistency and reliability of security assessments across different systems and environments. This is vital in promoting trust and confidence in IT security solutions, especially as cyber threats continue to evolve. Furthermore, the standard's relevance in today's digital landscape cannot be overstated. With the escalating importance of cybersecurity, the guidelines set forth in this document help organizations establish robust security measures. The standard addresses the pressing need for a systematic approach to evaluating security products and systems, ensuring that organizations can demonstrate compliance with international security norms. Additionally, the standard's alignment with the ISO/IEC 15408 series provides a solid foundation for evaluators to work within a recognized framework. This synergy not only simplifies the evaluation process but also facilitates cross-recognition of security assessment results internationally, which is vital for organizations operating in a global marketplace. Overall, EN ISO/IEC 18045:2023 stands as an essential reference for IT security evaluations, combining clarity and depth to support evaluators in their critical role of securing information systems against increasingly sophisticated threats.

La norme SIST EN ISO/IEC 18045:2024 se révèle être un document fondamental pour la sécurité de l'information, la cybersécurité et la protection de la vie privée. Elle établit une méthodologie claire et structurée pour l'évaluation de la sécurité IT, en s'appuyant sur les critères et les éléments de preuve définis dans la série ISO/IEC 15408. Le champ d'application de cette norme est essentiel, car elle définit les actions minimales que doit réaliser un évaluateur pour mener à bien une évaluation conforme à la norme ISO/IEC 15408. Cette exigence garantit une approche standardisée qui augmente la fiabilité et la transparence des évaluations de sécurité des systèmes informatiques. Parmi les points forts de la norme, on note sa capacité à intégrer des critères d'évaluation précis, ce qui permet d'identifier et de mesurer efficacement les niveaux de sécurité des produits et systèmes informatiques. En outre, la norme offre une méthodologie pragmatique qui peut être appliquée dans divers contextes technologiques, rendant ainsi son utilisation pertinente pour les entreprises soucieuses de protéger leurs données et d'assurer leur conformité réglementaire. La pertinence de cette norme est amplifiée par l'importance croissante des enjeux de cybersécurité. À mesure que les menaces évoluent, une méthodologie d'évaluation robuste est indispensable pour garantir que les produits technologiques respectent les exigences de sécurité. Ainsi, la norme SIST EN ISO/IEC 18045:2024 se positionne comme un pilier pour les organisations qui cherchent à établir des processus d'évaluation fiables et efficaces, assurant la protection de la vie privée et la sécurité de l'information. En somme, la norme SIST EN ISO/IEC 18045:2024 encadre de manière efficace les pratiques d'évaluation en matière de sécurité informatique, renforçant ainsi la résilience des systèmes face aux défis contemporains de la cybersécurité.

Die Norm EN ISO/IEC 18045:2023 ist von grundlegender Bedeutung für die Bewertung von IT-Sicherheitssystemen. Sie definiert die minimalen Maßnahmen, die ein Bewerter durchführen muss, um eine Bewertung gemäß der ISO/IEC 15408-Serie vorzunehmen. Die klare Struktur und die detaillierten Vorgaben in dieser Norm stellen sicher, dass Evaluierungen konsistent und nachvollziehbar sind. Ein hervorstechendes Merkmal dieser Norm ist ihre umfassende Methodologie, die es ermöglicht, verschiedene Sicherheitsmechanismen systematisch zu bewerten. Die Strenge, mit der die Kriterien formuliert sind, trägt dazu bei, die Qualität und Zuverlässigkeit der Bewertungen zu erhöhen, was essentielles Vertrauen in die IT-Sicherheit und den Datenschutz schafft. Zusätzlich fördert die Norm die Kommunikation zwischen Evaluatoren und Stakeholdern, indem sie eine gemeinsame Sprache und einen einheitlichen Ansatz für die Bewertung von IT-Sicherheitsprodukten bereitstellt. Dies ist besonders wichtig in einer Zeit, in der Cybersecurity-Bedrohungen zunehmend komplexer werden und effektive Sicherheitslösungen erforderlich sind. In der heutigen digitalen Landschaft ist die Relevanz dieser Norm offensichtlich. Sie bietet einen klaren Rahmen für Organisationen, die ihre Systeme auf Sicherheit und Datenschutz evaluieren möchten. Schließlich fördert die EN ISO/IEC 18045:2023 nicht nur die Einhaltung internationaler Standards, sondern unterstützt auch Unternehmen dabei, ihre Sicherheitsstrategien zu optimieren und sich gegen potenzielle Bedrohungen zu wappnen.

EN ISO/IEC 18045:2023は、情報セキュリティ、サイバーセキュリティ、およびプライバシー保護に関連する重要な標準であり、ITセキュリティ評価のための方法論を定義しています。この標準の主な目的は、ISO/IEC 15408シリーズ評価を実施する際に、評価者が行うべき最小限のアクションを明確にすることです。 この標準の強みは、ISO/IEC 15408シリーズに基づいた評価基準や評価証拠を明確に定義している点にあります。具体的には、情報システムとそのセキュリティ特性に対するリスク評価を体系的に遂行するための指針が提供されており、評価者はこの方法論を通じて、正確かつ一貫性のある評価を行うことができます。これにより、セキュリティ製品やシステムの信頼性を高め、ユーザーや企業のリスクを軽減する助けとなります。 また、この標準は、現代の情報セキュリティ環境において、サイバー攻撃の手法が進化し続ける中で、評価者に対して必要な適応力を促します。ITセキュリティ評価における透明性と信頼性を確保するため、この文書に従うことで、エンドユーザーはより高い安心感を持って技術を利用できるようになります。 EN ISO/IEC 18045:2023の関連性は、情報技術の急速な進化に起因しており、サイバーセキュリティの重要性が増加している現在、特に際立っています。企業や組織がこの標準を遵守することで、より高いセキュリティ基準を達成し、効果的なプライバシー保護を実現することが期待されます。

The EN ISO/IEC 18045:2023 standard provides a robust framework for evaluating IT security, specifically focusing on the methodologies applied in accordance with the ISO/IEC 15408 series. The standard encompasses a comprehensive scope that lays out the minimum actions required by an evaluator to conduct a thorough assessment of IT systems. One of the significant strengths of this standard is its alignment with internationally recognized criteria and evaluation evidence defined in the ISO/IEC 15408 series. This ensures that evaluators can utilize a consistent methodology that meets globally accepted benchmarks for information security, cybersecurity, and privacy protection. By establishing such a baseline, the standard enhances the credibility and reliability of evaluations, encouraging a higher level of trust in the outcomes. Additionally, the incorporation of detailed guidelines means that evaluators are equipped with clear instructions that enhance the efficiency and accuracy of the evaluation process. The structured approach outlined in the EN ISO/IEC 18045:2023 facilitates a thorough examination of IT security measures in a way that can adapt to various organizational needs and compliance requirements. The relevance of this standard is underscored in the current climate of rising cyber threats and the growing emphasis on data protection. By providing evaluators with a methodical approach to assess security measures, the EN ISO/IEC 18045:2023 standard plays a critical role in strengthening the overall cybersecurity posture of organizations. This systematic evaluation methodology not only aids in identifying vulnerabilities but also promotes continuous improvement in IT security practices. Overall, EN ISO/IEC 18045:2023 is an essential resource for organizations striving to enhance their cybersecurity and privacy protection frameworks through standardized evaluation methods. Its emphasis on adherence to established international criteria significantly contributes to its value as a leading standard in the field of IT security evaluation.

SIST EN ISO/IEC 18045:2024 문서는 정보 보안, 사이버 보안 및 개인 정보 보호의 평가 기준과 IT 보안 평가 방법론을 상세히 설명하고 있습니다. 본 표준은 ISO/IEC 15408 시리즈 평가를 수행하기 위한 최소한의 조치를 정의하며, 이는 평가자가 ISO/IEC 15408 시리즈에 명시된 기준 및 평가 증거를 활용하여 안전한 IT 환경을 보장하는 데 필수적인 역할을 합니다. 이 표준의 주요 강점 중 하나는 IT 보안 평가의 체계적 접근을 제공한다는 점입니다. ISO/IEC 15408 시리즈에 준거하여, 평가자는 특정 보안 요구사항을 충족하는지를 명확히 파악할 수 있으며, 이는 특히 정보 보안 및 사이버 보안의 중요성이 증가하는 시대에 더욱 중요합니다. 평가자는 이 문서에서 제시된 지침을 통해 보다 신뢰할 수 있는 평가 결과를 도출할 수 있으며, 이는 조직의 안전성을 증대시키는 데 기여합니다. 또한, SIST EN ISO/IEC 18045:2024는 최신 정보 보안 위협을 반영하여 주기적으로 업데이트 되며, 첨단 기술 변화에 적응할 수 있는 유연성을 제공합니다. 따라서 이 표준은 정보 보안 및 사이버 보안 분야의 최신 동향을 반영하며, 사용자와 평가자 모두에게 실질적인 가이드를 제공합니다. 결론적으로, SIST EN ISO/IEC 18045:2024는 정보 및 사이버 보안의 평가를 위한 필수적인 도구로, 평가자의 역량 강화를 통해 조직의 보안성을 보다 체계적이고 효과적으로 높일 수 있는 강력한 기준을 제시하고 있습니다.