Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)

This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

General Information

Status: Published
Publication Date: 05-Dec-2023
Current Stage: 6060 - Definitive text made available (DAV) - Publishing
Start Date: 06-Dec-2023
Due Date: 23-Jun-2025
Completion Date: 06-Dec-2023

Relations

Effective Date: 19-Jan-2023
Effective Date: 22-May-2024

Overview

EN ISO/IEC 15408-2:2023 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022) defines the required structure and content for security functional components used in IT security evaluations. Adopted as EN ISO/IEC 15408-2:2023 and published by SIST (01 May 2024), this part of the ISO/IEC 15408 series (Common Criteria) provides a standardized catalogue of functional components that address common security functionality across many IT products.

Key Topics and Technical Requirements

  • Functional requirements paradigm: establishes how functional components are structured and expressed for use in evaluation artefacts.
  • Class / Family / Component structure: specifies a hierarchical model - classes group related families, families group components, and components define specific functional requirements.
  • Component catalogue: a reusable set of security functional components intended to satisfy typical security needs in products and systems.
  • Security audit (Class FAU): example coverage in the document includes families and components such as:
    • FAU_ARP (security audit automatic response)
    • FAU_GEN (security audit data generation)
    • FAU_SAA (security audit analysis)
    • FAU_SAR (security audit review)
    • FAU_SEL (security audit event selection)
    • FAU_STG (security audit data storage)
    These illustrate the levelled component descriptions and the management and audit considerations included in the standard.
  • Normative references, terms & definitions: ensures consistent semantics for evaluations and interoperability of evaluation results.

Practical Applications

  • Creating or updating Protection Profiles and Security Targets for product certification under the Common Criteria framework.
  • Mapping product features to standardized security functional components to support third-party evaluation and certification.
  • Guiding product architects and security engineers in specifying measurable, testable security functions (audit, authentication, access control, etc.).
  • Supporting procurement and compliance teams in defining required security functions for vendor selection and assurance.

Who Should Use This Standard

  • Security product vendors and developers preparing certification artefacts.
  • Evaluation laboratories and certification bodies conducting Common Criteria assessments.
  • Security architects, systems integrators, and procurement officers specifying or verifying security requirements.
  • Regulatory or compliance teams aligning product capabilities with recognized evaluation criteria.

Related Standards

  • ISO/IEC 15408 series (Common Criteria) - Part 1 (general) and Part 3 (assurance) - for the full evaluation framework and assurance requirements.

Keywords: ISO/IEC 15408-2, security functional components, Common Criteria, security evaluation, IT security, cybersecurity, privacy protection, security audit, protection profile, security target.

Standard: EN ISO/IEC 15408-2:2024 (English language, 293 pages)

Frequently Asked Questions

EN ISO/IEC 15408-2:2023 is a standard published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)". Its scope: this document defines the required structure and content of security functional components for the purpose of security evaluation, and it includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

EN ISO/IEC 15408-2:2023 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

EN ISO/IEC 15408-2:2023 has the following relationships with other standards: it has inter-standard links to EN ISO/IEC 15408-2:2020 and prEN ISO/IEC 15408-2. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase EN ISO/IEC 15408-2:2023 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.

Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2024
Supersedes:
SIST EN ISO/IEC 15408-2:2020
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
This Slovenian standard is identical to: EN ISO/IEC 15408-2:2023
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

EUROPEAN STANDARD EN ISO/IEC 15408-2
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-2:2020
English version
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
This European Standard was approved by CEN on 20 November 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 15408-2:2023 E
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 15408-2:2022 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology" of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-2:2023 by Technical Committee CEN-CENELEC/JTC 13 "Cybersecurity
and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-2:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-2:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-2:2023
without any modification.
INTERNATIONAL STANDARD ISO/IEC 15408-2
Fourth edition
2022-08
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
Reference number
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Overview . 4
5.1 General . 4
5.2 Organization of this document . 4
6 Functional requirements paradigm . 5
7 Security functional components .9
7.1 Overview . 9
7.1.1 General . 9
7.1.2 Class structure . 9
7.1.3 Family structure . 10
7.1.4 Component structure . 11
7.2 Component catalogue .13
8 Class FAU: Security audit .14
8.1 Class description . 14
8.2 Security audit automatic response (FAU_ARP) . 15
8.2.1 Family behaviour .15
8.2.2 Components leveling and description . 15
8.2.3 Management of FAU_ARP.1 . 15
8.2.4 Audit of FAU_ARP.1 . 15
8.2.5 FAU_ARP.1 Security alarms . 15
8.3 Security audit data generation (FAU_GEN) . 15
8.3.1 Family behaviour . 15
8.3.2 Components leveling and description . 15
8.3.3 Management of FAU_GEN.1, FAU_GEN.2 . 16
8.3.4 Audit of FAU_GEN.1, FAU_GEN.2 . 16
8.3.5 FAU_GEN.1 Audit data generation . 16
8.3.6 FAU_GEN.2 User identity association . 16
8.4 Security audit analysis (FAU_SAA) . 17
8.4.1 Family behaviour . 17
8.4.2 Components leveling and description . 17
8.4.3 Management of FAU_SAA.1 . 17
8.4.4 Management of FAU_SAA.2 . 18
8.4.5 Management of FAU_SAA.3 . 18
8.4.6 Management of FAU_SAA.4 . 18
8.4.7 Audit of FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4 . 18
8.4.8 FAU_SAA.1 Potential violation analysis . 18
8.4.9 FAU_SAA.2 Profile based anomaly detection . 18
8.4.10 FAU_SAA.3 Simple attack heuristics . 19
8.4.11 FAU_SAA.4 Complex attack heuristics . 19
8.5 Security audit review (FAU_SAR) . 20
8.5.1 Family behaviour .20
8.5.2 Components leveling and description . 20
8.5.3 Management of FAU_SAR.1 . 20
8.5.4 Management of FAU_SAR.2, FAU_SAR.3 . 20
8.5.5 Audit of FAU_SAR.1 . 20
8.5.6 Audit of FAU_SAR.2 . 21
8.5.7 Audit of FAU_SAR.3 . 21
8.5.8 FAU_SAR.1 Audit review . 21
8.5.9 FAU_SAR.2 Restricted audit review . 21
8.5.10 FAU_SAR.3 Selectable audit review . 21
8.6 Security audit event selection (FAU_SEL) . 22
8.6.1 Family behaviour .22
8.6.2 Components leveling and description . 22
8.6.3 Management of FAU_SEL.1 . 22
8.6.4 Audit of FAU_SEL.1 . 22
8.6.5 FAU_SEL.1 Selective audit . 22
8.7 Security audit data storage (FAU_STG) . 22
8.7.1 Family behaviour .22
8.7.2 Components leveling and description . 23
8.7.3 Management of FAU_STG.1 . 23
8.7.4 Management of FAU_STG.2 . 23
8.7.5 Management of FAU_STG.3 . 23
8.7.6 Management of FAU_STG.4 . 23
8.7.7 Management of FAU_STG.5 . 23
8.7.8 Audit of FAU_STG.1 . 24
8.7.9 Audit of FAU_STG.2, FAU_STG.3 . 24
8.7.10 Audit of FAU_STG.4 . 24
8.7.11 Audit of FAU_STG.5 . 24
8.7.12 FAU_STG.1 Audit data storage location . 24
8.7.13 FAU_STG.2 Protected audit data storage . 24
8.7.14 FAU_STG.3 Guarantees of audit data availability . 25
8.7.15 FAU_STG.4 Action in case of possible audit data loss . 25
8.7.16 FAU_STG.5 Prevention of audit data loss . 25
9 Class FCO: Communication .25
9.1 Class description .25
9.2 Non-repudiation of origin (FCO_NRO) . 26
9.2.1 Family behaviour .26
9.2.2 Components leveling and description . 26
9.2.3 Management of FCO_NRO.1, FCO_NRO.2 . 26
9.2.4 Audit of FCO_NRO.1 .26
9.2.5 Audit of FCO_NRO.2 . 27
9.2.6 FCO_NRO.1 Selective proof of origin . 27
9.2.7 FCO_NRO.2 Enforced proof of origin . 27
9.3 Non-repudiation of receipt (FCO_NRR) .28
9.3.1 Family behaviour .28
9.3.2 Components leveling and description .28
9.3.3 Management of FCO_NRR.1, FCO_NRR.2 .28
9.3.4 Audit of FCO_NRR.1 . 28
9.3.5 Audit of FCO_NRR.2 .28
9.3.6 FCO_NRR.1 Selective proof of receipt .29
9.3.7 FCO_NRR.2 Enforced proof of receipt .29
10 Class FCS: Cryptographic support .29
10.1 Class description .29
10.2 Cryptographic key management (FCS_CKM) .30
10.2.1 Family behaviour .30
10.2.2 Components leveling and description .30
10.2.3 Management of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 . 31
10.2.4 Audit of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 . 31
10.2.5 FCS_CKM.1 Cryptographic key generation . 31
10.2.6 FCS_CKM.2 Cryptographic key distribution . 32
10.2.7 FCS_CKM.3 Cryptographic key access . 32
10.2.8 FCS_CKM.4 Cryptographic key destruction . 32
10.2.9 FCS_CKM.5 Cryptographic key derivation . 33
10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction .33
10.3 Cryptographic operation (FCS_COP) . 33
10.3.1 Family behaviour .33
10.3.2 Components leveling and description . 33
10.3.3 Management of FCS_COP.1 .34
10.3.4 Audit of FCS_COP.1 .34
10.3.5 FCS_COP.1 Cryptographic operation .34
10.4 Random bit generation (FCS_RBG) .34
10.4.1 Family behaviour .34
10.4.2 Components leveling and description .34
10.4.3 Management of FCS_RBG.1, FCS_RBG.2, FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 . 35
10.4.4 Audit of FCS_RBG.1, FCS_RBG.2 . 35
10.4.5 Audit of FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 . 35
10.4.6 FCS_RBG.1 Random bit generation (RBG) . 35
10.4.7 FCS_RBG.2 Random bit generation (external seeding) .36
10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source) .36
10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources) . 37
10.4.10 FCS_RBG.5 Random bit generation (combining noise sources) . 37
10.4.11 FCS_RBG.6 Random bit generation service . 37
10.5 Generation of random numbers (FCS_RNG) . 37
10.5.1 Family behaviour . 37
10.5.2 Components leveling and description .38
10.5.3 Management of FCS_RNG.1 .38
10.5.4 Audit of FCS_RNG.1 .38
10.5.5 FCS_RNG.1 Random number generation .38
11 Class FDP: User data protection . 38
11.1 Class description .38
11.2 Access control policy (FDP_ACC) .40
11.2.1 Family behaviour .40
11.2.2 Components leveling and description . 41
11.2.3 Management of FDP_ACC.1, FDP_ACC.2 . 41
11.2.4 Audit of FDP_ACC.1, FDP_ACC.2 . 41
11.2.5 FDP_ACC.1 Subset access control . 41
11.2.6 FDP_ACC.2 Complete access control . 41
11.3 Access control functions (FDP_ACF) . 42
11.3.1 Family behaviour . 42
11.3.2 Components leveling and description . 42
11.3.3 Management of FDP_ACF.1 . 42
11.3.4 Audit of FDP_ACF.1 . 42
11.3.5 FDP_ACF.1 Security attribute-based access control . 42
11.4 Data authentication (FDP_DAU) . 43
11.4.1 Family behaviour . 43
11.4.2 Components leveling and description . 43
11.4.3 Management of FDP_DAU.1, FDP_DAU.2 . 43
11.4.4 Audit of FDP_DAU.1 . 43
11.4.5 Audit of FDP_DAU.2 .44
11.4.6 FDP_DAU.1 Basic Data Authentication .44
11.4.7 FDP_DAU.2 Data Authentication with Identity of Guarantor .44
11.5 Export from the TOE (FDP_ETC) .44
11.5.1 Family behaviour .44
11.5.2 Components leveling and description . 45
11.5.3 Management of FDP_ETC.1 . 45
11.5.4 Management of FDP_ETC.2 . 45
11.5.5 Audit of FDP_ETC.1, FDP_ETC.2 . 45
11.5.6 FDP_ETC.1 Export of user data without security attributes . 45
11.5.7 FDP_ETC.2 Export of user data with security attributes . 45
11.6 Information flow control policy (FDP_IFC) .46
11.6.1 Family behaviour .46
11.6.2 Components leveling and description .46
11.6.3 Management of FDP_IFC.1, FDP_IFC.2 . 47
11.6.4 Audit of FDP_IFC.1, FDP_IFC.2 . 47
11.6.5 FDP_IFC.1 Subset information flow control . 47
11.6.6 FDP_IFC.2 Complete information flow control . 47
11.7 Information flow control functions (FDP_IFF) . 47
11.7.1 Family behaviour . 47
11.7.2 Components leveling and description .48
11.7.3 Management of FDP_IFF.1, FDP_IFF.2 .48
11.7.4 Management of FDP_IFF.3, FDP_IFF.4, FDP_IFF.5 .48
11.7.5 Management of FDP_IFF.6 .49
11.7.6 Audit of FDP_IFF.1, FDP_IFF.2, FDP_IFF.5 .49
11.7.7 Audit of FDP_IFF.3, FDP_IFF.4, FDP_IFF.6 .49
11.7.8 FDP_IFF.1 Simple security attributes .49
11.7.9 FDP_IFF.2 Hierarchical security attributes .50
11.7.10 FDP_IFF.3 Limited illicit information flows. 51
11.7.11 FDP_IFF.4 Partial elimination of illicit information flows . 51
11.7.12 FDP_IFF.5 No illicit information flows . 51
11.7.13 FDP_IFF.6 Illicit information flow monitoring . 51
11.8 Information Retention Control (FDP_IRC) . 52
11.8.1 Family behaviour . 52
11.8.2 Components leveling and description . 52
11.8.3 Management of FDP_IRC.1 . 53
11.8.4 Audit of FDP_IRC.1 .53
11.8.5 FDP_IRC.1 Information retention control . 53
11.9 Import from outside of the TOE (FDP_ITC) . 53
11.9.1 Family behaviour . 53
11.9.2 Components leveling and description . 53
11.9.3 Management of FDP_ITC.1, FDP_ITC.2 .54
11.9.4 Audit of FDP_ITC.1, FDP_ITC.2 .54
11.9.5 FDP_ITC.1 Import of user data without security attributes .54
11.9.6 FDP_ITC.2 Import of user data with security attributes .54
11.10 Internal TOE transfer (FDP_ITT) . 55
11.10.1 Family behaviour .55
11.10.2 Components leveling and description . 55
11.10.3 Management of FDP_ITT.1, FDP_ITT.2 . 55
11.10.4 Management of FDP_ITT.3, FDP_ITT.4 .56
11.10.5 Audit of FDP_ITT.1, FDP_ITT.2 .56
11.10.6 Audit of FDP_ITT.3, FDP_ITT.4 .56
11.10.7 FDP_ITT.1 Basic internal transfer protection .56
11.10.8 FDP_ITT.2 Transmission separation by attribute .56
11.10.9 FDP_ITT.3 Integrity monitoring . 57
11.10.10 FDP_ITT.4 Attribute-based integrity monitoring . 57
11.11 Residual information protection (FDP_RIP) . 57
11.11.1 Family behaviour . 57
11.11.2 Components leveling and description .58
11.11.3 Management of FDP_RIP.1, FDP_RIP.2 .58
11.11.4 Audit of FDP_RIP.1, FDP_RIP.2 .58
11.11.5 FDP_RIP.1 Subset residual information protection .58
11.11.6 FDP_RIP.2 Full residual information protection .58
11.12 Rollback (FDP_ROL) . 59
11.12.1 Family behaviour . 59
11.12.2 Components leveling and description . 59
11.12.3 Management of FDP_ROL.1, FDP_ROL.2 . 59
11.12.4 Audit of FDP_ROL.1, FDP_ROL.2 . 59
11.12.5 FDP_ROL.1 Basic rollback . 59
11.12.6 FDP_ROL.2 Advanced rollback .60
11.13 Stored data confidentiality (FDP_SDC) .60
11.13.1 Family behaviour .60
11.13.2 Componen
...


SLOVENSKI STANDARD
01-maj-2024
Nadomešča:
SIST EN ISO/IEC 15408-2:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
vrednotenje varnosti IT - 2. del: Funkcionalne varnostne komponente (ISO/IEC
15408-2:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 2: Sicherheit funktionale Komponenten
(ISO/IEC 15408-2:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 2: Composants
fonctionnels de sécurité (ISO/IEC 15408-2:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 15408-2:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 15408-2

NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-2:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Part 2: Security
functional components (ISO/IEC 15408-2:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Partie 2: Sicherheit - Teil 2: Sicherheit funktionale
Composants fonctionnels de sécurité (ISO/IEC 15408- Komponenten (ISO/IEC 15408-2:2022)
2:2022)
This European Standard was approved by CEN on 20 November 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 15408-2:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 15408-2:2022 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-2:2023 by Technical Committee CEN-CENELEC/ JTC 13 “Cybersecurity
and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-2:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-2:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-2:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 15408-2
Fourth edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security —
Part 2:
Security functional components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information —
Partie 2: Composants fonctionnels de sécurité
Reference number
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 15408-2:2022(E)
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Overview . 4
5.1 General . 4
5.2 Organization of this document . . 4
6 Functional requirements paradigm . .5
7 Security functional components .9
7.1 Overview . 9
7.1.1 General . 9
7.1.2 Class structure . 9
7.1.3 Family structure . 10
7.1.4 Component structure . 11
7.2 Component catalogue .13
8 Class FAU: Security audit .14
8.1 Class description . 14
8.2 Security audit automatic response (FAU_ARP) . 15
8.2.1 Family behaviour .15
8.2.2 Components leveling and description . 15
8.2.3 Management of FAU_ARP.1 . 15
8.2.4 Audit of FAU_ARP.1 . 15
8.2.5 FAU_ARP.1 Security alarms . 15
8.3 Security audit data generation (FAU_GEN) . 15
8.3.1 Family behaviour . 15
8.3.2 Components leveling and description . 15
8.3.3 Management of FAU_GEN.1, FAU_GEN.2 . 16
8.3.4 Audit of FAU_GEN.1, FAU_GEN.2. 16
8.3.5 FAU_GEN.1 Audit data generation . 16
8.3.6 FAU_GEN.2 User identity association . 16
8.4 Security audit analysis (FAU_SAA) . 17
8.4.1 Family behaviour . 17
8.4.2 Components leveling and description . 17
8.4.3 Management of FAU_SAA.1 . 17
8.4.4 Management of FAU_SAA.2 . 18
8.4.5 Management of FAU_SAA.3 . 18
8.4.6 Management of FAU_SAA.4 . 18
8.4.7 Audit of FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4 . 18
8.4.8 FAU_SAA.1 Potential violation analysis . 18
8.4.9 FAU_SAA.2 Profile based anomaly detection . 18
8.4.10 FAU_SAA.3 Simple attack heuristics . 19
8.4.11 FAU_SAA.4 Complex attack heuristics . 19
8.5 Security audit review (FAU_SAR) . 20
8.5.1 Family behaviour .20
8.5.2 Components leveling and description . 20
8.5.3 Management of FAU_SAR.1 . 20
8.5.4 Management of FAU_SAR.2, FAU_SAR.3 . 20
8.5.5 Audit of FAU_SAR.1 . .20
8.5.6 Audit of FAU_SAR.2 . 21
iii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 15408-2:2022(E)
8.5.7 Audit of FAU_SAR.3
8.5.8 FAU_SAR.1 Audit review
8.5.9 FAU_SAR.2 Restricted audit review
8.5.10 FAU_SAR.3 Selectable audit review
8.6 Security audit event selection (FAU_SEL)
8.6.1 Family behaviour
8.6.2 Components leveling and description
8.6.3 Management of FAU_SEL.1
8.6.4 Audit of FAU_SEL.1
8.6.5 FAU_SEL.1 Selective audit
8.7 Security audit data storage (FAU_STG)
8.7.1 Family behaviour
8.7.2 Components leveling and description
8.7.3 Management of FAU_STG.1
8.7.4 Management of FAU_STG.2
8.7.5 Management of FAU_STG.3
8.7.6 Management of FAU_STG.4
8.7.7 Management of FAU_STG.5
8.7.8 Audit of FAU_STG.1
8.7.9 Audit of FAU_STG.2, FAU_STG.3
8.7.10 Audit of FAU_STG.4
8.7.11 Audit of FAU_STG.5
8.7.12 FAU_STG.1 Audit data storage location
8.7.13 FAU_STG.2 Protected audit data storage
8.7.14 FAU_STG.3 Guarantees of audit data availability
8.7.15 FAU_STG.4 Action in case of possible audit data loss
8.7.16 FAU_STG.5 Prevention of audit data loss
9 Class FCO: Communication
9.1 Class description
9.2 Non-repudiation of origin (FCO_NRO)
9.2.1 Family behaviour
9.2.2 Components leveling and description
9.2.3 Management of FCO_NRO.1, FCO_NRO.2
9.2.4 Audit of FCO_NRO.1
9.2.5 Audit of FCO_NRO.2
9.2.6 FCO_NRO.1 Selective proof of origin
9.2.7 FCO_NRO.2 Enforced proof of origin
9.3 Non-repudiation of receipt (FCO_NRR)
9.3.1 Family behaviour
9.3.2 Components leveling and description
9.3.3 Management of FCO_NRR.1, FCO_NRR.2
9.3.4 Audit of FCO_NRR.1
9.3.5 Audit of FCO_NRR.2
9.3.6 FCO_NRR.1 Selective proof of receipt
9.3.7 FCO_NRR.2 Enforced proof of receipt
10 Class FCS: Cryptographic support
10.1 Class description
10.2 Cryptographic key management (FCS_CKM)
10.2.1 Family behaviour
10.2.2 Components leveling and description
10.2.3 Management of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6
10.2.4 Audit of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6
10.2.5 FCS_CKM.1 Cryptographic key generation
10.2.6 FCS_CKM.2 Cryptographic key distribution
10.2.7 FCS_CKM.3 Cryptographic key access
10.2.8 FCS_CKM.4 Cryptographic key destruction
10.2.9 FCS_CKM.5 Cryptographic key derivation
10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction
10.3 Cryptographic operation (FCS_COP)
10.3.1 Family behaviour
10.3.2 Components leveling and description
10.3.3 Management of FCS_COP.1
10.3.4 Audit of FCS_COP.1
10.3.5 FCS_COP.1 Cryptographic operation
10.4 Random bit generation (FCS_RBG)
10.4.1 Family behaviour
10.4.2 Components leveling and description
10.4.3 Management of FCS_RBG.1, FCS_RBG.2, FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6
10.4.4 Audit of FCS_RBG.1, FCS_RBG.2
10.4.5 Audit of FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6
10.4.6 FCS_RBG.1 Random bit generation (RBG)
10.4.7 FCS_RBG.2 Random bit generation (external seeding)
10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source)
10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources)
10.4.10 FCS_RBG.5 Random bit generation (combining noise sources)
10.4.11 FCS_RBG.6 Random bit generation service
10.5 Generation of random numbers (FCS_RNG)
10.5.1 Family behaviour
10.5.2 Components leveling and description
10.5.3 Management of FCS_RNG.1
10.5.4 Audit of FCS_RNG.1
10.5.5 FCS_RNG.1 Random number generation
11 Class FDP: User data protection
11.1 Class description
11.2 Access control policy (FDP_ACC)
11.2.1 Family behaviour
11.2.2 Components leveling and description
11.2.3 Management of FDP_ACC.1, FDP_ACC.2
11.2.4 Audit of FDP_ACC.1, FDP_ACC.2
11.2.5 FDP_ACC.1 Subset access control
11.2.6 FDP_ACC.2 Complete access control
11.3 Access control functions (FDP_ACF)
11.3.1 Family behaviour
11.3.2 Components leveling and description
11.3.3 Management of FDP_ACF.1
11.3.4 Audit of FDP_ACF.1
11.3.5 FDP_ACF.1 Security attribute-based access control
11.4 Data authentication (FDP_DAU)
11.4.1 Family behaviour
11.4.2 Components leveling and description
11.4.3 Management of FDP_DAU.1, FDP_DAU.2
11.4.4 Audit of FDP_DAU.1
11.4.5 Audit of FDP_DAU.2
11.4.6 FDP_DAU.1 Basic Data Authentication
11.4.7 FDP_DAU.2 Data Authentication with Identity of Guarantor
11.5 Export from the TOE (FDP_ETC)
11.5.1 Family behaviour
11.5.2 Components leveling and description
11.5.3 Management of FDP_ETC.1
11.5.4 Management of FDP_ETC.2
11.5.5 Audit of FDP_ETC.1, FDP_ETC.2
11.5.6 FDP_ETC.1 Export of user data without security attributes
11.5.7 FDP_ETC.2 Export of user data with security attributes
11.6 Information flow control policy (FDP_IFC)
11.6.1 Family behaviour
11.6.2 Components leveling and description
11.6.3 Management of FDP_IFC.1, FDP_IFC.2
11.6.4 Audit of FDP_IFC.1, FDP_IFC.2
11.6.5 FDP_IFC.1 Subset information flow control
11.6.6 FDP_IFC.2 Complete information flow control
11.7 Information flow control functions (FDP_IFF)
11.7.1 Family behaviour
11.7.2 Components leveling and description
11.7.3 Management of FDP_IFF.1, FDP_IFF.2
11.7.4 Management of FDP_IFF.3, FDP_IFF.4, FDP_IFF.5
11.7.5 Management of FDP_IFF.6
11.7.6 Audit of FDP_IFF.1, FDP_IFF.2, FDP_IFF.5
11.7.7 Audit of FDP_IFF.3, FDP_IFF.4, FDP_IFF.6
11.7.8 FDP_IFF.1 Simple security attributes
11.7.9 FDP_IFF.2 Hierarchical security attributes
11.7.10 FDP_IFF.3 Limited illicit information flows
11.7.11 FDP_IFF.4 Partial elimination of illicit information flows
11.7.12 FDP_IFF.5 No illicit information flows
11.7.13 FDP_IFF.6 Illicit information flow monitoring
11.8 Information Retention Control (FDP_IRC)
11.8.1 Family behaviour
11.8.2 Components leveling and description
11.8.3 Management of FDP_IRC.1
11.8.4 Audit of FDP_IRC.1
11.8.5 FDP_IRC.1 Information retention control
11.9 Import from outside of the TOE (FDP_ITC)
11.9.1 Family behaviour
11.9.2 Components leveling and description
11.9.3 Management of FDP_ITC.1, FDP_ITC.2
11.9.4 Audit of FDP_ITC.1, FDP_ITC.2
11.9.5 FDP_ITC.1 Import of user data without security attributes
11.9.6 FDP_ITC.2 Import of user data with security attributes
11.10 Internal TOE transfer (FDP_ITT)
11.10.1 Family behaviour
11.10.2 Components leveling and description
11.10.3 Management of FDP_ITT.1, FDP_ITT.2
11.10.4 Management of FDP_ITT.3, FDP_ITT.4
11.10.5 Audit of FDP_ITT.1, FDP_ITT.2
11.10.6 Audit of FDP_ITT.3, FDP_ITT.4
11.10.7 FDP_ITT.1 Basic internal transfer protection
11.10.8 FDP_ITT.2 Transmission separation by attribute
11.10.9 FDP_ITT.3 Integrity monitoring
11.10.10 FDP_ITT.4 Attribute-based integrity monitoring
11.11 Residual information protection (FDP_RIP)
11.11.1 Family behaviour
11.11.2 Components leveling and description
11.11.3 Management of FDP_RIP.1, FDP_RIP.2
11.11.4 Audit of FDP_RIP.1, FDP_RIP.2
11.11.5 FDP_RIP.1 Subset residual information protection
11.11.6 FDP_RIP.2 Full residual information protection
11.12 Rollback (FDP_ROL)
11.12.1 Family behaviour
11.12.2 Components leveling and description
11.12.3 Management of FDP_ROL.1, FDP_ROL.2
11.12.4 Audit of FDP_ROL.1, FDP_ROL.2
11.12.5 FDP_ROL.1 Basic rollback
11.12.6 FDP_ROL.2 Advanced rollback
11.13 Stored data confidentiality (FDP_SDC)
11.13.1 Family behaviour
11.13.2 Compon
...
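The outline above follows the catalogue's identifier grammar: a class is "F" plus two letters (FCS), a family is the class code plus a three-letter family code (FCS_CKM), and a component is the family plus a number (FCS_CKM.1); every family repeats the same subsections (family behaviour, component leveling, management, audit, then the components themselves). As an added example that is not part of the standard, of SIST's page or of any Common Criteria tooling, the Python below parses outline entries in that grammar and checks that each management and audit entry references only well-formed, defined components of the family it sits in. The sample entries are copied from the outline, with page numbers dropped; one reference, written "CKM.6" without its class prefix (the kind of damage text extraction of such outlines produces), is left in on purpose so the check has something to report. The function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Identifier grammar of the ISO/IEC 15408-2 catalogue outline:
#   class      "F" + two letters                 e.g. FCS
#   family     <class>_<three letters>           e.g. FCS_CKM
#   component  <family>.<number>                 e.g. FCS_CKM.1
CLASS_RE = re.compile(r"^\d+ Class (F[A-Z]{2}): (.+)$")
FAMILY_RE = re.compile(r"^\d+\.\d+ (.+?) \((F[A-Z]{2})_([A-Z]{3})\)$")
COMPONENT_RE = re.compile(r"^\d+(?:\.\d+){2} ((F[A-Z]{2}_[A-Z]{3})\.(\d+)) (.+)$")
OPS_RE = re.compile(r"^\d+(?:\.\d+){2} (Management|Audit) of (.+)$")
COMPONENT_ID_RE = re.compile(r"^(F[A-Z]{2})_([A-Z]{3})\.(\d+)$")


def split_id(component_id):
    """Split 'FCS_CKM.1' into ('FCS', 'CKM', 1); reject anything else."""
    m = COMPONENT_ID_RE.match(component_id)
    if not m:
        raise ValueError(f"not a component identifier: {component_id!r}")
    return m.group(1), m.group(2), int(m.group(3))


@dataclass
class Catalogue:
    components: dict = field(default_factory=dict)    # "FCS_CKM.1" -> title
    family_class: dict = field(default_factory=dict)  # "FCS_CKM"   -> "FCS"
    references: list = field(default_factory=list)    # (kind, ref, family)
    findings: list = field(default_factory=list)      # structural problems


def parse_toc(lines):
    """Walk outline entries top to bottom, tracking the enclosing class and family."""
    cat = Catalogue()
    current_class = current_family = None
    for raw in lines:
        line = raw.strip()
        if m := CLASS_RE.match(line):
            current_class = m.group(1)
        elif m := FAMILY_RE.match(line):
            family = f"{m.group(2)}_{m.group(3)}"
            cat.family_class[family] = m.group(2)
            if m.group(2) != current_class:
                cat.findings.append(f"family {family} listed under class {current_class}")
            current_family = family
        elif m := COMPONENT_RE.match(line):
            component, family = m.group(1), m.group(2)
            if family != current_family:
                cat.findings.append(f"component {component} listed under family {current_family}")
            cat.components[component] = m.group(4)
        elif m := OPS_RE.match(line):
            # "Management of FCS_CKM.1, FCS_CKM.2" -> one reference per identifier;
            # checked after the walk, because components are listed after these entries
            for ref in m.group(2).split(","):
                cat.references.append((m.group(1), ref.strip(), current_family))
    return cat


def check_references(cat):
    """Every management/audit reference must be well formed, defined, and local to its family."""
    findings = list(cat.findings)
    for kind, ref, family in cat.references:
        if not COMPONENT_ID_RE.match(ref):
            findings.append(f"{kind} entry in {family}: malformed component id {ref!r}")
        elif ref not in cat.components:
            findings.append(f"{kind} entry in {family}: {ref} is not defined in the catalogue")
        elif not ref.startswith(family + "."):
            findings.append(f"{kind} entry in {family}: {ref} belongs to another family")
    return findings


# Constructed sample: entries copied from the catalogue outline, page numbers
# removed. "CKM.6" in the 10.2.3 entry lacks its class prefix on purpose.
SAMPLE_TOC = """\
9 Class FCO: Communication
9.2 Non-repudiation of origin (FCO_NRO)
9.2.1 Family behaviour
9.2.2 Components leveling and description
9.2.3 Management of FCO_NRO.1, FCO_NRO.2
9.2.4 Audit of FCO_NRO.1
9.2.5 Audit of FCO_NRO.2
9.2.6 FCO_NRO.1 Selective proof of origin
9.2.7 FCO_NRO.2 Enforced proof of origin
10 Class FCS: Cryptographic support
10.2 Cryptographic key management (FCS_CKM)
10.2.3 Management of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, CKM.6
10.2.4 Audit of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6
10.2.5 FCS_CKM.1 Cryptographic key generation
10.2.6 FCS_CKM.2 Cryptographic key distribution
10.2.7 FCS_CKM.3 Cryptographic key access
10.2.8 FCS_CKM.4 Cryptographic key destruction
10.2.9 FCS_CKM.5 Cryptographic key derivation
10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction
""".splitlines()

if __name__ == "__main__":
    catalogue = parse_toc(SAMPLE_TOC)
    print(f"{len(catalogue.components)} components in {len(catalogue.family_class)} families")
    for finding in check_references(catalogue):
        print("FINDING:", finding)
```

Run on the sample, the parser records eight components in two families and the check reports exactly one finding, the prefix-less "CKM.6" in the management entry; the same walk over a full catalogue outline (or over the SFR list of a Security Target written against it) flags references to components that do not exist or that belong to another family, which is the kind of slip that otherwise surfaces only during evaluation.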

The standard EN ISO/IEC 15408-2:2023 provides a comprehensive basis for evaluating IT security components used in a wide range of information systems. The document concentrates on defining the required structure and content of security-relevant functional components. This matters for security evaluations because it ensures that those components cover the general security requirements of many IT products. A notable strength is the curated catalogue of functional components, which gives a systematic, accessible overview of the requirements and considerably simplifies specifying security functions for IT products. The standard also promotes a uniform approach to security evaluation, so that evaluation results for different products can be compared; it does not by itself guarantee that a product is secure, but it makes the claimed security functionality explicit and evaluable. Given growing cybersecurity threats and rising data-protection demands, it is essential that IT products implement security measures that are not only sound but also traceable. The standard helps strengthen trust in security solutions and so supports the integrity and confidentiality of important information. Overall, EN ISO/IEC 15408-2:2023 delivers a clear framework for evaluating and implementing IT security functions and is fundamental for organizations that depend on robust security architectures. The clear definition of the functional components and their structured cataloguing are essential strengths that make the document an indispensable tool for information security professionals.

The SIST EN ISO/IEC 15408-2:2024 document defines essential criteria for IT security evaluation, focused on evaluation criteria for information security, cybersecurity and privacy protection. By making the requirements on security functional components explicit, the standard helps raise the assurance that can be claimed for IT products. One of its main strengths is the catalogue of functional components that can satisfy the common security functionality requirements of many IT products; this provides consistent, trustworthy evaluation criteria across industries and sectors and plays an important role in building trust between manufacturers and consumers. By specifying security functional components, it supports companies in designing their products more effectively. The scope of EN ISO/IEC 15408-2:2023 is all the more relevant as cybersecurity and information protection grow in importance: with rising risk of data breaches and cyberattacks, the standard offers a systematic, comprehensive approach to IT security that helps decision-makers manage risk more effectively. In conclusion, SIST EN ISO/IEC 15408-2:2024 is essential to IT security evaluation; by establishing clear criteria for security functional components it promotes progress in information security, cybersecurity and privacy protection, and ultimately benefits all stakeholders.

EN ISO/IEC 15408-2:2023 is an essential document in information security, cybersecurity and data protection that serves as evaluation criteria for IT security. Its focus is on security functional components, which play a central role in evaluating IT security solutions. Its scope defines the required structure and content of security functionalities and so creates a clear basis for security evaluation. This is particularly relevant at a time when security requirements on IT products keep rising and the need for a uniform framework for evaluation and certification grows more pressing. A standout feature is the comprehensive catalogue of functional components aimed at the common security requirements of many IT products. This eases the development of new technologies and gives developers and evaluators a shared vocabulary for, and thereby trust in, the security of IT systems. With standardized evaluation criteria, companies can demonstrate that their products meet the stated requirements and so substantiate a high security standard. The relevance of EN ISO/IEC 15408-2:2023 spans industries. Companies that offer or deploy IT security solutions benefit from its clear structure, which serves as a guide for developing and evaluating security products. The standard supports compliance with legal requirements and contributes to a secure digital environment for protecting sensitive data. Overall, EN ISO/IEC 15408-2:2023 convinces through its comprehensive treatment of security functionalities, which enables organizations to reach their security objectives effectively and to position their products against rising market requirements.

EN ISO/IEC 15408-2:2023 is an important standard that defines the structure and content of the security functional components needed for IT security evaluation. It provides evaluation criteria for information security, cybersecurity and privacy protection and includes a catalogue of functional components for meeting the general security functionality requirements of IT products. One strength is that it provides a clear framework for security evaluation, which lets designers and developers of IT products specify and evaluate security functions in a consistent way. Because it applies to a wide variety of IT products, its flexibility stands out; it is likely to be used widely across industries and to be an indispensable resource for organizations aiming to improve their cybersecurity. Furthermore, the catalogue of security functional components offers concrete guidance tied to actual products and services, so users can state the security level they require more easily, which is expected to reduce IT security risk and improve confidence. EN ISO/IEC 15408-2:2023 plays a foundational role in evaluating and implementing information security, and its relevance is likely to keep growing. By providing criteria against which security functionality can be specified and evaluated, it strengthens an organization's cyber defence capability and provides a solid basis for protecting privacy.

The standard EN ISO/IEC 15408-2:2023 provides a comprehensive framework for evaluating the security of IT products through its defined structure and content for security functional components. Its scope is a precise description of the functional components used in security evaluation, which supports a systematic approach to information security, cybersecurity and privacy protection. A significant strength is the catalogue of security functional components, which addresses common security functionality requirements across a diverse range of IT products. This standardization promotes consistency in security evaluations and gives developers, evaluators and buyers a common vocabulary for comparing what different products claim, which in turn supports a more secure digital environment. The clear organization of the components lets evaluators assess compliance with the stated security requirements effectively. The standard's relevance in today's landscape of increasing cyber threats is considerable: as organizations recognize the critical nature of cybersecurity measures, it serves as a valuable guide for specifying a robust security posture. One caveat a practitioner should keep in mind: Part 2 catalogues functional requirements, so following it lets an organization state precisely which security functions its product provides; how much confidence to place in that functionality depends on the assurance requirements under which it is evaluated (the subject of Part 3 of the series), and resilience against emerging threats depends on keeping the selected requirements current. In conclusion, EN ISO/IEC 15408-2:2023 is instrumental in defining rigorous evaluation criteria for IT security. Its structured approach to security functional components makes it a cornerstone resource for organizations seeking to strengthen their cybersecurity measures and align with international practice in information security and privacy protection.

The standard EN ISO/IEC 15408-2:2023 plays a critical role in information security, cybersecurity and privacy protection by providing a comprehensive framework for evaluating IT security through security functional components. The document defines the structure and content of these components precisely, which gives evaluations a standardized basis and makes their results comparable across diverse IT products. A significant strength lies in its well-organized catalogue of functional components, designed to meet the security functionality requirements common in the IT sector, so that the security features needed for effective cybersecurity measures can be described in a consistent way. The standard bridges the gap between abstract security specifications and practical application, giving security professionals and organizations a shared language for the complexities of security evaluation. It is pertinent not only to developers and manufacturers but also to evaluators of security products, who need a structured, methodical approach to assessing security functionality. By establishing a clear benchmark for security evaluations, EN ISO/IEC 15408-2:2023 supports the development of IT security solutions aligned with international standards, which bolsters trust in technology and enables better risk management. As cybersecurity threats continue to evolve, the standard remains a pivotal resource for organizations looking to improve their security posture through well-defined evaluation criteria. It helps entities meet industry compliance requirements and supports innovation by providing clear guidelines for developing secure IT products. By adhering to it, companies can pursue rigorous security evaluation and so advance the overall integrity and safety of their information systems.

The standard EN ISO/IEC 15408-2:2023 sets out essential criteria for information security, cybersecurity and privacy protection. The document defines the structure and content of the security functional components required to meet the objectives of IT security evaluation. In particular, it includes a catalogue of functional components that satisfy the common security functionality requirements of a wide variety of IT products, which gives the standard a broad and comprehensive scope. Its strength is a systematic approach: each functional element is described clearly, together with its evaluation criteria, which makes consistent quality assurance of security products and solutions possible. Users can readily understand and compare the security functions an IT product requires, which helps create a safer cyber environment. The 2022 edition of the catalogue also reflects current practice in information security and cybersecurity; as the outline above shows, it includes families such as random bit generation (FCS_RBG), information retention control (FDP_IRC) and stored data confidentiality (FDP_SDC). This helps companies respond effectively in a rapidly changing threat environment. For these reasons the standard has become an essential reference for IT security evaluation and certification and contributes to strengthening corporate data protection and privacy. In conclusion, by specifying the functional components of IT security and the evaluation criteria that follow from them, EN ISO/IEC 15408-2:2023 further highlights the importance of information security and cybersecurity and serves as an important reference point for standardizing and improving quality in information security.

The standard SIST EN ISO/IEC 15408-2:2024 is an essential document that clarifies the structure and content of security functional components for IT security evaluation. It belongs to the wider field of information security, cybersecurity and privacy protection and plays a key role by providing clear, precise evaluation criteria for security components. One of its main assets is its exhaustive catalogue of functional components, designed to cover the common security functionality requirements of a wide range of IT products, so that suppliers and developers can demonstrate that they follow recognized security practice. In terms of relevance, EN ISO/IEC 15408-2:2023 fits the current needs of a technology sector facing increasingly sophisticated cybersecurity threats. The rigorous definition of functional components makes it possible not only to evaluate the security of IT systems but also to build the confidence of users and businesses in the products they choose. In short, SIST EN ISO/IEC 15408-2:2024 is a robust and necessary guide for professionals in the field, offering a solid basis for evaluating the security of components and thereby contributing to better protection of data and privacy in the digital age.

EN ISO/IEC 15408-2:2023 is an important standard that provides evaluation criteria for information security, cybersecurity and privacy protection. Its scope defines the structure and content of the security functional components required for security evaluation and includes a catalogue of functional components for meeting the general security functionality requirements of many IT products. The standard's strength lies in its clear structure and comprehensive content: the specific requirements of each security functional component are organized systematically, so developers and evaluators can consult them easily and carry out security evaluations efficiently. By focusing on the security functions commonly required of IT products, it is applicable across a wide range of industries and systems. EN ISO/IEC 15408-2:2023 also serves as a foundation for improving IT security: an evaluation process based on this document lets organizations strengthen their information security measures and cybersecurity strategies. The standard is therefore highly relevant, and its importance in the global information environment continues to grow.

The standard EN ISO/IEC 15408-2:2023 provides an essential framework for IT security evaluation by defining the required structure and content of security functional components. It is a significant contribution to security standardization because it lets organizations demonstrate that their IT products meet common security functionality requirements. One of its key strengths is its exhaustive catalogue of functional components. These components are designed to cover a broad range of security needs, which makes them relevant to diverse IT products; this eases compliance and the evaluation of security mechanisms while ensuring consistency and uniformity in cybersecurity practice. The standard is particularly relevant at a time when cybersecurity and privacy concerns are increasingly pressing. By providing clear, structured evaluation criteria, it helps businesses and developers design more robust systems capable of protecting sensitive data and meeting the constantly evolving challenges of IT security. In summary, EN ISO/IEC 15408-2:2023 stands out for establishing reliable security functional components and offers a fitting response to growing needs in security, cybersecurity and privacy protection in information technology.