Information security, cybersecurity and privacy protection - Requirements for the competence of IT security conformance assessment body personnel - Part 3: Knowledge and skills requirements for ISO/IEC 15408 evaluators and certifiers (ISO/IEC DIS 19896-3:2024)

This document provides the specialized requirements to demonstrate the competence of individuals in performing IT product security evaluations and certifications in accordance with the ISO/IEC 15408 series and ISO/IEC 18045.

General Information

Status: Not Published
Publication Date: 12-Jul-2026
Current Stage: 4060 - Closure of enquiry - Enquiry
Start Date: 10-Mar-2025
Due Date: 10-Mar-2025
Completion Date: 10-Mar-2025

Available for purchase as draft prEN ISO/IEC 19896-3:2025 (English, 49 pages)

Standards Content (Sample)


SLOVENIAN STANDARD
01-March-2025
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security conformance assessment body personnel - Part 3: Knowledge and skills requirements for ISO/IEC 15408 evaluators and certifiers (ISO/IEC DIS 19896-3:2024)
This Slovenian standard is identical to: prEN ISO/IEC 19896-3
ICS:
03.100.30 Management of human resources
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

DRAFT International Standard ISO/IEC DIS 19896-3
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-12-16
Voting terminates on: 2025-03-10

Information security, cybersecurity and privacy protection — Requirements for the competence of IT security conformance assessment body personnel — Part 3: Knowledge and skills requirements for ISO/IEC 15408 evaluators and certifiers
ICS: 35.030

THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
ISO/CEN PARALLEL PROCESSING
Reference number: ISO/IEC DIS 19896-3:2024(en)
© ISO/IEC 2024
Contents (page)
Foreword  iv
Introduction  v
1 Scope  1
2 Normative references  1
3 Terms and definitions  1
4 Knowledge  2
4.1 Knowledge required for evaluators  2
4.1.1 General  2
4.1.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045  2
4.1.3 Knowledge of the assurance paradigm  4
4.1.4 Knowledge of information security  5
4.1.5 Knowledge of the technology  6
4.2 Knowledge required for certifiers  7
4.2.1 General  7
4.2.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045  7
4.2.3 Knowledge of the assurance paradigm  9
4.2.4 Knowledge of information security  11
4.2.5 Knowledge of technology  12
5 Skills  13
5.1 Skills required for evaluators  13
5.1.1 General  13
5.1.2 Basic evaluation skills  13
5.1.3 Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045  14
5.1.4 Skills required for specific security assurance classes  15
5.1.5 Skills required for specific security functional requirement classes  16
5.1.6 Skills required for specific technology  16
5.2 Skills required for certifiers  16
5.2.1 Basic certification skills  16
5.2.2 Core certification skills regarding ISO/IEC 15408-3 and ISO/IEC 18045  17
5.2.3 Skills required for specific security assurance classes  17
5.2.4 Skills required for specific security functional requirement classes  17
5.2.5 Skills required for specific technology  18
Annex A (informative) Technology types: Knowledge and skills  19
Annex B (informative) Examples of knowledge and skills required for evaluating security assurance requirement classes  25
Annex C (informative) Examples of knowledge required for evaluating security functional requirement classes  38
Bibliography  41

Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.

A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user's national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security evaluations. It does so by providing a common set of requirements for the security functionality of IT products and for assurance measures applied to
...
