iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

EN ISO/IEC 19896-1:2023

(Main)

IT security techniques - Competence requirements for information security testers and evaluators - Part 1: Introduction, concepts and general requirements (ISO/IEC 19896-1:2018)

IT security techniques - Competence requirements for information security testers and evaluators - Part 1: Introduction, concepts and general requirements (ISO/IEC 19896-1:2018)

ISO/IEC 19896-1:2018 defines terms and establishes an organized set of concepts and relationships to understand the competency requirements for information security assurance conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the ISO/IEC 19896 series.

IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von Informationssicherheit - Teil 1: Einführung, Konzepte und allgemeine Anforderungen (ISO/IEC 19896‑1:2018)

Techniques de sécurité IT - Exigences de compétence pour l'information testeurs d'assurance et les évaluateurs - Partie 1: Introduction, concepts et exigences générales (ISO/IEC 19896-1:2018)

Le présent document définit les termes et établit un ensemble structuré de concepts et leurs relations pour comprendre les exigences de compétences des spécialistes des essais de conformité et de l'évaluation pour l'assurance de la sécurité de l'information, établissant ainsi la base d'une compréhension partagée des concepts et des principes centraux de la série ISO/IEC 19896 à travers ses communautés d'utilisateurs. Il fournit des informations fondamentales aux utilisateurs de la série ISO/IEC 19896.

IT varnostne tehnike - Zahteve za usposobljenost za preskuševalce in ocenjevalce informacijske varnosti - 1. del: Uvod, pojmi in splošne zahteve (ISO/IEC 19896-1:2018)

General Information

Status
Published
Publication Date
29-Apr-2023
ICS
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
25-Jan-2023
Due Date
06-Nov-2024
Completion Date
25-Jan-2023
Ref Project
oSIST prEN ISO/IEC 19896-1:2022 - IT security techniques - Competence requirements for information security testers and evaluators - Part 1: Introduction, concepts and general requirements (ISO/IEC 19896-1:2018)

Buy Standard

prEN ISO/IEC 19896-1:2022prEN ISO/IEC 19896-1:2022
PreviousNext
Draft
prEN ISO/IEC 19896-1:2022
English language
16 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 19896-1:2022
01-november-2022
IT varnostne tehnike - Zahteve za usposobljenost za preskuševalce in ocenjevalce
informacijske varnosti - 1. del: Uvod, pojmi in splošne zahteve (ISO/IEC 19896-
1:2018)

IT security techniques - Competence requirements for information security testers and

evaluators - Part 1: Introduction, concepts and general requirements (ISO/IEC 19896-

1:2018)
IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von

Informationssicherheit - Teil 1: Einführung, Konzepte und allgemeine Anforderungen

(ISO/IEC 19896‑1:2018)
Techniques de sécurité IT - Exigences de compétence pour l'information testeurs

d'assurance et les évaluateurs - Partie 1: Introduction, concepts et exigences générales

(ISO/IEC 19896-1:2018)
Ta slovenski standard je istoveten z: prEN ISO/IEC 19896-1
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 19896-1:2022 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
INTERNATIONAL ISO/IEC
STANDARD 19896-1
First edition
2018-02
IT security techniques — Competence
requirements for information security
testers and evaluators —
Part 1:
Introduction, concepts and general
requirements
Techniques de sécurité IT — Exigences de compétence pour
l'information testeurs d'assurance et les évaluateurs —
Partie 1: Introduction, concepts et exigences générales
Reference number
ISO/IEC 19896-1:2018(E)
ISO/IEC 2018
---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
ISO/IEC 19896-1:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved
---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
ISO/IEC 19896-1:2018(E)
Contents Page

Foreword ........................................................................................................................................................................................................................................iv

Introduction ..................................................................................................................................................................................................................................v

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Concepts ........................................................................................................................................................................................................................ 2

5 Elements of competence ............................................................................................................................................................................... 3

5.1 Competences ............................................................................................................................................................................................. 3

5.2 Knowledge .................................................................................................................................................................................................. 3

5.3 Skills ................................................................................................................................................................................................................. 4

5.4 Experience .................................................................................................................................................................................................. 4

5.5 Education ..................................................................................................................................................................................................... 5

5.6 Effectiveness ............................................................................................................................................................................................. 5

6 Competency levels ............................................................................................................................................................................................... 5

6.1 General ........................................................................................................................................................................................................... 5

6.2 Level 1 (Associate) ............................................................................................................................................................................... 5

6.3 Level 2 (Professional) ....................................................................................................................................................................... 5

6.4 Level 3 (Manager) ................................................................................................................................................................................ 5

6.5 Level 4 (Principal) ................................................................................................................................................................................ 6

7 Measurement of elements of competence ................................................................................................................................. 6

7.1 Knowledge .................................................................................................................................................................................................. 6

7.2 Skills ................................................................................................................................................................................................................. 6

7.3 Experience .................................................................................................................................................................................................. 6

7.4 Education ..................................................................................................................................................................................................... 6

7.5 Effectiveness ............................................................................................................................................................................................. 7

7.6 Recording elements of competence ...................................................................................................................................... 7

Annex A (informative) Framework for describing competence requirements ........................................................8

Annex B (informative) Example records of experience and competence ...................................................................10

Bibliography .............................................................................................................................................................................................................................11

© ISO/IEC 2018 – All rights reserved iii
---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
ISO/IEC 19896-1:2018(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the following

URL: www .iso .org/ iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.
iv © ISO/IEC 2018 – All rights reserved
---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
ISO/IEC 19896-1:2018(E)
Introduction

The objective of the ISO/IEC 19896 series is to provide the fundamental concepts related to the topic

of the competence of the individuals responsible for performing IT product security evaluations

and conformance testing. The ISO/IEC 19896 series provides the framework and the specialized

requirements that specify the minimum competence of individuals performing IT product security

evaluations and conformance testing using established standards.
In pursuit of this objective, the ISO/IEC 19896 series comprises the following:

a) The terms and definitions relating to the topic of competence in IT product security evaluators and

testers;

b) The fundamental concepts relating to competence in IT product security evaluations and

conformance testing; and

c) The minimum competence requirements for IT product security evaluators and testers to conduct

IT product testing/evaluation.
The ISO/IEC 19896 series is of interest to:
a) Information security evaluation and conformance-testing specialists;
b) Information security evaluation and conformance-testing approval authorities;
c) Information security evaluation and conformance-testing laboratories;

d) Vendors or technology providers whose IT products can be the subject of information security

assurance evaluations or conformance-testing;
e) Organizations offering professional credentials or recognitions.

The ISO/IEC 19896 series is organized in parts to address the competence of evaluation and testing

professionals as follows.

In this document, the introduction and concepts, provides an overview of the definitions, fundamental

concepts and a general description of the framework used to communicate the competence requirements

for certain specialized areas. This material is aimed at providing the fundamental knowledge necessary

to use the framework presented in the other parts of the ISO/IEC 19896 series appropriately.

ISO/IEC 19896-2 describes the minimum set of competence requirements at each competency level for

conformance testers working with ISO/IEC 19790 and associated standards.

ISO/IEC 19896-3 describes the minimum set of competence requirements at each competency level for

information security evaluators working with ISO/IEC 15408 (all parts) and associated standards.

© ISO/IEC 2018 – All rights reserved v
---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
INTERNATIONAL STANDARD ISO/IEC 19896-1:2018(E)
IT security techniques — Competence requirements for
information security testers and evaluators —
Part 1:
Introduction, concepts and general requirements
1 Scope

This document defines terms and establishes an organized set of concepts and relationships to

understand the competency requirements for information security assurance conformance-testing

and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and

principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental

information to users of the ISO/IEC 19896 series.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 17000, Conformity assessment — Vocabulary and general principles

ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC 17025

and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at http:// www .electropedia .org/
3.1
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17024:2012, 3.6]
3.2
conformance-tester
tester

individual assigned to perform test activities in accordance with a given conformance testing standard

and associated testing methodology

Note 1 to entry: An example of such a standard is ISO/IEC 19790 and the testing methodology specified in

ISO/IEC 24759.
3.3
education

process of receiving or giving systematic instruction, especially at a school or university

© ISO/IEC 2018 – All rights reserved 1
---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 19896-1:2022
ISO/IEC 19896-1:2018(E)
3.4
effectiveness

ability to apply knowledge and skills in a productive manner, characterized by attributes of behaviour

such as aptitude, initiative, enthusiasm, willingness, communication skills, team participation, and

leadership
3.5
evaluator

individual assigned to perform evaluations in accordance with a given evaluation standard and

associated evaluation methodology

Note 1 to entry: An example of evaluation standards is ISO/IEC 15408 (all parts) with the associated evaluation

methodology given in ISO/IEC 18045.
3.6
experience

involvement at a practical level with projects related to the field of competence

3.7
knowledge

facts, information, truths, principles or understanding acquired through experience or education

Note 1 to entry: An example of knowledge is the ability to describe the various parts of an information assurance

standard.

[SOURCE: ISO/IEC TS 17027:2014, 2.56, modified — Note 1 to entry has been added.]

3.8
laboratory

organization with a management system providing evaluation and or testing work in accordance with a

defined set of policies and procedures and utilizing a defined methodology for testing or evaluating the

security functionality of IT products

Note 1 to entry: These organizations are often given alternative names by various approval authorities. For

example, IT Security Evaluation Facility (ITSEF), Common Criteria Testing Laboratory (CCTL), Commercial

Evaluation Facility (CLEF).
3.9
skill

ability to perform a task or activity with a specific intended outcome acquired through education,

training, experience or other means
Note 1 to entry: An example of
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN ISO/IEC 19896-2:2023(Main)
IT security techniques - Competence requirements for information security testers and evaluators - Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers (ISO/IEC 19896-2:2018)
oSIST prEN ISO/IEC 19896-2:2022

This document provides the minimum requirements for the knowledge, skills and effectiveness requirements of individuals performing testing activities for a conformance scheme using ISO/IEC 19790 and ISO/IEC 24759.

  • Draft
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 19896-3:2023(Main)
IT security techniques - Competence requirements for information security testers and evaluators - Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators (ISO/IEC 19896-3:2018)
oSIST prEN ISO/IEC 19896-3:2022

This document provides the specialized requirements to demonstrate competence of individuals in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and  ISO/IEC 18045.

  • Draft
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 24760-2:2022(Main)
Information technology - Security techniques - A framework for identity management - Part 2: Reference architecture and requirements (ISO/IEC 24760-2:2015)
SIST EN ISO/IEC 24760-2:2023

ISO/IEC 24760-2:2015 provides guidelines for the implementation of systems for the management of identity information, and specifies requirements for the implementation and operation of a framework for identity management.
ISO/IEC 24760-2:2015 is applicable to any information system where information relating to identity is processed or stored.

  • Standard
    55 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    52 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN ISO/IEC/TS 27006-2:2022(Main)
Requirements for bodies providing audit and certification of information security management systems - Part 2: Privacy information management systems (ISO/IEC TS 27006-2:2021)
SIST-TS CEN ISO/IEC/TS 27006-2:2023

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701 in combination with ISO/IEC 27001, in addition to the requirements contained within ISO/IEC 27006 and ISO/IEC 27701. It is primarily intended to support the accreditation of certification bodies providing PIMS certification.
The requirements contained in this document need to be demonstrated in terms of competence and reliability by anybody providing PIMS certification, and the guidance contained in this document provides additional interpretation of these requirements for any body providing PIMS certification.
NOTE     This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Technical specification
    18 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27002:2022(Main)
Information security, cybersecurity and privacy protection - Information security controls (ISO/IEC 27002:2022)
SIST EN ISO/IEC 27002:2022

This document provides a reference set of generic information security controls including implementation guidance. This document is designed to be used by organizations:
a) within the context of an information security management system (ISMS) based on ISO/IEC27001;
b) for implementing information security controls based on internationally recognized best practices;
c) for developing organization-specific information security management guidelines.

  • Standard
    164 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    161 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 17640:2022(Main)
Fixed-time cybersecurity evaluation methodology for ICT products
SIST EN 17640:2023

This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and high).
The methodology comprises different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to third-party evaluation and self-assessment.

  • Standard
    54 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    56 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 24760-1:2022(Main)
IT Security and Privacy - A framework for identity management - Part 1: Terminology and concepts (ISO/IEC 24760-1:2019)
SIST EN ISO/IEC 24760-1:2022

ISO/IEC 24760-1:2019 defines terms for identity management, and •specifies core concepts of identity and identity management and their relationships.
It is applicable to any information system that processes identity information.
A bibliography of documents describing various aspects of identity information management is provided.

  • Standard
    32 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 24760-3:2022(Main)
Information technology - Security techniques - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2016)
SIST EN ISO/IEC 24760-3:2023

ISO/IEC 24760-3:2016 provides guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2.
ISO/IEC 24760-3:2016 is applicable to an identity management system where identifiers or PII relating to entities are acquired, processed, stored, transferred or used for the purposes of identifying or authenticating entities and/or for the purpose of decision making using attributes of entities. Practices for identity management can also be addressed in other standards.

  • Standard
    39 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    36 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 17529:2022(Main)
Data protection and privacy by design and by default
SIST EN 17529:2022

This document provides requirements for manufacturers and/or service providers to implement Data protection and Privacy by Design and by Default (DPbDD) early in their development of their products and services, i.e. before (or independently of) any specific application integration, to make sure that they are as privacy ready as possible. The document will be applicable to all business sectors, including the security industry.

  • Standard
    62 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    58 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 29151:2022(Main)
Information technology - Security techniques - Code of practice for personally identifiable information protection (ISO/IEC 29151:2017)
SIST EN ISO/IEC 29151:2022

ISO/IEC 29151:2017 establishes control objectives, controls and guidelines for implementing controls, to meet the
requirements identified by a risk and impact assessment related to the protection of personally identifiable information
(PII).
In particular, this Recommendation | International Standard specifies guidelines based on ISO/IEC 27002, taking into
consideration the requirements for processing PII that may be applicable within the context of an organization's
information security risk environment(s).
ISO/IEC 29151:2017 is applicable to all types and sizes of organizations acting as PII controllers (as defined in ISO/IEC 29100),
including public and private companies, government entities and not-for-profit organizations that process PII.

  • Standard
    49 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Draft
    46 pages
    English language
    sale 10% off
    e-Library read for
    1 day