FprEN ISO/IEC 18045
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Requirements and methodology for IT security evaluation (ISO/IEC FDIS 18045:2025)
This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit (ISO/IEC FDIS 18045:2025)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour l'évaluation de sécurité (ISO/IEC FDIS 18045:2025)
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za ocenjevanje varnosti IT - Zahteve in metodologija za ocenjevanje varnosti IT (ISO/IEC DIS 18045:2024)
General Information
- Status: Not Published
- Publication Date: 03-May-2026
- Technical Committee: CEN/CLC/TC 13 - Cybersecurity and Data Protection
- Current Stage: 5020 - Submission to Vote - Formal Approval
- Start Date: 11-Dec-2025
- Completion Date: 11-Dec-2025
Relations
- Effective Date: 17-Apr-2024
Overview
The FprEN ISO/IEC 18045 standard, titled Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Requirements and methodology for IT security evaluation (ISO/IEC FDIS 18045:2025), is a critical framework established by CEN to guide IT security evaluations. This standard defines the minimum required actions for evaluators when conducting security assessments based on the ISO/IEC 15408 series. It is structured to support systematic and consistent evaluation of IT security products, ensuring robustness in information security, cybersecurity, and privacy protection.
By outlining a detailed methodology, ISO/IEC 18045 improves the reliability and validity of IT security evaluations, helping organizations and evaluators to align with international best practices while enhancing trust in IT systems and security technologies.
Key Topics
- Evaluation Methodology: ISO/IEC 18045 details the comprehensive process and tasks required for security evaluation, including evaluation objectives, roles, responsibilities, and model structures.
- Evaluation Process: It covers the entire lifecycle of evaluation, from input evidence management through evaluation sub-activities to the output reports.
- Conformance Claims: The standard describes procedures to assess the conformance of Protection Profiles (PPs), PP-Modules, and Security Targets (STs) to ensure compliance with security requirements.
- Security Objectives and Requirements: It outlines how to evaluate defined security objectives, extended components, and security problem definitions within IT products.
- Evaluator Guidelines: Provides clear guidance on evaluating evidence, managing evaluation data, and documenting results with appropriate verdicts to maintain consistency across evaluations.
- Support for ISO/IEC 15408 Series: Demonstrates the relationship and structural alignment with the ISO/IEC 15408 framework, improving evaluation coherence and interoperability.
Applications
The ISO/IEC 18045 standard is essential for:
- IT Security Product Certification: Provides evaluators with a recognized methodology to assess security functionality and assurance in IT products, which supports certification efforts.
- Cybersecurity Risk Management: Helps organizations validate the effectiveness of security measures in place and make informed decisions on cybersecurity investments.
- Compliance and Regulatory Requirements: Enables demonstration of adherence to national and international regulations involving information security standards.
- Privacy Protection Assurance: Assists in evaluating the privacy protection mechanisms embedded within IT systems, ensuring compliance with privacy laws.
- Vendor and Product Assessment: Facilitates rigorous evaluation of vendors' claims regarding the security capabilities of their products before procurement or deployment.
- Standardized Evaluation Practices: Fosters consistency and repeatability in IT security assessments, which is critical for trust in digital infrastructures.
Related Standards
- ISO/IEC 15408 (Common Criteria): ISO/IEC 18045 is designed to operate as the evaluation methodology for products evaluated under the Common Criteria framework.
- ISO/IEC 27001: A complementary standard for information security management systems, offering broader organizational security controls.
- ISO/IEC 27002: Provides detailed security control implementation guidance that supports the environment in which security evaluation is performed.
- ISO/IEC 29147 and 30111: Standards covering vulnerability disclosure and handling processes, integrating with security evaluation findings.
- NIST SP 800 Series: While U.S.-focused, these provide additional frameworks for cybersecurity and risk management that may be referenced alongside evaluations based on ISO/IEC standards.
By adhering to ISO/IEC 18045 requirements, evaluators and organizations ensure a globally recognized and trusted approach to IT security evaluation, enhancing cybersecurity resilience and upholding privacy protection in today's digitally interconnected environment.
Frequently Asked Questions
FprEN ISO/IEC 18045 is a draft published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Requirements and methodology for IT security evaluation (ISO/IEC FDIS 18045:2025)". This standard covers: This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
FprEN ISO/IEC 18045 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
FprEN ISO/IEC 18045 has the following relationships with other standards: it has inter-standard links to EN ISO/IEC 18045:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase FprEN ISO/IEC 18045 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.
Standards Content (Sample)
SLOVENIAN STANDARD
oSIST prEN ISO/IEC 18045:2024
01-October-2024
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC DIS 18045:2024)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC DIS 18045:2024)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit (ISO/IEC DIS 18045:2024)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour l'évaluation de sécurité (ISO/IEC DIS 18045:2024)
This Slovenian standard is identical to: prEN ISO/IEC 18045
ICS: 35.030 IT Security
oSIST prEN ISO/IEC 18045:2024 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
DRAFT International Standard
ISO/IEC DIS 18045
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Méthodologie pour l'évaluation de sécurité
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-08-14
Voting terminates on: 2024-11-06
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 18045:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
4 Terminology
5 Verb usage
6 General evaluation guidance
7 Relationship between the ISO/IEC 15408 series and ISO/IEC 18045 structures
8 Evaluation process and related tasks
8.1 General
8.2 Evaluation process overview
8.2.1 Objectives
8.2.2 Responsibilities of the roles
8.2.3 Relationship of roles
8.2.4 General evaluation model
8.2.5 Evaluator verdicts
8.3 Evaluation input task
8.3.1 Objectives
8.3.2 Application notes
8.3.3 Management of evaluation evidence sub-task
8.4 Evaluation sub-activities
8.5 Evaluation output task
8.5.1 Objectives
8.5.2 Management of evaluation outputs
8.5.3 Application notes
8.5.4 Write OR sub-task
8.5.5 Write ETR sub-task
9 Class APE Protection Profile (PP) evaluation
9.1 Introduction
9.1.1 Re-using the evaluation results of certified PPs
9.2 Conformance claims (APE_CCL)
9.2.1 Evaluation of sub-activity (APE_CCL.1)
9.3 Extended components definition (APE_ECD)
9.3.1 Evaluation of sub-activity (APE_ECD.1)
9.4 PP introduction (APE_INT)
9.4.1 Evaluation of sub-activity (APE_INT.1)
9.5 Security objectives (APE_OBJ)
9.5.1 Evaluation of sub-activity (APE_OBJ.1)
9.5.2 Evaluation of sub-activity (APE_OBJ.2)
9.6 Security requirements (APE_REQ)
9.6.1 Evaluation of sub-activity (APE_REQ.1)
9.6.2 Evaluation of sub-activity (APE_REQ.2)
9.7 Security problem definition (APE_SPD)
9.7.1 Evaluation of sub-activity (APE_SPD.1)
10 Class ACE Protection Profile Configuration evaluation
10.1 Introduction
10.2 PP-Module conformance claims (ACE_CCL)
10.2.1 Evaluation of sub-activity (ACE_CCL.1)
10.3 PP-Configuration consistency (ACE_CCO)
10.3.1 Evaluation of sub-activity (ACE_CCO.1)
10.4 PP-Module extended components definition (ACE_ECD)
10.4.1 Evaluation of sub-activity (ACE_ECD.1)
10.5 PP-Module introduction (ACE_INT)
10.5.1 Evaluation of sub-activity (ACE_INT.1)
10.6 PP-Module consistency (ACE_MCO)
10.6.1 Evaluation of sub-activity (ACE_MCO.1)
10.7 PP-Module security objectives (ACE_OBJ)
10.7.1 Evaluation of sub-activity (ACE_OBJ.1)
10.7.2 Evaluation of sub-activity (ACE_OBJ.2)
10.8 PP-Module security requirements (ACE_REQ)
10.8.1 Evaluation of sub-activity (ACE_REQ.1)
10.8.2 Evaluation of sub-activity (ACE_REQ.2)
10.9 PP-Module security problem definition (ACE_SPD)
10.9.1 Evaluation of sub-activity (ACE_SPD.1)
11 Class ASE Security Target (ST) evaluation
11.1 Introduction
11.2 Application notes
11.2.1 Re-using the evaluation results of certified PPs
11.2.2 Composition
11.3 Conformance claims (ASE_CCL)
11.3.1 Evaluation of sub-activity (ASE_CCL.1)
11.4 Consistency of composite product Security Target (ASE_COMP)
11.4.1 Evaluation of sub-activity (ASE_COMP.1)
11.5 Extended components definition (ASE_ECD)
11.5.1 Evaluation of sub-activity (ASE_ECD.1)
11.6 ST introduction (ASE_INT)
11.6.1 Evaluation of sub-activity (ASE_INT.1)
11.7 Security objectives (ASE_OBJ)
11.7.1 Evaluation of sub-activity (ASE_OBJ.1)
11.7.2 Evaluation of sub-activity (ASE_OBJ.2)
11.8 Security requirements (ASE_REQ)
11.8.1 Evaluation of sub-activity (ASE_REQ.1)
11.8.2 Evaluation of sub-activity (ASE_REQ.2)
11.9 Security problem definition (ASE_SPD)
11.9.1 Evaluation of sub-activity (ASE_SPD.1)
11.10 TOE summary specification (ASE_TSS)
11.10.1 Evaluation of sub-activity (ASE_TSS.1)
11.10.2 Evaluation of sub-activity (ASE_TSS.2)
12 Class ADV Development
12.1 Introduction
12.2 Application notes
12.2.1 Composition
12.3 Security architecture (ADV_ARC)
12.3.1 Evaluation of sub-activity (ADV_ARC.1)
12.4 Composite design compliance (ADV_COMP)
12.4.1 Evaluation of sub-activity (ADV_COMP.1)
12.5 Functional specification (ADV_FSP)
12.5.1 Evaluation of sub-activity (ADV_FSP.1)
12.5.2 Evaluation of sub-activity (ADV_FSP.2)
12.5.3 Evaluation of sub-activity (ADV_FSP.3)
12.5.4 Evaluation of sub-activity (ADV_FSP.4)
12.5.5 Evaluation of sub-activity (ADV_FSP.5)
12.6 Implementation representation (ADV_IMP)
12.6.1 Evaluation of sub-activity (ADV_IMP.1)
12.6.2 Evaluation of sub-activity (ADV_IMP.2)
12.7 TSF internals (ADV_INT)
12.7.1 Evaluation of sub-activity (ADV_INT.1)
12.7.2 Evaluation of sub-activity (ADV_INT.2)
12.7.3 Evaluation of sub-activity (ADV_INT.3)
12.8 Formal TSF model (ADV_SPM)
12.8.1 Evaluation of sub-activity (ADV_SPM.1)
12.9 TOE design (ADV_TDS)
12.9.1 Evaluation of sub-activity (ADV_TDS.1)
12.9.2 Evaluation of sub-activity (ADV_TDS.2)
12.9.3 Evaluation of sub-activity (ADV_TDS.3)
12.9.4 Evaluation of sub-activity (ADV_TDS.4)
12.9.5 Evaluation of sub-activity (ADV_TDS.5)
13 Class AGD Guidance documents
13.1 Introduction
13.2 Application notes
13.3 Operational user guidance (AGD_OPE)
13.3.1 Evaluation of sub-activity (AGD_OPE.1)
13.4 Preparative procedures (AGD_PRE)
13.4.1 Evaluation of sub-activity (AGD_PRE.1)
14 Class ALC Life-cycle support
14.1 Introduction
14.2 Application notes
14.2.1 Composition
14.3 CM capabilities (ALC_CMC)
14.3.1 Evaluation of sub-activity (ALC_CMC.1)
14.3.2 Evaluation of sub-activity (ALC_CMC.2)
14.3.3 Evaluation of sub-activity (ALC_CMC.3)
14.3.4 Evaluation of sub-activity (ALC_CMC.4)
14.3.5 Evaluation of sub-activity (ALC_CMC.5)
14.4 CM scope (ALC_CMS)
14.4.1 Evaluation of sub-activity (ALC_CMS.1)
14.4.2 Evaluation of sub-activity (ALC_CMS.2)
14.4.3 Evaluation of sub-activity (ALC_CMS.3)
14.4.4 Evaluation of sub-activity (ALC_CMS.4)
14.4.5 Evaluation of sub-activity (ALC_CMS.5)
14.5 Integration of composition parts and consistency check of delivery procedures (ALC_COMP)
14.5.1 Evaluation of sub-activity (ALC_COMP.1)
14.6 Delivery (ALC_DEL)
14.6.1 Evaluation of sub-activity (ALC_DEL.1)
14.7 Developer environment security (ALC_DVS)
14.7.1 Evaluation of sub-activity (ALC_DVS.1)
14.7.2 Evaluation of sub-activity (ALC_DVS.2)
14.8 Flaw remediation (ALC_FLR)
14.8.1 Evaluation of sub-activity (ALC_FLR.1)
14.8.2 Evaluation of sub-activity (ALC_FLR.2)
14.8.3 Evaluation of sub-activity (ALC_FLR.3)
14.9 Development life-cycle definition (ALC_LCD)
14.9.1 Evaluation of sub-activity (ALC_LCD.1)
14.9.2 Evaluation of sub-activity (ALC_LCD.2)
14.10 Tools and techniques (ALC_TAT)
14.10.1 Evaluation of sub-activity (ALC_TAT.1)
14.10.2 Evaluation of sub-activity (ALC_TAT.2)
14.10.3 Evaluation of sub-activity (ALC_TAT.3)
14.11 TOE development artefacts (ALC_TDA)
14.11.1 Evaluation of sub-activity (ALC_TDA.1)
14.11.2 Evaluation of sub-activity (ALC_TDA.2)
14.11.3 Evaluation of sub-activity (ALC_TDA.3)
15 Class ATE Tests
15.1 Introduction
15.2 Application notes
15.2.1 Understanding the expected behaviour of the TOE
15.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality
15.2.3 Verifying the adequacy of tests
15.2.4 Composition
15.3 Composite functional testing (ATE_COMP)
15.3.1 Evaluation of sub-activity (ATE_COMP.1)
15.4 Coverage (ATE_COV)
15.4.1 Evaluation of sub-activity (ATE_COV.1)
15.4.2 Evaluation of sub-activity (ATE_COV.2)
15.4.3 Evaluation of sub-activity (ATE_COV.3)
15.5 Depth (ATE_DPT)
15.5.1 Evaluation of sub-activity (ATE_DPT.1)
15.5.2 Evaluation of sub-activity (ATE_DPT.2)
15.5.3 Evaluation of sub-activity (ATE_DPT.3)
15.6 Functional tests (ATE_FUN)
15.6.1 Evaluation of sub-activity (ATE_FUN.1)
15.6.2 Evaluation of sub-activity (ATE_FUN.2)
15.7 Independent testing (ATE_IND)
15.7.1 Evaluation of sub-activity (ATE_IND.1)
15.7.2 Evaluation of sub-activity (ATE_IND.2)
16 Class AVA Vulnerability assessment
16.1 Introduction
16.2 Application notes
16.2.1 Composition
16.3 Composite vulnerability assessment (AVA_COMP)
16.3.1 Evaluation of sub-activity (AVA_COMP.1)
16.4 Vulnerability analysis (AVA_VAN)
16.4.1 Evaluation of sub-activity (AVA_VAN.1)
16.4.2 Evaluation of sub-activity (AVA_VAN.2)
16.4.3 Evaluation of sub-activity (AVA_VAN.3)
16.4.4 Evaluation of sub-activity (AVA_VAN.4)
16.4.5 Evaluation of sub-activity (AVA_VAN.5)
17 Class ACO Composition
17.1 Introduction
17.2 Application notes
17.3 Composition rationale (ACO_COR)
17.3.1 Evaluation of sub-activity (ACO_COR.1)
17.4 Composed TOE testing (ACO_CTT)
17.4.1 Evaluation of sub-activity (ACO_CTT.1)
17.4.2 Evaluation of sub-activity (ACO_CTT.2)
17.5 Development evidence (ACO_DEV)
17.5.1 Evaluation of sub-activity (ACO_DEV.1)
17.5.2 Evaluation of sub-activity (ACO_DEV.2)
17.5.3 Evaluation of sub-activity (ACO_DEV.3)
17.6 Reliance of dependent component (ACO_REL)
17.6.1 Evaluation of sub-activity (ACO_REL.1)
17.6.2 Evaluation of sub-activity (ACO_REL.2)
17.7 Composition vulnerability analysis (ACO_VUL)
17.7.1 Evaluation of sub-activity (ACO_VUL.1)
17.7.2 Evaluation of sub-activity (ACO_VUL.2)
17.7.3 Evaluation of sub-activity (ACO_VUL.3)
Annex A (informative) General evaluation guidance
Annex B (informative) Vulnerability assessment (AVA)
Annex C (informative) Evaluation techniques and tools
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
I
...









