FprEN ISO/IEC 15408-4

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 15408-4:2024
01-november-2024
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
vrednotenje varnosti IT - 4. del: Okvir za specifikacijo metod vrednotenja in
dejavnosti (ISO/IEC DIS 15408-4:2024)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 4: Framework for the specification of evaluation methods and activities
(ISO/IEC DIS 15408-4:2024)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 4: Rahmen für die Festlegung von
Bewertungsmethoden und -tätigkeiten
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 4: Cadre prévu
pour la spécification des méthodes d'évaluation et des activités connexes (ISO/IEC DIS
15408-4:2024)
Ta slovenski standard je istoveten z: prEN ISO/IEC 15408-4
ICS:
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 15408-4:2024 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN ISO/IEC 15408-4:2024

oSIST prEN ISO/IEC 15408-4:2024
DRAFT
International
Standard
ISO/IEC
DIS
15408-4
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
2024-08-19
Part 4:
Voting terminates on:
2024-11-11
Framework for the specification of
evaluation methods and activities
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 4: Cadre prévu pour la spécification des méthodes
d'évaluation et des activités connexes
ICS: ISO ics
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
© ISO/IEC 2024
ISO/IEC DIS 15408-4:2024(en)
oSIST prEN ISO/IEC 15408-4:2024
DRAFT
ISO/IEC DIS 15408-4:2024(en)
International
Standard
ISO/IEC
DIS
15408-4
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
2024-08-19
Part 4:
Voting terminates on:
2024-11-11
Framework for the specification of
evaluation methods and activities
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 4: Cadre prévu pour la spécification des méthodes
d'évaluation et des activités connexes
ICS: ISO ics
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO/IEC 2024
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
© ISO/IEC 2024
ISO/IEC DIS 15408-4:2024(en)
© ISO/IEC 2024 – All rights reserved
ii
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
Contents Page
Foreword .iv
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
4 General model of evaluation methods and evaluation activities . 2
4.1 Concepts and model .2
4.2 Deriving evaluation methods and evaluation activities .3
4.3 Verb usage in the description of evaluation methods and evaluation activities .6
4.4 Conventions for the description of evaluation methods and evaluation activities .6
5 Structure of an evaluation method . 6
5.1 Overview .6
5.2 Specification of an evaluation method .7
5.2.1 Overview .7
5.2.2 Identification of evaluation methods .9
5.2.3 Entity responsible for the evaluation method .9
5.2.4 Scope of the evaluation method .9
5.2.5 Dependencies .10
5.2.6 Required input from the developer or other entities .10
5.2.7 Required tool types .10
5.2.8 Required evaluator competences .10
5.2.9 Requirements for reporting .10
5.2.10 Rationale for the evaluation method .11
5.2.11 Additional verb definitions . 12
5.2.12 Set of evaluation activities. 13
6 Structure of evaluation activities .13
6.1 Overview . 13
6.2 Specification of an evaluation activity . 13
6.2.1 Unique identification of the evaluation activity . 13
6.2.2 Objective of the evaluation activity . 13
6.2.3 Evaluation activity links to SFRs, SARs, and other evaluation activities . 13
6.2.4 Required input from the developer or other entities .14
6.2.5 Required tool types .14
6.2.6 Required evaluator competences .14
6.2.7 Assessment strategy .14
6.2.8 Pass/fail criteria . 15
6.2.9 Requirements for reporting . 15
6.2.10 Rationale for the evaluation activity .16
Bibliography . 17

© ISO/IEC 2024 – All rights reserved
iii
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 15408-2:2022), which has been technically
revised.
The main changes are as follows:
— Minor typographical errors corrected.
A list of all parts in the ISO 15408 series can be found on the ISO website.
The catalogue of security assurance requirements defined in this document is provided in machine readable
format (XML) at: https://standards.iso.org/iso-iec/TBD.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

© ISO/IEC 2024 – All rights reserved
iv
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
Legal notice
The governmental organizations listed below contributed to the development of this version of the Common
Criteria for Information Technology Security Evaluations. As the joint holders of the copyright in the Common
Criteria for Information Technology Security Evaluations (called CC), they hereby grant non-exclusive license
to ISO/IEC to use CC in the continued development/maintenance of the ISO/IEC 15408 series of standards.
However, these governmental organizations retain the right to use, copy, distribute, translate or modify CC
as they see fit.
Australia The Australian Signals Directorate
Canada Communications Security Establishment
France Agence Nationale de la Sécurité des Systèmes d'Information
Germany Bundesamt für Sicherheit in der Informationstechnik
Japan Information-technology Promotion Agency
Netherlands Netherlands National Communications Security Agency
New Zealand Government Communications Security Bureau
Republic of Korea National Security Research Institute
Spain Centro Criptológico Nacional
Sweden FMV, Swedish Defence Materiel Administration
United Kingdom National Cyber Security Centre
United States The National Security Agency and the National Institute of Standards and Technology

© ISO/IEC 2024 – All rights reserved
v
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security evaluations,
by providing a common set of requirements for the security functionality of IT products and for assurance
measures applied to these IT products during a security evaluation. ISO/IEC 18045 provides a companion
methodology for some of the assurance requirements specified in the ISO/IEC 15408 series.
The model of security evaluation in ISO/IEC 15408-1 identifies that high-level generic evaluation activities
are defined in ISO/IEC 18045, but that more specific evaluation activities (EAs) can be defined as technology-
specific adaptations of these generic activities for particular evaluation contexts, e.g. for security functional
requirements (SFRs) or security assurance requirements (SARs) applied to specific technologies or target of
evaluation (TOE) types. Specification of such evaluation activities is already occurring amongst practitioners
and this creates a need for a specification for defining such evaluation activities.
This document describes a framework that can be used for deriving evaluation activities from work units
of ISO/IEC 18045 and grouping them into evaluation methods (EMs). Evaluation activities or evaluation
methods can be included in protection profiles (PPs) and any documents supporting them. Where a PP, PP-
Configuration, PP-Module, package, or Security Target (ST) identifies that specific evaluation methods/
evaluation activities are to be used, then the evaluators are required by ISO/IEC 18045 to follow and
report the relevant evaluation methods/evaluation activities when assigning evaluator verdicts. As noted
in ISO/IEC 15408-1, in some cases an evaluation authority can decide not to approve the use of particular
evaluation methods/evaluation activities: in such a case, the evaluation authority can decide not to carry out
evaluations following an ST that requires those evaluation methods/evaluation activities.
This document also allows for evaluation activities to be defined for extended SARs, in which case derivation
of the evaluation activities relates to equivalent evaluator action elements and work units defined for that
extended SAR. Where reference is made in this document to the use of ISO/IEC 18045 or ISO/IEC 15408-3
for SARs (such as when defining rationales for evaluation activities), then, in the case of an extended SAR,
the reference applies instead to the equivalent evaluator action elements and work units defined for that
extended SAR.
For clarity, this document specifies how to define evaluation methods and evaluation activities but does not
itself specify instances of evaluation methods or evaluation activities.
The following notes appears in other parts of the ISO/IEC 15408 series and in ISO/IEC 18045 to describe the
use of bold and italic type in those documents. This document does not use those conventions, but the notes
have been retained for alignment with the rest of the series.
NOTE 1 This document uses bold type to highlight hierarchical relationships between requirements. This
convention calls for the use of bold type for all new requirements.
NOTE 2 For security functional requirements, the use of italics denotes assignment and selection items.
NOTE 3 For security assurance requirements, special verbs relating to mandatory evaluation activities are
presented in bold italic type face.

© ISO/IEC 2024 – All rights reserved
vi
oSIST prEN ISO/IEC 15408-4:2024
DRAFT International Standard ISO/IEC DIS 15408-4:2024(en)
Information security, cybersecurity and privacy protection —
Evaluation criteria for IT security —
Part 4:
Framework for the specification of evaluation methods and
activities
1 Scope
This document provides a standardized framework for specifying objective, repeatable and reproducible
evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation
activities. These aspects are a matter for those originating the evaluation methods and evaluation activities
in their particular area of interest.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-1, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 1: Introduction and general model
ISO/IEC 15408-2, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 2: Security functional components
ISO/IEC 15408-3, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 18045, Information security, cybersecurity and privacy protection — Methodology for IT security
evaluation
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms, definitions, and abbreviated terms given in ISO/IEC 15408-1,
ISO/IEC 15408-2, ISO/IEC 15408-3, ISO/IEC 15408-5, ISO/IEC 18045 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at www .iso .org/ obp;
— IEC Electropedia: available at www .electropedia .org/ .

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
4 General model of evaluation methods and evaluation activities
4.1 Concepts and model
ISO/IEC 18045 defines a generic set of work units that an evaluator carries out in order to reach a verdict
for most of the assurance classes, families and components defined in ISO/IEC 15408-3. The relationship
between the structure of a SAR in ISO/IEC 15408-3 and the work units in ISO/IEC 18045 is described in
ISO/IEC 18045 and summarized in Figure 1.
Figure 1 — Mapping of ISO/IEC 15408-3 and ISO/IEC 18045 to structures of this document
For the purposes of defining new evaluation methods and evaluation activities, the main point to note is that
each action (representing an evaluator action element in ISO/IEC 15408-3 or an implied evaluator action
element) is represented in ISO/IEC 18045 as a set of work units that are carried out by an evaluator.
This document specifies the ways in which new evaluation activities can be derived from the generic work
units in ISO/IEC 18045, and combined into an evaluation method that is intended for use in some particular
evaluation context. A typical example of such an evaluation context would be a particular TOE type or
particular technology type.
EXAMPLE 1
— TOE type: a network device
— Technology type: specific cryptographic functions
If evaluation methods and evaluation activities are required to be used with a particular PP, PP-Module or PP-
Configuration, then a PP or PP-Module or PP-Configuration shall identify this requirement in its conformance
statement. If evaluation methods and evaluation activities are required to be used with a particular package,
then the package shall identify this requirement in the security requirement section. If Evaluation Methods
and Evaluation Activities are claimed by an ST as a result of that ST claiming conformance to a PP, PP-
Configuration, or package, then the ST shall identify the EMs/EAs used in its conformance claim. No formal
claim of conformance to ISO/IEC 15408-4 is made in any of these cases (the contents of PPs, PP-Modules, PP-
Configurations and packages are described in more detail in ISO/IEC 15408-1).

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
A PP, PP-Configuration, PP-Module or package may use more than one evaluation method or separate set of
evaluation activities.
EXAMPLE 2
Multiple evaluation methods can be used where separate evaluation methods have been defined for cryptographic
operations and for secure channel protocols used in a PP.
NOTE 1 Where exact conformance is used, ISO/IEC 15408-1 states that evaluation methods/evaluation activities
are not allowed to be defined in a PP-Configuration: the evaluation methods/evaluation activities to be used are
included in the PPs and PP-Modules and not in the PP-Configuration).
When a PP, PP-Module, PP-Configuration, or package identifies that certain evaluation methods/evaluation
activities are to be used, then this is done using a standard wording that states the requirement and
references the definition of the evaluation methods/evaluation activities to be used. An ST shall only
identify required evaluation methods and evaluation activities that are included in a PP, PP-Module, PP-
Configuration or package to which the ST claims conformance (i.e. the ST itself shall not add, modify or
remove any evaluation methods or evaluation activities). An ST shall include identification of all evaluation
methods/evaluation activities that it requires (i.e. including any that are required by PPs, PP-Modules, PP-
Configurations, or packages to which the ST claims conformance), so that there is a single list that can be
checked and referenced by evaluators and readers of the ST.
Evaluation methods and evaluation activities may be defined within the document that requires them (e.g. as
part of a PP), or externally in a different document (or in a combination of both). Although identification is
required as described above, it is not necessary to reproduce the text of the evaluation methods/evaluation
activities in other documents (e.g, an ST does not have to include the full text of the evaluation methods/
evaluation activities from a PP to which it claims conformance).
4.2 Deriving evaluation methods and evaluation activities
In general, defining evaluation activities and evaluation methods may start either from an SAR, aiming to
make some or all parts of its work units more specific, or from an SFR, aiming to define specific aspects of
work units related to that SFR.
When starting from an SAR, a guideline for the process is as follows.
— Identify the relevant ISO/IEC 18045 work units from which to derive at least one individual evaluation
activity or groups of evaluation activities;
— For each work unit from which an evaluation activity is derived:
— define the new evaluation activities in terms of the specific work to be carried out and evaluation
criteria as described in subclause 6.2 (including, if required, pass/fail criteria as described in
subclause 6.2.8);
— group evaluation activities into an evaluation method if necessary;
— state the rationale for the new evaluation activities and the evaluation method under which they are
grouped as described in subclause 5.2.10 and subclause 6.2.10.
EXAMPLE 1
A rationale can include reference to the developer action, and content and presentation elements of
the work units from which they are derived.
A guideline for starting from an SFR would be as follows.
— Identify the relevant SFR;
— Identify the SARs (from ISO/IEC 15408-3 or a set of extended SARs, or both) to be addressed for that
particular SFR, and the corresponding ISO/IEC 18045 work units;

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
— Define the new evaluation activities in terms of the specific work to be carried out and evaluation criteria
as described in subclause 6.2 (including, if required, pass/fail criteria as described in subclause 6.2.8);
EXAMPLE 2
Evaluation activities can be defined to examine the presentation of a specific SFR in the TOE Summary
Specification (derived from Class ASE Security Target (ST) evaluation (see ISO/IEC 15408-3, Clause 9)),
to examine the presentation of the SFR in the guidance documentation (derived from Class AGD Guidance
documents (see ISO/IEC 15408-3, Clause 11)), and to carry out specific tests of the SFR (derived from
Class ATE Tests (see ISO/IEC 15408-3, Clause 13)).
— Map the affected work units for the SARs to the new evaluation activities;
— State the rationale for the new evaluation activities, and the evaluation method under which they are
grouped, as described in subclause 5.2.10 and subclause 6.2.10.
Although an author may choose to start from SARs or SFRs, it is noted that SARs ultimately cover all SFRs.
Starting from SFRs as described above is a technique that can be useful when clarifying the detail of how an
SAR applies to a particular SFR, and that can be useful for presenting SFRs alongside the description of their
evaluation activities.
It is not required to have a 1:1 mapping between work units and new evaluation activities, and the actual
correspondence is documented in a rationale (as described in subclause 5.2.10). The derivation may be made
in terms of individual work units or groups of work units, and this is depicted in Figure 2. In case a) of
Figure 2 the author maps each work unit from ISO/IEC 18045 to a corresponding evaluation activity, while
in case b) the author maps different numbers of work units and evaluation activities, whilst still addressing
all aspects of an action (i.e. the collection of work units).
Figure 2 — Alternative approaches to mapping ISO/IEC 18045 to derived evaluation activities
Other approaches are possible depending on the content of the specific work units and evaluation activities:
even where the same number of work units and evaluation activities exist, a simple 1:1 mapping is sometimes

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
not possible and therefore a mapping at the action level may be appropriate. Some more detailed mapping
situations are described in the examples below.
NOTE 1 These examples assume that the evaluation activities described are being defined by a community that can
judge the suitability of the rationale for completeness of the evaluation activities. The examples are concerned only
with the form and structure of the mappings, not with the nature or acceptance of the completeness rationale.
EXAMPLE 3
For a TOE type that includes both software and hardware, additional evaluation activities can be defined to deal with
the manufacturing environment and its processes. Considering the Developer environment security (ALC_DVS) (see
ISO/IEC 15408-3, 12.6) family, a possible approach would be to adopt all the existing Developer environment security
(ALC_DVS) (see ISO/IEC 15408-3, 12.6) work units for the software development environment and to define additional
evaluation activities for each of the relevant hardware and manufacturing aspects. These aspects can include
extensions of the normal Developer environment security (ALC_DVS) (see ISO/IEC 15408-3, 12.6) scope to additional
items such as protection of hardware design in the development environment, secure transfer of software from the
development environment to the manufacturing environment, security of the manufacturing site, and protection of
the manufactured product while awaiting delivery. They can also include new aspects related to objects and processes
that arise only in the manufacturing environment, such as:
— confirming that the firmware used on a manufacturing line is reliably obtained from the authorized version
created on the firmware build system;
— checking configuration management of test programs for testing the TOE on the manufacturing line;
— confirming that processes to disable test or debug interfaces on the TOE operate correctly and reliably;
— examining the physical and logical security of key management systems used to inject keys or certificates into the
TOE during manufacture.
In this example the original ALC_DVS.1.1E action is mapped to include all the new evaluation activities, but an
alternative approach would be to define additional evaluation activities for each individual work unit for ALC_
DVS.1.1E, identifying the additional activities to cover the manufacturing environment for that work unit.
EXAMPLE 4
If AVA_VAN.1, Vulnerability survey (see ISO/IEC 15408-3, 14.4.1) vulnerability analysis is applied to a particular type
of TOE, where there is a specific need to achieve consistency in the public domain vulnerability sources used then a
possible approach would be to define an evaluation activity that covers the Vulnerability analysis (AVA_VAN) (see
ISO/IEC 15408-3, 14.4) work unit dealing with searching public domain sources by specifying the particular sources
to be used, perhaps along with particular searches to be carried out and decision criteria for selecting a resulting list
of potential vulnerabilities to be analysed and tested. In this example the original AVA_VAN.1-3 work unit is mapped to
the new evaluation activity.
EXAMPLE 5
— For an evaluation method to be used with hardware such as an integrated circuit, evaluation activities can be
defined to examine the circuit’s architecture, defining required inputs that give the evaluator specific details about
the operations and information available through the circuit’s interfaces. The definition of these required inputs
can then make clear that the relevant interfaces include the circuit’s physical surface, its executable programming
instructions, and its communication interfaces.
— Further evaluation activities within the evaluation method can examine the circuit’s resistance against physical
probing in order to prevent manipulating or disabling TSF features.
— For testing activities, evaluation activities within the evaluation method can define a required input that presents
the circuit’s design as a flow chart of security functions permeating through the circuit’s subsystems. The flow
chart can then be used by the evaluator to create test cases and to confirm the test coverage of the circuit.
EXAMPLE 6
— For a TOE type such as a network device that provides cryptographically verifiable firmware updates, evaluation
activities can give specific details of how the evaluator is required to review the Security Target and guidance
documentation to confirm certain specific characteristics required of the cryptographic update process.

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
— Other evaluation activities can define specific test cases covering the verification of the current firmware, the
availability of updates, fetching updates, verifying the source of the updates using cryptographic signatures, and
the use of specific types of invalid update in order to test the TOE’s acceptance functions.
4.3 Verb usage in the description of evaluation methods and evaluation activities
Where a verb is defined in ISO/IEC 15408-1 then the description of evaluation activities shall use those verbs
only in accordance with the definitions. Alternative verbs may be used in an evaluation method for use in
its evaluation activities provided that the alternative verbs are defined in the evaluation method. Any such
verb definition shall make clear the extent to which evaluator judgement (as opposed to simple checking) is
involved.
EXAMPLE 1
An evaluation method that includes automated test generation for a protocol can define a verb “cover”, applied to
enumerated types in a protocol parameter, to mean trying all defined and undefined values of the parameter within
the available parameter length. Then evaluation activities can be written in forms such as “The evaluator shall cover
the PaymentMode field”.
Evaluator action verbs such as check, examine, report and record are used in this document with the meanings
defined in ISO/IEC 15408-1.
4.4 Conventions for the description of evaluation methods and evaluation activities
The paragraphs below describe conventions used in ISO/IEC 15408-3 and ISO/IEC 18045 that support
consistency in the description of evaluation methods and evaluation activities.
All work unit and sub-task verbs are preceded by the auxiliary verb “shall” and by presenting both the
verb and the “shall” in bold italic type face. The auxiliary verb “shall” is used only when the provided text is
mandatory and therefore only within the work units and sub-tasks. The work units and sub-tasks contain
mandatory activities that the evaluator must perform in order to assign verdicts.
Guidance text accompanying work units and sub-tasks gives further explanation on how to apply the work
units and sub-tasks in an evaluation.
5 Structure of an evaluation method
5.1 Overview
An evaluation method and its constituent evaluation activities are defined for use in a particular evaluation
context. For example, separate evaluation methods may be defined for specific technology areas which can
range from specific functions up to specific product types or even. in extreme cases, for a specific product
when the product is evaluated for unique features but where there is a requirement to have the product
evaluated using a separately defined method that supports visibility, repeatability and reproducibility of the
evaluation.
EXAMPLE 1
Evaluation contexts for which separate evaluation methods can be defined are:
— specific product types like network devices, smart cards, biometric devices, mobile devices;
— specific security functions reused for multiple product types, such as cryptographic functions, cryptographic
protocols, digital certificate validation, identification and authentication schemes.
An evaluation method comprises a collection of individual evaluation activities, with additional information
about the way in which the evaluation activities collectively meet a goal related to an identified evaluation
context.
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
The description of an evaluation method includes:
— identification of the entity that is responsible for definition and maintenance of the evaluation method;
— the intended scope of the evaluation method, identifying the objective for deriving the evaluation
activities in the evaluation method, the evaluation context in which it is intended to be applied, and any
known limitation of, or aspects not intended to be covered by, the evaluation method;
— any tool types and/or evaluator competences required to carry out the evaluation activities contained in
the evaluation method;
— any requirements for reporting on the results of applying the evaluation method;
— identification of each work unit in ISO/IEC 18045 (or equivalent for an extended SAR) that is addressed
by the evaluation activities in the evaluation method;
— identification of any extended SARs from which an evaluation method is derived (if applicable);
— any additional verbs used in the description of evaluation activities in place of verbs defined in
ISO/IEC 15408-1.
Further description of the content, including identification of which content elements are mandatory,
and how content elements may be distributed between evaluation method and its evaluation activities, is
given in subclause 5.2 and subclause 6.2 and is summarised in Table 1. Where a content element is optional
(e.g. identification of specific evaluator competences, or required tool types), then that part may simply be
omitted from the relevant definition: it is not necessary to include a blank section.
5.2 Specification of an evaluation method
5.2.1 Overview
An evaluation method is specified in terms of the information identified in subclause 5.2.2 to subclause 5.2.12.
No specific format is required for providing or presenting this information, except where stated for
individual elements in subclause 5.2.2 to subclause 5.2.12. The purpose of specifying the description of an
evaluation method in subclause 5.2.2 to subclause 5.2.12 is to ensure that the assurance techniques used in
an evaluation can be unambiguously identified, and that the evaluation method is used appropriately (in the
context for which it was intended) and in a way that supports consistent evaluation results.
In general, the description of an evaluation method can be taken to include the descriptions of the individual
evaluation activities that it contains. This means that aspects of the evaluation method description may be
deduced from the evaluation activity descriptions.
Figure 3 illustrates the content described in this document for an evaluation method. It does not define a
mandatory structure for describing an evaluation method.

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
Figure 3 — Contents of an evaluation method
The contents shown in Figure 3 are described in more detail in subclause 5.2 and subclause 6.2, and a
summary of the mandatory and optional requirements for specifying evaluation methods and evaluation
activities is given in Table 1.
Table 1 — Distribution of content between evaluation methods and evaluation activities
Content element Evaluation method Evaluation activity
Identifier Mandatory Mandatory
Entity Responsible Mandatory Not applicable
Scope Mandatory Not applicable
Dependencies Optional Optional
Required inputs Mandatory Mandatory
Required tool types Optional Optional
Required evaluator competences Optional Optional
Requirements for reporting Optional Optional
Rationale Mandatory Mandatory
Evaluation activities Mandatory Not applicable
Additional verb definitions Optional Not applicable
Objective Not applicable Mandatory
Evaluation activity links to SFRs, Not applicable Optional
SARs and other evaluation activities
Assessment strategy Not applicable Mandatory
Pass/fail criteria Not applicable Optional

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 15408-4:2024
ISO/IEC DIS 15408-4:2024(en)
5.2.2 Identification of evaluation methods
The definition of an evaluation method shall include a unique identifier in order to unambiguously identify
the set of evaluation activities to be applied in any given evaluation. An identifier should be assigned at the
evaluation method level (rather than just at the level of the evaluation activities it contains), reflecting the
fact that an evaluation method is intended to be applied as a whole, and is subject to rationale and defined
purpose and objectives at this level. If a set of evaluation activities has been grouped into an evaluation
method, then it shall only be identified as the same evaluation method when the complete set of evaluation
activities in the evaluation method is used, with the same rationale as contained in the original evaluation
method. If there is a need to divide the evaluation method into smaller subsets of evaluation activities, then
a separate evaluation method, with its own rationale, shall be defined for each subset.
EXAMPLE 1
A unique identifier expressed by the title and version number of a supporting document or PP containing the
evaluation method.
EXAMPLE 2
An identifier obtained from a registration authority.
As described in subclause 5.2.10, an evaluation method may be overlain by another evaluation method
(e.g. for use in other PPs or PP-Modules). In such a case, if the original evaluation method rationale still
holds (as described in subclause 5.2.10), then the identifier of the original evaluation method shall be used.
However, if the rationale is changed as part of the
...