prEN ISO/IEC 15408-4
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Framework for the specification of evaluation methods and activities (ISO/IEC DIS 15408-4:2024)
This document provides a standardized framework for specifying objective, repeatable and reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation activities. These aspects are a matter for those originating the evaluation methods and evaluation activities in their particular area of interest.
Standards Content (Sample)
SLOVENIAN STANDARD
2024-11-01
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 4: Framework for the specification of evaluation methods and activities (ISO/IEC DIS 15408-4:2024)
This Slovenian standard is identical to: prEN ISO/IEC 15408-4
ICS: 35.030 IT Security
Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
DRAFT International Standard
ISO/IEC DIS 15408-4
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-08-19
Voting terminates on: 2024-11-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 15408-4:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms, definitions and abbreviated terms
4 General model of evaluation methods and evaluation activities
4.1 Concepts and model
4.2 Deriving evaluation methods and evaluation activities
4.3 Verb usage in the description of evaluation methods and evaluation activities
4.4 Conventions for the description of evaluation methods and evaluation activities
5 Structure of an evaluation method
5.1 Overview
5.2 Specification of an evaluation method
5.2.1 Overview
5.2.2 Identification of evaluation methods
5.2.3 Entity responsible for the evaluation method
5.2.4 Scope of the evaluation method
5.2.5 Dependencies
5.2.6 Required input from the developer or other entities
5.2.7 Required tool types
5.2.8 Required evaluator competences
5.2.9 Requirements for reporting
5.2.10 Rationale for the evaluation method
5.2.11 Additional verb definitions
5.2.12 Set of evaluation activities
6 Structure of evaluation activities
6.1 Overview
6.2 Specification of an evaluation activity
6.2.1 Unique identification of the evaluation activity
6.2.2 Objective of the evaluation activity
6.2.3 Evaluation activity links to SFRs, SARs, and other evaluation activities
6.2.4 Required input from the developer or other entities
6.2.5 Required tool types
6.2.6 Required evaluator competences
6.2.7 Assessment strategy
6.2.8 Pass/fail criteria
6.2.9 Requirements for reporting
6.2.10 Rationale for the evaluation activity
Bibliography
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 15408-4:2022), which has been technically
revised.
The main changes are as follows:
— Minor typographical errors corrected.
A list of all
...