EN ISO/IEC 15408-3:2023
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
Overview
EN ISO/IEC 15408-3:2023 (identical to ISO/IEC 15408-3:2022) is Part 3 of the ISO/IEC 15408 series, commonly known as the Common Criteria. This European adoption by CEN defines the security assurance components from which evaluation assurance levels (EALs) and other assurance packages are built. It establishes the assurance requirements and the criteria for evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
Key topics and technical requirements
- Assurance paradigm and evaluation scale: Describes the assurance approach, significance and causes of vulnerabilities, and the ISO/IEC 15408 evaluation assurance scale used to express confidence in security functions.
- Assurance class, family and component structure: Defines how assurance classes are organized into families and individual components, including naming, introductions and objectives.
- Component levelling and dependencies: Components within a family are levelled to indicate increasing rigour, and each carries explicit dependencies and application notes that guide the scope of evaluation.
- Assurance elements: Breaks components down into measurable elements (work units for evaluators) used during evaluation.
- Protection Profile and Security Target evaluation: Contains dedicated classes (APE for PP evaluation, ACE for PP-Module and PP-Configuration evaluation, ASE for ST evaluation) with components such as APE_INT, APE_CCL, APE_SPD, APE_OBJ and APE_REQ (mirrored by the ASE_ components for STs) covering introductions, conformance claims, security problem definitions, objectives and requirements.
- Taxonomy and application guidance: Provides a standardized taxonomy and guidance to ensure consistent interpretation across evaluations and national schemes.
Practical applications and users
- Evaluation laboratories and certification bodies use this document to structure and perform conformity assessments against Protection Profiles and Security Targets.
- Product vendors and developers rely on the assurance components to prepare Security Targets and evidence packages that meet required assurance levels.
- Security architects and system integrators consult it to design systems whose security claims can be evaluated and certified.
- Procurement teams and regulators reference the standard when specifying required assurance levels or accepting certified IT products for sensitive environments.
Related standards
- ISO/IEC 15408 (Common Criteria) - the series within which Part 3 sits.
- EN ISO/IEC 15408-5 - defines evaluation assurance levels and packages composed from the components in Part 3.
Keywords: EN ISO/IEC 15408-3:2023, ISO/IEC 15408-3:2022, Common Criteria, security assurance components, Protection Profile evaluation, Security Target, evaluation assurance levels, IT security assurance, cybersecurity standard.
Frequently Asked Questions
EN ISO/IEC 15408-3:2023 is a standard published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)". Its scope is as follows: This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
EN ISO/IEC 15408-3:2023 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
EN ISO/IEC 15408-3:2023 has the following relationships with other standards: it is linked to EN ISO/IEC 15408-3:2020 (which it supersedes) and to the draft prEN ISO/IEC 15408-3. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase EN ISO/IEC 15408-3:2023 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.
Standards Content (Sample)
SLOVENIAN STANDARD
01-May-2024
Supersedes:
SIST EN ISO/IEC 15408-3:2020
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
This Slovenian standard is identical to: EN ISO/IEC 15408-3:2023
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or of parts of this standard is not permitted.
EUROPEAN STANDARD EN ISO/IEC 15408-3
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-3:2020
English version
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
This European Standard was approved by CEN on 20 November 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 15408-3:2023 E
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 15408-3:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 15408-3:2023 by Technical Committee CEN-CENELEC/JTC 13 "Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-3:2020.
Any feedback and questions on this document should be directed to the users' national standards body. A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-3:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-3:2023 without any modification.
INTERNATIONAL STANDARD ISO/IEC 15408-3
Fourth edition
2022-08
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
Reference number
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents Page
Foreword .x
Introduction .xii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview . 5
5 Assurance paradigm .6
5.1 General . 6
5.2 ISO/IEC 15408 series approach . 6
5.3 Assurance approach . 6
5.3.1 General . 6
5.3.2 Significance of vulnerabilities . 6
5.3.3 Cause of vulnerabilities . 7
5.3.4 ISO/IEC 15408 series assurance . 7
5.3.5 Assurance through evaluation . 7
5.4 ISO/IEC 15408 series evaluation assurance scale . 8
6 Security assurance components . 8
6.1 General . 8
6.2 Assurance class structure . 8
6.2.1 General . 8
6.2.2 Class name . 8
6.2.3 Class introduction . 8
6.2.4 Assurance families . 9
6.3 Assurance family structure . 9
6.3.1 Family name . 9
6.3.2 Objectives . 9
6.3.3 Component levelling . 10
6.3.4 Application notes . 10
6.3.5 Assurance components . 10
6.4 Assurance component structure . 10
6.4.1 General . 10
6.4.2 Component identification . 11
6.4.3 Objectives . 11
6.4.4 Application notes . 11
6.4.5 Dependencies . 11
6.4.6 Assurance elements . 11
6.5 Assurance elements .12
6.6 Component taxonomy .12
7 Class APE: Protection Profile (PP) evaluation .12
7.1 General .12
7.2 PP introduction (APE_INT) . 13
7.2.1 Objectives .13
7.2.2 APE_INT.1 PP introduction . 13
7.3 Conformance claims (APE_CCL) . 14
7.3.1 Objectives . 14
7.3.2 APE_CCL.1 Conformance claims . 14
7.4 Security problem definition (APE_SPD) . 16
7.4.1 Objectives . 16
7.4.2 APE_SPD.1 Security problem definition . 16
7.5 Security objectives (APE_OBJ) . 16
7.5.1 Objectives . 16
7.5.2 Component levelling . 17
7.5.3 APE_OBJ.1 Security objectives for the operational environment . 17
7.5.4 APE_OBJ.2 Security objectives . 17
7.6 Extended components definition (APE_ECD) . 18
7.6.1 Objectives . 18
7.6.2 APE_ECD.1 Extended components definition . 18
7.7 Security requirements (APE_REQ) . 19
7.7.1 Objectives . 19
7.7.2 Component levelling . 19
7.7.3 APE_REQ.1 Direct rationale PP-Module security requirements . 19
7.7.4 APE_REQ.2 Derived security requirements . 20
8 Class ACE: Protection Profile Configuration evaluation .22
8.1 General .22
8.2 PP-Module introduction (ACE_INT) . 22
8.2.1 Objectives .22
8.2.2 ACE_INT.1 PP-Module introduction . 22
8.3 PP-Module conformance claims (ACE_CCL) . 23
8.3.1 Objectives .23
8.3.2 ACE_CCL.1 PP-Module conformance claims . 23
8.4 PP-Module security problem definition (ACE_SPD) . 25
8.4.1 Objectives . 25
8.4.2 ACE_SPD.1 PP-Module security problem definition . 25
8.5 PP-Module security objectives (ACE_OBJ) . 26
8.5.1 Objectives . 26
8.5.2 Component levelling . 26
8.5.3 ACE_OBJ.1 PP-Module security objectives for the operational environment .26
8.5.4 ACE_OBJ.2 PP-Module security objectives. 27
8.6 PP-Module extended components definition (ACE_ECD). 27
8.6.1 Objectives . 27
8.6.2 ACE_ECD.1 PP-Module extended components definition .28
8.7 PP-Module security requirements (ACE_REQ) .28
8.7.1 Objectives .28
8.7.2 Component levelling .29
8.7.3 ACE_REQ.1 PP-Module stated security requirements .29
8.7.4 ACE_REQ.2 PP-Module derived security requirements .30
8.8 PP-Module consistency (ACE_MCO) . 31
8.8.1 Objectives . 31
8.8.2 ACE_MCO.1 PP-Module consistency . 31
8.9 PP-Configuration consistency (ACE_CCO) . 32
8.9.1 Objectives . 32
8.9.2 ACE_CCO.1 PP-Configuration consistency . 32
9 Class ASE: Security Target (ST) evaluation .36
9.1 General .36
9.2 ST introduction (ASE_INT) . 36
9.2.1 Objectives .36
9.2.2 ASE_INT.1 ST introduction .36
9.3 Conformance claims (ASE_CCL) . 37
9.3.1 Objectives . 37
9.3.2 ASE_CCL.1 Conformance claims . 37
9.4 Security problem definition (ASE_SPD) . 39
9.4.1 Objectives .39
9.4.2 ASE_SPD.1 Security problem definition .39
9.5 Security objectives (ASE_OBJ) .40
9.5.1 Objectives .40
9.5.2 Component levelling .40
9.5.3 ASE_OBJ.1 Security objectives for the operational environment .40
9.5.4 ASE_OBJ.2 Security objectives . 41
9.6 Extended components definition (ASE_ECD) . 42
9.6.1 Objectives . 42
9.6.2 ASE_ECD.1 Extended components definition . 42
9.7 Security requirements (ASE_REQ). 43
9.7.1 Objectives . 43
9.7.2 Component levelling . 43
9.7.3 ASE_REQ.1 Direct rationale security requirements . 43
9.7.4 ASE_REQ.2 Derived security requirements .44
9.8 TOE summary specification (ASE_TSS) . 45
9.8.1 Objectives . 45
9.8.2 Component levelling .46
9.8.3 ASE_TSS.1 TOE summary specification .46
9.8.4 ASE_TSS.2 TOE summary specification with architectural design summary .46
9.9 Consistency of composite product Security Target (ASE_COMP) . 47
9.9.1 Objectives . 47
9.9.2 Component levelling . 47
9.9.3 Application notes . 47
9.9.4 ASE_COMP.1 Consistency of Security Target (ST) .48
10 Class ADV: Development .49
10.1 General .49
10.2 Security Architecture (ADV_ARC) . 53
10.2.1 Objectives .53
10.2.2 Component levelling .53
10.2.3 Application notes .54
10.2.4 ADV_ARC.1 Security architecture description .54
10.3 Functional specification (ADV_FSP) . 55
10.3.1 Objectives . 55
10.3.2 Component levelling . 55
10.3.3 Application notes .56
10.3.4 ADV_FSP.1 Basic functional specification .58
10.3.5 ADV_FSP.2 Security-enforcing functional specification. 59
10.3.6 ADV_FSP.3 Functional specification with complete summary . 59
10.3.7 ADV_FSP.4 Complete functional specification .60
10.3.8 ADV_FSP.5 Complete semi-formal functional specification with additional error information . 61
10.3.9 ADV_FSP.6 Complete semi-formal functional specification with additional formal specification . 62
10.4 Implementation representation (ADV_IMP) .63
10.4.1 Objectives .63
10.4.2 Component levelling .64
10.4.3 Application notes .64
10.4.4 ADV_IMP.1 Implementation representation of the TSF .65
10.4.5 ADV_IMP.2 Complete mapping of the implementation representation of the TSF . 65
10.5 TSF internals (ADV_INT) .66
10.5.1 Objectives .66
10.5.2 Component levelling .66
10.5.3 Application notes .66
10.5.4 ADV_INT.1 Well-structured subset of TSF internals . 67
10.5.5 ADV_INT.2 Well-structured internals .68
10.5.6 ADV_INT.3 Minimally complex internals .68
10.6 Security policy modelling (ADV_SPM) . 69
10.6.1 Objectives .69
10.6.2 Component levelling . 70
10.6.3 Application notes . 70
10.6.4 ADV_SPM.1 Formal TOE security policy model . 70
10.7 TOE design (ADV_TDS) .72
10.7.1 Objectives .72
10.7.2 Component levelling .72
10.7.3 Application notes .72
10.7.4 ADV_TDS.1 Basic design .73
10.7.5 ADV_TDS.2 Architectural design .74
10.7.6 ADV_TDS.3 Basic modular design . 75
10.7.7 ADV_TDS.4 Semiformal modular design . 76
10.7.8 ADV_TDS.5 Complete semiformal modular design . 78
10.7.9 ADV_TDS.6 Complete semiformal modular design with formal high-level design presentation . 79
10.8 Composite design compliance (ADV_COMP) .80
10.8.1 Objectives .80
10.8.2 Component levelling .80
10.8.3 Application notes .80
10.8.4 ADV_COMP.1 Design compliance with the base component-related user guidance, ETR for composite evaluation and report of the base component evaluation authority . 81
11 Class AGD: Guidance documents .82
11.1 General .82
11.2 Operational user guidance (AGD_OPE) .82
11.2.1 Objectives .82
11.2.2 Component levelling .82
11.2.3 Application notes .82
11.2.4 AGD_OPE.1 Operational user guidance.83
11.3 Preparative procedures (AGD_PRE) .84
11.3.1 Objectives .84
11.3.2 Component levelling .84
11.3.3 Application notes .84
11.3.4 AGD_PRE.1 Preparative procedures .84
12 Class ALC: Life-cycle support .85
12.1 General .85
12.2 CM capabilities (ALC_CMC) .86
12.2.1 Objectives .86
12.2.2 Component levelling .87
12.2.3 Application notes .87
12.2.4 ALC_CMC.1 Labelling of the TOE .87
12.2.5 ALC_CMC.2 Use of the CM system .88
12.2.6 ALC_CMC.3 Authorization controls .89
12.2.7 ALC_CMC.4 Production support, acceptance procedures and automation . 91
12.2.8 ALC_CMC.5 Advanced support . 93
12.3 CM scope (ALC_CMS) .96
12.3.1 Objectives .96
12.3.2 Component levelling .96
12.3.3 Application notes .96
12.3.4 ALC_CMS.1 TOE CM coverage .96
12.3.5 ALC_CMS.2 Parts of the TOE CM coverage .97
12.3.6 ALC_CMS.3 Implementation representation CM coverage .98
12.3.7 ALC_CMS.4 Problem tracking CM coverage .99
12.3.8 ALC_CMS.5 Development tools CM coverage .99
12.4 Delivery (ALC_DEL) .100
12.4.1 Objectives .100
12.4.2 Component levelling . 101
12.4.3 Application notes . 101
12.4.4 ALC_DEL.1 Delivery procedures
...
SLOVENSKI STANDARD
01-maj-2024
Nadomešča:
SIST EN ISO/IEC 15408-3:2020
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za
vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC
15408-3:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 3: Sicherheit Gewährleistungskomponenten
(ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants
d'assurance de sécurité (ISO/IEC 15408-3:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 15408-3:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN ISO/IEC 15408-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-3:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Part 3: Security
assurance components (ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Partie 3: Sicherheit - Teil 3: Sicherheit
Composants d'assurance de sécurité (ISO/IEC 15408- Gewährleistungskomponenten (ISO/IEC 15408-
3:2022) 3:2022)
This European Standard was approved by CEN on 20 November 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 15408-3:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 15408-3:2022 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-3:2023 by Technical Committee CEN-CENELEC/ JTC 13 “Cybersecurity
and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-3:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-3:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-3:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 15408-3
Fourth edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security —
Part 3:
Security assurance components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information —
Partie 3: Composants d'assurance de sécurité
Reference number
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
Contents Page
Foreword .x
Introduction .xii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview . 5
5 Assurance paradigm .6
5.1 General . 6
5.2 ISO/IEC 15408 series approach . 6
5.3 Assurance approach . 6
5.3.1 General . 6
5.3.2 Significance of vulnerabilities . 6
5.3.3 Cause of vulnerabilities . 7
5.3.4 ISO/IEC 15408 series assurance . 7
5.3.5 Assurance through evaluation . 7
5.4 ISO/IEC 15408 series evaluation assurance scale . 8
6 Security assurance components . 8
6.1 General . 8
6.2 Assurance class structure . 8
6.2.1 General . 8
6.2.2 Class name . 8
6.2.3 Class introduction . 8
6.2.4 Assurance families . 9
6.3 Assurance family structure . 9
6.3.1 Family name . 9
6.3.2 Objectives . 9
6.3.3 Component levelling . 10
6.3.4 Application notes . 10
6.3.5 Assurance components . 10
6.4 Assurance component structure . 10
6.4.1 General . 10
6.4.2 Component identification . 11
6.4.3 Objectives . 11
6.4.4 Application notes . 11
6.4.5 Dependencies . 11
6.4.6 Assurance elements . 11
6.5 Assurance elements .12
6.6 Component taxonomy .12
7 Class APE: Protection Profile (PP) evaluation .12
7.1 General .12
7.2 PP introduction (APE_INT) . 13
7.2.1 Objectives .13
7.2.2 APE_INT.1 PP introduction . 13
7.3 Conformance claims (APE_CCL) . 14
7.3.1 Objectives . 14
7.3.2 APE_CCL.1 Conformance claims . 14
7.4 Security problem definition (APE_SPD) . 16
7.4.1 Objectives . 16
7.4.2 APE_SPD.1 Security problem definition . 16
7.5 Security objectives (APE_OBJ) . 16
7.5.1 Objectives . 16
7.5.2 Component levelling . 17
iii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
7.5.3 APE_OBJ.1 Security objectives for the operational environment . 17
7.5.4 APE_OBJ.2 Security objectives . 17
7.6 Extended components definition (APE_ECD) . 18
7.6.1 Objectives . 18
7.6.2 APE_ECD.1 Extended components definition . 18
7.7 Security requirements (APE_REQ) . 19
7.7.1 Objectives . 19
7.7.2 Component levelling . 19
7.7.3 APE_REQ.1 Direct rationale PP-Module security requirements . . 19
7.7.4 APE_REQ.2 Derived security requirements . 20
8 Class ACE: Protection Profile Configuration evaluation .22
8.1 General .22
8.2 PP-Module introduction (ACE_INT) . 22
8.2.1 Objectives .22
8.2.2 ACE_INT.1 PP-Module introduction . 22
8.3 PP-Module conformance claims (ACE_CCL) . 23
8.3.1 Objectives .23
8.3.2 ACE_CCL.1 PP-Module conformance claims . 23
8.4 PP-Module security problem definition (ACE_SPD) . 25
8.4.1 Objectives . 25
8.4.2 ACE_SPD.1 PP-Module security problem definition . 25
8.5 PP-Module security objectives (ACE_OBJ) . 26
8.5.1 Objectives . 26
8.5.2 Component levelling . 26
8.5.3 ACE_OBJ.1 PP-Module security objectives for the operational environment .26
8.5.4 ACE_OBJ.2 PP-Module security objectives. 27
8.6 PP-Module extended components definition (ACE_ECD). 27
8.6.1 Objectives . 27
8.6.2 ACE_ECD.1 PP-Module extended components definition .28
8.7 PP-Module security requirements (ACE_REQ) .28
8.7.1 Objectives .28
8.7.2 Component levelling .29
8.7.3 ACE_REQ.1 PP-Module stated security requirements .29
8.7.4 ACE_REQ.2 PP-Module derived security requirements .30
8.8 PP-Module consistency (ACE_MCO) . 31
8.8.1 Objectives . 31
8.8.2 ACE_MCO.1 PP-Module consistency . 31
8.9 PP-Configuration consistency (ACE_CCO) . 32
8.9.1 Objectives . 32
8.9.2 ACE_CCO.1 PP-Configuration consistency . 32
9 Class ASE: Security Target (ST) evaluation .36
9.1 General .36
9.2 ST introduction (ASE_INT) . 36
9.2.1 Objectives .36
9.2.2 ASE_INT.1 ST introduction .36
9.3 Conformance claims (ASE_CCL) . 37
9.3.1 Objectives . 37
9.3.2 ASE_CCL.1 Conformance claims . 37
9.4 Security problem definition (ASE_SPD) . 39
9.4.1 Objectives .39
9.4.2 ASE_SPD.1 Security problem definition .39
9.5 Security objectives (ASE_OBJ) .40
9.5.1 Objectives .40
9.5.2 Component levelling .40
9.5.3 ASE_OBJ.1 Security objectives for the operational environment .40
9.5.4 ASE_OBJ.2 Security objectives . 41
9.6 Extended components definition (ASE_ECD) . 42
iv
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
9.6.1 Objectives  42
9.6.2 ASE_ECD.1 Extended components definition  42
9.7 Security requirements (ASE_REQ)  43
9.7.1 Objectives  43
9.7.2 Component levelling  43
9.7.3 ASE_REQ.1 Direct rationale security requirements  43
9.7.4 ASE_REQ.2 Derived security requirements  44
9.8 TOE summary specification (ASE_TSS)  45
9.8.1 Objectives  45
9.8.2 Component levelling  46
9.8.3 ASE_TSS.1 TOE summary specification  46
9.8.4 ASE_TSS.2 TOE summary specification with architectural design summary  46
9.9 Consistency of composite product Security Target (ASE_COMP)  47
9.9.1 Objectives  47
9.9.2 Component levelling  47
9.9.3 Application notes  47
9.9.4 ASE_COMP.1 Consistency of Security Target (ST)  48
10 Class ADV: Development  49
10.1 General  49
10.2 Security Architecture (ADV_ARC)  53
10.2.1 Objectives  53
10.2.2 Component levelling  53
10.2.3 Application notes  54
10.2.4 ADV_ARC.1 Security architecture description  54
10.3 Functional specification (ADV_FSP)  55
10.3.1 Objectives  55
10.3.2 Component levelling  55
10.3.3 Application notes  56
10.3.4 ADV_FSP.1 Basic functional specification  58
10.3.5 ADV_FSP.2 Security-enforcing functional specification  59
10.3.6 ADV_FSP.3 Functional specification with complete summary  59
10.3.7 ADV_FSP.4 Complete functional specification  60
10.3.8 ADV_FSP.5 Complete semi-formal functional specification with additional error information  61
10.3.9 ADV_FSP.6 Complete semi-formal functional specification with additional formal specification  62
10.4 Implementation representation (ADV_IMP)  63
10.4.1 Objectives  63
10.4.2 Component levelling  64
10.4.3 Application notes  64
10.4.4 ADV_IMP.1 Implementation representation of the TSF  65
10.4.5 ADV_IMP.2 Complete mapping of the implementation representation of the TSF  65
10.5 TSF internals (ADV_INT)  66
10.5.1 Objectives  66
10.5.2 Component levelling  66
10.5.3 Application notes  66
10.5.4 ADV_INT.1 Well-structured subset of TSF internals  67
10.5.5 ADV_INT.2 Well-structured internals  68
10.5.6 ADV_INT.3 Minimally complex internals  68
10.6 Security policy modelling (ADV_SPM)  69
10.6.1 Objectives  69
10.6.2 Component levelling  70
10.6.3 Application notes  70
10.6.4 ADV_SPM.1 Formal TOE security policy model  70
10.7 TOE design (ADV_TDS)  72
10.7.1 Objectives  72
10.7.2 Component levelling  72
10.7.3 Application notes  72
10.7.4 ADV_TDS.1 Basic design  73
10.7.5 ADV_TDS.2 Architectural design  74
10.7.6 ADV_TDS.3 Basic modular design  75
10.7.7 ADV_TDS.4 Semiformal modular design  76
10.7.8 ADV_TDS.5 Complete semiformal modular design  78
10.7.9 ADV_TDS.6 Complete semiformal modular design with formal high-level design presentation  79
10.8 Composite design compliance (ADV_COMP)  80
10.8.1 Objectives  80
10.8.2 Component levelling  80
10.8.3 Application notes  80
10.8.4 ADV_COMP.1 Design compliance with the base component-related user guidance, ETR for composite evaluation and report of the base component evaluation authority  81
11 Class AGD: Guidance documents  82
11.1 General  82
11.2 Operational user guidance (AGD_OPE)  82
11.2.1 Objectives  82
11.2.2 Component levelling  82
11.2.3 Application notes  82
11.2.4 AGD_OPE.1 Operational user guidance  83
11.3 Preparative procedures (AGD_PRE)  84
11.3.1 Objectives  84
11.3.2 Component levelling  84
11.3.3 Application notes  84
11.3.4 AGD_PRE.1 Preparative procedures  84
12 Class ALC: Life-cycle support  85
12.1 General  85
12.2 CM capabilities (ALC_CMC)  86
12.2.1 Objectives  86
12.2.2 Component levelling  87
12.2.3 Application notes  87
12.2.4 ALC_CMC.1 Labelling of the TOE  87
12.2.5 ALC_CMC.2 Use of the CM system  88
12.2.6 ALC_CMC.3 Authorization controls  89
12.2.7 ALC_CMC.4 Production support, acceptance procedures and automation  91
12.2.8 ALC_CMC.5 Advanced support  93
12.3 CM scope (ALC_CMS)  96
12.3.1 Objectives  96
12.3.2 Component levelling  96
12.3.3 Application notes  96
12.3.4 ALC_CMS.1 TOE CM coverage  96
12.3.5 ALC_CMS.2 Parts of the TOE CM coverage  97
12.3.6 ALC_CMS.3 Implementation representation CM coverage  98
12.3.7 ALC_CMS.4 Problem tracking CM coverage  99
12.3.8 ALC_CMS.5 Development tools CM coverage  99
12.4 Delivery (ALC_DEL)  100
12.4.1 Objectives  100
12.4.2 Component levelling  101
12.4.3 Application notes  101
12.4.4 ALC_DEL.1 Delivery procedures
...
The EN ISO/IEC 15408-3:2023 standard serves as a critical component in the realm of information security, specifically within the domains of cybersecurity and privacy protection. The scope of this document is well-defined, as it outlines the assurance requirements necessary for the evaluation of IT security. By focusing on individual assurance components, it provides a structured approach to establishing Evaluation Assurance Levels (EALs) and packages, fundamental elements of the broader ISO/IEC 15408 series. One of the primary strengths of the EN ISO/IEC 15408-3:2023 standard lies in its comprehensive framework for evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs). This detailed approach facilitates a robust assessment of security measures, ensuring that organizations can systematically evaluate their IT products and systems against well-defined security criteria. This level of granularity not only aids in the precise evaluation of security assurance but also enhances the credibility and reliability of the assessments performed under this standard. The relevance of EN ISO/IEC 15408-3:2023 in today's digital landscape cannot be overstated. As organizations increasingly face sophisticated cybersecurity threats, having a standardized set of evaluation criteria is paramount. This standard supports businesses in demonstrating their compliance with recognized security practices, ultimately fostering trust among stakeholders. By establishing clear security assurance components, the document aids organizations in effectively addressing and mitigating security risks, which is essential for maintaining data integrity and protecting sensitive information. In summary, the EN ISO/IEC 15408-3:2023 standard is a vital resource for information security, providing clear and comprehensive evaluation criteria essential for the assurance of IT security products and systems. Its structured framework for various security components and strong focus on assurance criteria enhance its utility and importance in contemporary cybersecurity practices.
The EN ISO/IEC 15408-3:2023 standard is an essential reference for information security, cybersecurity and privacy protection. Its purpose is to define the assurance requirements of the assurance components of the ISO/IEC 15408 series, thereby offering a structured framework for evaluating the security of information systems. One of the key strengths of this standard lies in its ability to establish clear and precise criteria for the evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs). These criteria enable a consistent and systematic evaluation, ensuring that the critical aspects of security are carefully examined. By detailing the assurance components, the standard also makes it possible to determine the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5, thus reinforcing the overall security framework. The relevance of this standard in the current context cannot be underestimated, as it responds to growing needs in cybersecurity and data protection. With the rise of cyber threats and the increased need to protect sensitive information, the criteria defined in this standard play an essential role for organizations seeking to validate and strengthen their security measures. In short, the EN ISO/IEC 15408-3:2023 standard is an indispensable tool for any information security professional, offering clear guidance for evaluating the security of information systems and ensuring that assurance levels remain adequate in the face of emerging risks.
The EN ISO/IEC 15408-3:2023 standard serves as a critical component in the realm of information security, particularly within the cybersecurity and privacy protection sectors. This document delineates the assurance requirements encapsulated in the ISO/IEC 15408 series, providing a comprehensive framework for evaluating IT security. One of the standout strengths of this standard is its structured approach to defining individual assurance components. By categorizing these components, it facilitates the creation of evaluation assurance levels, which are essential for evaluating the security posture of various IT systems. This structured methodology aids organizations in understanding how to achieve targeted security outcomes. Furthermore, the relevance of ISO/IEC 15408-3:2023 cannot be overstated, as it sets the criteria for evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs). This is vital for stakeholders in ensuring their products meet rigorous security standards, ultimately fostering trust in the technology and services they provide. The standard also exemplifies a global consensus on security evaluation, which is imperative as organizations increasingly operate in interconnected environments. The adoption of this standard can enhance compliance with international security benchmarks, thereby streamlining the process of gaining market acceptance and regulatory approval. Overall, EN ISO/IEC 15408-3:2023 is an essential document that not only defines assurance components and their evaluations but also reinforces the importance of rigorous security standards in safeguarding information integrity and privacy within the rapidly evolving landscape of cybersecurity.
SIST EN ISO/IEC 15408-3:2024 is an important standard for information security, cybersecurity and privacy protection, and it plays a particularly important role among the evaluation criteria. The standard clearly defines the assurance requirements of the ISO/IEC 15408 series and, because it contains the individual assurance components, it forms the building blocks of the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5. The strength of this document is that it sets out in detail the evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs). This increases transparency in IT security evaluation and provides a reliable basis for both evaluators and the objects of evaluation. A standardized process also makes it easier to compare the security of different technologies and products, which contributes to improving security. Furthermore, ISO/IEC 15408-3:2023 has been revised in step with developments in information security and cybersecurity, and can be credited with the flexibility to address the latest threats and technical requirements. It thereby provides a strong framework that companies and organizations can use to implement and strengthen their own security, making it highly relevant to modern security needs. Overall, SIST EN ISO/IEC 15408-3:2024 provides essential criteria for IT security assurance and is an important element in strengthening the credibility of corporate information protection strategies and risk management. We are confident that the evaluation process carried out on the basis of this standard is indispensable for guaranteeing the quality of security components and improving users' peace of mind.
The SIST EN ISO/IEC 15408-3:2024 document is an important standard that provides evaluation criteria for information security, cybersecurity and privacy protection. The scope of this standard defines the assurance requirements of the ISO/IEC 15408 series and includes the individual assurance components that make up the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5. One of the main strengths of this standard is that it clearly establishes evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), helping users carry out the various security evaluations they need in a systematic way. This contributes to raising confidence in information systems and therefore plays an important role in improving an organization's overall security posture. In addition, because the EN ISO/IEC 15408-3:2023 standard was designed with defence against modern cyber attacks in mind, it can be applied broadly across many areas of information technology. Proper application of this standard clarifies security objectives and is an essential element in guaranteeing the safety of information systems. In other words, this standard provides a solid foundation for information security evaluation and is regarded as an indispensable document for obtaining the reliability and safety that IT security professionals require.
The EN ISO/IEC 15408-3:2023 standard provides a comprehensive framework for the evaluation of IT security, cybersecurity and data protection. It is a decisive document within the ISO/IEC 15408 series and concentrates in particular on the requirements for security assurance. The standard defines in detail the individual security assurance components that serve as the basis for the Evaluation Assurance Levels (EALs), as well as the other packages contained in ISO/IEC 15408-5. One of the greatest strengths of this standard lies in its clear structure and clarity with regard to the requirements for security assurance. It enables organizations to focus on specific security features and requirements in order to ensure that their systems are both reliable and secure. The systematic definition of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs) simplifies and standardizes the evaluation process, which facilitates cooperation between the various parties and the implementation of security solutions. Another decisive aspect of EN ISO/IEC 15408-3:2023 is its relevance in the context of the constantly evolving threats in the field of cybersecurity. The standard adapts to the latest challenges and ensures that companies and developers can take account of current standards for risk mitigation and security assurance. It provides a solid basis for the development and evaluation of security technologies and solutions oriented towards the needs and requirements of the modern digitalized world. Overall, EN ISO/IEC 15408-3:2023 is an indispensable tool that supports organizations in guaranteeing a high level of security and data protection while at the same time ensuring conformity with international standards. The standard helps to build trust between providers and users by providing transparent and verifiable security assurances.
The EN ISO/IEC 15408-3:2023 standard concentrates on the evaluation criteria for information security, cybersecurity and privacy protection, and represents a crucial element of the ISO/IEC 15408 series. Its scope is clearly defined, providing essential assurance requirements that are fundamental to the protection of information systems. One of the strong points of this standard is its ability to establish individual assurance components. These components form the foundations on which the evaluation assurance levels rest, thereby offering a systematic and rigorous approach to security evaluation. Moreover, this standard brings genuine consistency to the process of evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), guaranteeing that every aspect of information systems is taken into account exhaustively. Another relevant aspect of the standard is its integration into the broader framework of ISO/IEC 15408-5, where the different assurance levels and evaluation packages combine to offer structured and scientifically validated feedback on system security. This demonstrates the continued relevance of this standard in a context where security threats evolve rapidly and require constant adaptation of protective measures. In short, the EN ISO/IEC 15408-3:2023 standard plays a fundamental role in the security evaluation of information systems by proposing clear assurance requirements and promoting rigorous validation methods, which reinforces its value for cybersecurity professionals.
SIST EN ISO/IEC 15408-3:2024 is an important standard for information security, cybersecurity and privacy protection, and it clearly defines the assurance requirements of the ISO/IEC 15408 series. The standard contains the individual assurance components that make up the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5, and it provides the evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs). The strength of this document lies in ensuring transparency and consistency in the security evaluation of information technology. Because each assurance requirement is specified in detail, stakeholders obtain clear guidance when assessing risk and deciding on the necessary security measures. In addition, because the evaluation criteria for Protection Profiles and Security Targets are comprehensive, the standard guarantees technical conformance and increases applicability in practice. The relevance of this standard remains high even in a rapidly evolving cyber threat environment. Companies and organizations need to introduce evaluation processes based on this standard in order to raise confidence in their information security. In particular, as personal data protection and data security become increasingly important, the guidelines of ISO/IEC 15408-3 form an important framework that should be followed. Overall, SIST EN ISO/IEC 15408-3:2024 is a standard that provides a powerful tool for strengthening the effectiveness and consistency of information security evaluation, and its application enables organizations to manage cybersecurity risk effectively.
The EN ISO/IEC 15408-3:2023 standard is an essential part of the ISO/IEC 15408 series, which deals with information security, cybersecurity and the protection of privacy. The scope of this standard defines the requirements for security and ensures that appropriate security measures are implemented in IT systems. By specifying the individual security elements, the standard offers a clear framework for the evaluation and certification of IT security products. An outstanding feature of the standard is the detailed description of the security assurances required to determine whether an IT system reaches the required security standard. These security elements are decisive for determining the evaluation levels and the associated packages contained in ISO/IEC 15408-5. This creates a comprehensive basis for the evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs). The relevance of EN ISO/IEC 15408-3:2023 is beyond dispute, especially at a time when companies and organizations are exposed to a constantly growing spectrum of cyber threats. The standard ensures that security solutions not only withstand current threats but also offer appropriate security for users' sensitive data. It helps to create a higher level of trust in IT security solutions and promotes compliance with international standards, which is of decisive importance for global trade. Overall, EN ISO/IEC 15408-3:2023 is an indispensable guide for the development and evaluation of IT security solutions, defining precise security requirements and evaluation criteria that support deployment in an increasingly digitalized world.
The SIST EN ISO/IEC 15408-3:2024 standard plays an important role in strengthening the reliability of IT security by setting out evaluation criteria for information security, cybersecurity and privacy protection. The document defines the assurance requirements of the ISO/IEC 15408 series and includes the individual assurance components that make up the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5. The main strength of this standard is its clear definition of security assurance components. This provides a systematic basis for evaluating the reliability of various IT security solutions and promotes standardization and consistency in the information and communications industry. It also includes evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), which helps determine quickly whether the specific security objectives users require are met. This standard is highly appropriate in a modern society where cybersecurity requirements are increasing, and it provides the criteria that companies and institutions need to select stronger security solutions. The EN ISO/IEC 15408-3:2023 standard provides an effective framework for guaranteeing the confidentiality, integrity and availability of information, and is an important guideline that can be widely used by professionals and organizations in the information security field.