FprEN ISO/IEC 19896-2

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 19896-2:2025
01-januar-2025
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Zahteve za
usposobljenost osebja za ugotavljanje skladnosti z varnostjo IT- 2. del: Zahteve
glede znanja in spretnosti za preizkuševalce in potrjevalce ISO/IEC 19790 (ISO/IEC
DIS 19896-2:2024)
Information security, cybersecurity and privacy protection - Requirements for the
competence of IT security conformance assessment body personnel - Part 2: Knowledge
and skills requirements for ISO/IEC 19790 testers and validators (ISO/IEC DIS 19896-
2:2024)
Sécurité de l'information, cybersécurité et protection de la vie privée - Exigences
relatives aux compétences du personnel des organismes d'évaluation de la conformité
de la sécurité TI - Partie 2: Exigences en matière de connaissances et de compétences
pour les testeurs de l'ISO/IEC 19790 (ISO/IEC DIS 19896-2:2024)
Ta slovenski standard je istoveten z: prEN ISO/IEC 19896-2
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 19896-2:2025 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN ISO/IEC 19896-2:2025

oSIST prEN ISO/IEC 19896-2:2025
DRAFT
International
Standard
ISO/IEC
DIS
19896-2
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Requirements for the competence
2024-11-11
of IT security conformance
Voting terminates on:
assessment body personnel —
2025-02-03
Part 2:
Knowledge and skills requirements
for ISO/IEC 19790 testers and
validators
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
© ISO/IEC 2024
ISO/IEC DIS 19896-2:2024(en)
oSIST prEN ISO/IEC 19896-2:2025
DRAFT
ISO/IEC DIS 19896-2:2024(en)
International
Standard
ISO/IEC
DIS
19896-2
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Requirements for the competence
of IT security conformance
Voting terminates on:
assessment body personnel —
Part 2:
Knowledge and skills requirements
for ISO/IEC 19790 testers and
validators
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO/IEC 2024
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
© ISO/IEC 2024
ISO/IEC DIS 19896-2:2024(en)
© ISO/IEC 2024 – All rights reserved
ii
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Structure of this document . 2
6 Knowledge . 2
6.1 General .2
6.2 Testers .2
6.2.1 Tertiary education .2
6.2.2 Knowledge of standards .7
6.2.3 Knowledge of the validation program .8
6.2.4 Knowledge of the requirements of ISO/IEC 23532-2 .9
6.3 Validators .10
6.3.1 Tertiary education .10
6.3.2 Knowledge of standard . . .10
6.3.3 Knowledge of the validation program .10
6.3.4 Knowledge of the requirements of ISO/IEC 23532-2 and validation authority .11
7 Skills .12
7.1 Testers . 12
7.1.1 General . 12
7.1.2 Algorithm testing. 12
7.1.3 Physical security testing . 12
7.1.4 Side channel analysis . 12
7.1.5 Technology types . 12
7.2 Validators . 12
Annex A (informative) Example of an ISO/IEC 24759 testers’ and validators' log .13
Annex B (informative) Ontology of technology types . 14
Annex C (informative) Specific knowledge associated with the security of cryptographic
modules being tested for conformity to ISO/IEC 19790:2012 . 17
Bibliography .34

© ISO/IEC 2024 – All rights reserved
iii
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of
information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the
ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, information security, cybersecurity and privacy protection.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.
This second edition cancels and replaces the first edition (ISO/IEC 19896-2), which has been technically
revised. The main changes compared to the previous edition are the following:
— The document has been restructured
— Delete subclauses related to experience, education and effectiveness
— Technical changes have been introduced
— Rewrite knowledge and skill as the remaining part of the elements of competence; knowledge, skills,
experience, education and effectiveness according to CASCO’s comments
— Add competence requirements for the validators
— Update Annex C to be aligned with ISO/IEC 19790 and to avoid duplication

© ISO/IEC 2024 – All rights reserved
iv
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
Introduction
This document provides the specialized requirements to demonstrate knowledge and skills requirements
of individuals in performing security testing projects in accordance with ISO/IEC 19790 and ISO/IEC 24759.
ISO/IEC 19790 provides the specification of security requirements for cryptographic modules. Many
validation schemes and recognition arrangements have been developed using it as a basis. ISO/IEC 19790
permits comparability between the results of independent security testing projects. ISO/IEC 24759 supports
this by providing a common set of testing requirements for testing a cryptographic module for conformance
with ISO/IEC 19790.
One of important factors in assuring comparability of the results of such validations is the knowledge and
skills requirements of the individual testers responsible for performing testing projects.
Other factor in assuring comparability of the results of such validations is the knowledge and skills
requirements of the individual validators responsible for performing validating projects.
ISO/IEC 23532-2, which is often specified as a standard to which the testing laboratory shall ensure, states
in 6.2 that the competence requirements for each function influencing the results of laboratory activities,
including requirements for education, qualification, training, technical knowledge, skills and experience are
documented and the personnel have the competence to perform laboratory activities for which they are
responsible and to evaluate the significance of deviations.
The audience for this document includes validation authorities, accreditation bodies for testing laboratory
or validation authority, testing laboratories, testers, validators and organizations offering professional
credentials and recognitions.
This document establishes a baseline for the knowledge and skills requirements of ISO/IEC 19790 testers
with the goal of establishing conformity in the requirements for the training of ISO/IEC 19790 testing
professionals associated with cryptographic module conformance testing programs and ISO/IEC 19790
validators with the goal of establishing conformity in the requirements of ISO/IEC 19790 validating
professionals associated with cryptographic module validation program.

© ISO/IEC 2024 – All rights reserved
v
oSIST prEN ISO/IEC 19896-2:2025

oSIST prEN ISO/IEC 19896-2:2025
DRAFT International Standard ISO/IEC DIS 19896-2:2024(en)
Information security, cybersecurity and privacy protection —
Requirements for the competence of IT security conformance
assessment body personnel —
Part 2:
Knowledge and skills requirements for ISO/IEC 19790 testers
and validators
1 Scope
This document provides the minimum requirements for the knowledge and skills requirements of
assessment body personnel performing testing activities and validating activities for a conformance scheme
using ISO/IEC 19790 and ISO/IEC 24759.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17825, Information technology — Security techniques — Testing methods for the mitigation of non-
invasive attack classes against cryptographic modules
ISO/IEC 18367, Information technology — Security techniques — Cryptographic algorithms and security
mechanisms conformance testing
ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic modules
ISO/IEC 19896-1, IT security techniques — Competence requirements for information security testers and
evaluators — Part 1: Introduction, concepts and general requirements
ISO/IEC 20085-1, IT Security techniques — Test tool requirements and test tool calibration methods for use in
testing non-invasive attack mitigation techniques in cryptographic modules — Part 1: Test tools and techniques
ISO/IEC 20085-2, IT Security techniques — Test tool requirements and test tool calibration methods for use in
testing non-invasive attack mitigation techniques in cryptographic modules — Part 2: Test calibration methods
and apparatus
ISO/IEC 20543, Information technology — Security techniques — Test and analysis methods for random bit
generators within ISO/IEC 19790 and ISO/IEC 15408
ISO/IEC 23532-2, Information security, cybersecurity and privacy protection — Requirements for the
competence of IT security testing and evaluation laboratories — Part 2: Testing for ISO/IEC 19790
ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19896-1, ISO/IEC 23532-2 and
ISO/IEC 19790 apply.
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
4 Abbreviated terms
AES advanced encryption standard
HDD hard disk drive
RSA rivest-shamir-adleman
SHA secure hash algorithm
SSD solid state drive
5 Structure of this document
This document is divided into the following clauses: Knowledge (Clause 5) and Skills (Clause 6). Each
clause corresponds to an aspect of the knowledge and skills requirements of individuals performing
testing activities or validating activities as introduced in ISO/IEC 19896-1 for a conformance scheme using
ISO/IEC 19790 and ISO/IEC 24759.
6 Knowledge
6.1 General
Knowledge is what a tester or a validator knows and can describe. The difference between a validator and
tester is described in more detail, plus how to use the standard for one or the other, e.g. If you are a tester,
you have to comply with the following sections (6.2), and if you are a validator you have to comply with the
following sections (6.3).
6.2 Testers
6.2.1 Tertiary education
6.2.1.1 General
Testers shall have educational qualifications such as an associate, bachelor, or higher degree that is relevant
to the security requirements addressed in ISO/IEC 19790 and the test requirements in ISO/IEC 24759. The
testers shall at a minimum demonstrate they have either:
a) successfully completed appropriate tertiary education with at least 3 years of study in disciplines
related to IT or IT security; or
b) experience equivalent to the tertiary education in disciplines related to IT, IT security or IT system
administration.
6.2.1.2 Technical specialties
In addition to the minimum level of educational requirements in 6.2.1.1, testers shall have educational
qualifications such as an associate, bachelor, or higher degree that addresses the specific technical
specialities. Examples of specific technical specialities include:
— cryptographic concepts;
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
— engineering technology;
— electrical engineering;
— mechanical engineering;
— material engineering;
— chemical engineering;
— computer information technology;
— computer engineering;
— computer science;
— computer networks;
— cybersecurity;
— information systems;
— laboratory management;
— mathematics and physics;
— software development and security; or
— software engineering.
6.2.1.3 Specialty topics
ISO/IEC 19790:2012 and the test requirements in ISO/IEC 24759:2017 address the following specific
speciality knowledge topics. A tester shall, at a minimum, demonstrate knowledge in at least one specific
speciality topic.
A testing laboratory shall have knowledge in all the speciality areas as an aggregate of its technical staff.
ISO/IEC 19790:2012 and ISO/IEC 24759:2017 specify speciality topics:
a) software and firmware development:
1) programming languages (e.g., assembler and high-level);
2) compilers;
3) debugging tools;
4) product testing performed by vendor:
i) unit testing;
ii) integration testing;
iii) regression testing;
b) operating systems:
1) installation;
2) configuration;
3) operation;
4) architecture;
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
5) system hardening;
6) virtual machines;
7) java runtime environment;
c) hardware development:
1) hardware embodiments:
i) single-chip;
ii) multi-chip embedded;
iii) multi-chip standalone;
2) technology:
i) single-chip fabrication;
ii) electrical components and design, schematics and concepts including logic design and HDL
representations;
iii) mechanical design and packaging;
3) manufacturing:
i) supply chain integrity;
ii) fabrication methods;
iii) initialization of parameters;
iv) packing and shipping;
v) testing and characterization;
4) hardware security features;
d) operational environments:
1) boot loader;
2) loading;
3) linking;
4) memory management and protection;
5) inter-process communication;
6) discretionary access control;
7) role-based access control;
8) executable forms;
9) audit mechanisms;
e) cryptographic algorithms, mechanisms and techniques:
1) cryptographic algorithms and security functions:
i) symmetric key;
ii) asymmetric key;
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
iii) hashing;
iv) random bit generators;
v) message authentication;
vi) entropy;
vii) modes of operation;
2) sensitive security parameter management:
i) sensitive security parameter generation;
ii) sensitive security parameter establishment;
I) automated SSP transport or SSP agreement;
II) manual SSP entry or output via direct or electronic;
iii) sensitive security parameter entry and output;
iv) sensitive security parameter storage;
v) sensitive security parameter zeroization;
f) identification and authentication mechanisms:
1) identity-based authentication;
2) role-based authentication;
3) multi-factor–based authentication;
g) best practices in design and development:
1) design assurance such as configuration management, delivery, operation and development;
2) design by contract;
h) informal modelling;
1) finite state model;
i) non-invasive security;
1) non-invasive attacks:
i) DPA/DEMA;
ii) SPA/SEMA;
iii) timing attacks;
2) countermeasures:
i) physical countermeasures;
EXAMPLE 1 Precharge logic, dual-rail logic, current flattening, probe detection, adding noise, random
interrupts, jittered clock.
ii) Logical countermeasures;
EXAMPLE 2 Masking, hiding, dummy operation, balanced timing, shuffling, automatic re-keying.

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
j) self-test mechanisms:
1) pre-operational tests;
2) conditional tests;
k) security mechanisms:
1) zeroization;
2) trusted path;
3) tamper evident devices;
4) epoxies, potting materials and adhesives (including chemical properties);
5) encapsulation enclosures and materials;
6) tamper mechanisms;
7) countermeasures against fault induction attacks;
EXAMPLE 3 Redundancy-based scheme, error detecting code, footprint
8) secure communication protocols (e.g., Secure Sockets Layer, Transport Layer Security, Internet Key
Exchange, Secure Socket Shell, Over the Air Rekeying, etc.);
9) security policy attributes;
10) split knowledge procedures;
l) design features:
1) ports and interfaces;
2) approved modes of operation;
3) specification of services;
4) specification of sensitive security parameters;
m) tools and test methods:
1) construction of test jigs (software or hardware);
2) environmental testing methods such as the use of temperature (e.g., heat and cold) and voltage (e.g.,
changes to input power);
i) temperature chambers (e.g., heating and cooling mechanisms);
ii) variable power supplies;
3) use of hand tools (e.g., saws, drills, prying tools, grinding, variable speed rotary tools, dental picks
and mirrors, etc.);
4) use of chemical solvents (e.g., acids and alkaline based);
5) artificial light sources;
6) magnification tools;
7) use of digital storage oscilloscopes or logic analysers;
8) use of volt-ohm-meter or digital multi-meter;
9) digital scanner;
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
10) digital camera (including near or MACRO focus capabilities);
11) validation program supplied tools.
NOTE Calibration of tools are only required depending on the test method.
Additional information on specific knowledge association with the security of cryptographic modules is
specified in Annex C.
6.2.2 Knowledge of standards
6.2.2.1 General
The tester shall have knowledge of the normative references specified in Clause 2. The tester shall be able to
demonstrate an understanding or familiarity of one or more of the following topics.
6.2.2.2 ISO/IEC 19790 concepts
The tester shall have knowledge of the concepts in ISO/IEC 19790. ISO/IEC 19790 specifies the security
requirements for a cryptographic module utilized within a security system protecting sensitive information
in computer and telecommunication systems. ISO/IEC 19790 defines four security levels for each of 11
requirement areas with each security level increasing security over the preceding level for cryptographic
modules.
6.2.2.3 ISO/IEC 24759
6.2.2.3.1 General
ISO/IEC 24759 specifies the test requirements for cryptographic modules to be used by vendors and
testing laboratories. ISO/IEC 24759:2017 includes 11 sub-clauses corresponding to the 11 areas of
security requirements and six sub-clauses corresponding to ISO/IEC 19790:2012, Annexes A to F. These
corresponding security requirements are listed in ISO/IEC 19790:2012, 5.2.2.5 and 5.2.2.6, respectively.
6.2.2.3.2 Vendor requirements
ISO/IEC 24759 specifies all of the vendor evidence (VE) requirements that vendors provide to testing
laboratories, that are applicable to the module under test, as supporting evidence to demonstrate their
cryptographic module's conformity to the security requirements specified in ISO/IEC 19790:2012.
The vendor shall also satisfy any modifications, additions, or deletions to the VE evidence that the validation
authority has made to ISO/IEC 24759.
The tester shall be familiar with all vendor requirements.
6.2.2.3.3 Test requirements
ISO/IEC 24759 specifies the tester evidence (TE) requirements, applicable to the module under test, to
be used by testing laboratories to test whether the cryptographic module conforms to the requirements
specified in ISO/IEC 19790. The methods are developed to provide a high degree of objectivity during the
testing process and to ensure consistency across the testing laboratories.
The tester shall also satisfy any modifications, additions, or deletions to the TE evidence that the validation
authority has made to ISO/IEC 24759.

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
6.2.2.3.4 Additional ISO/IEC standards
The tester shall be familiar with the following.
— ISO/IEC 17825 specifies the testing methods for the mitigation of non-invasive attack classes against
cryptographic modules.
— ISO/IEC 18367 specifies cryptographic algorithms and security mechanisms conformance testing.
— ISO/IEC 20085-1 specifies test tool requirements for use in testing non-invasive attack mitigation
techniques in cryptographic modules.
— ISO/IEC 20085-2 specifies test tool calibration methods for use in testing non-invasive attack mitigation
techniques in cryptographic modules.
— ISO/IEC 20543 specifies test and analysis methods for random bit generators within ISO/IEC 19790 and
ISO/IEC 15408.
6.2.3 Knowledge of the validation program
6.2.3.1 General
Validation programs, which typically operate under the auspices of an accreditation body, often define
aspects of their operation that are specific to the program. This is usually based on applicable legislation
and policies, such as national policies, that are applicable to their operation. Testers shall have knowledge of
the validation program and any specific aspects such as those listed in 6.2.3.2 to 6.2.3.7.
6.2.3.2 Organization
This aspect concerns the program’s organization, and the bodies that are involved in the program’s
operation. The bodies may be the testing laboratory, the validation authority, the laboratory accreditation
body, the vendor and the user
6.2.3.3 Communications
This aspect concerns how the program communicates relevant information to stakeholders, especially to the
vendors, the validation authority and the associated validators. This should include how communications
and information is protected.
6.2.3.4 Legal and regulatory mandates
This aspect concerns the legislative and/or regulatory framework under which the validation program
operates.
6.2.3.5 Policies
This aspect concerns specific policies that are applicable to the validation program. These can include
process and technical requirement related policies in connection to accepting cryptographic module
validation projects. The following are some examples.
a) Testing sufficiency: the tester should have knowledge of what is required in ensuring that a target
cryptographic module is tested sufficiently.
b) Disposition of evidence: the process for properly disposing of supporting evidence upon completion of a
project.
c) Confidentiality: any requirements for confidentiality (on the part of the tester and the non-disclosure of
information obtained during testing projects).

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
d) Problem resolution: the course of action to be taken if a problem is encountered during the project
(whether the work continues once the problem is remedied, or the project ends immediately and the
remedied product needs to be re-submitted).
e) Language: any specific (natural) language in which documentation needs to be provided.
f) Requirements for recorded evidence: any recorded evidence documented by the tester that needs to be
submitted to the validation program.
g) Additional reporting policies: any specific reports required from the tester such as testing reports.
h) Implementation guidance: a validation authority can provide programmatic or clarification guidance
that should be considered by the tester.
i) Reuse: documentation and rationale required by the validation program to support the reuse of testing
evidence.
j) Any specific handling of the validation program identifiers, logos, trademarks, etc.
k) Handling and application of validation program interpretations.
l) A list or characterizations of suitable alternative approaches to testing when the validation program’s
recommended original testing is infeasible for a given target cryptographic module.
m) The policies by which the validation program determines what steps a tester took while testing.
6.2.3.6 Documentation
This aspect concerns the provision and use of any validation program specific documents. These can include
forms, templates, training material, and informational material. Validation program specific documents can
include documents such as:
— management manuals;
— frequently asked questions;
— implementation or programmatic guidance;
— manuals for program supplied tools.
6.2.3.7 Tools
The validation program can provide specific tools for testing, report generation, delivery or protection (i.e.,
encryption). Examples include:
— algorithmic test tools;
— generation of test vectors and resultant expected responses;
— documentation of testing activities and reporting;
— encryption tool for protection of test reports transmitted to the validation program;
— specification of particular encryption algorithm and signature methods.
6.2.4 Knowledge of the requirements of ISO/IEC 23532-2
Since testing laboratories are often required to be compliant with ISO/IEC 23532-2, the tester shall be
familiar with the requirements of ISO/IEC 23532-2 and how these are implemented in the validation
facility or facilities with which the tester is associated. If there are additional programmatic accreditation
documents associated with ISO/IEC 23532-2, that form the basis of the testing laboratories accreditation,
then the tester shall be familiar these documents as well.

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
6.3 Validators
6.3.1 Tertiary education
6.3.1.1 General
Validators shall have educational qualifications such as an associate, bachelor, or higher degree that is
relevant to the security requirements addressed in ISO/IEC 19790, the test requirements in ISO/IEC 24759,
the requirements in ISO/IEC 23532-2 and the requirements for the validation authority. The validators shall
at a minimum demonstrate they have either:
a) successfully completed appropriate tertiary education with at least 3 years of study in disciplines
related to IT or IT security; or
b) experience equivalent to the tertiary education in disciplines related to IT, IT security or IT system
administration.
6.3.1.2 Technical specialties
In addition to the minimum level of educational requirements in 6.3.1.1, validators shall have educational
qualifications such as an associate, bachelor, or higher degree that addresses the specific technical
specialities. There are examples of specific technical specialities in 6.2.1.2.
6.3.1.3 Specialty topics
A validator shall, at a minimum, demonstrate knowledge in at least one specific speciality topic which is
addressed in 6.2.1.3. A validation authority shall have knowledge in all the speciality areas as an aggregate
of its technical staff.
6.3.2 Knowledge of standard
The validator shall have knowledge of the normative references specified in Clause 2. The validator shall
be able to demonstrate an understanding or familiarity of one or more of the topics which are referenced in
6.2.1.4.
6.3.3 Knowledge of the validation program
6.3.3.1 General
Validation programs, which typically operate under the auspices of an accreditation body, often define
aspects of their operation that are specific to the program. This is usually based on applicable legislation
and policies, such as national policies, that are applicable to their operation. To perform the validation, the
validator who would perform such reviews within the accreditation authority shall have the knowledge and
awareness of testing methods as a tester within a testing laboratory. Validators shall have knowledge of the
validation program and any specific aspects such as those listed in 6.3.3.2 to 6.3.3.7.
6.3.3.2 Organization
This aspect concerns the program’s organization, and the bodies that are involved in the program’s
operation. The bodies may be the testing laboratory, the validation authority, the laboratory accreditation
body, the validation authority accreditation body, the vendor and the user
6.3.3.3 Communications
This aspect concerns how the program communicates relevant information to stakeholders, especially to
testing laboratories, the vendors and the associated testers. This should include how communications and
information is protected.
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
6.3.3.4 Legal and regulatory mandates
This aspect concerns the legislative and/or regulatory framework under which the validation program
operates.
6.3.3.5 Policies
This aspect concerns specific policies that are applicable to the validation program. These can include
process and technical requirement related policies in connection to accepting cryptographic module
validation projects. There are some examples of the policies in 6.2.3.5.
6.3.3.6 Documentation
This aspect concerns the provision and use of any validation program specific documents. These can include
forms, templates, training material, and informational material. Validation program specific documents can
include documents such as:
— management manuals;
— frequently asked questions;
— implementation or programmatic guidance;
— manuals for program supplied tools.
6.3.3.7 Tools
The validation program can provide specific tools for testing, report generation, delivery or protection (i.e.,
encryption). Examples include:
— algorithmic test tools;
— generation of test vectors and resultant expected responses;
— documentation of testing activities and reporting;
— encryption tool for protection of test reports transmitted to the validation program;
— specification of particular encryption algorithm and signature methods;
— documentation of validation activities and reporting;
— documentation of laboratory accreditation activities and reporting.
6.3.4 Knowledge of the requirements of ISO/IEC 23532-2 and validation authority
Since testing laboratories are often required to be compliant with ISO/IEC 23532-2 and the competence
requirements for the validation authority are required, the validator shall be familiar with the requirements
of ISO/IEC 23532-2 and how these are implemented in the validation authority or testing laboratories with
which the validator is associated. If there are additional programmatic accreditation documents associated
with ISO/IEC 17025 or the competence requirements for the validation authority, that forms the basis of
the laboratories accreditation or the validation authority accreditation, then the validator shall be familiar
these documents as well.
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
7 Skills
7.1 Testers
7.1.1 General
Training for testers is often obtained through career experience in the IT industry, or during their association
with a testing laboratory, or because of the requirements of professional organizations.
TM TM
EXAMPLE Professional certifications such as the ISC2 ' CISSP credential are associated with a requirement
for continued professional development.
7.1.2 Algorithm testing
The tester shall have the ability to install, configure and execute the cryptographic algorithm validation
program or user interface driven algorithm test tools.
7.1.3 Physical security testing
The tester shall have the skills to perform the physical security tests which they are appropriately trained
for and skilled at.
7.1.4 Side channel analysis
The tester shall have the skills to perform the side channel tests which they are appropriately trained for
and skilled at.
7.1.5 Technology types
The skills and techniques required in the cryptographic module testing of different technology types can
vary. Testers shall be able to demonstrate that they have the necessary knowledge, skills and techniques
related to the technology types of cryptographic modules which they test.
NOTE 1 The validation program addresses cryptographic modules that represent many technology types which
are being considered for testing. A list of the technology types most commonly referenced and suggested fundamental
knowledge skills and techniques that testers need is given in Annex B.
NOTE 2 Many specialists professional certifications cover the body of knowledge that is needed by testers. Such
certifications can be national, regional or global in scope. It is beyond the scope of this document to catalogue all of
them, however some of these are listed in the Bibliography.
7.2 Validators
Training for validators is often obtained through career experience in the IT industry, or during their
association with a validation authority, or because of the requirements of professional organizations.
Validation programs, which typically operate under the auspices of an accreditation authority, often review
the test results provided by a testing laboratory. This review can provide feedback to the validation program
to allow monitoring of the testing laboratories competency as well as the consistency between testing
laboratories in the testing skills identified in this document.
A validator shall have the ability to apply and suggest interpretations of the security requirements
of ISO/IEC 19790 and the test requirements of ISO/IEC 24759, for example, when a new technology is
implemented.
© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024(en)
Annex A
(informative)
Example of an ISO/IEC 24759 testers’ and validators' log
Table A.1 provides an example of the ISO/IEC 24759 testers' log for recording all testing activities.
Table A.1 — Example of an ISO/IEC 24759 testers' log
Name
Competency Level:
Validation program Testing laboratory

Cryptographic module name Cryptographic module type

Overall Security Rating Cert ID (if known)

Vendor Dates IUT testing performed
Dates IUT received from vendor
Description of IUT
AS 01.01 Applicable test requirement as specified in ISO/IEC 24759
Description of IUTs design for conformance to the test requirement
Description of test method and results
Table A.2 provides an example of the ISO/IEC 24759 validators' log for recording all validation activities.
Table A.2 — Example of an ISO/IEC 24759 validators' log
Name
Competency Level:
Validation program Testing laboratory

Cryptographic module name Cryptographic module type

Overall Security Rating Cert ID (if known)

Vendor Dates test report received
Dates validation performed
Description of IUT
AS 01.01 Description of validation method and results

© ISO/IEC 2024 – All rights reserved
oSIST prEN ISO/IEC 19896-2:2025
ISO/IEC DIS 19896-2:2024
...