iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty!
CEN

prEN 17640

(Main)

Fixed time cybersecurity evaluation methodology for ICT products

Fixed time cybersecurity evaluation methodology for ICT products

This document describes the cybersecurity evaluation methodology for ICT products. It is intended for use for all three assurance levels as defined in the Cybersecurity Act (i.e. basic, substantial and high).
The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the three levels.
Where appropriate, it can be applied both to 3rd party evaluation and self-assessment.
It is expected that this methodology may be used by different candidate schemes and verticals providing a common framework to evaluate ICT products.

Cybersicherheitsevaluationsmethodologie für IKT-Produkte

Dieses Dokument beschreibt eine Methodologie zur Evaluierung der Cybersicherheit von IKT-Produkten, die mit vorab festgelegten Ressourcen für Zeit und Arbeitsaufwand durchgeführt werden kann. Es soll für alle drei im CSA definierten Vertrauenswürdigkeitsstufen (d. h. niedrig, mittel und hoch) anwendbar sein.
Die Methodologie umfasst verschiedene Evaluierungsblöcke mit Bewertungsaufgaben, die den Evaluierungsanforderungen des CSA für die genannten drei Vertrauenswürdigkeitsstufen entsprechen.
Gegebenenfalls kann sie sowohl bei der Fremd- als auch bei der Selbstbeurteilung angewendet werden.

Méthode d'évaluation de la cybersécurité pour produits TIC

Le présent document décrit une méthodologie d'évaluation de la cybersécurité des produits TIC qui peut être implémentée à l'aide d'une durée et de ressources de charge de travail prédéfinies. Il est destiné à s'appliquer aux trois niveaux d'assurance définis dans le CSA (c'est-à-dire élémentaire, substantiel et élevé).
La méthodologie comprend différents blocs d'évaluation contenant des activités d'évaluation qui sont conformes aux exigences d'évaluation du CSA pour les trois niveaux d'assurance mentionnés.
Le cas échéant, elle peut être appliquée à la fois à une évaluation tierce et à une autoévaluation.

Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določen čas

General Information

Status
Not Published
ICS
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Current Stage
4599 - Dispatch of FV draft to CMC - Finalization for Vote
Due Date
28-Feb-2022
Completion Date
28-Feb-2022
Ref Project
oSIST prEN 17640:2021 - Fixed time cybersecurity evaluation methodology for ICT products

Buy Standard

prEN 17640:2021 - BARVE na PDF-str 9prEN 17640:2021 - BARVE na PDF-str 9
PreviousNext
Draft
prEN 17640:2021 - BARVE na PDF-str 9
English language
56 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (sample)

SLOVENSKI STANDARD
oSIST prEN 17640:2021
01-september-2021
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določen čas
Fixed time cybersecurity evaluation methodology for ICT products
Cybersicherheitsevaluationsmethodologie für IKT-Produkte
Méthode d'évaluation de la cybersécurité pour produits TIC
Ta slovenski standard je istoveten z: prEN 17640
ICS:
35.030 Informacijska varnost IT Security
oSIST prEN 17640:2021 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN 17640:2021
---------------------- Page: 2 ----------------------
oSIST prEN 17640:2021
EUROPEAN STANDARD
DRAFT
prEN 17640
NORME EUROPÉENNE
EUROPÄISCHE NORM
July 2021
ICS 35.030
English version
Fixed time cybersecurity evaluation methodology for ICT
products

Méthode d'évaluation de la cybersécurité pour Cybersicherheitsevaluationsmethodologie für IKT-

produits TIC Produkte

This draft European Standard is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee

CEN/CLC/JTC 13.

If this draft becomes a European Standard, CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal

Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any

alteration.

This draft European Standard was established by CEN and CENELEC in three official versions (English, French, German). A

version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own

language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,

Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,

Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,

Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are

aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification

of any relevant patent rights of which they are aware and to provide supporting documentation.

Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without

notice and shall not be referred to as a European Standard.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels

© 2021 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. prEN 17640:2021 E

reserved worldwide for CEN national Members and for
CENELEC Members.
---------------------- Page: 3 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)
Contents Page

European foreword ............................................................................................................................................ 5

Introduction .......................................................................................................................................................... 6

1 Scope .......................................................................................................................................................... 8

2 Normative references .......................................................................................................................... 8

3 Terms and definitions ......................................................................................................................... 8

4 Conformance ......................................................................................................................................... 10

5 General concepts ................................................................................................................................. 12

5.1 Usage of this methodology ............................................................................................................... 12

5.2 Knowledge of the TOE ....................................................................................................................... 12

5.3 Development process evaluation .................................................................................................. 13

5.4 Attack Potential ................................................................................................................................... 13

5.5 Knowledge building ........................................................................................................................... 13

6 Evaluation tasks .................................................................................................................................. 14

6.1 Completeness check ........................................................................................................................... 14

6.1.1 Aim ........................................................................................................................................................... 14

6.1.2 Evaluation method ............................................................................................................................. 14

6.1.3 Evaluator qualification ..................................................................................................................... 14

6.1.4 Evaluator work units ......................................................................................................................... 14

6.2 Protection Profile Evaluation ......................................................................................................... 14

6.2.1 Aim ........................................................................................................................................................... 14

6.2.2 Evaluation method ............................................................................................................................. 14

6.2.3 Evaluator qualification ..................................................................................................................... 15

6.2.4 Evaluator work units ......................................................................................................................... 15

6.3 Security Target Evaluation .............................................................................................................. 16

6.3.1 Aim ........................................................................................................................................................... 16

6.3.2 Evaluation method ............................................................................................................................. 16

6.3.3 Evaluator qualification ..................................................................................................................... 16

6.3.4 Evaluator work units ......................................................................................................................... 16

6.4 Review of security functionalities ................................................................................................ 17

6.4.1 Aim ........................................................................................................................................................... 17

6.4.2 Evaluation method ............................................................................................................................. 17

6.4.3 Evaluator qualification ..................................................................................................................... 17

6.4.4 Evaluator work units - Work unit 1 .............................................................................................. 17

6.5 Development documentation ......................................................................................................... 17

6.5.1 Aim ........................................................................................................................................................... 17

6.5.2 Evaluation method ............................................................................................................................. 18

6.5.3 Evaluator qualification ..................................................................................................................... 18

6.5.4 Work units ............................................................................................................................................. 18

6.6 Evaluation of TOE Installation ....................................................................................................... 18

6.6.1 Aim ........................................................................................................................................................... 18

6.6.2 Evaluation method ............................................................................................................................. 18

6.6.3 Evaluator qualification ..................................................................................................................... 18

6.6.4 Evaluator work units ......................................................................................................................... 18

6.7 Conformance testing .......................................................................................................................... 19

6.7.1 Aim ........................................................................................................................................................... 19

6.7.2 Evaluation method ............................................................................................................................. 19

---------------------- Page: 4 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)

6.7.3 Evaluator qualification ..................................................................................................................... 19

6.7.4 Evaluator work units ......................................................................................................................... 20

6.8 Vulnerability review .......................................................................................................................... 21

6.8.1 Aim ........................................................................................................................................................... 21

6.8.2 Evaluation method ............................................................................................................................. 21

6.8.3 Evaluator qualification ..................................................................................................................... 21

6.8.4 Evaluator work units ......................................................................................................................... 21

6.9 Vulnerability testing .......................................................................................................................... 22

6.9.1 Aim ........................................................................................................................................................... 22

6.9.2 Evaluation method ............................................................................................................................. 22

6.9.3 Evaluator qualification ..................................................................................................................... 22

6.9.4 Evaluator work units ......................................................................................................................... 23

6.10 Penetration testing ............................................................................................................................ 24

6.10.1 Aim ........................................................................................................................................................... 24

6.10.2 Evaluation method ............................................................................................................................. 24

6.10.3 Evaluator qualification ..................................................................................................................... 25

6.10.4 Evaluator work units ......................................................................................................................... 26

6.11 Basic crypto analysis ......................................................................................................................... 26

6.11.1 Aim ........................................................................................................................................................... 26

6.11.2 Evaluation method ............................................................................................................................. 26

6.11.3 Evaluator qualification ..................................................................................................................... 27

6.11.4 Evaluator work units ......................................................................................................................... 27

6.12 Extended crypto analysis ................................................................................................................. 28

6.12.1 Aim ........................................................................................................................................................... 28

6.12.2 Evaluation method ............................................................................................................................. 28

6.12.3 Evaluator qualification ..................................................................................................................... 28

6.12.4 Evaluator work units ......................................................................................................................... 28

Annex A (informative) Example for a structure of a Security Target............................................ 31

A.1 General ................................................................................................................................................... 31

A.2 Example structure .............................................................................................................................. 31

A.3 Typical content of an ST ................................................................................................................... 32

Annex B (normative) The concept of a Protection Profile ................................................................ 33

B.1 General ................................................................................................................................................... 33

B.2 Aim and basic principles of a Protection Profile (PP) ........................................................... 33

B.3 Guidance for schemes to implement the PP concept ............................................................. 33

Annex C (informative) Acceptance Criteria ............................................................................................ 34

C.1 Introduction ......................................................................................................................................... 34

C.2 Identification, Authentication Control, and Access Control ................................................ 34

C.3 Secure Boot ........................................................................................................................................... 37

C.4 Cryptography ....................................................................................................................................... 38

C.5 Secure State After Failure ................................................................................................................ 39

C.6 Least Functionality ............................................................................................................................. 40

C.7 Update Mechanism ............................................................................................................................. 41

Annex D (informative) Guidance for integrating the methodology into a scheme .................. 42

D.1 General ................................................................................................................................................... 42

---------------------- Page: 5 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)

D.1.1 Introduction .......................................................................................................................................... 42

D.1.2 Perform a risk assessment, reviewing the vertical domain under consideration ...... 42

D.1.3 Assign the attack potential to the CSA levels ............................................................................ 42

D.1.4 Select the evaluation tasks required for this level ................................................................. 42

D.1.5 Review and set the parameters for the tasks ........................................................................... 42

D.1.6 Possible selection of additional or higher tasks ...................................................................... 43

D.1.7 Review and set the parameters for the additional tasks ...................................................... 43

D.1.8 Set up and maintain further scheme requirements and guidelines ................................. 43

D.2 Example .................................................................................................................................................. 44

Annex E (informative) Parameters of the methodology and the evaluation tasks .................. 47

E.1 General.................................................................................................................................................... 47

E.2 Parameters of the methodology .................................................................................................... 47

E.3 Parameters of the evaluation tasks .............................................................................................. 47

E.3.1 Parameters for 6.1 “Completeness check” ................................................................................. 47

E.3.2 Parameters for 6.2 “Protection Profile Evaluation” ............................................................... 47

E.3.3 Parameters for 6.3 “Security Target Evaluation” .................................................................... 47

E.3.4 Parameters for 6.4 “Review of security functionalities” ...................................................... 47

E.3.5 Parameters for 6.5 “Development documentation” ............................................................... 47

E.3.6 Parameters for 6.6 “Evaluation of TOE Installation” ............................................................. 47

E.3.7 Parameters for 6.7 “Conformance testing” ................................................................................ 48

E.3.8 Parameters for 6.8 “Vulnerability review” ................................................................................ 48

E.3.9 Parameters for 6.9 “Vulnerability testing” ................................................................................ 48

E.3.10 Parameters for 6.10 “Penetration testing” ................................................................................ 48

E.3.11 Parameters for 6.11 “Basic crypto analysis” ............................................................................. 48

E.3.12 Parameters for 6.12 “Extended crypto analysis” ..................................................................... 48

Annex F (normative) Calculating the Attack Potential ....................................................................... 49

F.1 General.................................................................................................................................................... 49

F.2 Factors for Attack Potential ............................................................................................................ 49

F.3 Numerical factors for attack potential ........................................................................................ 49

F.3.1 Default rating table ............................................................................................................................ 50

F.3.2 Adaptation of the rating table ........................................................................................................ 51

Annex G (normative) Reporting the results of an evaluation .......................................................... 54

G.1 General.................................................................................................................................................... 54

G.2 Written reporting ............................................................................................................................... 54

G.3 Oral defence of the results obtained ............................................................................................ 54

Bibliography ....................................................................................................................................................... 56

---------------------- Page: 6 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)
European foreword

This document (prEN 17640:2021) has been prepared by Technical Committee CEN/JTC 13

“Cybersecurity and Data Protection”, the secretariat of which is held by DIN.
This document is currently submitted to the CEN Enquiry.
---------------------- Page: 7 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)
Introduction

The foundation for a sound product certification is a reliable, transparent and repeatable evaluation

methodology. Several product or scheme dependent evaluation methodologies exist, however, in the

advent of the CSA [1] new schemes need new methodologies to evaluate the cybersecurity functionalities

of products. These new methodologies are required to describe evaluation tasks defined in the CSA (e.g.

Technical Documentation Review, Check Against Known Vulnerabilities). In addition, existing

cybersecurity evaluation methodologies (e.g. EN ISO/IEC 15408 and EN ISO/IEC 18045) are not

designed to be used in a fixed time, i.e. the duration of the evaluation can be extended considerable during

execution.

The CSA enables scheme developers to consider self-assessment as well as third party evaluations. The

self-assessment may be performed at assurance level “basic”, the third-party evaluations at assurance

level “basic”, “substantial” or “high”. And, depending on the requirements of the individual scheme, the

evaluation criteria and methodology might be subject to extra tailoring. This cybersecurity evaluation

methodology caters for all of these needs. This methodology has been designed so that it can (and needs

to be) adapted to the requirements of each scheme.

Scheme developers are encouraged to implement the evaluation methodology for the intended use of

the scheme, applicable for general purpose or in dedicated (vertical) domains, by selecting those aspects

needed for self-assessment at level “basic” or third party evaluation at any level required by the scheme.

This document provides the minimal set of evaluation activities defined in the CSA to achieve the desired

assurance level as well as optional tasks, which might be required by the scheme. Selection of the various

optional tasks is accompanied by guidelines so scheme developers can estimate the impact of their

choices. Further adaption to the risk situation in the scheme can be achieved by choosing the different

evaluation tasks defined in the methodology or using the parameters of the evaluation tasks, e.g. the

number of days for performing certain tasks.

If scheme developers choose tasks that are not defined in this evaluation methodology, it will be

responsibility of the scheme developer to define a set of companion requirements or re-use an applicable

evaluation methodology.

Nonetheless, it is expected that individual schemes will instantiate the general requirements laid out in

this evaluation methodology and provide extensive guidance for manufacturers (and all other parties)

about the concrete requirements to be fulfilled within the scheme.

Evaluators, testers and certifiers can use this methodology to conduct the assessment, testing or

evaluation of the products and to perform the actual evaluation/certification according to the

requirements set up by a given scheme. It also contains requirements for the level of skills and knowledge

of the evaluators/testers and thus will also be used by accreditation bodies or National Cybersecurity

Certification Authorities during accreditation or authorization, where appropriate, and monitoring of

conformity assessment bodies.

Manufacturers and developers will find the generic type of evidence required by each evaluation task

listed in the evaluation methodology to prepare for the assessment or evaluation. The evidence and

evaluation tasks are independent from the fact of whether the evaluation is done by the

manufacturer/developer (i.e. first party) or by some else (2nd/3rd party).

Users of certified products (regulators, user associations, governments, companies, consumers,

etc.) may also use this document to inform themselves about the assurance drawn from certain

certificates using this evaluation methodology. Again, it is expected that scheme developers provide

additional information, tailored to the domain of the scheme, about the assurance obtained by

evaluations / assessments under this methodology.
---------------------- Page: 8 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)

Furthermore, this methodology is intended to enable scheme developers to create schemes which

attempt to reduce the burden on the manufacturer as much as possible (implying additional burden on

the evaluation lab and the certification body).

NOTE In this document the term “Conformity Assessment body” (CAB) is used for CABs doing the evaluation.

Other possible roles for CABs are not considered in this document.

It should be noted that this document cannot be used “stand alone”. Each domain (scheme) needs to

provide domain specific cybersecurity requirements for the objects to be evaluated / certified. This

methodology is intended to be used in conjunction with specifications containing such cybersecurity

requirements.

Figure 1 — Relationship of this document to the activities in product conformity assessment

---------------------- Page: 9 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)
1 Scope

This document describes a cybersecurity evaluation methodology that can be implemented using pre-

defined time and workload resources, for ICT products. It is intended to be applicable for all three

assurance levels defined in the CSA (i.e. basic, substantial and high).

The methodology comprises different evaluation blocks including assessment activities that comply with

the evaluation requirements of the CSA for the mentioned three assurance levels.

Where appropriate, it can be applied both to 3rd party evaluation and self-assessment.

2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• IEC Electropedia: available at https://www.electropedia.org/
• ISO Online browsing platform: available at https://www.iso.org/obp
3.1
confirm

declare that something has been reviewed in detail with an independent

determination of sufficiency
[SOURCE: EN ISO/IEC 15408-1:2009, definition 3.1.4 with NOTE removed]
3.2
certifying function
people or group of people responsible for deciding upon certification

Note 1 to entry: Depending on the scheme the certifying function may use evidence beyond the ETR as basis for the

certification decision.
3.3
determine

affirm a particular conclusion based on independent analysis with the objective of

reaching a particular conclusion

Note 1 to entry: The usage of this term implies a truly independent analysis, usually in the absence of any previous

analysis having been performed. Compare with the terms “confirm” or “verify” which imply that an analysis has

already been performed which needs to be reviewed.
[SOURCE: EN ISO/IEC 15408-1:2009, definition 3.1.22]
3.4
evaluation task parameter

parameter required to be set when using this document to define how the evaluation task shall be

executed by the evaluator
---------------------- Page: 10 ----------------------
oSIST prEN 17640:2021
prEN 17640:2021 (E)
3.5
Evaluation Technical Report (ETR)
documented information describing the results of the evaluation
3.6
evaluator
individual that performs an evaluation
3.7
ICT produ
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN ISO/IEC 18045:2020(Main)
Information technology - Security techniques - Methodology for IT security evaluation (ISO/IEC 18045:2008)
SIST EN ISO/IEC 18045:2020

ISO/IEC 18045:2008 is a companion document to ISO/IEC 15408, Information technology - Security techniques - Evaluation criteria for IT security. ISO/IEC 18045:2008 defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. ISO/IEC 18045:2008 does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

  • Standard
    302 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 15408-3:2020(Main)
Information technology - Security techniques - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2008, Corrected version 2011-05)
SIST EN ISO/IEC 15408-3:2020

ISO/IEC 15408-3:2008 defines the assurance requirements of the evaluation criteria. It includes the evaluation assurance levels that define a scale for measuring assurance for component targets of evaluation (TOEs), the composed assurance packages that define a scale for measuring assurance for composed TOEs, the individual assurance components from which the assurance levels and packages are composed, and the criteria for evaluation of protection profiles and security targets.
ISO/IEC 15408-3:2008 defines the content and presentation of the assurance requirements in the form of assurance classes, families and components and provides guidance on the organization of new assurance requirements. The assurance components within the assurance families are presented in a hierarchical order.

  • Standard
    188 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 19790:2020(Main)
Information technology - Security techniques - Security requirements for cryptographic modules (ISO/IEC 19790:2012, including corrected version 2015-12)
SIST EN ISO/IEC 19790:2020

EN-ISO/IEC 19790 is a companion document to the “Evaluation criteria for IT security”, ISO/IEC 15408. This International Standard defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and evaluation evidence defined in ISO/IEC 15408. This International Standard does not define evaluator actions for certain high assurance ISO/IEC 15408 components, where there is as yet no generally agreed guidance.

  • Standard
    83 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 29134:2020(Main)
Information technology - Security techniques - Guidelines for privacy impact assessment (ISO/IEC 29134:2017)
SIST EN ISO/IEC 29134:2020

2019-08-21: WI initiated by CEN/CLC/JTC 8 transferred into CEN/CLC/JTC 13 (CEN/BT C122/2019)

  • Standard
    53 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    53 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 15408-2:2020(Main)
Information technology - Security techniques - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2008)
SIST EN ISO/IEC 15408-2:2020

ISO/IEC 15408-2:2008 defines the content and presentation of the security functional requirements to be assessed in a security evaluation using ISO/IEC 15408. It contains a comprehensive catalogue of predefined security functional components that will meet most common security needs of the marketplace. These are organized using a hierarchical structure of classes, families and components, and supported by comprehensive user notes.
ISO/IEC 15408-2:2008 also provides guidance on the specification of customized security requirements where no suitable predefined security functional components exist.

  • Standard
    241 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 15408-1:2020(Main)
Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2009)
SIST EN ISO/IEC 15408-1:2020

EN-ISO/IEC 15408-1 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products. Part one provides an overview of all parts of ISO/IEC 15408 standard. It describes the various parts of the standard; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); the evaluation context and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given. It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations. The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation, evaluation results are described. This part of ISO/IEC 15408 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model. General information about the evaluation methodology are given in ISO/IEC 18045 and the scope of evaluation schemes is provided.

  • Standard
    74 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27000:2020(Main)
Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2018)
SIST EN ISO/IEC 27000:2020

EN ISO/IEC 27000 provides the overview of information security management systems (ISMS). It also provides terms and definitions commonly used in the ISMS family of standards.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27001:2017(Main)
Information technology - Security techniques - Information security management systems - Requirements (ISO/IEC 27001:2013 including Cor 1:2014 and Cor 2:2015)
SIST EN ISO/IEC 27001:2017

This International Standard specifies the requirements for establishing, implementing, maintaining
and continually improving an information security management system within the context of the
organization. This International Standard also includes requirements for the assessment and treatment
of information security risks tailored to the needs of the organization. The requirements set out in this
International Standard are generic and are intended to be applicable to all organizations, regardless
of type, size or nature. Excluding any of the requirements specified in Clauses 4 to 10 is not acceptable
when an organization claims conformity to this International Standard.

  • Standard
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    31 pages
    German language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    35 pages
    French language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    31 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27002:2017(Main)
Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015)
SIST EN ISO/IEC 27002:2017

This International Standard gives guidelines for organizational information security standards and
information security management practices including the selection, implementation and management
of controls taking into consideration the organization’s information security risk environment(s).
This International Standard is designed to be used by organizations that intend to:
a) select controls within the process of implementing an Information Security Management System
based on ISO/IEC 27001;[10]
b) implement commonly accepted information security controls;
c) develop their own information security management guidelines.

  • Standard
    95 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard – translation
    89 pages
    Slovenian language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27037:2016(Main)
Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012)
SIST EN ISO/IEC 27037:2017

This International Standard provides guidelines for specific activities in handling digital evidence, which are
identification, collection, acquisition and preservation of digital evidence that may be of evidential value. This
International Standard provides guidance to individuals with respect to common situations encountered
throughout the digital evidence handling process and assists organizations in their disciplinary procedures and
in facilitating the exchange of potential digital evidence between jurisdictions.
This International Standard gives guidance for the following devices and/or functions that are used in various
circumstances:
 Digital storage media used in standard computers like hard drives, floppy disks, optical and magneto
optical disks, data devices with similar functions,
 Mobile phones, Personal Digital Assistants (PDAs), Personal Electronic Devices (PEDs), memory cards,
 Mobile navigation systems,
 Digital still and video cameras (including CCTV),
 Standard computer with network connections,
 Networks based on TCP/IP and other digital protocols, and
 Devices with similar functions as above.
NOTE 1 The above list of devices is an indicative list and not exhaustive.
NOTE 2 Circumstances include the above devices that exist in various forms. For example, an automotive system may
include mobile navigation system, data storage and sensory system.

  • Standard
    48 pages
    English language
    sale 10% off
    e-Library read for
    1 day