Information security, cybersecurity and privacy protection - Requirements for the competence of IT security conformance assessment body personnel - Part 1: Overview and concepts (ISO/IEC 19896-1:2025)

This document establishes an organized set of concepts and relationships to understand the competency requirements for information security conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities.


Information security, cybersecurity and privacy protection - Requirements for the competence of IT security conformance assessment body personnel - Part 1: Overview and concepts (ISO/IEC FDIS 19896-1:2025)

General Information

Status
Published
Publication Date
02-Dec-2025
Current Stage
6060 - Definitive text made available (DAV) - Publishing
Start Date
03-Dec-2025
Completion Date
03-Dec-2025

Relations

Draft
prEN ISO/IEC 19896-1:2024
English language
16 pages

Standards Content (Sample)


SLOVENIAN STANDARD
oSIST prEN ISO/IEC 19896-1:2024
01-December-2024
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security conformance assessment body personnel - Part 1: Overview and concepts (ISO/IEC DIS 19896-1:2024)
This Slovenian standard is identical to: prEN ISO/IEC 19896-1
ICS:
03.100.30 Management of human resources
35.030 IT Security
oSIST prEN ISO/IEC 19896-1:2024 en,fr,de
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT International Standard
ISO/IEC DIS 19896-1
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-09-30
Voting terminates on: 2024-12-23
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security conformance assessment body personnel — Part 1: Overview and concepts
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
Reference number: ISO/IEC DIS 19896-1:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024 – All rights reserved
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents

Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Concepts ... 3
5 Elements of competence ... 3
5.1 Competences ... 3
5.2 Knowledge ... 4
5.3 Skills ... 4
5.3.1 General ... 4
5.3.2 Testers and evaluators ... 4
5.3.3 Validators and certifiers ... 5
6 Competency levels ... 6
6.1 General ... 6
6.2 Testers and evaluators ... 6
6.2.1 Competency level 1 ... 6
6.2.2 Competency level 2 ... 6
6.2.3 Competency level 3 ... 6
6.3 Validators and certifiers ... 6
6.3.1 Competency level 1 ... 6
6.3.2 Competency level 2 ... 7
6.3.3 Competency level 3 ... 7
7 Measurement of elements of competence ... 7
7.1 Knowledge ... 7
7.2 Skills ... 7
7.3 Recording elements of competence ... 8
Annex A (informative) Framework for describing competence requirements ... 9
Annex B (informative) Example records of experience and competence ... 10
Bibliography ... 11

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out through
ISO technical committees. Each member body interested in a subject for which a technical committee
has been established has the right to be represented on that committee. International organizations,
governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely
with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a)
patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent
rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a)
patent(s) which may be required to implement this document. However, implementers are cautioned that
this may not represent the latest information, which may be obtained from the patent database available at
www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 19896-1), which has been technically
revised.
The main changes are as follows:
— the document has been restructured;
— the subclauses related to experience, education and effectiveness have been deleted;
— technical changes have been introduced;
— competence concepts for validators and certifiers have been added;
— knowledge and skills have been rewritten as the remaining elements of competence, out of the former set of knowledge, skills, experience, education and effectiveness, in line with CASCO’s comments.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.

Introduction
The objective of the ISO/IEC 19896 series is to provide the fundamental concepts related to the topic of the
competence of the individuals responsible for performing IT product security evaluations and conformance
testing as well as those individuals performing certification and validations. The ISO/IEC 19896 series
provides the framework and the specialized requirements that specify the minimum competence of
individuals performing IT product security evaluations and conformance testing, certification and validation
using established standards.
In pursuit of this objective, the ISO/IEC 19896 series comprises the following:
a) the terms and definitions relating to the topic of competence in IT product security evaluators and
testers;
b) the fundamental concepts relating to competence in IT product security evaluations and conformance
testing;
c) the minimum competence requirements for IT product security evaluators and testers to conduct IT
product testing/evaluation;
d) the terms and definitions relating to the topic of competence in IT product security certifiers and
validators;
e) the fundamental concepts relating to competence in IT product security certifications and validation; and
f) the minimum competence requirements for IT product security certifiers and validators to conduct IT
product validation/certification.
The ISO/IEC 19896 series is of interest to:
a) information security evaluation and conformance-testing specialists;
b) information security certification bodies for evaluation;
c) information security certification bodies for conformance-testing;
d) information security evaluation and conformance-testing laboratories;
e) vendors or technology providers whose IT products can be the subject of information security assurance
evaluations or conformance-testing; and
f) organizations offering professional credentials or recognitions.
The ISO/IEC 19896 series is organized in parts to address the competence of evaluation and testing
professionals as follows:
In this document, the introduction and concepts provide an overview of the definitions, fundamental
concepts and a general description of the framework used to communicate the competence concepts for
certain specialized areas. This material is aimed at providing the fundamental knowledge necessary to use
the framework presented in the other parts of the ISO/IEC 19896 series appropriately.
ISO/IEC 19896-2 describes the minimum set of competence requirements at each competency level for
conformance testers and validators working with ISO/IEC 19790, ISO/IEC 24759 and associated standards.
ISO/IEC 19896-3 describes the minimum set of competence requirements at each competency level for
information security evaluators and certifiers working with the ISO/IEC 15408 series, ISO/IEC 18045 and
associated standards.
DRAFT International Standard ISO/IEC DIS 19896-1:2024(en)
Information security, cybersecurity and privacy protection — Requirements for the competence of IT security conformance assessment body personnel — Part 1: Overview and concepts
1 Scope
This document defines terms and establishes an organized set of concepts and relationships to understand
the competency requirements for information security assurance conformance-testing and evaluation
specialists, thereby establishing a basis for shared understanding of the concepts and principles central to
the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the
ISO/IEC 19896 series.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 23532 series:2021, Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 23532-1, ISO/IEC 23532-2 and
the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
certifier
certification body personnel assigned to perform certification activities in accordance with a given
evaluation standard and associated evaluation methodology
Note 1 to entry: An example of an evaluation standard is the ISO/IEC 15408 series, with the associated evaluation methodology given in ISO/IEC 18045.
3.2
certification body
third-party conformity assessment body operating certification schemes
Note 1 to entry: Certification body is called a validation authority in ISO/IEC 19790 and ISO/IEC 24759 and evaluation
authority in ISO/IEC 15408 and ISO/IEC 18045.

3.3
certification scheme
certification system related to specified products, to which the same specified requirements, specific rules
and procedures apply
3.4
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17024:2012, 3.6]
3.5
conformance-tester
tester
individual assigned to perform test activities in accordance with a given conformance testing standard and
associated testing methodology
Note 1 to entry: An example of such a standard is ISO/IEC 19790 and the testing methodology specified in
ISO/IEC 24759.
3.6
evaluator
individual assigned to perform evaluations in accordance with a given evaluation standard and associated
evaluation methodology
Note 1 to entry: An example of an evaluation standard is the ISO/IEC 15408 series, with the associated evaluation methodology given in ISO/IEC 18045.
3.7
knowledge
facts, information, truths, principles or understanding acquired through experience or education
Note 1 to entry: An example of knowledge is the ability to describe
...
