ISO/IEC TR 15443-2:2012

TECHNICAL ISO/IEC
REPORT TR
15443-2
Second edition
2012-11-15


Information technology — Security
techniques — Security assurance
framework
Part 2:
Analysis
Technologies de l'information — Techniques de sécurité — Assurance
de la sécurité cadre
Partie 2: Analyses




Reference number
ISO/IEC TR 15443-2:2012(E)
©
ISO/IEC 2012

---------------------- Page: 1 ----------------------
ISO/IEC TR 15443-2:2012(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2012 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 15443-2:2012(E)
Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
4 A framework for the analysis of IT security assurance . 2
5 Criteria for the analysis SACA paradigms . 2
5.1 Availability of recognition agreements and arrangements . 2
5.1.1 Discussion . 2
5.1.2 Criteria . 2
5.2 Geographical and political considerations . 3
5.2.1 Discussion . 3
5.2.2 Criteria . 3
6 Criteria for the analysis of SACA schemes and SACA systems . 3
6.1 Independence . 3
6.1.1 Discussion . 3
6.1.2 Criteria . 3
6.2 Scheme competence . 4
6.2.1 Discussion . 4
6.2.2 Criteria . 4
6.3 Assessment conformity . 4
6.3.1 Discussion . 4
6.3.2 Criteria . 5
6.4 Support to security assurance users and providers . 5
6.4.1 Discussion . 5
6.4.2 Criteria . 5
6.5 Provision of interpretations of standards and methods . 5
6.5.1 Discussion . 5
6.5.2 Criteria . 5
6.6 Scheme related policies. 6
6.6.1 Discussion . 6
6.6.2 Criteria . 6
6.7 SACA systems . 6
6.7.1 Discussion . 6
6.7.2 Criteria . 6
6.8 Commercial considerations . 6
6.8.1 Discussion . 6
6.8.2 Criteria . 7
6.9 SACA results . 7
6.9.1 Discussion . 7
6.9.2 Criteria . 7
6.10 SACA Marks and symbols . 7
6.10.1 Discussion . 7
6.10.2 Criteria . 7
7 Criteria for the analysis of SACA bodies . 8
7.1 Independence . 8
7.1.1 Discussion . 8
7.1.2 Criteria . 8
© ISO/IEC 2012 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 15443-2:2012(E)
7.2 Accreditation .9
7.2.1 Discussion .9
7.2.2 Criteria .9
7.3 SACA body competence .9
7.3.1 Discussion .9
7.3.2 Criteria .9
7.4 Commercial considerations .10
7.4.1 Discussion .10
7.4.2 Criteria .10
8 Criteria for the analysis of SACA methods .11
8.1 General criteria for SACA methods .11
8.1.1 Discussion .11
8.1.2 Criteria .11
8.2 Confidence in the assurance method .11
8.2.1 Discussion .11
8.2.2 Criteria .11
8.3 Independent Confirmation .12
8.3.1 Discussion .12
8.3.2 Criteria .12
8.4 Trust Policies .12
8.4.1 Discussion .12
8.4.2 Criteria .13
8.5 Maturity of the assurance method .13
8.5.1 Discussion .13
8.5.2 Criteria .13
9 Criteria for the analysis of standards, specifications and SACA documents .13
9.1 The standards development organization .13
9.1.1 Discussion .13
9.1.2 Criteria .13
9.2 The standard or specification .14
9.2.1 Discussion .14
9.2.2 Criteria .14
10 Criteria for the analysis of the SACA results .14
10.1 Documentation produced .14
10.1.1 Discussion .14
10.1.2 Criteria .14
10.2 Identification of the components of the deliverable .15
10.2.1 Discussion .15
10.2.2 Criteria .16
10.3 Scopes and boundaries of the target of the assessment .16
10.3.1 Discussion .16
10.3.2 Criteria .16
10.4 Functionality of the deliverable assessed .16
10.4.1 Discussion .16
10.4.2 Criteria .16
10.5 Supply chain criteria .17
10.5.1 Discussion .17
10.5.2 Criteria .17
10.6 Analysis of the security problem .17
10.6.1 Discussion .17
10.6.2 Criteria .17
10.7 Lifecycle .17
10.7.1 Discussion .17
10.7.2 Criteria .18
10.8 Operational considerations .18
10.8.1 Discussion .18
10.8.2 Criteria .18

iv © ISO/IEC 2012 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 15443-2:2012(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, when the joint technical committee has collected data of a different kind from
that which is normally published as an International Standard (“state of the art”, for example), it may decide to
publish a Technical Report. A Technical Report is entirely informative in nature and shall be subject to review
every five years in the same manner as an International Standard.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 15443-2 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Security techniques.
This second edition of ISO/IEC TR 15443-2 cancels and replaces the first edition (ISO/IEC TR 15443-2:2005)
and ISO/IEC TR 15443-3:2007, which have been technically revised.
ISO/IEC TR 15443 consists of the following parts, under the general title Information technology — Security
techniques — Security assurance framework:
 Part 1: Introduction and concepts
 Part 2: Analysis
© ISO/IEC 2012 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 15443-2:2012(E)
Introduction
This part of ISO/IEC TR 15443 is intended to be used together with ISO/IEC TR 15443-1. ISO/IEC TR 15443-
1 introduced and discussed the concepts of assurance describing a model whereby the security assurance
requirements for a deliverable can be satisfied through the presentation of a security case supported by
security evidence that was obtained through making security assurance arguments in the development of a
security assurance claim, IT security assurance arguments are verified by the application of security
assurance conformity assessment methods and a Mark or symbol awarded appropriately.
ISO/IEC TR 15443-1 introduced the notion of methods for obtaining confidence in the security assurance
claims made for a deliverable. This includes methods based on national or international agreed standards,
specifications and methods as well as de-facto standards, specifications and methodologies which have as a
characteristic a specified and systematic repeatable method for obtaining security assurance. These may be
supplemented by a governing conformity assessment scheme that has responsibility for the oversight of the
conformity of the application of the standard or specification and the testing method and often undertakes
other duties such as awarding security assurance Marks.
By defining such a framework, this part of ISO/IEC TR 15443 guides the IT professional in the selection, and
possible combination, of the assurance method(s) suitable for a given IT security product, system, or service
and its specific environment.
Intended users of this part of ISO/IEC TR 15443 include those specifying security assurance cases including:
 acquirers (an individual or organization that acquires or procures a system, software product or software
service from a supplier);
 developer (an individual or organization that performs development activities, including requirements
analysis, design, testing and possibly integration during the software life cycle process)
 maintainer (an individual or organization that performs maintenance activities);
 supplier (an individual or organization that enters into a contract with the acquirer for the supply of a
system, software product or software service under the terms of the contract);
 user (an individual or organization that uses the deliverable to perform a specific function);
 evaluator, tester or assessor (an individual or organization that performs an evaluation; an evaluator may,
for example, be a testing laboratory, the quality department of a software development organization, a
government organization or a user);
The objective of this part of ISO/IEC TR 15443 is to describe criteria that may be used in an analysis to
support obtaining confidence in a variety of IT security assurance conformity assessment (SACA) paradigms,
and to relate the described criteria to the security assurance model of ISO/IEC TR 15443-1. The emphasis is
to identify criteria, often qualitative, and where possible quantitative, that can be used to support the degree of
confidence that can be placed in the claims, results and Marks obtained from the associated SACA
paradigms.
To provide such a framework it is necessary to characterize the criteria that can be used to assess the quality
of the subject paradigm. Many of the criteria proposed in this framework rely on subjective analysis, with
elements of assessment that may rely upon individual, organizational, and national norms, cultures and
beliefs.
vi © ISO/IEC 2012 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 15443-2:2012(E)

Information technology — Security techniques — Security
assurance framework
Part 2:
Analysis
1 Scope
This part of ISO/IEC TR 15443 builds on the concepts presented in ISO/IEC TR 15443-1. It provides a
discussion of the attributes of security assurance conformity assessment methods that contribute towards
making assurance claims and providing assurance evidence to fulfil meeting the assurance requirements for a
deliverable.
This part of ISO/IEC TR 15443 proposes criteria for comparing and analysing different SACA methods. The
reader is cautioned that the methods used as examples in this part of ISO/IEC TR 15443 are considered to
represent popularly used methods at the time of its writing. New methods may appear, and modification or
withdrawal of the methods cited may occur. It is intended that the criteria can be used to describe and
compare any SACA method whatever its provenance.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
)
1
ISO/IEC TR 15443-1:— , Information technology — Security techniques — Security assurance framework —
Part 1: Introduction and concepts
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms, definitions and abbreviated terms given in ISO/IEC TR 15443-1
and the following apply.
CAP Certificate Authorising Participants
CCP Certificate Consuming Participants
CCRA Common Criteria Recognition Arrangement
CCMC Common Criteria Management Committee
PCI Payment Card Industry

)
1
To be published.
© ISO/IEC 2012 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC TR 15443-2:2012(E)
4 A framework for the analysis of IT security assurance
The framework provided in the following clauses presents criteria that will generally be assessed subjectively
and that may be used in gaining confidence in various elements of a SACA paradigm. Criteria for the analysis
of SACA paradigms, schemes and systems are presented in clause 6, criteria related to assessing SACA
bodies are given in clause 7, criteria related to assessing various methods are found in clause 8; criteria for
assessing SDOs and standards are found in clause 9 and criteria for assessing the SACA results are offered
in clause 10.
The criteria catalogued in this document are intended to be used in support of obtaining confidence in a SACA
results. Depending on the objectives of the user of the catalogue some criteria may not be appropriate and still
others may need to be defined.
Several CASCO standards exist that should guide stakeholders in a SACA paradigm in the definition and
operation of various elements of the paradigm including the SACA schemes, bodies, and systems employed.
Those whose objective is to assess these should be familiar with the relevant CASCO documents which have
been discussed in clause 9 of part 1 of this Technical Report. Further, obtaining confidence in the SACA
results means that criteria for the quality of the results must be considered.
The structure of the following clauses includes a discussion of the topic to be considered, and the identified
criteria to be considered with explanatory notes and examples as appropriate.
5 Criteria for the analysis SACA paradigms
There are many examples of SACA schemes. These include the full range of organizations ranging from
internal departments within a development or integrating organization, commercially operated schemes,
industry-sponsored schemes, as well as those operated by government departments and agencies.
5.1 Availability of recognition agreements and arrangements
5.1.1 Discussion
It is usually the responsibility of a SACA scheme to participate in appropriate recognition agreements and
arrangements. Consideration of any such recognition agreements or arrangements may be an important
criterion to the producers of deliverables with a wide range of acquirers
5.1.2 Criteria
a) Formal or informal recognition agreements or arrangements are in place;
b) The value to the SACA stakeholders of any recognition agreements or arrangements;
NOTE The stakeholders may consider if such agreements or arrangements are made at international, national,
political or industry levels and if such agreements or arrangements facilitate the objectives of the stakeholders.
c) Agreements or arrangements that are made include consideration of development, issuance and
operation of arrangements for the recognition and acceptance of results produced by SACA bodies
undertaking similar conformity assessment and related activities.
EXAMPLE ISO/IEC Guide 68:2002
2 © ISO/IEC 2012 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC TR 15443-2:2012(E)
5.2 Geographical and political considerations
5.2.1 Discussion
The SACA paradigm may include operations at international, national, regional, political or at an industry level.
Consumers of the assurance provided and other stakeholders may specify SACA schemes with jurisdiction in
particular areas. This then becomes a consideration for those selecting a SACA paradigm.
5.2.2 Criteria
a) The SACA paradigm operates in appropriate geo-political areas;
b) Cultural differences between the geographies are considered by stakeholders;
c) The existence of Interpretations of standards and specifications in different geo-political areas, or regional
policies.
NOTE If interpretations are made differently in different geographical regions then the assessment of the SACA
results and the value of the Marks awarded in each region should be reviewed to ensure that commensurate confidence is
obtained in each case.
6 Criteria for the analysis of SACA schemes and SACA systems
6.1 Independence
6.1.1 Discussion
A SACA scheme is an organization that is trusted to validate the SACA claims made by others.
Confidence in the
...