Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Méthodologie pour l'évaluation de sécurité

General Information

Status
Published
Publication Date
08-Aug-2022
Current Stage
6060 - International Standard published
Due Date
15-Jun-2021
Completion Date
09-Aug-2022
Ref Project

RELATIONS

Buy Standard

Standard
ISO/IEC 18045:2022 - Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation Released:9. 08. 2022
English language
423 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC 18045:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on

the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below

or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18045:2022(E)
Table of Contents

LIST OF FIGURES ...................................................................................................................................................................................... ix

LIST OF TABLES .......................................................................................................................................................................................... x

FOREWORD ................................................................................................................................................................................................ xi

INTRODUCTION ....................................................................................................................................................................................... xii

SCOPE .................................................................................................................................................................................................. 1

NORMATIVE REFERENCES ............................................................................................................................................................ 1

TERMS AND DEFINITIONS ............................................................................................................................................................ 1

ABBREVIATED TERMS ................................................................................................................................................................... 4

TERMINOLOGY ................................................................................................................................................................................. 4

VERB USAGE ...................................................................................................................................................................................... 4

GENERAL EVALUATION GUIDANCE ............................................................................................................................................ 5

RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES .................................... 5

EVALUATION PROCESS AND RELATED TASKS ....................................................................................................................... 5

9.1 GENERAL .................................................................................................................................................................................................................. 5

9.2 EVALUATION PROCESS OVERVIEW ....................................................................................................................................................................... 6

9.2.1 Objectives ................................................................................................................................................................................................................ 6

9.2.2 Responsibilities of the roles ............................................................................................................................................................................ 6

9.2.3 Relationship of roles .......................................................................................................................................................................................... 6

9.2.4 General evaluation model ............................................................................................................................................................................... 7

9.2.5 Evaluator verdicts ............................................................................................................................................................................................... 7

9.3 EVALUATION INPUT TASK ...................................................................................................................................................................................... 9

9.3.1 Objectives ................................................................................................................................................................................................................ 9

9.3.2 Application notes ................................................................................................................................................................................................. 9

9.3.3 Management of evaluation evidence sub-task .................................................................................................................................... 10

9.4 EVALUATION SUB-ACTIVITIES.............................................................................................................................................................................10

9.5 EVALUATION OUTPUT TASK ................................................................................................................................................................................10

9.5.1 Objectives ............................................................................................................................................................................................................. 10

9.5.2 Management of evaluation outputs ......................................................................................................................................................... 11

9.5.3 Application notes .............................................................................................................................................................................................. 11

9.5.4 Write OR sub-task ............................................................................................................................................................................................ 11

9.5.5 Write ETR sub-task .......................................................................................................................................................................................... 11

CLASS APE: PROTECTION PROFILE EVALUATION ............................................................................................................... 19

10.1 GENERAL ................................................................................................................................................................................................................19

10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .............................................................................................................................19

10.3 PP INTRODUCTION (APE_INT) ........................................................................................................................................................................20

10.3.1 Evaluation of sub-activity (APE_INT.1) ............................................................................................................................................ 20

10.4 CONFORMANCE CLAIMS (APE_CCL) ................................................................................................................................................................21

10.4.1 Evaluation of sub-activity (APE_CCL.1) ............................................................................................................................................ 21

10.5 SECURITY PROBLEM DEFINITION (APE_SPD) ................................................................................................................................................31

10.5.1 Evaluation of sub-activity (APE_SPD.1) ........................................................................................................................................... 31

10.6 SECURITY OBJECTIVES (APE_OBJ) ...................................................................................................................................................................32

10.6.1 Evaluation of sub-activity (APE_OBJ.1) ............................................................................................................................................ 32

10.6.2 Evaluation of sub-activity (APE_OBJ.2) ............................................................................................................................................ 33

10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) ......................................................................................................................................36

10.7.1 Evaluation of sub-activity (APE_ECD.1) ........................................................................................................................................... 36

© ISO/IEC 2022 – All rights reserved
iii
---------------------- Page: 3 ----------------------
ISO/IEC 18045:2022(E)

10.8 SECURITY REQUIREMENTS (APE_REQ) ..........................................................................................................................................................40

10.8.1 Evaluation of sub-activity (APE_REQ.1) ........................................................................................................................................... 40

10.8.2 Evaluation of sub-activity (APE_REQ.2) ........................................................................................................................................... 45

CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION ............................................................................ 49

11.1 GENERAL ................................................................................................................................................................................................................49

11.2 PP-MODULE INTRODUCTION (ACE_INT) ......................................................................................................................................................51

11.2.1 Evaluation of sub-activity (ACE_INT.1) ............................................................................................................................................ 51

11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) ........................................................................................................................................53

11.3.1 Evaluation of sub-activity (ACE_CCL.1) ............................................................................................................................................ 53

11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) ........................................................................................................................ 58

11.4.1 Evaluation of sub-activity (ACE_SPD.1) ........................................................................................................................................... 58

11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) ...........................................................................................................................................59

11.5.1 Evaluation of sub-activity (ACE_OBJ.1) ............................................................................................................................................ 59

11.5.2 Evaluation of sub-activity (ACE_OBJ.2) ............................................................................................................................................ 60

11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) .............................................................................................................. 63

11.6.1 Evaluation of sub-activity (ACE_ECD.1) ........................................................................................................................................... 63

11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) .................................................................................................................................. 67

11.7.1 Evaluation of sub-activity (ACE_REQ.1) ........................................................................................................................................... 67

11.7.2 Evaluation of sub-activity (ACE_REQ.2) ........................................................................................................................................... 72

11.8 PP-MODULE CONSISTENCY (ACE_MCO) .......................................................................................................................................................76

11.8.1 Evaluation of sub-activity (ACE_MCO.1) .......................................................................................................................................... 76

11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) ...........................................................................................................................................79

11.9.1 Evaluation of sub-activity (ACE_CCO.1) ........................................................................................................................................... 79

CLASS ASE: SECURITY TARGET EVALUATION ...................................................................................................................... 87

12.1 GENERAL ................................................................................................................................................................................................................87

12.2 APPLICATION NOTES ............................................................................................................................................................................................87

12.2.1 Re-using the evaluation results of certified PPs............................................................................................................................ 87

12.3 ST INTRODUCTION (ASE_INT) .........................................................................................................................................................................88

12.3.1 Evaluation of sub-activity (ASE_INT.1) ............................................................................................................................................ 88

12.4 CONFORMANCE CLAIMS (ASE_CCL) ................................................................................................................................................................91

12.4.1 Evaluation of sub-activity (ASE_CCL.1) ............................................................................................................................................ 91

12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) ............................................................................................................................................. 105

12.5.1 Evaluation of sub-activity (ASE_SPD.1) ......................................................................................................................................... 105

12.6 SECURITY OBJECTIVES (ASE_OBJ) ................................................................................................................................................................ 106

12.6.1 Evaluation of sub-activity (ASE_OBJ.1) ......................................................................................................................................... 106

12.6.2 Evaluation of sub-activity (ASE_OBJ.2) ......................................................................................................................................... 107

12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) ................................................................................................................................... 109

12.7.1 Evaluation of sub-activity (ASE_ECD.1) ........................................................................................................................................ 109

12.8 SECURITY REQUIREMENTS (ASE_REQ) ....................................................................................................................................................... 113

12.8.1 Evaluation of sub-activity (ASE_REQ.1) ........................................................................................................................................ 113

12.8.2 Evaluation of sub-activity (ASE_REQ.2) ........................................................................................................................................ 119

12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) ................................................................................................................................................ 124

12.9.1 Evaluation of sub-activity (ASE_TSS.1) ......................................................................................................................................... 124

12.9.2 Evaluation of sub-activity (ASE_TSS.2) ......................................................................................................................................... 125

12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) ..................................................................................... 127

12.10.1 General ......................................................................................................................................................................................................... 127

12.10.2 Evaluation of sub-activity (ASE_COMP.1) .................................................................................................................................... 127

CLASS ADV: DEVELOPMENT .................................................................................................................................................... 132

13.1 GENERAL ............................................................................................................................................................................................................. 132

13.2 APPLICATION NOTES ......................................................................................................................................................................................... 132

13.3 SECURITY ARCHITECTURE (ADV_ARC) ....................................................................................................................................................... 133

13.3.1 Evaluation of sub-activity (ADV_ARC.1) ........................................................................................................................................ 133

13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) ................................................................................................................................................... 137

13.4.1 Evaluation of sub-activity (ADV_FSP.1) ........................................................................................................................................ 137

13.4.2 Evaluation of sub-activity (ADV_FSP.2) ........................................................................................................................................ 140

© ISO/IEC 2022 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC 18045:2022(E)

13.4.3 Evaluation of sub-activity (ADV_FSP.3) ........................................................................................................................................ 145

13.4.4 Evaluation of sub-activity (ADV_FSP.4) ........................................................................................................................................ 150

13.4.5 Evaluation of sub-activity (ADV_FSP.5) ........................................................................................................................................ 155

13.4.6 Evaluation of sub-activity (ADV_FSP.6) ........................................................................................................................................ 161

13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) .................................................................................................................................... 161

13.5.1 Evaluation of sub-activity (ADV_IMP.1) ........................................................................................................................................ 161

13.5.2 Evaluation of sub-activity (ADV_IMP.2) ........................................................................................................................................ 164

13.6 TSF INTERNALS (ADV_INT) .......................................................................................................................................................................... 166

13.6.1 Evaluation of sub-activity (ADV_INT.1) ........................................................................................................................................ 166

13.6.2 Evaluation of sub-activity (ADV_INT.2) ........................................................................................................................................ 169

13.6.3 Evaluation of sub-activity (ADV_INT.3) ........................................................................................................................................ 171

13.7 FORMAL TSF MODEL (ADV_SPM) ............................................................................................................................................................... 173

13.7.1 Evaluation of sub-activity (ADV_SPM.1) ....................................................................................................................................... 173

13.8 TOE DESIGN (ADV_TDS) ............................................................................................................................................................................... 180

13.8.1 Evaluation of sub-activity (ADV_TDS.1) ........................................................................................................................................ 180

13.8.2 Evaluation of sub-activity (ADV_TDS.2) ........................................................................................................................................ 183

13.8.3 Evaluation of sub-activity (ADV_TDS.3) ........................................................................................................................................ 188

13.8.4 Evaluation of sub-activity (ADV_TDS.4) ........................................................................................................................................ 197

13.8.5 Evaluation of sub-activity (ADV_TDS.5) ........................................................................................................................................ 206

13.8.6 Evaluation of sub-activity (ADV_TDS.6) ........................................................................................................................................ 213

13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) ....................................................................................................................................... 214

13.9.1 General ......................................................................................................................................................................................................... 214

13.9.2 Evaluation of sub-activity (ADV_COMP.1) .................................................................................................................................... 214

CLASS AGD: GUIDANCE DOCUMENTS ................................................................................................................................... 216

14.1 GENERAL .............................................................................................................................................................................................................216

14.2 APPLICATION NOTES .........................................................................................................................................................................................216

14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) .............................................................................................................................................. 216

14.3.1 Evaluation of sub-activity (AGD_OPE.1)........................................................................................................................................ 216

14.4 PREPARATIVE PROCEDURES (AGD_PRE) .................................................................................................................................................... 219

14.4.1 Evaluation of sub-activity (AGD_PRE.1) ........................................................................................................................................ 219

CLASS ALC: LIFE-CYCLE SUPPORT ......................................................................................................................................... 221

15.1 GENERAL .............................................................................................................................................................................................................221

15.2 CM CAPABILITIES (ALC_CMC) ...................................................................................................................................................................... 222

15.2.1 Evaluation of sub-activity (ALC_CMC.1) ........................................................................................................................................ 222

15.2.2 Evaluation of sub-activity (ALC_CMC.2) ........................................................................................................................................ 223

15.2.3 Evaluation of sub-activity (ALC_CMC.3) ........................................................................................................................................ 224

15.2.4 Evaluation of sub-activity (ALC_CMC.4) ........................................................................................................................................ 228

15.2.5 Evaluation of sub-activity (ALC_CMC.5) ........................................................................................................................................ 233

15.3 CM SCOPE (ALC_CMS) ...................................................................................................................................................................................240

15.3.1 Evaluation of sub-activity (ALC_CMS.1) ........................................................................................................................................ 240

15.3.2 Evaluation of sub-activity (ALC_CMS.2) ........................................................................................................................................ 241

15.3.3 Evaluation of sub-activity (ALC_CMS.3) ........................................................................................................................................ 242

15.3.4 Evaluation of sub-activity (ALC_CMS.4) ........................................................................................................................................ 243

15.3.5 Evaluation of sub-activity (ALC_CMS.5) ........................................................................................................................................ 244

15.4 DELIVERY (ALC_DEL) ....................................................................................................................................................................................245

15.4.1 Evaluation of sub-activity (ALC_DEL.1) ........................................................................................................................................ 245

15.5 DEVELOPMENT SECURITY (ALC_DVS) ..................................................................................

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.