ISO/IEC 18045:2022
(Main)Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Méthodologie pour l'évaluation de sécurité
General Information
RELATIONS
Standards Content (sample)
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
---------------------- Page: 1 ----------------------
ISO/IEC 18045:2022(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES ...................................................................................................................................................................................... ix
LIST OF TABLES .......................................................................................................................................................................................... x
FOREWORD ................................................................................................................................................................................................ xi
INTRODUCTION ....................................................................................................................................................................................... xii
SCOPE .................................................................................................................................................................................................. 1
NORMATIVE REFERENCES ............................................................................................................................................................ 1
TERMS AND DEFINITIONS ............................................................................................................................................................ 1
ABBREVIATED TERMS ................................................................................................................................................................... 4
TERMINOLOGY ................................................................................................................................................................................. 4
VERB USAGE ...................................................................................................................................................................................... 4
GENERAL EVALUATION GUIDANCE ............................................................................................................................................ 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES .................................... 5
EVALUATION PROCESS AND RELATED TASKS ....................................................................................................................... 5
9.1 GENERAL .................................................................................................................................................................................................................. 5
9.2 EVALUATION PROCESS OVERVIEW ....................................................................................................................................................................... 6
9.2.1 Objectives ................................................................................................................................................................................................................ 6
9.2.2 Responsibilities of the roles ............................................................................................................................................................................ 6
9.2.3 Relationship of roles .......................................................................................................................................................................................... 6
9.2.4 General evaluation model ............................................................................................................................................................................... 7
9.2.5 Evaluator verdicts ............................................................................................................................................................................................... 7
9.3 EVALUATION INPUT TASK ...................................................................................................................................................................................... 9
9.3.1 Objectives ................................................................................................................................................................................................................ 9
9.3.2 Application notes ................................................................................................................................................................................................. 9
9.3.3 Management of evaluation evidence sub-task .................................................................................................................................... 10
9.4 EVALUATION SUB-ACTIVITIES.............................................................................................................................................................................10
9.5 EVALUATION OUTPUT TASK ................................................................................................................................................................................10
9.5.1 Objectives ............................................................................................................................................................................................................. 10
9.5.2 Management of evaluation outputs ......................................................................................................................................................... 11
9.5.3 Application notes .............................................................................................................................................................................................. 11
9.5.4 Write OR sub-task ............................................................................................................................................................................................ 11
9.5.5 Write ETR sub-task .......................................................................................................................................................................................... 11
CLASS APE: PROTECTION PROFILE EVALUATION ............................................................................................................... 19
10.1 GENERAL ................................................................................................................................................................................................................19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .............................................................................................................................19
10.3 PP INTRODUCTION (APE_INT) ........................................................................................................................................................................20
10.3.1 Evaluation of sub-activity (APE_INT.1) ............................................................................................................................................ 20
10.4 CONFORMANCE CLAIMS (APE_CCL) ................................................................................................................................................................21
10.4.1 Evaluation of sub-activity (APE_CCL.1) ............................................................................................................................................ 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) ................................................................................................................................................31
10.5.1 Evaluation of sub-activity (APE_SPD.1) ........................................................................................................................................... 31
10.6 SECURITY OBJECTIVES (APE_OBJ) ...................................................................................................................................................................32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) ............................................................................................................................................ 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) ............................................................................................................................................ 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) ......................................................................................................................................36
10.7.1 Evaluation of sub-activity (APE_ECD.1) ........................................................................................................................................... 36
© ISO/IEC 2022 – All rights reservediii
---------------------- Page: 3 ----------------------
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) ..........................................................................................................................................................40
10.8.1 Evaluation of sub-activity (APE_REQ.1) ........................................................................................................................................... 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) ........................................................................................................................................... 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION ............................................................................ 49
11.1 GENERAL ................................................................................................................................................................................................................49
11.2 PP-MODULE INTRODUCTION (ACE_INT) ......................................................................................................................................................51
11.2.1 Evaluation of sub-activity (ACE_INT.1) ............................................................................................................................................ 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) ........................................................................................................................................53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) ............................................................................................................................................ 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) ........................................................................................................................ 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) ........................................................................................................................................... 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) ...........................................................................................................................................59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) ............................................................................................................................................ 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) ............................................................................................................................................ 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) .............................................................................................................. 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) ........................................................................................................................................... 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) .................................................................................................................................. 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) ........................................................................................................................................... 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) ........................................................................................................................................... 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .......................................................................................................................................................76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) .......................................................................................................................................... 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) ...........................................................................................................................................79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) ........................................................................................................................................... 79
CLASS ASE: SECURITY TARGET EVALUATION ...................................................................................................................... 87
12.1 GENERAL ................................................................................................................................................................................................................87
12.2 APPLICATION NOTES ............................................................................................................................................................................................87
12.2.1 Re-using the evaluation results of certified PPs............................................................................................................................ 87
12.3 ST INTRODUCTION (ASE_INT) .........................................................................................................................................................................88
12.3.1 Evaluation of sub-activity (ASE_INT.1) ............................................................................................................................................ 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) ................................................................................................................................................................91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) ............................................................................................................................................ 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) ............................................................................................................................................. 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) ......................................................................................................................................... 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) ................................................................................................................................................................ 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) ......................................................................................................................................... 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) ......................................................................................................................................... 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) ................................................................................................................................... 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) ........................................................................................................................................ 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) ....................................................................................................................................................... 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) ........................................................................................................................................ 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) ........................................................................................................................................ 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) ................................................................................................................................................ 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) ......................................................................................................................................... 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) ......................................................................................................................................... 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) ..................................................................................... 127
12.10.1 General ......................................................................................................................................................................................................... 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) .................................................................................................................................... 127
CLASS ADV: DEVELOPMENT .................................................................................................................................................... 132
13.1 GENERAL ............................................................................................................................................................................................................. 132
13.2 APPLICATION NOTES ......................................................................................................................................................................................... 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) ....................................................................................................................................................... 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) ........................................................................................................................................ 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) ................................................................................................................................................... 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) ........................................................................................................................................ 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) ........................................................................................................................................ 140
© ISO/IEC 2022 – All rights reserved---------------------- Page: 4 ----------------------
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) ........................................................................................................................................ 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) ........................................................................................................................................ 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) ........................................................................................................................................ 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) ........................................................................................................................................ 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) .................................................................................................................................... 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) ........................................................................................................................................ 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) ........................................................................................................................................ 164
13.6 TSF INTERNALS (ADV_INT) .......................................................................................................................................................................... 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) ........................................................................................................................................ 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) ........................................................................................................................................ 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) ........................................................................................................................................ 171
13.7 FORMAL TSF MODEL (ADV_SPM) ............................................................................................................................................................... 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) ....................................................................................................................................... 173
13.8 TOE DESIGN (ADV_TDS) ............................................................................................................................................................................... 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) ........................................................................................................................................ 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) ........................................................................................................................................ 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) ........................................................................................................................................ 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) ........................................................................................................................................ 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) ........................................................................................................................................ 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) ........................................................................................................................................ 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) ....................................................................................................................................... 214
13.9.1 General ......................................................................................................................................................................................................... 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) .................................................................................................................................... 214
CLASS AGD: GUIDANCE DOCUMENTS ................................................................................................................................... 216
14.1 GENERAL .............................................................................................................................................................................................................216
14.2 APPLICATION NOTES .........................................................................................................................................................................................216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) .............................................................................................................................................. 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1)........................................................................................................................................ 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) .................................................................................................................................................... 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) ........................................................................................................................................ 219
CLASS ALC: LIFE-CYCLE SUPPORT ......................................................................................................................................... 221
15.1 GENERAL .............................................................................................................................................................................................................221
15.2 CM CAPABILITIES (ALC_CMC) ...................................................................................................................................................................... 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) ........................................................................................................................................ 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) ........................................................................................................................................ 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) ........................................................................................................................................ 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) ........................................................................................................................................ 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) ........................................................................................................................................ 233
15.3 CM SCOPE (ALC_CMS) ...................................................................................................................................................................................240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) ........................................................................................................................................ 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) ........................................................................................................................................ 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) ........................................................................................................................................ 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) ........................................................................................................................................ 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) ........................................................................................................................................ 244
15.4 DELIVERY (ALC_DEL) ....................................................................................................................................................................................245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) ........................................................................................................................................ 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) ..................................................................................
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.