ISO/IEC TS 9569:2023
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045
This document specifies patch management (PAM) security assurance requirements and is intended to be used as an extension of the ISO/IEC 15408 series and ISO/IEC 18045. The security assurance requirements specified in this document do not include evaluation or test activities on the final target of evaluation (TOE), but focus on the initial TOE and on the life cycle processes used by manufacturers. Additionally, this document gives guidance to facilitate the evaluation of the TOE, including the patch and development processes which support the patch management. This document lists options for evaluation authorities (or mutual recognition agreements) on how to utilize the additional assurance and additional evidence in their processes to enable the developer to consistently re-certify their updated or patched TOEs to the benefit of the users. The implementation of these options using an evaluation scheme is out of the scope of this document.
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des TI — Extension pour la gestion des correctifs concernant la série ISO/IEC 15408 et l'ISO/IEC 18045
Standards Content (Sample)
TECHNICAL SPECIFICATION
ISO/IEC TS 9569
First edition
2023-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des TI — Extension pour la gestion des correctifs concernant la série ISO/IEC 15408 et l'ISO/IEC 18045
Reference number
ISO/IEC TS 9569:2023(E)
© ISO/IEC 2023
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Background information
4.2 Proposed approach
4.3 Non-public vulnerabilities
5 Patch management family
5.1 General
5.2 Patch management (ALC_PAM)
5.2.1 Objectives
5.2.2 Component levelling
5.2.3 Application notes
5.2.4 ALC_PAM.1 Patch management
5.3 Evaluation work units for ALC_PAM
5.3.1 Action ALC_PAM.1.1E
...
FINAL DRAFT
TECHNICAL SPECIFICATION
ISO/IEC DTS 9569
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2023-08-16
Voting terminates on: 2023-10-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des TI — Extension pour la gestion des correctifs concernant la série ISO/IEC 15408 et l'ISO/IEC 18045
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
Reference number
ISO/IEC DTS 9569:2023(E)
© ISO/IEC 2023
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
4.1 Background information
4.2 Proposed approach
4.3 Nonpublic vulnerabilities
5 Patch mana
...
ISO/IEC DTS 9569:2023(E)
ISO/IEC JTC 1/SC 27
Date: 2023-07-28
Secretariat: DIN
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Patch Management Extension for the ISO/IEC 15408 series and ISO/IEC 18045
WD stage
Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.
To help you, this guide on writing standards was produced by the ISO/TMB and is available at
https://www.iso.org/iso/how-to-write-standards.pdf
A model manuscript of a draft International Standard (known as “The Rice Model”) is available at
https://www.iso.org/iso/model_document-rice_model.pdf
Contents
Foreword
Introduction
1 Scope
2 Normative references
...