iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO/IEC TS 24462:2024

(Main)

Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment

Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment

This document defines an inventory of building blocks conceptually associated with different types of assessments of information and communication technology (ICT) trustworthiness. These assessments apply to areas such as governance, risk management, security evaluation, secure development lifecycle (SDL), supply chain integrity and privacy. This document also defines an ontology that organizes these building blocks and provides instructions for using the inventory of building blocks and the ontology. Formalizing the types, categories, and structural characteristics of building blocks in the area of ICT trustworthiness assessment aims to increase efficiency and improve future harmonization in standards development and their use. Building blocks can refer to structural components as well as semantic components. These components can be connected to a variety of concepts and activities related to trustworthiness assessments, including process related, such as traceability or elements of assessment methodologies.

Sécurité de l'information, cybersécurité et protection de la vie privée — Blocs de construction pour l'ontologie de l'évaluation de la sécurité et des risques

General Information

Status
Published
Publication Date
04-Mar-2024
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1 - Information technology
Drafting Committee
ISO/IEC JTC 1/WG 13 - Trustworthiness
Current Stage
6060 - International Standard published
Start Date
05-Mar-2024
Due Date
13-Sep-2023
Completion Date
05-Mar-2024
Ref Project

Buy Standard

ISO/IEC TS 24462:2024 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:5. 03. 2024ISO/IEC TS 24462:2024 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:5. 03. 2024
PreviousNext
Technical specification
ISO/IEC TS 24462:2024 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:5. 03. 2024
English language
41 pages
sale 15% off
Preview
sale 15% off
Preview
ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023
PreviousNext
Draft
ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023
English language
43 pages
sale 15% off
Preview
sale 15% off
Preview
REDLINE ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023REDLINE ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023
PreviousNext
Draft
REDLINE ISO/IEC DTS 24462 - Information security, cybersecurity and privacy protection — Ontology building blocks for security and risk assessment Released:20. 11. 2023
English language
43 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)

Technical
Specification
ISO/IEC TS 24462
First edition
Information security, cybersecurity
2024-03
and privacy protection — Ontology
building blocks for security and risk
assessment
Sécurité de l'information, cybersécurité et protection de la vie
privée — Blocs de construction pour l'ontologie de l'évaluation de
la sécurité et des risques
Reference number
ISO/IEC TS 24462:2024(en) © ISO/IEC 2024

---------------------- Page: 1 ----------------------
ISO/IEC TS 24462:2024(en)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland

© ISO/IEC 2024 – All rights reserved
ii

---------------------- Page: 2 ----------------------
ISO/IEC TS 24462:2024(en)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms. 3
5 Background . 4
6 Methodology . 4
7 Building blocks: collection and structure . 7
7.1 General .7
7.2 Application security assessment .8
7.3 Risk assessment .8
7.4 Application security controls validation .9
7.5 Risk analysis .9
8 Ontology capturing relationships among BBs . 10
8.1 General .10
8.2 Building block: application security assessment . 13
8.3 Building block: risk assessment .
...

FINAL
TECHNICAL ISO/IEC DTS
DRAFT
SPECIFICATION 24462
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection — Ontology
Voting begins on:
2023-12-04 building blocks for security and risk
assessment
Voting terminates on:
2024-01-29
RECIPIENTS OF THIS DRAFT ARE INVITED TO
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
Reference number
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO-
ISO/IEC DTS 24462:2023(E)
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN-
DARDS TO WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS. © ISO/IEC 2023

---------------------- Page: 1 ----------------------
ISO/IEC DTS 24462:2023(E)
FINAL
TECHNICAL ISO/IEC DTS
DRAFT
SPECIFICATION 24462
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection — Ontology
Voting begins on:
building blocks for security and risk
assessment
Voting terminates on:
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
RECIPIENTS OF THIS DRAFT ARE INVITED TO
ISO copyright office
SUBMIT, WITH THEIR COMMENTS, NOTIFICATION
OF ANY RELEVANT PATENT RIGHTS OF WHICH
CP 401 • Ch. de Blandonnet 8
THEY ARE AWARE AND TO PROVIDE SUPPOR TING
CH-1214 Vernier, Geneva
DOCUMENTATION.
Phone: +41 22 749 01 11
IN ADDITION TO THEIR EVALUATION AS
Reference number
Email: copyright@iso.org
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/IEC DTS 24462:2023(E)
Website: www.iso.org
LOGICAL, COMMERCIAL AND USER PURPOSES,
DRAFT INTERNATIONAL STANDARDS MAY ON
Published in Switzerland
OCCASION HAVE TO BE CONSIDERED IN THE
LIGHT OF THEIR POTENTIAL TO BECOME STAN­
DARDS TO WHICH REFERENCE MAY BE MADE IN
ii
  © ISO/IEC 2023 – All rights reserved
NATIONAL REGULATIONS. © ISO/IEC 2023

---------------------- Page: 2 ----------------------
ISO/IEC DTS 24462:2023(E)
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms.4
5 Background . 4
6 Methodology .5
7 Building blocks: collection and structure . 7
7.1 General . 7
7.2 Application security assessment . 9
7.3 Risk assessment .
...

Style Definition
ISO/IEC DTS 24462:2023(XE) .
Formatted: Font: 11 pt, English (United Kingdom)
ISO/IEC JTC 1/SC27/WG3
Formatted
...
Secretariat: DIN Formatted: zzCover, Left
Formatted
...
Date: 2023-08-2811-20
Formatted: Font: Not Bold
Formatted: zzCover, Left, Space After: 0 pt, Don't
Information Security, Cybersecuritysecurity, cybersecurity and Privacy
adjust space between Latin and Asian text, Don't adjust
Protectionprivacy protection — Ontology Building Blocksbuilding blocks for
space between Asian text and numbers
Securitysecurity and Risk Assessmentrisk assessment
Formatted: Font: 11 pt
Formatted: zzCover, Line spacing: single, Don't adjust
space between Latin and Asian text, Don't adjust space
between Asian text and numbers
Formatted
...

WD/CD/DIS/FDIS stage

Warning for WDs and CDs
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation.


A model manuscript of a draft International Standard (known as “The Rice Model”) is available at
https://www.iso.org/iso/model_document-rice_model.pdf

© ISO #### – All rights reserved

---------------------- Page: 1 ----------------------
© ISO 20XX

---------------------- Page: 2 ----------------------
ISO/IEC TS DTS 24462:2023(XE)
Formatted: Font: 11.5 pt, Bold
Formatted: Normal
Formatted: Font: 11.5 pt, Bold
© ISO 2023
Formatted: Font: 11.5 pt, Bold
Formatted
All rights reserved. Unless otherwise specified, or required in the context of its implementation,
no part of this publication may be reproduced or utilized otherwise in any form or by any means,
Formatted: Font: 11 pt, Font color: Blue
electronic or mechanical, including photocopying, or posting on the internet or an intranet,
Formatted: Indent: Left: 0 pt, Right: 0 pt, Border: Left:
without prior written permission. Permission can be requested from either ISO at the address
(No border), Right: (No border)
below or ISO’sISO's member body in the country of the requester.
Formatted: Font: 11 pt, Font color: Blue
ISO copyright officeCopyright Office
Formatted: Font: 11 pt, Font color: Blue
Formatted: Font: 11 pt, Font color: Blue
CP 401 • Ch. de Blandonnet 8
Formatted: Font: 11 pt
CH-1214 Vernier, Geneva
Formatted: Font: 11 pt, Font color: Blue
Phone: + 41 22 749 01 11
Formatted: Font: 11 pt, Font color: Blue
Formatted: Indent: Left: 0 pt, First line: 0 pt, Right: 0
Email: copyright@iso.org
pt, Border: Left: (No border), Right: (No border)
Email: copyright@iso.org
Formatted: Font: 11 pt, Font color: Blue, English
Website: www.iso.orgwww.iso.org (United Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English
Published in Switzerland.
(United Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English
(United Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English
(United Kingdom)
Formatted: Indent: Left: 0 pt, First line: 0 pt, Right: 0
pt, Border: Bottom: (No border), Left: (No border),
Right: (No border)
Formatted: Font: 11 pt, Font color: Blue, English
(United Kingdom)
Formatted: Font: 11 pt, Font color: Blue, English
(United Kingdom)
Formatted: Font: 11 pt
Formatted: Space After: 0 pt, Line spacing: single
2 © ISO #### – All rights reserved
ii © ISO/IEC 2023 – All rights reserved

---------------------- Page: 3 ----------------------
ISO TS /IEC DTS 24462:2023(XE)
Formatted: Font: 11.5 pt, Bold
Formatted: Font: 11.5 pt, Bold
Formatted: Normal
Formatted: Font: 11.5 pt, Bold
Formatted: Space Before: 48 pt, Don't adjust space
Contents
between Latin and Asian text, Don't adjust space
between Asian text and numbers
This template allows you to work with default MS Word functions and styles. You can use these if you want
to maintain the Table of Contents automatically and apply auto-numbering.
To update the Table of Contents please select it and press "F9".


Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Symbols and abbreviated terms .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 20243-2:2023(Main)
Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 2: Assessment procedures for the O-TTPS

ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider? Standard (O-TTPS).1 These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.

  • Standard
    50 pages
    English language
    sale 15% off
  • Draft
    50 pages
    English language
    sale 15% off
ISO
ISO/IEC 20243-1:2023(Main)
Information technology — Open Trusted Technology ProviderTM Standard (O-TTPS) — Part 1: Requirements and recommendations for mitigating maliciously tainted and counterfeit products

ISO/IEC 20243-1:2018 (O-TTPS) is a set of guidelines, requirements, and recommendations that address specific threats to the integrity of hardware and software COTS ICT products throughout the product life cycle. This release of the Standard addresses threats related to maliciously tainted and counterfeit products. The provider's product life cycle includes the work it does designing and developing products, as well as the supply chain aspects of that life cycle, collectively extending through the following phases: design, sourcing, build, fulfillment, distribution, sustainment, and disposal. While this Standard cannot fully address threats that originate wholly outside any span of control of the provider ? for example, a counterfeiter producing a fake printed circuit board assembly that has no original linkage to the Original Equipment Manufacturer (OEM) ? the practices detailed in the Standard will provide some level of mitigation. An example of such a practice would be the use of security labeling techniques in legitimate products.

  • Standard
    31 pages
    English language
    sale 15% off
  • Draft
    31 pages
    English language
    sale 15% off
ISO
ISO/IEC 21964-1:2018(Main)
Information technology — Destruction of data carriers — Part 1: Principles and definitions

This standard defines terms and principles for the destruction of data carriers.

  • Standard
    6 pages
    English language
    sale 15% off
ISO
ISO/IEC 21964-3:2018(Main)
Information technology — Destruction of data carriers — Part 3: Process of destruction of data carriers

This standard defines the requirements for the process of destruction of data carriers and is applicable for the responsible authority and for all parties who are involved in the destruction process.

  • Standard
    8 pages
    English language
    sale 15% off
ISO
ISO/IEC 21964-2:2018(Main)
Information technology — Destruction of data carriers — Part 2: Requirements for equipment for destruction of data carriers

This standard applies to machines for the destruction of data carriers. This standard specifies the requirements for machines in order to ensure the safe destruction of data carriers.

  • Standard
    9 pages
    English language
    sale 15% off
ISO
ISO/IEC 20648:2016(Main)
Information technology — TLS specification for storage systems

ISO/IEC 20648:2016 details the requirements for use of the Transport Layer Security (TLS) protocol in conjunction with data storage technologies. The requirements set out in this specification are intended to facilitate secure interoperability of storage clients and servers as well as non-storage technologies that may have similar interoperability needs. ISO/IEC 20648:2016 is relevant to anyone involved in owning, operating or using data storage devices. This includes senior managers, acquirers of storage product and service, and other non-technical managers or users, in addition to managers and administrators who have specific responsibilities for information security and/or storage security, storage operation, or who are responsible for an organization's overall security program and security policy development. It is also relevant to anyone involved in the planning, design and implementation of the architectural aspects of storage security.

  • Standard
    11 pages
    English language
    sale 15% off
ISO
ISO/IEC 11889-1:2015(Main)
Information technology — Trusted platform module library — Part 1: Architecture

ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance for platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements. ISO/IEC 11889-1:2015 illustrates TPM security and privacy techniques in the context of a platform through the use of cryptography. It includes definitions of how different cryptographic techniques are implemented by a TPM. The scope of ISO/IEC 11889 does not include cryptographic analysis or guidance about the applicability of different algorithms for specific uses cases. TPM requirements in ISO/IEC 11889-1:2015 are general, covering concepts like integrity protection, isolation and confidentially. Defining a specific strength of function or assurance level is out of scope for ISO/IEC 11889. This approach limits the guarantees provided by ISO/IEC 11889 itself, but it does allow the TPM architectural elements defined to be adapted to meet diverse implementation and platform specific needs.

  • Standard
    257 pages
    English language
    sale 15% off
ISO
ISO/IEC 11889-3:2015(Main)
Information technology — Trusted Platform Module Library — Part 3: Commands

ISO/IEC 11889 contains the definitions of the Trusted Platform Module (TPM) commands. These commands make use of the constants, flags, structures, and union definitions defined in ISO/IEC 11889-2. The detailed description of the operation of the commands is written in the C language with extensive comments. The behavior of the C code in this ISO/IEC 11889-3:2015 is normative but does not fully describe the behavior of a TPM. The combination of this ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 is sufficient to fully describe the required behavior of a TPM. ISO/IEC 11889-3:2015 and ISO/IEC 11889-4 is written to define the behavior of a compliant TPM. In some cases it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in this part of ISO/IEC 11889 would be compliant.

  • Standard
    457 pages
    English language
    sale 15% off
ISO
ISO/IEC 11889-4:2015(Main)
Information technology — Trusted Platform Module Library — Part 4: Supporting Routines

ISO/IEC 11889-4:2015 contains C code that describes the algorithms and methods used by the command code in ISO/IEC 11889-3. The code in ISO/IEC 11889-4:2015 augments ISO/IEC 11889-2 and ISO/IEC 11889-3 to provide a complete description of a TPM, including the supporting framework for the code that performs the command actions. Any code in ISO/IEC 11889-4:2015 may be replaced by code that provides similar results when interfacing to the action code in ISO/IEC 11889-3. The behavior of code in this ISO/IEC 11889-4:2015 that is not included in an annex is normative, as observed at the interfaces with ISO/IEC 11889-3 code. Code in an annex is provided for completeness, that is, to allow a full implementation of ISO/IEC 11889 from the provided code. The code in ISO/IEC 11889-3 and this ISO/IEC 11889-4:2015 is written to define the behavior of a compliant TPM. In some cases (e.g., firmware update), it is not possible to provide a compliant implementation. In those cases, any implementation provided by the vendor that meets the general description of the function provided in ISO/IEC 11889-3 would be compliant. The code in ISO/IEC 11889-3 and this ISO/IEC 11889-4:2015 is not written to meet any particular level of conformance nor does ISO/IEC 11889 require that a TPM meet any particular level of conformance.

  • Standard
    556 pages
    English language
    sale 15% off
ISO
ISO/IEC 11889-2:2015(Main)
Information technology — Trusted Platform Module Library — Part 2: Structures

ISO/IEC 11889-2:2015 contains the definitions of the constants, flags, structure, and union definitions used to communicate with the TPM. Values defined in ISO/IEC 11889-2:2015 are used by the TPM commands defined in ISO/IEC 11899-3 and by the functions in ISO/IEC 11889-4.

  • Standard
    159 pages
    English language
    sale 15% off