ISO/IEC 15408-4:2022

INTERNATIONAL ISO/IEC
STANDARD 15408-4
First edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security —
Part 4:
Framework for the specification of
evaluation methods and activities
Sécurité de l'information, cybersécurité et protection de la vie privée
— Critères d'évaluation pour la sécurité des technologies de
l'information —
Partie 4: Cadre prévu pour la spécification des méthodes d'évaluation
et des activités connexes
Reference number
© ISO/IEC 2022
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

Contents Page
Foreword .iv
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 General model of evaluation methods and evaluation activities .1
4.1 Concepts and model . 1
4.2 Deriving evaluation methods and evaluation activities . 3
4.3 Verb usage in the description of evaluation methods and evaluation activities . 5
4.4 Conventions for the description of evaluation methods and evaluation activities . 6
5 Structure of an evaluation method .6
5.1 Overview . 6
5.2 Specification of an evaluation method . 7
5.2.1 Overview . 7
5.2.2 Identification of evaluation methods . 8
5.2.3 Entity responsible for the evaluation method . 9
5.2.4 Scope of the evaluation method . 9
5.2.5 Dependencies . 9
5.2.6 Required input from the developer or other entities . 9
5.2.7 Required tool types . 10
5.2.8 Required evaluator competences . 10
5.2.9 Requirements for reporting . 10
5.2.10 Rationale for the evaluation method . 10
5.2.11 Additional verb definitions .12
5.2.12 Set of evaluation activities.12
6 Structure of evaluation activities .12
6.1 Overview .12
6.2 Specification of an evaluation activity .12
6.2.1 Unique identification of the evaluation activity .12
6.2.2 Objective of the evaluation activity .12
6.2.3 Evaluation activity links to SFRs, SARs, and other evaluation activities .13
6.2.4 Required input from the developer or other entities .13
6.2.5 Required tool types . 13
6.2.6 Required evaluator competences . 13
6.2.7 Assessment strategy .13
6.2.8 Pass/fail criteria . 14
6.2.9 Requirements for reporting . 15
6.2.10 Rationale for the evaluation activity . 15
Bibliography .16
iii
© ISO/IEC 2022 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
A list of all parts in the ISO/IEC 15408 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
iv
© ISO/IEC 2022 – All rights reserved

Legal notice
The governmental organizations listed below contributed to the development of this version of the
Common Criteria for Information Technology Security Evaluations. As the joint holders of the copyright
in the Common Criteria for Information Technology Security Evaluations (called CC), they hereby
grant non-exclusive license to ISO/IEC to use CC in the continued development/maintenance of the
ISO/IEC 15408 series of standards. However, these governmental organizations retain the right to use,
copy, distribute, translate or modify CC as they see fit.
Australia The Australian Signals Directorate
Canada Communications Security Establishment
France Agence Nationale de la Sécurité des Systèmes d'Information
Germany Bundesamt für Sicherheit in der Informationstechnik
Japan Information-technology Promotion Agency
Netherlands Netherlands National Communications Security Agency
New Zealand Government Communications Security Bureau
Republic of Korea National Security Research Institute
Spain Ministerio de Asuntos Económicos y Transformación Digital
Sweden FMV, Swedish Defence Materiel Administration
United Kingdom National Cyber Security Centre
United States The National Security Agency
v
© ISO/IEC 2022 – All rights reserved

Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security
evaluations, by providing a common set of requirements for the security functionality of IT
products and for assurance measures applied to these IT products during a security evaluation.
ISO/IEC 18045 provides a companion methodology for some of the assurance requirements specified in
the ISO/IEC 15408 series.
The model of security evaluation in ISO/IEC 15408-1 identifies that high-level generic evaluation
activities are defined in ISO/IEC 18045, but that more specific evaluation activities (EAs) can be defined
as technology-specific adaptations of these generic activities for particular evaluation contexts, e.g. for
security functional requirements (SFRs)or security assurance requirements (SARs) applied to specific
technologies or target of evaluation (TOE) types. Specification of such evaluation activities is already
occurring amongst practitioners and this creates a need for a specification for defining such evaluation
activities.
This document describes a framework that can be used for deriving evaluation activities from work
units of ISO/IEC 18045 and grouping them into evaluation methods (EMs). Evaluation activities
or evaluation methods can be included in protection profiles (PPs) and any documents supporting
them. Where a PP, PP-Configuration, PP-Module, package, or Security Target (ST) identifies that
specific evaluation methods/evaluation activities are to be used, then the evaluators are required
by ISO/IEC 18045 to follow and report the relevant evaluation methods/evaluation activities when
assigning evaluator verdicts. As noted in ISO/IEC 15408-1, in some cases an evaluation authority can
decide not to approve the use of particular evaluation methods/evaluation activities: in such a case,
the evaluation authority can decide not to carry out evaluations following an ST that requires those
evaluation methods/evaluation activities.
This document also allows for evaluation activities to be defined for extended SARs, in which case
derivation of the evaluation activities relates to equivalent action elements and work units defined
for that extended SAR. Where reference is made in this document to the use of ISO/IEC 18045 or
ISO/IEC 15408-3 for SARs (such as when defining rationales for evaluation activities), then, in the case
of an extended SAR, the reference applies instead to the equivalent action elements and work units
defined for that extended SAR.
For clarity, this document specifies how to define evaluation methods and evaluation activities but does
not itself specify instances of evaluation methods or evaluation activities.
The following NOTE appears in other parts of the ISO/IEC 15408 series and in ISO/IEC 18045 to describe
the use of bold and italic type in those documents. This document does not use those conventions, but
the NOTE has been retained for alignment with the rest of the series.
NOTE This document uses bold and italic type in some cases to distinguish terms from the rest of the text.
The relationship between components within a family is highlighted using a bolding convention. This convention
calls for the use of bold type for all new requirements. For hierarchical components, requirements are presented
in bold type when they are enhanced or modified beyond the requirements of the previous component. In
addition, any new or enhanced permitted operations beyond the previous component are also highlighted using
bold type.
The use of italics indicates text that has a precise meaning. For security assurance requirements the convention
is for special verbs relating to evaluation.
vi
© ISO/IEC 2022 – All rights reserved

INTERNATIONAL STANDARD ISO/IEC 15408-4:2022(E)
Information security, cybersecurity and privacy
protection — Evaluation criteria for IT security —
Part 4:
Framework for the specification of evaluation methods and
activities
1 Scope
This document provides a standardized framework for specifying objective, repeatable and
reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation
activities. These aspects are a matter for those originating the evaluation methods and evaluation
activities in their particular area of interest.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-1, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 1: Introduction and general model
ISO/IEC 15408-2, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 2: Security functional components
ISO/IEC 15408-3, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
ISO/IEC 18045, Information security, cybersecurity and privacy protection — Methodology for IT
security evaluation
3 Terms and definitions
For the purposes of this document, the terms and definitions in ISO/IEC 15408-1, ISO/IEC 15408-2,
ISO/IEC 15408-3, and ISO/IEC 18045 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www. iso. org/o bp
— IEC Electropedia: available at https:// www.e lectropedia. org/
4 General model of evaluation methods and evaluation activities
4.1 Concepts and model
ISO/IEC 18045 defines a generic set of work units that an evaluator carries out in order to reach a
verdict for most of the assurance classes, families and components defined in ISO/IEC 15408-3. The
© ISO/IEC 2022 – All rights reserved

relationship between the structure of a SAR in ISO/IEC 15408-3 and the work units in ISO/IEC 18045 is
described in ISO/IEC 18045 and summarized in Figure 1.
Figure 1 — Mapping of ISO/IEC 15408-3 and ISO/IEC 18045 structures to structures of this
document
For the purposes of defining new evaluation methods and evaluation activities, the main point to
note is that each action (representing an evaluator action element in ISO/IEC 15408-3 or an implied
evaluator action element) is represented in ISO/IEC 18045 as a set of work units that are carried out by
an evaluator.
This document specifies the ways in which new evaluation activities can be derived from the generic
work units in ISO/IEC 18045, and combined into an evaluation method that is intended for use in some
particular evaluation context. A typical example of such an evaluation context would be a particular
TOE type or particular technology type.
EXAMPLE 1
TOE type: a network device
Technology type: specific cryptographic functions
If evaluation methods and evaluation activities are required to be used with a particular PP, PP-Module,
PP-Configuration, then a PP or PP-Module or PP-Configuration shall identify this requirement in its
conformance statement. If evaluation methods and evaluation activities are required to be used with
a particular package, then the package shall identify this requirement in the security requirement
section. If Evaluation Methods and Evaluation Activities are claimed by an ST as a result of that ST
claiming conformance to a PP, PP-Configuration, or package, then the ST shall identify the EMs/EAs
used in its conformance claim. No formal claim of conformance to ISO/IEC 15408-4 is made in any of
these cases (the contents of PPs, PP-Modules, PP-Configurations and packages are described in more
detail in ISO/IEC 15408-1).
A PP, PP-Configuration, PP-Module or package may use more than one evaluation method or separate
set of evaluation activities.
EXAMPLE 2 Multiple evaluation methods can be used where separate evaluation methods have been defined
for cryptographic operations and for secure channel protocols used in a PP.
© ISO/IEC 2022 – All rights reserved

NOTE Where exact conformance is used, ISO/IEC 15408-1 states that evaluation methods/evaluation
activities are not allowed to be defined in a PP-Configuration: the evaluation methods/evaluation activities to be
used are included in the PPs and PP-Modules and not in the PP-Configuration).
When a PP, PP-Module, PP-Configuration, or package identifies that certain evaluation methods/
evaluation activities are to be used, then this is done using a standard wording that states the
requirement and references the definition of the evaluation methods/evaluation activities to be used.
An ST shall only identify required evaluation methods and evaluation activities that are included in
a PP, PP-Module, PP-Configuration or package to which the ST claims conformance (i.e. the ST itself
shall not add, modify or remove any evaluation methods or evaluation activities). An ST shall include
identification of all evaluation methods/evaluation activities that it requires (i.e. including any that are
required by PPs, PP-Modules, PP-Configurations, or packages to which the ST claims conformance), so
that there is a single list that can be checked and referenced by evaluators and readers of the ST.
Evaluation methods and evaluation activities may be defined within the document that requires them
(e.g. as part of a PP), or externally in a different document (or in a combination of both). Although
identification is required as described above, it is not necessary to reproduce the text of the evaluation
methods/evaluation activities in other documents (e.g, an ST does not have to include the full text of the
evaluation methods/evaluation activities from a PP to which it claims conformance).
4.2 Deriving evaluation methods and evaluation activities
In general, defining evaluation activities and evaluation methods may start either from an SAR, aiming
to make some or all parts of its work units more specific, or from an SFR, aiming to define specific
aspects of work units related to that SFR.
When starting from an SAR, a guideline for the process is as follows.
a) Identify the relevant ISO/IEC 18045 work units from which to derive at least one individual
evaluation activity or groups of evaluation activities.
b) For each work unit from which an evaluation activity is derived:
1) define the new evaluation activities in terms of the specific work to be carried out and
evaluation criteria as described in 6.2 (including, if required, pass/fail criteria as described in
6.2.8);
2) group evaluation activities into an evaluation method if necessary;
3) state the rationale for the new evaluation activities and the evaluation method under which
they are grouped as described in 5.2.10 and 6.2.10.
EXAMPLE A rationale can include reference to the developer action, and content and presentation
elements of the work units from which they are derived.
A guideline for starting from an SFR would be as follows.
a) Identify the relevant SFR.
b) Identify the SARs (from ISO/IEC 15408-3 or a set of extended SARs, or both) to be addressed for
that particular SFR, and the corresponding ISO/IEC 18045 work units.
c) Define the new evaluation activities in terms of the specific work to be carried out and evaluation
criteria as described in 6.2 (including, if required, pass/fail criteria as described in 6.2.8).
EXAMPLE Evaluation activities can be defined to examine the presentation of a specific SFR in the
TOE Summary Specification (derived from ASE), to examine the presentation of the SFR in the guidance
documentation (derived from AGD), and to carry out specific tests of the SFR (derived from ATE).
d) Map the affected work units for the SARs to the new evaluation activities.
© ISO/IEC 2022 – All rights reserved

e) State the rationale for the new evaluation activities, and the evaluation method under which they
are grouped, as described in 5.2.10 and 6.2.10.
Although an author may choose to start from SARs or SFRs, it is noted that SARs ultimately cover all
SFRs. Starting from SFRs as described above is a technique that can be useful when clarifying the detail
of how an SAR applies to a particular SFR, and that can be useful for presenting SFRs alongside the
description of their evaluation activities.
It is not required to have a 1:1 mapping between work units and new evaluation activities, and the
actual correspondence is documented in a rationale (as described in 5.2.10). The derivation may be
made in terms of individual work units or groups of work units, and this is depicted in Figure 2. In
case a) of Figure 2 the author maps each work unit from ISO/IEC 18045 to a corresponding evaluation
activity, while in case b) the author maps different numbers of work units and evaluation activities,
whilst still addressing all aspects of an action (i.e. the collection of work units).
Figure 2 — Alternative approaches to mapping ISO/IEC 18045 to derived evaluation activities
Other approaches are possible depending on the content of the specific work units and evaluation
activities: even where the same number of work units and evaluation activities exist, a simple 1:1
mapping is sometimes not possible and therefore a mapping at the action level may be appropriate.
Some more detailed mapping situations are described in the examples below.
NOTE These examples assume that the evaluation activities described are being defined by a community
that can judge the suitability of the rationale for completeness of the evaluation activities. The examples
are concerned only with the form and structure of the mappings, not with the nature or acceptance of the
completeness rationale.
EXAMPLE 1
© ISO/IEC 2022 – All rights reserved

For a TOE type that includes both software and hardware, additional evaluation activities can be defined to deal
with the manufacturing environment and its processes. Considering the ALC_DVS family, a possible approach
would be to adopt all the existing ALC_DVS work units for the software development environment and to define
additional evaluation activities for each of the relevant hardware and manufacturing aspects. These aspects can
include extensions of the normal ALC_DVS scope to additional items such as protection of hardware design in the
development environment, secure transfer of software from the development environment to the manufacturing
environment, security of the manufacturing site, and protection of the manufactured product while awaiting
delivery. They can also include new aspects related to objects and processes that arise only in the manufacturing
environment, such as:
— confirming that the firmware used on a manufacturing line is reliably obtained from the authorized version
created on the firmware build system;
— checking configuration management of test programs for testing the TOE on the manufacturing line;
— confirming that processes to disable test or debug interfaces on the TOE operate correctly and reliably;
— examining the physical and logical security of key management systems used to inject keys or certificates
into the TOE during manufacture.
In this example the original ALC_DVS.1.1E action is mapped to include all the new evaluation activities, but an
alternative approach would be to define additional evaluation activities for each individual work unit for ALC_
DVS.1E, identifying the additional activities to cover the manufacturing environment for that work unit.
EXAMPLE 2
If AVA_VAN.1 vulnerability analysis is applied to a particular type of TOE, where there is a specific need to
achieve consistency in the public domain vulnerability sources used then a possible approach would be to
define an evaluation activity that covers the AVA_VAN work unit dealing with searching public domain sources
by specifying the particular sources to be used, perhaps along with particular searches to be carried out and
decision criteria for selecting a resulting list of potential vulnerabilities to be analysed and tested. In this example
the original AVA_VAN.1-3 work unit is mapped to the new evaluation activity.
EXAMPLE 3
For an evaluation method to be used with hardware such as an integrated circuit, evaluation activities can be
defined to examine the circuit's architecture, defining required inputs that give the evaluator specific details
about the operations and information available through the circuit’s interfaces. The definition of these required
inputs can then make clear that the relevant interfaces include the circuit's physical surface, its executable
programming instructions, and its communication interfaces.
Further evaluation activities within the evaluation method can examine the circuit's resistance against physical
probing in order to prevent manipulating or disabling TSF features.
For testing activities, evaluation activities within the evaluation method can define a required input that presents
the circuit's design as a flow chart of security functions permeating through the circuit's subsystems. The flow
chart can then be used by the evaluator to create test cases and to confirm the test coverage of the circuit.
EXAMPLE 4
For a TOE type such as a network device that provides cryptographically verifiable firmware updates, evaluation
activities can give specific details of how the evaluator is required to review the Security Target and guidance
documentation to confirm certain specific characteristics required of the cryptographic update process.
Other evaluation activities can define specific test cases covering the verification of the current firmware, the
availability of updates, fetching updates, verifying the source of the updates using cryptographic signatures, and
the use of specific types of invalid update in order to test the TOE's acceptance functions.
4.3 Verb usage in the description of evaluation methods and evaluation activities
Where a verb is defined in ISO/IEC 15408-1 then the description of evaluation activities shall use those
verbs only in accordance with the definitions. Alternative verbs may be used in an evaluation method
for use in its evaluation activities provided that the alternative verbs are defined in the evaluation
© ISO/IEC 2022 – All rights reserved

method. Any such verb definition shall make clear the extent to which evaluator judgement (as opposed
to simple checking) is involved.
EXAMPLE An evaluation method that includes automated test generation for a protocol can define a verb
“cover”, applied to enumerated types in a protocol parameter, to mean trying all defined and undefined values of
the parameter within the available parameter length. Then evaluation activities can be written in forms such as
“The evaluator shall cover the PaymentMode field”.
Evaluator action verbs such as check, examine, report and record are used in this document with the
meanings defined in ISO/IEC 15408-1.
4.4 Conventions for the description of evaluation methods and evaluation activities
The paragraphs below describe conventions used in ISO/IEC 15408-3 and ISO/IEC 18045 that support
consistency in the description of evaluation methods and evaluation activities.
All work unit and sub-task verbs are preceded by the auxiliary verb “shall” and by presenting both the
verb and the “shall” in bold italic type face. The auxiliary verb “shall” is used only when the provided
text is mandatory and therefore only within the work units and sub-tasks. The work units and sub-
tasks contain mandatory activities that the evaluator must perform in order to assign verdicts.
Guidance text accompanying work units and sub-tasks gives further explanation on how to apply the
work units and sub-tasks in an evaluation.
5 Structure of an evaluation method
5.1 Overview
An evaluation method and its constituent evaluation activities are defined for use in a particular
evaluation context. For example, separate evaluation methods may be defined for specific technology
areas which can range from specific functions up to specific product types or even. in extreme cases, for
a specific product when the product is evaluated for unique features but where there is a requirement
to have the product evaluated using a separately defined method that supports visibility, repeatability
and reproducibility of the evaluation.
EXAMPLE Evaluation contexts for which separate evaluation methods can be defined are:
— specific product types like network devices, smart cards, biometric devices, mobile devices;
— specific security functions reused for multiple product types, such as cryptographic functions, cryptographic
protocols, digital certificate validation, identification and authentication schemes.
An evaluation method comprises a collection of individual evaluation activities, with additional
information about the way in which the evaluation activities collectively meet a goal related to an
identified evaluation context.
The description of an evaluation method includes:
a) identification of the entity that is responsible for definition and maintenance of the evaluation
method;
b) the intended scope of the evaluation method, identifying the objective for deriving the evaluation
activities in the evaluation method, the evaluation context in which it is intended to be applied, and
any known limitation of, or aspects not intended to be covered by, the evaluation method;
c) any tool types and/or evaluator competences required to carry out the evaluation activities
contained in the evaluation method;
d) any requirements for reporting on the results of applying the evaluation method;
© ISO/IEC 2022 – All rights reserved

e) identification of each work unit in ISO/IEC 18045 (or equivalent for an extended SAR) that is
addressed by the evaluation activities in the evaluation method;
f) identification of any extended SARs from which an evaluation method is derived (if applicable);
g) any additional verbs used in the description of evaluation activities in place of verbs defined in
ISO/IEC 15408-1.
Further description of the content, including identification of which content elements are mandatory,
and how content elements may be distributed between evaluation method and its evaluation activities,
is given in 5.2 and 6.2 and is summarised in Table 1. Where a content element is optional (e.g.
identification of specific evaluator competences, or required tool types), then that part may simply be
omitted from the relevant definition: it is not necessary to include a blank section.
5.2 Specification of an evaluation method
5.2.1 Overview
An evaluation method is specified in terms of the information identified in 5.2.2 to 5.2.12. No specific
format is required for providing or presenting this information, except where stated for individual
elements in 5.2.2 to 5.2.12. The purpose of specifying the description of an evaluation method in 5.2.2 to
5.2.12 is to ensure that the assurance techniques used in an evaluation can be unambiguously identified,
and that the evaluation method is used appropriately (in the context for which it was intended) and in a
way that supports consistent evaluation results.
In general, the description of an evaluation method can be taken to include the descriptions of the
individual evaluation activities that it contains. This means that aspects of the evaluation method
description may be deduced from the evaluation activity descriptions.
Figure 3 illustrates the content described in this document for an evaluation method. It does not define
a mandatory structure for describing an evaluation method.
Figure 3 — Contents of an evaluation method
© ISO/IEC 2022 – All rights reserved

The contents shown in Figure 3 are described in more detail in 5.2 and 6.2, and a summary of the
mandatory and optional requirements for specifying evaluation methods and evaluation activities is
given in Table 1.
Table 1 — Distribution of content between evaluation method (EM) and evaluation activities
(EA)
Content element Evaluation method Evaluation activity
Identifier Mandatory Mandatory
Entity Responsible Mandatory N/A
Scope Mandatory N/A
Dependencies Optional at EM or EA level
Required inputs Mandatory at EM or EA level
Required tool types Optional at EM or EA level
Required evaluator competences Optional at EM or EA level
Requirements for reporting Optional at EM or EA level
Rationale Mandatory at EM or EA level
Evaluation activities Mandatory N/A
Additional verb definitions Optional N/A
Objective N/A Mandatory
Evaluation activity links to SFRs, N/A Optional
SARs and other evaluation activities
Assessment strategy N/A Mandatory
Pass/fail criteria N/A Optional
N/A: not applicable to the evaluation method or evaluation activity.
5.2.2 Identification of evaluation methods
The definition of an evaluation method shall include a unique identifier in order to unambiguously
identify the set of evaluation activities to be applied in any given evaluation. An identifier should be
assigned at the evaluation method level (rather than just at the level of the evaluation activities it
contains), reflecting the fact that an evaluation method is intended to be applied as a whole, and is
subject to rationale and defined purpose and objectives at this level. If a set of evaluation activities has
been grouped into an evaluation method, then it shall only be identified as the same evaluation method
when the complete set of evaluation activities in the evaluation method is used, with the same rationale
as contained in the original evaluation method. If there is a need to divide the evaluation method into
smaller subsets of evaluation activities, then a separate evaluation method, with its own rationale, shall
be defined for each subset.
EXAMPLE 1 A unique identifier expressed by the title and version number of a supporting document or PP
containing the evaluation method.
EXAMPLE 2 An identifier obtained from a registration authority.
As described in 5.2.10, an evaluation method may be overlain by another evaluation method (e.g. for
use in other PPs or PP-Modules). In such a case, if the original evaluation method rationale still holds (as
described in 5.2.10), then the identifier of the original evaluation method shall be used. However, if the
rationale is changed as part of the overlay, then a separate identifier defined in the relevant PP-Module,
PP-Configuration or PP shall be used. The intention here is to ensure that a significant change to the
rationale results in a different identifier being used.
© ISO/IEC 2022 – All rights reserved

5.2.3 Entity responsible for the evaluation method
The definition of an evaluation method shall state the entity that is responsible for definition and
maintenance of the evaluation method.
EXAMPLE Examples of responsible entities are evaluation authorities, standards bodies, industry working
groups, or technical communities.
5.2.4 Scope of the evaluation method
The definition of an evaluation method shall describe its scope, including:
a) the objective of the evaluation method in terms of a brief statement summarising the assurance
goals and a high-level statement of how these are implemented by the evaluation activities within
the evaluation method;
b) the evaluation context in which the evaluation method is intended to be applied. For example,
this can describe a TOE type such as a smart card or network device, or a type of function such
as cryptographic functions using certain algorithms and modes applied to certain types of data
transmission and data storage;
c) any known limitation of the evaluation method, or aspects not intended to be covered by the
evaluation method.
Evaluation activities can be defined to apply specifically to one or more SFRs. When an evaluation
method includes such SFR-specific evaluation activities, then a subsection of the scope shall identify the
individual SFRs that the evaluation method is defined to address and the location where the SFRs are
defined (e.g. ISO/IEC 15408-2 or extended SFRs defined in a PP). For extended SFRs that are not defined
in ISO/IEC 15408-2, the identification of the location is particularly important since the same SFR name
can be used in different sources to refer to SFRs with different content (if the evaluation method is not
specific to any SFRs, then this subsection is not required).
Similarly, evaluation activities can be defined to apply specifically to one or more extended SARs (i.e.
SARs that are not defined in ISO/IEC 15408-3). When an evaluation method includes such evaluation
activities, then a subsection of the scope shall identify the relevant extended SARs and the location
where they are defined (e.g. in a PP). As with extended SFRs, the identification of the location is
particularly important since the same SAR name can be used in different sources to refer to SARs with
different content (if the evaluation method does not apply to any extended SARs, then this subsection is
not required).
NOTE The rationale for completeness of the evaluation method (see 5.2.10) can give further information
relevant to the scope of the evaluation method.
5.2.5 Dependencies
The definition of an evaluation method shall describe any dependencies on other evaluation methods,
evaluation activities or on some of the generic actions in ISO/IEC 18045.
EXAMPLE An evaluation method that relies on information obtained from some other developer action
element in ISO/IEC 15408-3 or some action in ISO/IEC 18045.
Dependencies may be identified either at the level of the evaluation method, or at the level of an
individual evaluation activity contained within the evaluation method.
5.2.6 Required input from the developer or other entities
The definition of an evaluation method shall identify any developer input required to perform the
evaluation activity. This may be done either at the level of the evaluation method, or at the level of
an individual evaluation activity included in the evaluation method. The description of the inputs may
also be made by reference to those defined for the generic SAR from which the evaluation activities are
© ISO/IEC 2022 – All rights reserved

derived, as defined in ISO/IEC 15408-3 (or the equivalent generic definition if dealing with an extended
SAR).
EXAMPLE The inputs for an evaluation method dealing with media encryption TOEs can define a
requirement for description of particular details of a key hierarchy.
5.2.7 Required tool types
If the evaluation activities require any tool types, then those shall be listed as part of the definition of
the evaluation method. The tool types may be identified either at the level of the evaluation method, or
at the level of an individual evaluation activity contained within the evaluation method.
5.2.8 Required evaluator competences
An evaluation method may identify specific evaluator competences required for its evaluation activities
[3]
(see Bibliographic entry ). If specific evaluator competences are identified, then this may be done
either at the level of the evaluation method, or at the level of individual evaluation activities contained
within the evaluation method (or a combination of both).
5.2.9 Requirements for reporting
The description of the evaluation method may include a description of reporting requirements. This
description may be given at the level of the evaluation method, at the level of individual evaluation
activities, or at both levels.
EXAMPLE 1 The evaluation method level can give general reporting requirements, but with some evaluation
activities also requiring particular observations, justifications, or answers to specific questions to be included.
Any stated requirements for reporting shall be consistent with the req
...