ISO/IEC TR 15443-3:2007

TECHNICAL ISO/IEC
REPORT TR
15443-3
First edition
2007-12-15


Information technology — Security
techniques — A framework for IT security
assurance —
Part 3:
Analysis of assurance methods
Technologies de l'information — Techniques de sécurité — Un canevas
pour l'assurance de la sécurité dans les technologies de l'information —
Partie 3: Analyses des méthodes d'assurance



Reference number
ISO/IEC TR 15443-3:2007(E)
©
ISO/IEC 2007

---------------------- Page: 1 ----------------------
ISO/IEC TR 15443-3:2007(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2007
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO 2007 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 15443-3:2007(E)
Contents Page
Foreword. v
Introduction . vi
1 Scope .1
1.1 Purpose.1
1.2 Application .1
1.3 Field of Application.1
1.4 Limitations.1
2 Terms and definitions .1
3 Abbreviated terms .4
4 Understanding Assurance .4
4.1 Setting the assurance goal .4
4.2 Applying assurance methods.7
4.3 Assessing assurance results .12
4.4 Example .14
5 Comparing, selecting and composing assurance.14
5.1 Selecting the assurance approach .14
5.2 Composing assurance methods .16
5.3 Comparing assurance methods.17
5.4 Focus on assurance properties .18
6 Guidance.23
6.1 Developmental Assurance (DA) .24
6.2 Integration Assurance (IA).25
6.3 Operational Assurance (OA).29
Annex A — Tabular comparisons .33
A.1 Methods and their target groups.33
A.2 Available Assurance Methods.34
Annex B — Assurance properties of selected methods.35
B.1 ISO/IEC 15408.35
B.2 ISO/IEC 19790.38
B.3 ISO/IEC 21827.40
B.4 ISO/IEC 13335.41
B.5 ISO/IEC 27001 and ISO/IEC 27002.43
B.6 IT Baseline Protection Manual.46
B.7 COBIT.48
B.8 ISO 9000.50
Annex C — Composition of assurance methods .53
C.1 ISO/IEC 15408 + IT Baseline Protection Manual .53
C.2 ISO/IEC 27002 + IT Baseline Protection.53
C.3 ISO/IEC 27001 and ISO/IEC 27002.53
C.4 ISO/IEC 27002 + ISO 9000 .54
C.5 COBIT + IT Baseline Protection.54
Annex D — Case Studies .55
D.1 A chip-card manufacturer's assurance composition strategy.55
D.2 A service provider assures the upgrade of business processes .56
Annex E — Determination of the assurance goal .57
E.1 Risk Assessment .57
© ISO 2007 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 15443-3:2007(E)
E.2 Risk Management. 57
E.3 Security Model. 58
E.4 Organizational security policy. 59
E.5 Applicable Assurance goal . 60
E.6 Security Measures . 60
E.7 Example: ISO/IEC 15408 . 61
Bibliography . 62

iv © ISO 2007 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 15443-3:2007(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
– type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
– type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
– type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 15443-3, which is a Technical Report of type 3, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 27, IT Security techniques.
ISO/IEC TR 15443 consists of the following parts, under the general title Information technology ― Security
techniques — A framework for IT security assurance:
– Part 1: Overview and framework
– Part 2: Assurance methods
– Part 3: Analysis of assurance methods

© ISO 2007 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 15443-3:2007(E)
Introduction
The objective of this Technical Report is to present a variety of assurance methods, and to guide the IT
Security Professional in the selection of an appropriate assurance method (or combination of methods) to
achieve confidence that a given deliverable satisfies its stated IT security assurance requirements. This report
examines assurance methods and approaches proposed by various types of organisations whether they are
approved or de-facto standards.
In pursuit of this objective, this Technical Report comprises the following:
– a framework model to position existing assurance methods and to show their relationships;
– a collection of assurance methods, their description and reference;
– a presentation of common and unique properties specific to assurance methods;
– qualitative, and where possible, quantitative comparison of existing assurance methods;
– identification of assurance schemes currently associated with assurance methods;
– a description of relationships between the different assurance methods; and
– guidance to the application, composition and recognition of assurance methods.
This Technical Report is organised in three parts to address the assurance approach, analysis, and
relationships as follows:
Part 1: Overview and framework provides an overview of the fundamental concepts and general description of
assurance methods. This material is aimed at understanding Part 2 and Part 3 of this Technical Report. Part 1
targets IT security managers and others responsible for developing a security assurance program,
determining the security assurance of their deliverable, entering an assurance assessment audit (e.g.
ISO 9000, ISO/IEC 21827, ISO/IEC 15408-3), or other assurance activities.
Part 2: Assurance methods describes a variety of assurance methods and approaches and relates them to the
security assurance framework model of Part 1. The emphasis is to identify qualitative properties of the
assurance methods that contribute to assurance. This material is catering to an IT security professional for the
understanding of how to obtain assurance in a given life cycle stage of deliverable.
Part 3: Analysis of assurance methods analyses the various assurance methods with respect to their
assurance properties. The analysis will aid the Assurance Authority in deciding the relative value of each
Assurance Approach and determining the assurance approach(es) that will provide the assurance results
most appropriate to their needs within the specific context of their operating environment. Furthermore, the
analysis will also aid the Assurance Authority to use the assurance results to achieve the desired confidence
of the deliverable. The material in this part targets the IT security professional who needs to select assurance
methods and approaches.
This Technical Report analyses assurance methods that may not be unique to IT security; however, guidance
given in this Technical Report will be limited to IT security requirements. Similarly, additional terms and
concepts defined in other International standardisation initiatives (i.e. CASCO) and International guides (e.g.
ISO/IEC Guide 2) will be incorporated, however, guidance will be provided specific to the field of IT security
and is not intended for general quality management and assessment, or IT conformity.
vi © ISO 2007 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 15443-3:2007(E)

Information technology — Security techniques — A framework
for IT security assurance —
Part 3:
Analysis of assurance methods
1 Scope
1.1 Purpose
The purpose of this part of ISO/IEC TR 15443 is to provide general guidance to an assurance authority in the
choice of the appropriate type of international communications techology (ICT) assurance methods and to lay
the framework for the analysis of specific assurance methods for specific environments.
1.2 Application
This part of ISO/IEC TR 15443 will allow the user to match specific assurance requirements and/or typical
assurance situations with the general characteristics offered by available assurance methods.
1.3 Field of Application
The guidance of this part of ISO/IEC TR 15443 is applicable to the development, implementation and
operation of ICT products and ICT systems with security requirements.
1.4 Limitations
Security requirements may be complex, assurance methods are of great diversity, and organisational
resources and cultures differ considerably.
Therefore the advice given in this part of ISO/IEC TR 15443 will be qualitative and summary, and the user
may need to analyse on his own which methods presented in Part 2 of this Technical Report will suit best his
specific deliverables and organisational security requirements.
2 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 15443-1,
ISO/IEC TR 15443-2 and the following apply.
2.1
assets
anything that has value to the organization
2.2
assessment
systematic examination of the extent to which an entity is capable of fulfilling specified requirements;
synonymous to evaluation when applied to a deliverable
[ISO/IEC 14598-1]
© ISO 2007 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC TR 15443-3:2007(E)
2.3
assessment method
action of applying specific documented assessment criteria to a deliverable for the purpose of determining
acceptance or release of that deliverable
2.4
assurance authority
person or organisation delegated the authority for decisions (i.e. selection, specification, acceptance,
enforcement) related to a deliverable’s assurance that ultimately leads to the establishment of confidence in
the deliverable
NOTE In specific schemes or organisations, the term for assurance authority could be different such as evaluation
authority.
2.5
assurance administrator
responsible (accountable) person for the selection, implementation, or acceptance deliverable
2.6
assurance goal
overall security expectations to be satisfied through application of formal and informal assessment activities
2.7
assurance concern
general type of assurance objective pursued by a major group of assurance authorities
NOTE In this part of ISO/IEC TR 15443, assurance concern is used for the purpose of establishing analyses and
conclusions for assurance guidance given to that group of users.
2.8
deliverable
IT security product, system, service, process, or environment factor (i.e. personnel, organisation) in particular
as object of an assurance assessment
NOTE 1 An object may be a Protection Profile (PP) or Security Target (ST) as defined by ISO/IEC15408-1.
NOTE 2 ISO 9000 holds that a service is a type of product and “product and/or service” when used in the ISO 9000
family of standards.
NOTE 3 For the purpose of this part of ISO/IEC TR 15443, and similar to the usage in ISO 9000, the term product will
generally be used in place of deliverable throughout the document.
2.9
environment
environment of life cycle process execution (i.e. people, facilities and other resources) and associated
environment assurance characteristics (e.g. reputation, certification)
NOTE In ISO/IEC TR 15443 environment assurance contrasts with product assurance and process assurance.
2.10
information security management system
ISMS
part of the overall management system based on business risk approach, to establish, implement, operate,
monitor, review, maintain and improve information security
[ISO/IEC 27001:2005, definition 3.7]
2.11
method
a way of performing something according to a plan to obtain reproducible results in a systematic and traceable
manner
2 © ISO 2007 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC TR 15443-3:2007(E)
2.12
metric
quantitative scale and method, which can be used for measurement
2.13
process capability
ability of a process to achieve a required goal
2.14
product
IT security product, system, service
NOTE 1 For the purpose of this part of ISO/IEC TR 15443, and similar to its usage in ISO 9000, the term product will
be used in place of deliverable throughout the document.
NOTE 2 The term product is synonymous with deliverable.
2.15
residual risk
risk remaining after risk treatment
2.16
risk assessment
overall process of risk analysis and risk evaluation
[ISO/IEC Guide 73:2002, definition 3.3.1]
NOTE 1 Risk evaluation is the process of comparing the estimated risk against given risk criteria to determine the
significance of the risk.
NOTE 2 For the purpose of this part of ISO/IEC TR 15443, risk assessment, risk analysis and threat-risk-analysis are
summarily called risk assessment.
2.17
risk treatment
process of selection and implementation of measures to modify risk
2.18
security
all aspects related to defining, achieving, and maintaining confidentiality, integrity, availability, non-repudiation,
accountability, authenticity, and reliability
[ISO/IEC 13335-1:2004, definition 2.11]
2.19
security objective
statement of intent to counter identified threats and/or satisfy identified organisation security policies and
assumptions
[ISO/IEC 15408-1:2005, definition 2.42]
2.20
security policy
set of rules internal to an organizational unit that regulate how this unit protects the management of its assets
conform to specified organizational objectives within its legal and cultural context
2.21
stage
period within the life cycle of a deliverable comprising processes and activities
NOTE Adapted from ISO/IEC 15288.
© ISO 2007 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC TR 15443-3:2007(E)
3 Abbreviated terms
For the purposes of this document, the abbreviated terms given in ISO/IEC TR 15443-1, ISO/IEC TR 15443-2
and the following apply.
COBIT Control Objectives for Information and related Technology, a method of ISACA
DA Developmental Assurance
IA Integration Assurance
ISACA Information Systems Audit and Control Association
ISSEA International Systems Security Engineering Association
OA Operation Assurance
ST Security Target
4 Understanding Assurance
Objective of assurance is to provide confidence that the product will operate securely in a given context. This
clause gives consideration to some basic issues while detail analysis and guidance is presented in the
remainder of this part of ISO/IEC TR 15443.
In terms of the concepts developed in Parts 1 and 2 of ISO/IEC TR 15443, this means that the product
satisfies a given assurance goal. This goal has to be set in a more or less formal manner. The user of
assurance has to be aware of the residual risk.
Confidence will be gained by use and interpretation of assurance results which may be already available or
which may be gained by the application of assurance methods. These methods need to be properly selected
and applied.
Numerous methods are available, and many are presented in Part 2 of ISO/IEC TR 15443. Some basic
aspects of their application is explained in 4.2.
The user of the assurance result may present a varying level of sophistication. This sophistication may guide
the associated level of rigor (refer to Subclause 4.2.1) of assurance methods, the extent application (refer to
Subclause 4.2.2), and the Life Cycle stages to be covered (refer to Subclause 4.2.3).
Particular attention is to be given to the assessment of an assurance result. To gain higher levels of
confidence formal assessment or certification may be required (refer to Subclause 4.3).
4.1 Setting the assurance goal
The assurance goals will depend on the assurance requirements to be satisfied:
– A product provider may have generic assurance requirements intended to satisfy the specific
requirements of more than one user, i.e. those of a user community of its product, system or service.
– A product user typically has very specific assurance requirements, usually depending on a specific
security policy of the user's organization.
The following explains this aspect and relates it to appropriate assurance offerings and use.
NOTE 1 The example comparison of Annex A.1 distinguishes between Hardware vendor, Software vendor, Network
provider, Server operator, Content provider and Enterprise as user. In this example, the vendors clearly belong to the first
group of assurance providers, and the user organization clearly belongs to the assurance user group. However, the others
are both providers and users of assurance.
4 © ISO 2007 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC TR 15443-3:2007(E)
NOTE 2 An organization may need to combine assurance results arising from two or more sources of assurance into a
consistent compound assurance result. This is an important aspect and will be covered in subclause 5.2 and 6.2.3.1 of this
Part of ISO/IEC 15443. This situation arises i.e. when multiple results of assurance are available to a user of assurance, or
when a provider of assurance is projecting the use of two or more assurance methods.
Subclauses 4.1.1 and 4.1.2 typically relate to the assurance of product during development and integration.
This difference of assurance concern is discussed in subclause 6.
NOTE 3 It is important to understand that the operation of a product typically is under the sole responsibility and
supervision of the user organization even if security services are subcontracted to a service provider. Therefore
subclauses 4.1.1 and 4.1.2 are not directly applicable to Operational Assurance.
4.1.1 Offering assurance
From the perspective of an organisation offering products, systems or services commercially (or to internal
customers) the appropriate assurance method(s) will differ based on the prospective user or user community,
their organizational size and expertise. Assurance will have to be customized according to these differences.
In particular, assurance has to be sufficiently generic if a community of users is the recipient.
Providing assurances usually is an important factor in terms of additional time-to-market and/or cost involved.
Organization providing assurance will have to weigh the benefit against its cost.
Given the above, the first two steps in the decision process are to identify:
– why the user might be willing to pay for assurance;
– to what purpose the user intends to put the assurance.
Taking these steps further we can derive customer assurance requirements and eventually derive the
applicable assurance methods.
Customer Assurance
Requirements
Product Assurance
Requirements
Assurance Methods

Figure 1 — Assurance Offering
In conclusion assurance may typically be offered as presented in Table 1.
The customer assurance requirements are identified in the form of assurance statement provided by the
assurance method.
The supporting assurance arguments and in particular their assurance rigor (refer to Table 3) must be taken
into consideration. The majority of assurance methods produce more than one type of assurance requirement
and the assurance rigor varies depending upon the method. Thus the combination of assurance methods
selected must be done carefully in order to ensure that the users’ assurance requirements and ultimately their
assurance goals are ultimately satisfied.
© ISO 2007 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC TR 15443-3:2007(E)
Table 1 — Assurance types offered
Required
Assurance offered Target customer Customer assurance requirements assessment
rigor
Content labelling;
Pass Through
End user meaningful and recognisable to the end Low
Assurance
user
Mark, label, seal;
labelling referring to generic assurance
needs;
Marketing
Generic user community presented in a very brief or encapsulated Low
Assurance
manner;
meaningful and recognisable to end user,
i.e. recognized "Quality Mark".
Proprietary form of assurance statement;
Internal
Internal customer provided internal to the organization and Any
Assurance
based on trust
Labelling including extensive supporting
External
Specific user community arguments and materials: High
Assurance
may have restricted circulation
Mark or Seal;
intended to create trust through belief;
meaningful and recognisable to end user,
i.e. recognized "Quality Mark".
Small Organisation
Small organisations Medium
Assurance
Note: Usually, due to their small
organizational size less expertise is
available to verify presented assurance
claims
Detailed assurance statement
Large Organisation
Large organisations High
Note: Expertise is available to verify
Assurance
assurance claims
Certificate or Fit-for-purpose statem
...