ISO/IEC FDIS 15408-4

FINAL DRAFT
International
Standard
ISO/IEC
FDIS
15408-4
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
2025-12-08
Part 4:
Voting terminates on:
2026-02-02
Framework for the specification of
evaluation methods and activities
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 4: Cadre prévu pour la spécification des méthodes
d'évaluation et des activités connexes
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/CEN PARALLEL PROCESSING LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
Reference number
ISO/IEC FDIS 15408­4:2025(en) © ISO/IEC 2025

FINAL DRAFT
International
Standard
ISO/IEC
FDIS
15408-4
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
Part 4:
Voting terminates on:
Framework for the specification of
evaluation methods and activities
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 4: Cadre prévu pour la spécification des méthodes
d'évaluation et des activités connexes
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
© ISO/IEC 2025
IN ADDITION TO THEIR EVALUATION AS
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO­
ISO/CEN PARALLEL PROCESSING
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
or ISO’s member body in the country of the requester.
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ISO/IEC FDIS 15408­4:2025(en) © ISO/IEC 2025

© ISO/IEC 2025 – All rights reserved
ii
Contents Page
Foreword .iv
Introduction .v
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
4 General model of evaluation methods and evaluation activities . 2
4.1 Concepts and model .2
4.2 Deriving evaluation methods and evaluation activities .3
4.3 Verb usage in the description of evaluation methods and evaluation activities .6
4.4 Conventions for the description of evaluation methods and evaluation activities .6
5 Structure of an evaluation method . 6
5.1 Overview .6
5.2 Specification of an evaluation method .7
5.2.1 Overview .7
5.2.2 Identification of evaluation methods .8
5.2.3 Entity responsible for the evaluation method .8
5.2.4 Scope of the evaluation method .9
5.2.5 Dependencies .9
5.2.6 Required input from the developer or other entities .9
5.2.7 Required tool types .10
5.2.8 Required evaluator competences .10
5.2.9 Requirements for reporting .10
5.2.10 Rationale for the evaluation method .10
5.2.11 Additional verb definitions . 12
5.2.12 Set of evaluation activities. 12
6 Structure of evaluation activities .12
6.1 Overview . 12
6.2 Specification of an evaluation activity . 12
6.2.1 Unique identification of the evaluation activity . 12
6.2.2 Objective of the evaluation activity . 12
6.2.3 Evaluation activity links to SFRs, SARs, and other evaluation activities . 13
6.2.4 Required input from the developer or other entities . 13
6.2.5 Required tool types . 13
6.2.6 Required evaluator competences . 13
6.2.7 Assessment strategy . 13
6.2.8 Pass/fail criteria .14
6.2.9 Requirements for reporting . 15
6.2.10 Rationale for the evaluation activity . 15
Bibliography .16

© ISO/IEC 2025 – All rights reserved
iii
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/
IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of any
claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC had not
received notice of (a) patent(s) which may be required to implement this document. However, implementers
are cautioned that this may not represent the latest information, which may be obtained from the patent
database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall not be held
responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection, in collaboration with the
European Committee for Standardization (CEN) Technical Committee CEN/CLC/JTC 13, Cybersecurity and
data protection, in accordance with the Agreement on technical cooperation between ISO and CEN (Vienna
Agreement).
This second edition cancels and replaces the first edition (ISO/IEC 15408-4:2022), which has been
technically revised.
The main changes are as follows:
— minor typographical and editorial errors corrected.
A list of all parts in the ISO 15408 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

© ISO/IEC 2025 – All rights reserved
iv
Introduction
The model of security evaluation in ISO/IEC 15408-1 identifies that high-level generic evaluation activities
are defined in ISO/IEC 18045, but that more specific evaluation activities (EAs) can be defined as technology-
specific adaptations of these generic activities for particular evaluation contexts, e.g. for security functional
requirements (SFRs) or security assurance requirements (SARs) applied to specific technologies or
target of evaluation (TOE) types. Specification of such evaluation activities is already occurring amongst
practitioners, and this creates a need for a specification for defining such evaluation activities.
This document describes a framework that can be used for deriving evaluation activities from work units
of ISO/IEC 18045 and grouping them into evaluation methods (EMs). Evaluation activities or evaluation
methods can be included in protection profiles (PPs) and any documents supporting them. Where a PP, PP-
Configuration, PP-Module, package, or Security Target (ST) identifies that specific evaluation methods/
evaluation activities must be used, the evaluators are required by ISO/IEC 18045 to follow and report
the relevant evaluation methods/evaluation activities when assigning evaluator verdicts. As noted in
ISO/IEC 15408-1, in some cases an evaluation authority can decide not to approve the use of particular
evaluation methods/evaluation activities. In such a case, the evaluation authority can decide not to carry out
evaluations following an ST that requires those evaluation methods/evaluation activities.
This document also allows for evaluation activities to be defined for extended SARs, in which case derivation
of the evaluation activities relates to equivalent evaluator action elements and work units defined for that
extended SAR. Where reference is made in this document to the use of ISO/IEC 18045 or ISO/IEC 15408-3
for SARs (such as when defining rationales for evaluation activities), then, in the case of an extended SAR,
the reference applies instead to the equivalent evaluator action elements and work units defined for that
extended SAR.
For clarity, this document specifies how to define evaluation methods and evaluation activities but does not
itself specify instances of evaluation methods or evaluation activities.

© ISO/IEC 2025 – All rights reserved
v
FINAL DRAFT International Standard ISO/IEC FDIS 15408-4:2025(en)
Information security, cybersecurity and privacy protection —
Evaluation criteria for IT security —
Part 4:
Framework for the specification of evaluation methods and
activities
1 Scope
This document specifies requirements and a standardized framework for specifying objective, repeatable
and reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation
activities. These aspects are a matter for those originating the evaluation methods and evaluation activities
in their particular area of interest.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes
requirements of this document. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-1, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 1: Introduction and general model
ISO/IEC 15408-2, Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 2: Security functional components
1)
ISO/IEC 15408-3:— , Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Part 3: Security assurance components
2)
ISO/IEC 18045:— , Information security, cybersecurity and privacy protection — Evaluation criteria for IT
security — Requirements and methodology for IT security evaluation
3 Terms, definitions and abbreviated terms
For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1, ISO/IEC 15408-2,
ISO/IEC 15408-3, ISO/IEC 18045 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https:// www .iso .org/ obp
— IEC Electropedia: available at https:// www .electropedia .org/
1) Under preparation. Stage at the time of publication: ISO/IEC FDIS 15408-3:2025.
2) Under preparation. Stage at the time of publication: ISO/IEC FDIS 18045:2025.

© ISO/IEC 2025 – All rights reserved
4 General model of evaluation methods and evaluation activities
4.1 Concepts and model
ISO/IEC 18045 defines a generic set of work units that an evaluator carries out in order to reach a verdict
for most of the assurance classes, families and components defined in ISO/IEC 15408-3. The relationship
between the structure of a SAR in ISO/IEC 15408-3 and the work units in ISO/IEC 18045 is described in
ISO/IEC 18045 and summarized in Figure 1 showing that the derivation is flexible and not required to be
simply 1:1).
Figure 1 — Mapping of P3 and CEM to this document
For the purposes of defining new evaluation methods and evaluation activities, the main point to note is that
each action (representing an evaluator action element in ISO/IEC 15408-3 or an implied evaluator action
element) is represented in ISO/IEC 18045 as a set of work units that are carried out by an evaluator.
This document specifies the ways in which new evaluation activities can be derived from the generic work
units in ISO/IEC 18045, and combined into an evaluation method that is intended for use in some particular
evaluation context. A typical example of such an evaluation context is a particular TOE type or particular
technology type.
EXAMPLE 1
— TOE type: a network device
— Technology type: specific cryptographic functions
If evaluation methods (EM) and evaluation activities (EA) are required to be used with a particular PP, PP-
Module or PP-Configuration, then a PP or PP-Module or PP-Configuration shall identify this requirement in
its conformance statement. If evaluation methods and evaluation activities are required to be used with a
particular package, then the package shall identify this requirement in the security requirement section.
If EMs and EAs are claimed by an ST as a result of that ST claiming conformance to a PP, PP-Configuration,
or package, then the ST shall identify the EMs/EAs used in its conformance claim. No formal claim of
conformance to this document made in any of these cases.
NOTE 1 The contents of PPs, PP-Modules, PP-Configurations and packages are described in more detail in
ISO/IEC 15408-1.
© ISO/IEC 2025 – All rights reserved
A PP, PP-Configuration, PP-Module or package may use more than one evaluation method or separate set of
evaluation activities.
EXAMPLE 2 Multiple evaluation methods can be used where separate evaluation methods have been defined for
cryptographic operations and for secure channel protocols used in a PP.
NOTE 2 Where exact conformance is used, ISO/IEC 15408-1 states that evaluation methods/evaluation activities
are not allowed to be defined in a PP-Configuration: the evaluation methods/evaluation activities to be used are
included in the PPs and PP-Modules and not in the PP-Configuration).
When a PP, PP-Module, PP-Configuration, or package identifies that certain evaluation methods/evaluation
activities shall be used, then this is done using a standard wording that states the requirement and
references the definition of the evaluation methods/evaluation activities to be used. An ST shall only
identify required evaluation methods and evaluation activities that are included in a PP, PP-Module, PP-
Configuration or package to which the ST claims conformance (i.e. the ST itself shall not add, modify or
remove any evaluation methods or evaluation activities). An ST shall include identification of all evaluation
methods/evaluation activities that it requires (i.e. including any that are required by PPs, PP-Modules, PP-
Configurations, or packages to which the ST claims conformance), so that there is a single list that can be
checked and referenced by evaluators and readers of the ST.
Evaluation methods and evaluation activities may be defined as part of a PP or required externally in a
different document (or in a combination of both). Although identification is required as described in the
paragraph above, it is not necessary to reproduce the text of the evaluation methods/evaluation activities in
other documents. For example, an ST is not required to include the full text of the evaluation methods and
evaluation activities from a PP to which it claims conformance.
4.2 Deriving evaluation methods and evaluation activities
In general, defining evaluation activities and evaluation methods can start either from an SAR, aiming to
make some or all parts of its work units more specific, or from an SFR, aiming to define specific aspects of
work units related to that SFR.
When starting from an SAR, the process is as follows.
— Identify the relevant ISO/IEC 18045 work units from which at least one individual evaluation activity or
groups of evaluation activities shall be derived;
— For each work unit from which an evaluation activity is derived:
— define the new evaluation activities in terms of the specific work to be carried out and evaluation
criteria as described in 6.2 (including, if required, pass/fail criteria as described in 6.2.8);
— group evaluation activities into an evaluation method if necessary;
— state the rationale for the new evaluation activities and the evaluation method under which they are
grouped as described in 5.2.10 and 6.2.10.
EXAMPLE 1 A rationale can include reference to the developer action, and content and presentation elements of the
work units from which they are derived.
A process for starting from an SFR is as follows:
— identify the relevant SFR,
— identify the SARs (from ISO/IEC 15408-3 or a set of extended SARs, or both) to be addressed for
that particular SFR, and the corresponding ISO/IEC 18045 work units,
— define the new evaluation activities in terms of the specific work to be carried out and evaluation
criteria as described in 6.2 (including, if required, pass/fail criteria as described in 6.2.8). For
example, evaluation activities can be defined to:

© ISO/IEC 2025 – All rights reserved
— examine the presentation of a specific SFR in the TOE Summary Specification [derived from class
ASE (Security Target (ST) evaluation) (see ISO/IEC 15408-3:—, Clause 9)],
— examine the presentation of the SFR in the guidance documentation [derived from class AGD
(Guidance documents) (see ISO/IEC 15408-3:—, Clause 11)],
— to carry out specific tests of the SFR [derived from class ATE (Tests) (see ISO/IEC 15408-3:—,
Clause 13)].
— map the affected work units for the SARs to the new evaluation activities;
— state the rationale for the new evaluation activities, and the evaluation method under which they are
grouped, as described in 5.2.10 and 6.2.10.
Although an author may choose to start from SARs or SFRs, it is noted that SARs ultimately cover all SFRs.
Starting from SFRs as described here is a technique that can be useful when clarifying the detail of how an
SAR applies to a particular SFR, and that can be useful for presenting SFRs alongside the description of their
evaluation activities.
It is not required to have a 1:1 mapping between work units and new evaluation activities, and the actual
correspondence is documented in a rationale (as described in 5.2.10). The derivation may be made in terms
of individual work units or groups of work units, and this is depicted in Figure 2. In case a) of Figure 2, the
author maps each work unit from ISO/IEC 18045 to a corresponding evaluation activity, while in case b), the
author maps different numbers of work units and evaluation activities, while still addressing all aspects of
an action (i.e. the collection of work units).
Figure 2 — Alternative approaches to mapping CEM to derived evaluation activities
Other approaches are possible depending on the content of the specific work units and evaluation activities:
even where the same number of work units and evaluation activities exist, a simple 1:1 mapping is sometimes

© ISO/IEC 2025 – All rights reserved
not possible and therefore a mapping at the action level can be appropriate. Some more detailed mapping
situations are described in the examples below.
NOTE These examples assume that the evaluation activities described are being defined by a community that can
judge the suitability of the rationale for completeness of the evaluation activities. The examples are concerned only
with the form and structure of the mappings, not with the nature or acceptance of the completeness rationale.
EXAMPLE 2 For a TOE type that includes both software and hardware, additional evaluation activities can be defined
to deal with the manufacturing environment and its processes. Considering the ALC_DVS (Developer environment
security) (see ISO/IEC 15408-3:—, 12.5) family, a possible approach is to adopt all the existing ALC_DVS (Developer
environment security) (see ISO/IEC 15408-3:—, 12.5) work units for the software development environment and to
define additional evaluation activities for each of the relevant hardware and manufacturing aspects. These aspects
can include extensions of the normal ALC_DVS (Developer environment security) (see ISO/IEC 15408-3:—, 12.5)
scope to additional items such as protection of hardware design in the development environment, secure transfer of
software from the development environment to the manufacturing environment, security of the manufacturing site,
and protection of the manufactured product while awaiting delivery. They can also include new aspects related to
objects and processes that arise only in the manufacturing environment, such as:
— confirming that the firmware used on a manufacturing line is reliably obtained from the authorized version
created on the firmware build system;
— checking configuration management of test programs for testing the TOE on the manufacturing line;
— confirming that processes to disable test or debug interfaces on the TOE operate correctly and reliably;
— examining the physical and logical security of key management systems used to inject keys or certificates into the
TOE during manufacture.
In this example, the original ALC_DVS.1.1E (see ISO/IEC 15408-3:—, 12.5.4) action is mapped to include all
the new evaluation activities. An alternative approach is to define additional evaluation activities for each
individual work unit for ALC_DVS.1.1E (see ISO/IEC 15408-3:—, 12.5.4), identifying the additional activities
to cover the manufacturing environment for that work unit.
EXAMPLE 3 Another example can be if AVA_VAN.1 (Vulnerability survey) (see ISO/IEC 15408-3:—, 14.3.3)
vulnerability analysis is applied to a particular type of TOE, and there is a specific requirement to achieve consistency
in the public domain vulnerability sources used. A possible approach is to define an evaluation activity that covers
the AVA_VAN (Vulnerability analysis) (see ISO/IEC 15408-3:—, 14.3) work unit dealing with searching public domain
sources by specifying the particular sources to be used. It is possible to do this with particular searches to be carried
out and decision criteria for selecting a resulting list of potential vulnerabilities to be analysed and tested. In this
example the original AVA_VAN.1–3 (see ISO/IEC 18045:—, 16.3.1.5.2) work unit is mapped to the new evaluation
activity.
EXAMPLE 4
— For an evaluation method to be used with hardware such as an integrated circuit, evaluation activities can be
defined to examine the circuit's architecture, defining required inputs that give the evaluator specific details about
the operations and information available through the circuit's interfaces. The definition of these required inputs
can then make clear that the relevant interfaces include the circuit's physical surface, its executable programming
instructions, and its communication interfaces.
— Further evaluation activities within the evaluation method can examine the circuit's resistance against physical
probing in order to prevent manipulating or disabling TSF features.
— For testing activities, evaluation activities within the evaluation method can define a required input that presents
the circuit's design as a flow chart of security functions permeating through the circuit's subsystems. The flow
chart can then be used by the evaluator to create test cases and to confirm the test coverage of the circuit.
EXAMPLE 5
— For a TOE type such as a network device that provides cryptographically verifiable firmware updates, evaluation
activities can give specific details of how the evaluator is required to review the Security Target and guidance
documentation to confirm certain specific characteristics required of the cryptographic update process.
— Other evaluation activities can define specific test cases covering the verification of the current firmware, the
availability of updates, fetching updates, verifying the source of the updates using cryptographic signatures, and
the use of specific types of invalid update in order to test the TOE's acceptance functions.

© ISO/IEC 2025 – All rights reserved
4.3 Verb usage in the description of evaluation methods and evaluation activities
Where a verb is defined in ISO/IEC 15408-1 then the description of evaluation activities shall use those verbs
only in accordance with the definitions. Alternative verbs may be used in an evaluation method for use in
its evaluation activities provided that the alternative verbs are defined in the evaluation method. Any such
verb definition shall make clear the extent to which evaluator judgement (as opposed to simple checking) is
involved.
EXAMPLE An evaluation method that includes automated test generation for a protocol can define a verb “cover”,
applied to enumerated types in a protocol parameter, to mean trying all defined and undefined values of the parameter
within the available parameter length. Then evaluation activities can be written in forms such as “The evaluator shall
cover the PaymentMode field”.
4.4 Conventions for the description of evaluation methods and evaluation activities
Conventions used in ISO/IEC 15408-3 and ISO/IEC 18045 support consistency within, and between, the
descriptions of evaluation methods and evaluation activities.
All work unit and sub-task verbs are preceded by the auxiliary verb “shall” and by presenting both the
verb and the “shall” in bold italic type face. The auxiliary verb “shall” is used only when the provided text is
mandatory and therefore only within the work units and sub-tasks. The work units and sub-tasks contain
mandatory activities that the evaluator shall perform in order to assign verdicts.
Guidance text accompanying work units and sub-tasks gives further explanation on how to apply the work
units and sub-tasks in an evaluation.
5 Structure of an evaluation method
5.1 Overview
An evaluation method and its constituent evaluation activities are defined for use in a particular evaluation
context. For example, separate evaluation methods may be defined for specific technology areas which can
range from specific functions up to specific product types or even in extreme cases, for a specific product
when the product is evaluated for unique features but where there is a requirement to have the product
evaluated using a separately defined method that supports visibility, repeatability and reproducibility of the
evaluation.
EXAMPLE Evaluation contexts for which separate evaluation methods can be defined are:
— specific product types like network devices, smart cards, biometric devices, mobile devices;
— specific security functions reused for multiple product types, such as cryptographic functions, cryptographic
protocols, digital certificate validation, identification and authentication schemes.
An evaluation method comprises a collection of individual evaluation activities, with additional information
about the way in which the evaluation activities collectively meet a goal related to an identified evaluation
context.
The description of an evaluation method includes:
— identification of the entity that is responsible for definition and maintenance of the evaluation method;
— the intended scope of the evaluation method, identifying the objective for deriving the evaluation
activities in the evaluation method, the evaluation context in which it is intended to be applied, and any
known limitation of, or aspects not intended to be covered by, the evaluation method;
— any tool types and/or evaluator competences required to carry out the evaluation activities contained in
the evaluation method;
— any requirements for reporting on the results of applying the evaluation method;

© ISO/IEC 2025 – All rights reserved
— identification of each work unit in ISO/IEC 18045 (or equivalent for an extended SAR) that is addressed
by the evaluation activities in the evaluation method;
— identification of any extended SARs from which an evaluation method is derived (if applicable);
— any additional verbs used in the description of evaluation activities in place of verbs defined in
ISO/IEC 15408-1.
Further description of the content, including identification of which content elements are mandatory,
and how content elements may be distributed between evaluation method and its evaluation activities, is
given in 5.2 and 6.2 and is summarized in Table 1. Where a content element is optional (e.g. identification
of specific evaluator competences, or required tool types), then that part may simply be omitted from the
relevant definition: it is not necessary to include a blank section.
5.2 Specification of an evaluation method
5.2.1 Overview
An evaluation method is specified in terms of the information identified in 5.2.2 to 5.2.12. No specific
format is required for providing or presenting this information, except where stated for individual elements
in 5.2.2 to 5.2.12. The purpose of specifying the description of an evaluation method in 5.2.2 to 5.2.12 is
to ensure that the assurance techniques used in an evaluation can be unambiguously identified, and that
the evaluation method is used appropriately (in the context for which it was intended) and in a way that
supports consistent evaluation results.
In general, the description of an evaluation method can be taken to include the descriptions of the individual
evaluation activities that it contains. This means that aspects of the evaluation method description may be
deduced from the evaluation activity descriptions.
Figure 3 illustrates the content described in this document for an evaluation method. It does not define a
mandatory structure for describing an evaluation method.
Figure 3 — Contents of an evaluation method

© ISO/IEC 2025 – All rights reserved
The contents shown in Figure 3 are described in more detail in 5.2.2 to 5.2.12 and 6.2. A summary of the
mandatory and optional requirements for specifying evaluation methods and evaluation activities is given
in Table 1.
Table 1 — Distribution of content between evaluation methods and evaluation activities
Content element Evaluation method Evaluation activity
Identifier Mandatory Mandatory
Entity Responsible Mandatory Not applicable
Scope Mandatory Not applicable
Dependencies Optional Optional
Required inputs Mandatory Mandatory
Required tool types Optional Optional
Required evaluator competences Optional Optional
Requirements for reporting Optional Optional
Rationale Mandatory Mandatory
Evaluation activities Mandatory Not applicable
Additional verb definitions Optional Not applicable
Objective Not applicable Mandatory
Evaluation activity links to SFRs, SARs and other evaluation activities Not applicable Optional
Assessment strategy Not applicable Mandatory
Pass/fail criteria Not applicable Optional
5.2.2 Identification of evaluation methods
The definition of an evaluation method shall include a unique identifier in order to unambiguously identify
the set of evaluation activities to be applied in any given evaluation. An identifier shall be assigned at the
evaluation method level (rather than just at the level of the evaluation activities it contains), reflecting the
fact that an evaluation method is intended to be applied as a whole, and is subject to rationale and defined
purpose and objectives at this level. If a set of evaluation activities has been grouped into an evaluation
method, then it shall only be identified as the same evaluation method when the complete set of evaluation
activities in the evaluation method is used, with the same rationale as contained in the original evaluation
method. If there is a need to divide the evaluation method into smaller subsets of evaluation activities, then
a separate evaluation method, with its own rationale, shall be defined for each subset.
EXAMPLE 1 A unique identifier expressed by the title and version number of a supporting document or PP
containing the evaluation method.
EXAMPLE 2 An identifier obtained from a registration authority.
As described in 5.2.10, an evaluation method may be overlain by another evaluation method (e.g. for use in
other PPs or PP-Modules). In such a case, if the original evaluation method rationale still holds (as described
in 5.2.10), then the identifier of the original evaluation method shall be used. However, if the rationale is
changed as part of the overlay, then a separate identifier defined in the relevant PP-Module, PP-Configuration
or PP shall be used. The intention here is to ensure that a significant change to the rationale results in a
different identifier being used.
5.2.3 Entity responsible for the evaluation method
The definition of an evaluation method shall state the entity that is responsible for the definition and
maintenance of the evaluation method.
EXAMPLE Examples of responsible entities are evaluation authorities, standards bodies, industry working
groups, or technical communities.

© ISO/IEC 2025 – All rights reserved
5.2.4 Scope of the evaluation method
The definition of an evaluation method shall describe its scope, including:
— the objective of the evaluation method in terms of a brief statement summarizing the assurance goals and a
high-level statement of how these are implemented by the evaluation activities within the evaluation method;
— the evaluation context in which the evaluation method is intended to be applied. For example, this can
describe a TOE type such as a smart card or network device, or a type of function such as cryptographic
functions using certain algorithms and modes applied to certain types of data transmission and data
storage;
— any known limitation of the evaluation method, or aspects not intended to be covered by the
evaluation method.
Evaluation activities can be defined to apply specifically to one or more SFRs. When an evaluation
method includes such SFR-specific evaluation activities, then a subsection of the scope shall identify the
individual SFRs that the evaluation method is defined to address and the location where the SFRs are
defined (e.g. ISO/IEC 15408-2 or extended SFRs defined in a PP). For extended SFRs that are not defined in
ISO/IEC 15408-2, the identification of the location is particularly important since the same SFR name can be
used in different sources to refer to SFRs with different content (if the evaluation method is not specific to
any SFRs, then this subsection is not required).
Similarly, evaluation activities can be defined to apply specifically to one or more extended SARs (i.e. SARs
that are not defined in ISO/IEC 15408-3). When an evaluation method includes such evaluation activities,
then a subsection of the scope shall identify the relevant extended SARs and the location where they are
defined (e.g. in a PP). As with extended SFRs, the identification of the location is particularly important since
the same SAR name can be used in different sources to refer to SARs with different content (if the evaluation
method does not apply to any extended SARs, then this subsection is not required).
NOTE The rationale for completeness of the evaluation method (see 5.2.10) can give further information relevant
to the scope of the evaluation method.
5.2.5 Dependencies
The definition of an evaluation method shall describe any dependencies on:
— other evaluation methods,
— evaluation activities, or
— some of the generic actions in ISO/IEC 18045.
EXAMPLE An evaluation method that relies on information obtained from some other developer action element
in ISO/IEC 15408-3 or some action in ISO/IEC 18045.
Dependencies may be identified either at the level of the evaluation method, or at the level of an individual
evaluation activity contained within the evaluation method.
5.2.6 Required input from the developer or other entities
The definition of an evaluation method shall identify any developer input required to perform the evaluation
activity. This may be done either at the level of the evaluation method, or at the level of an individual
evaluation activity included in the evaluation method. The description of the inputs may also be made by
reference to those defined for the generic SAR from which the evaluation activities are derived, as defined in
ISO/IEC 15408-3 (or the equivalent generic definition if dealing with an extended SAR).
EXAMPLE The inputs for an evaluation method dealing with media encryption TOEs can define a requirement for
description of particular details of a key hierarchy.

© ISO/IEC 2025 – All rights reserved
5.2.7 Required tool types
If the evaluation activities require any tool types, then those shall be listed as part of the definition of the
evaluation method. The tool types may be identified either at the level of the evaluation method, or at the
level of an individual evaluation activity contained within the evaluation method.
5.2.8 Required evaluator competences
An evaluation method may identify spec
...