iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty!
ISO

ISO/IEC DIS 15408-5

(Main)

Information security, cybersecurity and privacy protection -- Evaluation criteria for IT security

Information security, cybersecurity and privacy protection -- Evaluation criteria for IT security

Titre manque

General Information

Status
Published
ICS
35.030 - IT Security
Technical Committee
ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting Committee
ISO/IEC JTC 1/SC 27/WG 3 - Security evaluation, testing and specification
Current Stage
4060 - Close of voting
Start Date
22-Aug-2020
Completion Date
21-Aug-2020
Ref Project

Buy Standard

ISO/IEC DIS 15408-5ISO/IEC DIS 15408-5
PreviousNext
Draft
ISO/IEC DIS 15408-5 - Information security, cybersecurity and privacy protection -- Evaluation criteria for IT security
English language
26 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (sample)

DRAFT INTERNATIONAL STANDARD
ISO/IEC DIS 15408-5
ISO/IEC JTC 1/SC 27 Secretariat: DIN
Voting begins on: Voting terminates on:
2020-05-29 2020-08-21
Information security, cybersecurity and privacy
protection — Evaluation criteria for IT security —
Part 5:
Pre-defined packages of security requirements
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENT AND APPROVAL. IT IS
THEREFORE SUBJECT TO CHANGE AND MAY
NOT BE REFERRED TO AS AN INTERNATIONAL
STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
This document is circulated as received from the committee secretariat.
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
Reference number
NATIONAL REGULATIONS.
ISO/IEC DIS 15408-5:2020(E)
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION. ISO/IEC 2020
---------------------- Page: 1 ----------------------
ISO/IEC DIS 15408-5:2020(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2020

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2020 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and Definitions .................................................................................................................................................................................... 1

4 E valuation Assurance Levels .................................................................................................................................................................... 1

4.1 Family Name.............................................................................................................................................................................................. 1

4.2 E valuation assurance level (EAL) overview ................................................................................................................... 1

4.2.1 General...................................................................................................................................................................................... 1

4.2.2 Relationship between assurances and assurance levels ............................................................... 2

4.3 E valuation assurance level (EAL) objectives ................................................................................................................. 4

4.4 E valuation assurance levels ......................................................................................................................................................... 5

4.4.1 General...................................................................................................................................................................................... 5

4.4.2 Evaluation assurance level 1 (EAL1) - functionally tested .......................................................... 5

4.4.3 Evaluation assurance level 2 (EAL2) - structurally tested ........................................................... 6

4.4.4 Evaluation assurance level 3 (EAL3) - methodically tested and checked ....................... 7

4.4.5 Evaluation assurance level 4 (EAL4) - methodically designed, tested and

reviewed .................................................................................................................................................................................. 9

4.4.6 Evaluation assurance level 5 (EAL5) – semiformally verified designed and

tested ........................................................................................................................................... ............................................10

4.4.7 Evaluation assurance level 6 (EAL6) – verified design and tested ....................................11

4.4.8 Evaluation assurance level 7 (EAL7) - formally verified design and tested ..............13

5 Composed Assurance Packages..........................................................................................................................................................14

5.1 Family Name...........................................................................................................................................................................................14

5.2 Composed assurance package (CAP) overview .......................................................................................................15

5.2.1 General...................................................................................................................................................................................15

5.2.2 Relationship between assurances and assurance packages ...................................................15

5.3 Composed assurance package (CAP) objectives .....................................................................................................16

5.4 Packages in the CAP family ........................................................................................................................................................18

5.4.1 Composition assurance package A (CAP-A) - Structurally composed ............................18

5.4.2 Composition assurance packagel B (CAP-B) - Methodically composed ........................19

5.4.3 Composition assurance package C (CAP-C) - Methodically composed,

tested and reviewed ...................................................................................................................................................20

6 Composite Product Package (COMP) ............................................................................................................................................21

6.1 Package name ........................................................................................................................................................................................21

6.2 Package type ..........................................................................................................................................................................................21

6.3 Package overview ..............................................................................................................................................................................21

6.4 Objectives..................................................................................................................................................................................................21

6.5 Security assurance components ...........................................................................................................................................22

7 Protection Profile Assurances (PPA) ............................................................................................................................................22

7.1 Family Name...........................................................................................................................................................................................22

7.2 PPA family overview ........................................................................................................................................................................22

7.3 PPA family objectives ......................................................................................................................................................................23

7.4 PPA Packages .........................................................................................................................................................................................23

7.4.1 Protection Profile Assurance Package - Direct Rationale PP (PPA-DR) .........................23

7.4.2 Protection Profile Assurance Package - Standard (PPA-STD) ................................................23

8 Security Target Assurances (STA) ....................................................................................................................................................24

8.1 Family Name...........................................................................................................................................................................................24

8.2 STA family overview ........................................................................................................................................................................24

8.3 STA family objectives ......................................................................................................................................................................25

8.4 STA Packages..........................................................................................................................................................................................25

© ISO/IEC 2020 – All rights reserved iii
---------------------- Page: 3 ----------------------
ISO/IEC DIS 15408-5:2020(E)

8.4.1 Security Target Assurance Package – Direct Rationale (STA-DR).......................................25

8.4.2 Security Target Assurance Package - Standard (STA-STD) .......................................................26

iv © ISO/IEC 2020 – All rights reserved
---------------------- Page: 4 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/ directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/ patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso .org/

iso/ foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 15408 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/ members .html.
This is the first edition of ISO/IEC 15408-5.
© ISO/IEC 2020 – All rights reserved v
---------------------- Page: 5 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Introduction

This document provides pre-defined packages of security requirements. Such security requirements

may be useful for stakeholders as they strive for conformity between evaluations. Packages of security

requirements may also help reduce the effort in developing PPs and STs.

ISO/IEC 15408-1 defines the term “package” and describes the fundamental concepts.

This document presents:

• evaluation assurance level (EAL) family of packages that specify pre-defined sets of security

assurance components that may be referenced in PPs and STs and which specify appropriate

security assurances to be provided during an evaluation of a TOE.

• composition assurance (CAP) family of packages that specify sets of security assurance components

used for specifying appropriate security assurances to be provided during an evaluation of

composed TOEs.

• composite product (COMP) package that specifies a set of security assurance components used for

specifying appropriate security assurances to be provided during an evaluation of a composite

product TOEs.

• Protection Profile Assurance (PPA) family of packages that specify sets of security assurance

components used for specifying appropriate security assurances to be provided during a protection

profile evaluation.

• Security Target Assurance (STA) family of packages that specify sets of security assurance

components used for specifying appropriate security assurances to be provided during a Security

Target evaluation.

The audience for this document includes consumers, developers, and evaluators of secure IT products.

vi © ISO/IEC 2020 – All rights reserved
---------------------- Page: 6 ----------------------
DRAFT INTERNATIONAL STANDARD ISO/IEC DIS 15408-5:2020(E)
Information security, cybersecurity and privacy
protection — Evaluation criteria for IT security —
Part 5:
Pre-defined packages of security requirements
1 Scope

This document provides packages of security assurance and security functional requirements that

have been identified as useful in support of common usage by stakeholders.

EXAMPLE Examples of provided packages include the evaluation assurance levels (EAL) and the composed

assurance packages (CAPs).
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 15408-1, Information security, cybersecurity and privacy protection— Evaluation criteria for IT

security — Part 1: Introduction and general requirements

ISO/IEC 15408-3, Information security, cybersecurity and privacy protection— Evaluation criteria for IT

security — Part 3: Security assurance components
3 Terms and Definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 15408-1 apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

• IEC Electropedia: available at http:// www .electropedia .org/
• ISO Online browsing platform: available at http:// www .iso .org/ obp
4 E valuation Assurance Levels
4.1 Family Name
The name of this family of packages is Evaluation Assurance Levels (EALs).
4.2 E valuation assurance level (EAL) overview
4.2.1 General

The Evaluation Assurance Levels (EALs) provide an increasing scale that balances the level of

assurance obtained with the cost and feasibility of acquiring that degree of assurance. The approach of

© ISO/IEC 2020 – All rights reserved 1
---------------------- Page: 7 ----------------------
ISO/IEC DIS 15408-5:2020(E)

ISO/IEC 15408-1 identifies the separate concepts of assurance in a TOE at the end of the evaluation, and

of maintenance of that assurance during the operational use of the TOE.

NOTE Not all families and components given in ISO/IEC 15408-3 are included in the EALs. This is not to

say that these do not provide meaningful and desirable assurances. Instead, it is expected that these families

and components will be considered for augmentation of an EAL in those Protection Profiles (PPs) and Security

Targets (STs) for which they provide utility. Additionally, some classes found in ISO/IEC 15408-3 are not relevant

for the EALs. Examples of such classes include the APE and ACO classes.
A set of assurance components have been chosen for each EAL.

A higher level of assurance than that provided by a given EAL can be achieved by:

a) including additional assurance components from other assurance families; or

b) replacing an assurance component with a higher-level assurance component from the same

assurance family.
4.2.2 Relationship between assurances and assurance levels

Figure 1 illustrates the relationship between the SARs found in ISO/IEC 15408-3 and the assurance

levels defined in this document. While assurance components further decompose into assurance

elements, assurance elements cannot be individually referenced by assurance levels.

NOTE The arrow in the figure represents a reference from an EAL to an assurance component within the

class where it is defined.
2 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 8 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Figure 1 — Assurance and assurance level association

Table 1 represents a summary of the EALs. The columns represent a hierarchically ordered set of EALs,

while the rows represent assurance families. Each number in the resulting matrix identifies a specific

assurance component where applicable.

Those items marked in grey are not applicable in the EAL specification. However, they may be used to

augment the EAL package.

NOTE Although the ALC_FLR and ALC_TDA families are not shown in Table 1, they are often used as an

augmentation to the EALs.
© ISO/IEC 2020 – All rights reserved 3
---------------------- Page: 9 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Table 1 — Evaluation assurance level summary
Assurance class Assurance Assurance Components by Evaluation Assurance Level
Family
EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7
Development ADV_ARC 1 1 1 1 1 1
ADV_FSP 1 2 3 4 5 5 6
ADV_IMP 1 1 2 2
ADV_INT 2 3 3
ADV_SPM 1 1
ADV_TDS 1 2 3 4 5 6
Guidance documents AGD_OPE 1 1 1 1 1 1 1
AGD_PRE 1 1 1 1 1 1 1
Life-cycle support ALC_CMC 1 2 3 4 4 5 5
ALC_CMS 1 2 3 4 5 5 5
ALC_DEL 1 1 1 1 1 1
ALC_DVS 1 1 1 2 2
ALC_LCD 1 1 1 1 2
ALC_TAT 1 2 3 3
ST evaluation ASE_CCL 1 1 1 1 1 1 1
ASE_ECD 1 1 1 1 1 1 1
ASE_INT 1 1 1 1 1 1 1
ASE_OBJ 1 2 2 2 2 2 2
ASE_REQ 1 2 2 2 2 2 2
ASE_SPD 1 1 1 1 1 1
ASE_TSS 1 1 1 1 1 1 1
Tests ATE_COV 1 2 2 2 3 3
ATE_DPT 1 1 3 3 4
ATE_FUN 1 1 1 1 2 2
ATE_IND 1 2 2 2 2 2 3
Vulnerability assessment AVA_VAN 1 2 2 3 4 5 5
4.3 E valuation assurance level (EAL) objectives

As outlined in 4.4, seven hierarchically ordered evaluation assurance levels are defined in this document

for the rating of a TOE's assurance. They are hierarchically ordered inasmuch as each EAL represents

more assurance than all lower EALs. The increase in assurance from EAL to EAL is accomplished by

substitution of a hierarchically higher assurance component from the same assurance family (i.e.

increasing rigour, scope, and/or depth) and from the addition of assurance components from other

assurance families (i.e. adding new requirements).

These EALs consist of an appropriate combination of assurance components as described in

ISO/IEC 15408-3. More precisely, each EAL includes no more than one component of each assurance

family and all the assurance dependencies of every component are addressed.

The notion of “augmentation” allows the addition of assurance components (from assurance families not

already included in the EAL) or the substitution of assurance components (with another hierarchically

higher assurance component in the same assurance family) to an EAL. Of the assurance constructs

defined in ISO/IEC 15408-1, only EALs may be augmented. The notion of an “EAL minus a constituent

assurance component” is not recognized by the standard as a valid claim. Augmentation carries with it

4 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 10 ----------------------
ISO/IEC DIS 15408-5:2020(E)

the obligation on the part of the claimant to justify the utility and added value of the added assurance

component to the EAL. An EAL may also be augmented with extended assurance requirements.

NOTE An EAL cannot be augmented if it is included in an ST that claims exact conformance to a PP.

4.4 E valuation assurance levels
4.4.1 General

Subclause 4.4 provides definitions of the EALs, highlighting differences between the specific

requirements and the prose characterisations of those requirements using bold type.

4.4.2 Evaluation assurance level 1 (EAL1) - functionally tested
4.4.2.1 Package Name

The name of the package is: Evaluation assurance level 1 (EAL1) - functionally tested.

4.4.2.2 Package Type
This is an assurance Package.
4.4.2.3 Package overview

EAL1 is applicable where some confidence in correct operation is required, but the threats to security

are not viewed as serious. It will be of value where independent assurance is required to support

the contention that due care has been exercised with respect to the protection of personal or similar

information.

EAL1 requires only a limited ST. It is sufficient to simply state the required SFRs for the TOE, rather

than deriving them from threats, OSPs and assumptions through security objectives.

EAL1 provides an evaluation of the TOE as made available to the customer, including independent testing

against a specification, and an examination of the guidance documentation provided. It is intended that

an EAL1 evaluation could be successfully conducted without assistance from the developer of the TOE,

and for minimal outlay.

An evaluation at this level should provide evidence that the TOE functions in a manner consistent with

its documentation.
4.4.2.4 Package objectives

EAL1 provides a basic level of assurance by a limited ST and an analysis of the SFRs in that ST

using a functional and interface specification and guidance documentation, to understand the

security behaviour.

The analysis is supported by a search for potential vulnerabilities in the public domain and

independent testing (functional and penetration) of the TSF.

EAL1 also provides assurance through unique identification of the TOE and of the relevant

evaluation documents.
This EAL provides a meaningful increase in assurance over unevaluated IT.
4.4.2.5 Assurance components
Table 2 gives the assurance components included in EAL 1.
© ISO/IEC 2020 – All rights reserved 5
---------------------- Page: 11 ----------------------
ISO/IEC DIS 15408-5:2020(E)
Table 2 — EAL1
Assurance Class Assurance components
ADV: Development ADV_FSP.1 Basic functional specification
AGD: Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC: Life-cycle support ALC_CMC.1 Labelling of the TOE
ALC_CMS.1 TOE CM coverage
ASE: ST evaluation ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.1 Security objectives for the operational environment
ASE_REQ.1 Stated security requirements
ASE_TSS.1 TOE summary specification
ATE: Tests ATE_IND.1 Independent testing - conformance
AVA: Vulnerability assessment AVA_VAN.1 Vulnerability survey
4.4.3 Evaluation assurance level 2 (EAL2) - structurally tested
4.4.3.1 Package Name

The name of the package is: Evaluation assurance level 2 (EAL2) –structurally tested.

4.4.3.2 Package Type
This is an assurance Package.
4.4.3.3 Package overview

EAL2 requires the co-operation of the developer in terms of the delivery of design information and test

results but should not demand more effort on the part of the developer than is consistent with good

commercial practice. As such it should not require a substantially increased investment of cost or time.

EAL2 is therefore applicable in those circumstances where developers or users require a low to

moderate level of independently assured security in the absence of ready availability of the complete

development record. Such a situation may arise when securing legacy systems, or where access to the

developer may be limited.
4.4.3.4 Objectives

EAL2 provides assurance by a full ST and an analysis of the SFRs in that ST, using a functional and

interface specification, guidance documentation and a basic description of the architecture of the

TOE, to understand the security behaviour.

The analysis is supported by independent testing of the TSF, evidence of developer testing based

on the functional specification, selective independent confirmation of the developer test

results, and a vulnerability analysis (based upon the functional specification, TOE design,

security architecture description and guidance evidence provided) demonstrating resistance to

penetration attackers with a basic attack potential.

EAL2 also provides assurance through use of a configuration management system and evidence of

secure delivery procedures.
6 © ISO/IEC 2020 – All rights reserved
---------------------- Page: 12 ----------------------
ISO/IEC DIS 15408-5:2020(E)

This EAL represents a meaningful increase in assurance from EAL1 by requiring developer testing,

a vulnerability analysis (in addition to the search of the public domain), and independent testing

based upon more detailed TOE specifications.
4.4.3.5 Assurance components
Table 3 gives the assurance components included in EAL 2.
Table 3 — EAL2
Assurance Class Assurance components
ADV: Development ADV_ARC.1 Security architecture description
ADV_FSP.2 Security-enforcing functional specification
ADV_TDS.1 Basic design
AGD: Guidance documents AGD_OPE.1 Operational user guidance
AGD_PRE.1 Preparative procedures
ALC: Life-cycle support ALC_CMC.2 Use of a CM system
ALC_CMS.2 Parts of the TOE CM coverage
ALC_DEL.1 Delivery procedures
ASE: ST evaluation ASE_CCL.1 Conformance claims
ASE_ECD.1 Extended components definition
ASE_INT.1 ST introduction
ASE_OBJ.2 Security objectives
ASE_REQ.2 Derived security requirements
ASE_SPD.1 Security Problem definition
ASE_TSS.1 TOE summary specification
ATE: Tests ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
AVA: Vulnerability assessment AVA_VAN.2 Vulnerability analysis
4.4.4 Evaluation assurance level 3 (EAL3) - methodically tested and checked
4.4.4.1 Package Name

The name of the package is: Evaluation assurance level 3 (EAL3) –methodically tested and checked.

4.4.4.2 Package Type
This is an assurance Package.
4.4.4.3 Package overview

EAL3 permits a conscientious developer to gain maximum assurance from positive security engineering

at the design stage without substantial alteration of existing sound development practices.

EAL3 is applicable in those circumstances where developers or users require a moderate level of

independently assured security and require a thorough investigation of the TOE and its development

without substantial re-engineering.
© ISO/IEC 2020 – All rights reserved 7
---------------------- Page: 13 ----------------------
ISO/IEC DIS 15408-5:2020(E)
4.4.4.4 Objectives

EAL3 provides assurance by a full ST and an analysis of the SFRs in that ST, using a functional and

interface specification, guidance documentation, and an architectural description of the design of

the TOE, to understand the security behaviour.

The analysis is supported by independent testing of the TSF, evidence of developer testing based on

the functional specification and TOE design, selective independent confirmation of the developer test

results, and a vulnerability analysis (based upon the functional specification, TOE design, security

architecture description and guidance evidence provided) demonstrating resistance to penetration

attackers with a basic attack potential.

EAL3 also provides assurance through the use of development environment controls, TOE

configuration management, and evidence of secure delivery procedures.

This EAL represents a meaningful increase in assurance from EAL2 by requiring more complet

...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/IEC 11770-4:2017/Amd 2:2021(Amendment)
Leakage-resilient password-authenticated key agreement with additional stored secrets
    • sale 15% off
    • Standard
      39 pages
      English language
    • sale 15% off
    • Draft
      39 pages
      English language
    • sale 15% off
    • Draft
      40 pages
      English language
ISO
ISO/IEC TS 27570:2021(Main)
Privacy protection -- Privacy guidelines for smart cities

The document takes a multiple agency as well as a citizen-centric viewpoint. It provides guidance on: — smart city ecosystem privacy protection; — how standards can be used at a global level and at an organizational level for the benefit of citizens; and — processes for smart city ecosystem privacy protection. This document is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations that provide services in ...view more

    • sale 15% off
    • Technical specification
      37 pages
      English language
    • sale 15% off
    • Draft
      37 pages
      English language
ISO
ISO/IEC TS 27100:2020(Main)
Information technology -- Cybersecurity -- Overview and concepts

This document provides an overview of cybersecurity. This document: — describes cybersecurity and relevant concepts, including how it is related to and different from information security; — establishes the context of cybersecurity; — does not cover all terms and definitions applicable to cybersecurity; and — does not limit other standards in defining new cybersecurity-related terms for use. This document is applicable to all types and sizes of organization (e.g. commercial enterprises, governme...view more

    • sale 15% off
    • Technical specification
      17 pages
      English language
    • sale 15% off
    • Draft
      17 pages
      English language
ISO
ISO/IEC 27014:2020(Main)
Information security, cybersecurity and privacy protection -- Governance of information security

This document provides guidance on concepts, objectives and processes for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security-related processes within the organization. The intended audience for this document is: — governing body and top management; — those who are responsible for evaluating, directing and monitoring an information security management system (ISMS) based on ISO/IEC 27001; — those responsible for in...view more

    • sale 15% off
    • Standard
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
    • sale 15% off
    • Draft
      15 pages
      English language
ISO
ISO/IEC 20897-1:2020(Main)
Information security, cybersecurity and privacy protection -- Physically unclonable functions

This document specifies the security requirements for physically unclonable functions (PUFs). Specified security requirements concern the output properties, tamper-resistance and unclonability of a single and a batch of PUFs. Since it depends on the application which security requirements a PUF needs to meet, this documents also describes the typical use cases of a PUF. Amongst PUF use cases, random number generation is out of scope in this document.

    • sale 15% off
    • Standard
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
    • sale 15% off
    • Draft
      16 pages
      English language
ISO
ISO/IEC 18032:2020(Main)
Information security -- Prime number generation

This document specifies methods for generating and testing prime numbers as required in cryptographic protocols and algorithms. Firstly, this document specifies methods for testing whether a given number is prime. The testing methods included in this document are divided into two groups: — probabilistic primality tests, which have a small error probability. All probabilistic tests described here can declare a composite to be a prime; — deterministic methods, which are guaranteed to give the righ...view more

    • sale 15% off
    • Standard
      33 pages
      English language
    • sale 15% off
    • Draft
      33 pages
      English language
    • sale 15% off
    • Draft
      36 pages
      English language
ISO
ISO/IEC 19772:2020(Main)
Information security -- Authenticated encryption

This document specifies five methods for authenticated encryption, i.e. defined ways of processing a data string with the following security objectives: — data confidentiality, i.e. protection against unauthorized disclosure of data; — data integrity, i.e. protection that enables the recipient of data to verify that it has not been modified; — data origin authentication, i.e. protection that enables the recipient of data to verify the identity of the data originator. All five methods specified i...view more

    • sale 15% off
    • Standard
      26 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 11770-5:2020(Main)
Information security -- Key management

This document specifies mechanisms to establish shared symmetric keys between groups of entities. It defines: — symmetric key-based key establishment mechanisms for multiple entities with a key distribution centre (KDC); and — symmetric key establishment mechanisms based on a general tree-based logical key structure with both individual rekeying and batch rekeying. It also defines key establishment mechanisms based on a key chain with group forward secrecy, group backward secrecy or both group f...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 15% off
    • Draft
      18 pages
      English language
    • sale 15% off
    • Draft
      18 pages
      English language
ISO
ISO/IEC 19989-2:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to the security evaluation of biometric recognition performance applying the ISO/IEC 15408 series. It provides requirements and recommendations to the developer and the evaluator for the supplementary activities on biometric recognition performance specified in ISO/IEC 19989-1. The evaluation of presentation attack detection techniques is out of the scope of this document ex...view more

    • sale 15% off
    • Standard
      33 pages
      English language
    • sale 15% off
    • Draft
      42 pages
      English language
ISO
ISO/IEC 19989-1:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric recognition performance and presentation attack detection for biometric verification systems and biometric identification systemsthis document specifies: — extended security functional components to SFR Classes in ISO/IEC 15408-2; — supplementary activities to methodology specified in ISO/IEC 18045 for SAR Classes of ISO/IEC 15408-3. This document introduces the general framework for the security evaluation of biometric systems, including extended security fu...view more

    • sale 15% off
    • Standard
      62 pages
      English language
    • sale 15% off
    • Draft
      83 pages
      English language
ISO
ISO/IEC 19989-3:2020(Main)
Information security -- Criteria and methodology for security evaluation of biometric systems

For security evaluation of biometric verification systems and biometric identification systems, this document is dedicated to security evaluation of presentation attack detection applying the ISO/IEC 15408 series. It provides recommendations and requirements to the developer and the evaluator for the supplementary activities on presentation attack detection specified in ISO/IEC 19989-1. This document is applicable only to TOEs for single biometric characteristic type but for the selection of a c...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 27035-3:2020(Main)
Information technology -- Information security incident management

This document gives guidelines for information security incident response in ICT security operations. This document does this by firstly covering the operational aspects in ICT security operations from a people, processes and technology perspective. It then further focuses on information security incident response in ICT security operations including information security incident detection, reporting, triage, analysis, response, containment, eradication, recovery and conclusion. This document is...view more

    • sale 15% off
    • Standard
      31 pages
      English language
    • sale 15% off
    • Draft
      32 pages
      English language
ISO
ISO/IEC 13888-1:2020(Main)
Information security -- Non-repudiation

This document serves as a general model for subsequent parts specifying non-repudiation mechanisms using cryptographic techniques. The ISO/IEC 13888 series provides non-repudiation mechanisms for the following phases of non-repudiation: — evidence generation; — evidence transfer, storage and retrieval; and — evidence verification. Dispute arbitration is outside the scope of the ISO/IEC 13888 series.

    • sale 15% off
    • Standard
      20 pages
      English language
    • sale 15% off
    • Draft
      20 pages
      English language
ISO
ISO/IEC 13888-3:2020(Main)
Information security -- Non-repudiation

This document specifies mechanisms for the provision of specific, communication-related, non‑repudiation services using asymmetric cryptographic techniques.

    • sale 15% off
    • Standard
      13 pages
      English language
    • sale 15% off
    • Draft
      14 pages
      English language
ISO
ISO/IEC 18033-4:2011/Amd 1:2020(Amendment)
ZUC
    • sale 15% off
    • Standard
      12 pages
      English language
    • sale 15% off
    • Draft
      11 pages
      English language
ISO
ISO/IEC 29184:2020(Main)
Information technology -- Online privacy notices and consent

This document specifies controls which shape the content and the structure of online privacy notices as well as the process of asking for consent to collect and process personally identifiable information (PII) from PII principals. This document is applicable in any online context where a PII controller or any other entity processing PII informs PII principals of processing.

    • sale 15% off
    • Standard
      25 pages
      English language
    • sale 15% off
    • Draft
      25 pages
      English language
ISO
ISO/IEC 27009:2020(Main)
Information security, cybersecurity and privacy protection -- Sector-specific application of ISO/IEC 27001 -- Requirements
oSIST ISO/IEC DIS 27009:2019

This document specifies the requirements for creating sector-specific standards that extend ISO/IEC 27001, and complement or amend ISO/IEC 27002 to support a specific sector (domain, application area or market). This document explains how to: — include requirements in addition to those in ISO/IEC 27001, — refine or interpret any of the ISO/IEC 27001 requirements, — include controls in addition to those of ISO/IEC 27001:2013, Annex A and ISO/IEC 27002, — modify any of the controls of ISO/IEC 2700...view more

    • sale 15% off
    • Standard
      18 pages
      English language
    • sale 10% off
    • Draft
      24 pages
      English language
    • e-Library read for
      1 day
ISO
ISO/IEC 27006:2015/Amd 1:2020(Amendment)
ISO/IEC 27006:2015/Amd 1:2020
    • sale 15% off
    • Standard
      2 pages
      English language
    • sale 15% off
    • Standard
      2 pages
      French language
ISO
ISO/IEC 20085-2:2020(Main)
IT Security techniques -- Test tool requirements and test tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic modules

This document specifies the test calibration methods and apparatus used when calibrating test tools for cryptographic modules under ISO/IEC 19790 and ISO/IEC 24759 against the test metrics defined in ISO/IEC 17825 for mitigation of non-invasive attack classes.

    • sale 15% off
    • Standard
      17 pages
      English language
ISO
ISO/IEC 9797-3:2011/Amd 1:2020(Amendment)
ISO/IEC 9797-3:2011/Amd 1:2020
    • sale 15% off
    • Standard
      2 pages
      English language