IT security techniques - Competence requirements for information security testers and evaluators - Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluators (ISO/IEC 19896-3:2018)

This document provides the specialized requirements to demonstrate competence of individuals in
performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC
18045.

IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von Informationssicherheit - Teil 3: Anforderungen an die Kenntnisse, Fähigkeiten und Effektivität von Evaluatoren nach ISO/IEC 15408 (ISO/IEC 19896‑3:2018)

Techniques de sécurité IT - Exigences en matière de compétences des spécialistes en tests et évaluations de la sécurité de l'information - Partie 3: Exigences en matière de connaissances, compétences et efficacité des spécialistes en évaluations ISO/IEC 15408 (ISO/IEC 19896-3:2018)

Le présent document fournit les exigences spécifiques permettant de démontrer la compétence des personnes pour effectuer des évaluations de la sécurité des produits IT conformément à l'ISO/IEC 15408 (toutes les parties) et à l'ISO/IEC 18045.

IT varnostne tehnike - Zahteve za usposobljenost za preskuševalce in ocenjevalce informacijske varnosti - 3. del: Zahteve glede znanja, veščin in učinkovitosti za ocenjevalce ISO/IEC 15408 (ISO/IEC 19896-3:2018)

General Information

Status
Not Published
Public Enquiry End Date
13-Nov-2022
Technical Committee
Current Stage
4020 - Public enquire (PE) (Adopted Project)
Start Date
22-Sep-2022
Due Date
09-Feb-2023

Buy Standard

Draft
oSIST prEN ISO/IEC 19896-3:2022
English language
39 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 19896-3:2022
01-november-2022
IT varnostne tehnike - Zahteve za usposobljenost za preskuševalce in ocenjevalce

informacijske varnosti - 3. del: Zahteve glede znanja, veščin in učinkovitosti za

ocenjevalce ISO/IEC 15408 (ISO/IEC 19896-3:2018)

IT security techniques - Competence requirements for information security testers and

evaluators - Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408

evaluators (ISO/IEC 19896-3:2018)
IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von

Informationssicherheit - Teil 3: Anforderungen an die Kenntnisse, Fähigkeiten und

Effektivität von Evaluatoren nach ISO/IEC 15408 (ISO/IEC 19896‑3:2018)

Techniques de sécurité IT - Exigences en matière de compétences des spécialistes en

tests et évaluations de la sécurité de l'information - Partie 3: Exigences en matière de

connaissances, compétences et efficacité des spécialistes en évaluations ISO/IEC
15408 (ISO/IEC 19896-3:2018)
Ta slovenski standard je istoveten z: prEN ISO/IEC 19896-3
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 19896-3:2022 en,fr,de

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
INTERNATIONAL ISO/IEC
STANDARD 19896-3
First edition
2018-08
IT security techniques — Competence
requirements for information security
testers and evaluators —
Part 3:
Knowledge, skills and effectiveness
requirements for ISO/IEC 15408
evaluators
Techniques de sécurité IT — Exigences en matière de compétences des
spécialistes en tests et évaluations de la sécurité de l'information —
Partie 3: Exigences en matière de connaissances, compétences et
efficacité des spécialistes en évaluations ISO/IEC 15408
Reference number
ISO/IEC 19896-3:2018(E)
ISO/IEC 2018
---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018

All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may

be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting

on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address

below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved
---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
Contents Page

Foreword ..........................................................................................................................................................................................................................................v

Introduction ................................................................................................................................................................................................................................vi

1 Scope ................................................................................................................................................................................................................................. 1

2 Normative references ...................................................................................................................................................................................... 1

3 Terms and definitions ..................................................................................................................................................................................... 1

4 Knowledge ................................................................................................................................................................................................................... 2

4.1 General ........................................................................................................................................................................................................... 2

4.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045 .................................................................................................. 2

4.2.1 ISO/IEC 15408-1 .............................................................................................................................................................. 2

4.2.2 ISO/IEC 15408-2 .............................................................................................................................................................. 2

4.2.3 ISO/IEC 15408-3 .............................................................................................................................................................. 2

4.2.4 ISO/IEC 18045 ................................................................................................................................................................... 3

4.3 Knowledge of the assurance paradigm .............................................................................................................................. 3

4.3.1 Knowledge of the evaluation authority ........................................................................................................ 3

4.3.2 Knowledge of the evaluation scheme ............................................................................................................ 3

4.3.3 Knowledge of the laboratory and it’s management system ....................................................... 4

4.4 Knowledge of information security ...................................................................................................................................... 4

4.5 Knowledge of the technology being evaluated ............................................................................................................ 5

4.5.1 Knowledge of the technology being evaluated ...................................................................................... 5

4.5.2 Protection Profiles, packages and supporting documents .......................................................... 5

4.6 Knowledge required for specific assurance classes ................................................................................................ 5

4.7 Knowledge required when evaluating specific security functional requirements....................... 6

4.8 Knowledge needed when evaluating specific technologies ............................................................................. 6

5 Skills .................................................................................................................................................................................................................................. 6

5.1 Basic evaluation skills ....................................................................................................................................................................... 6

5.1.1 Evaluation methods ........................................................................................................................................... ............ 6

5.1.2 Evaluation tools ................................................................................................................................................................ 6

5.2 Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045 .................................................... 7

5.2.1 Evaluation principles ................................................................................................................................................... 7

5.2.2 Evaluation methods and activities.................................................................................................................... 7

5.3 Skills required when evaluating specific security assurance classes....................................................... 8

5.3.1 General...................................................................................................................................................................................... 8

5.3.2 ADV (Development) Class ........................................................................................................................................ 8

5.3.3 AGD (Guidance Documents) Class .................................................................................................................... 9

5.3.4 ALC (Life-Cycle Support) Class ............................................................................................................................ 9

5.3.5 ASE and APE (ST and PP evaluation) Classes .................. .....................................................................10

5.3.6 ATE (Tests) Class ...................................................................... .....................................................................................10

5.3.7 AVA (Vulnerability Assessment) Class ........................................................................................................11

5.3.8 ACO (Composition) Class .......................................................................................................................................12

5.4 Skills required when evaluating specific security functional requirement classes ..................12

5.4.1 General...................................................................................................................................................................................12

5.4.2 Skills required when evaluating the FCS (Cryptographic support) Class ....................13

5.5 Skills needed when evaluating specific technologies .........................................................................................13

6 Experience................................................................................................................................................................................................................13

7 Education ...................................................................................................................................................................................................................13

8 Effectiveness ...........................................................................................................................................................................................................14

8.1 General ........................................................................................................................................................................................................14

8.2 Effectiveness of the evaluation ...............................................................................................................................................14

8.3 Evaluation scheme responsibilities for evaluator effectiveness................................................................14

8.4 Effectiveness in performing timely evaluations ......................................................................................................14

8.5 Effectiveness in performing accurate evaluations.................................................................................................14

© ISO/IEC 2018 – All rights reserved iii
---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

8.6 Effectiveness in reporting results ........................................................................................................................................14

Annex A (informative) Technology types: Knowledge and skills .........................................................................................15

Annex B (informative) Examples of knowledge required for evaluating security assurance

requirement classes .......................................................................................................................................................................................20

Annex C (informative) Examples of knowledge required for evaluating security functional

requirement classes .......................................................................................................................................................................................27

Bibliography .............................................................................................................................................................................................................................30

iv © ISO/IEC 2018 – All rights reserved
---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
Foreword

ISO (the International Organization for Standardization) and IEC (the International Electrotechnical

Commission) form the specialized system for worldwide standardization. National bodies that are

members of ISO or IEC participate in the development of International Standards through technical

committees established by the respective organization to deal with particular fields of technical

activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international

organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the

work. In the field of information technology, ISO and IEC have established a joint technical committee,

ISO/IEC JTC 1.

The procedures used to develop this document and those intended for its further maintenance are

described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for

the different types of document should be noted. This document was drafted in accordance with the

editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject

of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent

rights. Details of any patent rights identified during the development of the document will be in the

Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).

Any trade name used in this document is information given for the convenience of users and does not

constitute an endorsement.

For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and

expressions related to conformity assessment, as well as information about ISO's adherence to the

World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso

.org/iso/foreword .html.

This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,

Subcommittee SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.

Any feedback or questions on this document should be directed to the user’s national standards body. A

complete listing of these bodies can be found at www .iso .org/members .html.
© ISO/IEC 2018 – All rights reserved v
---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
Introduction

The ISO/IEC 15408 series permits comparability between the results of independent security

evaluations. It does so by providing a common set of requirements for the security functionality of IT

products and for assurance measures applied to these IT products during a security evaluation. Many

certification and evaluation schemes as well as evaluation authorities have been developed using the

ISO/IEC 15408 series and ISO/IEC 18045 as a basis, which permits comparability between the results

of evaluation projects.

One important factor in assuring comparability of the results of such evaluations is to understand

that the evaluation process includes the specification of both objective and subjective assurance

measures. Hence, the competence of the individual evaluators is important when the comparability and

repeatability of evaluation results are the foundation for mutual recognition.

ISO/IEC 17025, provides general requirements for the competence of testing and calibration

laboratories. In ISO/IEC 17025:2017, 5.2.1, it is stated that "Personnel performing specific tasks shall be

qualified on the basis of appropriate education, training, experience and/or demonstrated skills".

This document establishes a baseline for the minimum competence of ISO/IEC 15408 evaluators

with the goal of establishing conformity in the requirements for the training of ISO/IEC 15408

evaluator professionals associated with IT product evaluation schemes and authorities. It provides

the specialized requirements to demonstrate the competence of individuals in performing IT product

security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045. ISO/IEC 15408-

1 describes the general framework for competences including the various elements of competence;

knowledge, skills, experience, education and effectiveness. This document includes knowledge and

skills especially in the following areas.
— Information security

Knowledge: Information security principles, information security properties, information security

threats and vulnerabilities
Skills: Understand information security requirements, understand the context
— Information security evaluation
Knowledge: Knowledge of ISO/IEC 15408 (all parts) and ISO/IEC 18045, laboratory
management system

Skills: Basic evaluation skills, core evaluation skills, skills required when evaluating specific

security assurance classes, skills required when evaluating specific security functional

requirements classes
— Information systems architecture
Knowledge: Technology being evaluated
Skills: Understand the interaction of security components and information
— Information security testing

Knowledge: Information security testing techniques, information security testing tools, product

development lifecycle, test types

Skills: Create and manage an information security test plan, design information security tests,

prepare and conduct information security tests

The audience for this document includes validation and certification authorities, testing laboratory

accreditation bodies, evaluation schemes, laboratories, evaluators and organizations offering

professional credentialing.
vi © ISO/IEC 2018 – All rights reserved
---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
INTERNATIONAL STANDARD ISO/IEC 19896-3:2018(E)
IT security techniques — Competence requirements for
information security testers and evaluators —
Part 3:
Knowledge, skills and effectiveness requirements for ISO/
IEC 15408 evaluators
1 Scope

This document provides the specialized requirements to demonstrate competence of individuals

in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and

ISO/IEC 18045.
2 Normative references

The following documents are referred to in the text in such a way that some or all of their content

constitutes requirements of this document. For dated references, only the edition cited applies. For

undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 19896-1, IT security techniques — Competence requirements for information security testers and

evaluators — Part 1: Introduction, concepts and general requirements

ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT

security

ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation

ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories

3 Terms and definitions

For the purposes of this document, the terms and definitions given in ISO/IEC 19896-1, ISO/IEC 15408-

1, ISO/IEC 17025, ISO/IEC 18045 and the following apply.

ISO and IEC maintain terminological databases for use in standardization at the following addresses:

— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
3.1
evaluation scheme

organization implementing policies and a set of rules established by an evaluation authority, defining

the evaluation environment, including criteria and methodology required to conduct IT security

evaluations
3.2
subjective method
method based on a given person's experience, and understanding
© ISO/IEC 2018 – All rights reserved 1
---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
4 Knowledge
4.1 General

Knowledge is what an evaluator knows and can describe. Subclauses 4.2 to 4.8 address the knowledge

that is needed for evaluation to ISO/IEC 15408 (all parts) and ISO/IEC 18045.
4.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045
4.2.1 ISO/IEC 15408-1
All evaluators shall have knowledge of:
a) the terms and definitions defined in ISO/IEC 15408-1;
b) the terms and definitions defined in ISO/IEC 18045;
c) the context for ISO/IEC 15408 evaluations;
d) the general model for the ISO/IEC 15408 series given in ISO/IEC 15408-1;

e) tailoring security requirements: operations, dependencies between components and extended

components;
f) protection profiles and packages;
g) evaluation results; and
h) the specification of security targets.
4.2.2 ISO/IEC 15408-2

All evaluators shall have knowledge of those security functional requirements (SFRs) of ISO/IEC 15408-

2 which are used for the technology types the evaluator is authorized to work with, as well as any

dependent SFRs. The classes of SFRs given in ISO/IEC 15408-2 are:
a) security audit (FAU);
b) communication (FCO);
c) cryptographic support (FCS);
d) user data protection (FDP);
e) identification and authentication (FIA);
f) security management (FMT);
g) privacy (FPR);
h) protection of the target of evaluation security functions (FPT);
i) resource utilisation (FRU);
j) target of evaluation access (FTA); and
k) trusted path/channels (FTP).
4.2.3 ISO/IEC 15408-3

All evaluators shall have knowledge of the security assurance requirements (SARs) given in ISO/

IEC 15408-3 which are specified by Security Targets (ST) that the evaluator is authorized to work with.

2 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

The knowledge of particular SAR components shall include those to which the evaluator is authorized

to work at. The classes of SARs given in ISO/IEC 15408-3 are:
a) development (ADV);
b) guidance documentation (AGD);
c) life-cycle support (ALC);
d) security target structure (ASE);
e) protection profile structure (APE);
f) tests (ATE);
g) vulnerability assessment (AVA); and
h) composition (ACO).
4.2.4 ISO/IEC 18045
All evaluators shall have knowledge of:

a) the evaluation process: this process is described in ISO/IEC 18045:2008, Clause 8; and

b) security evaluation method and activities: this information is given in ISO/IEC 18045.

4.3 Knowledge of the assurance paradigm
4.3.1 Knowledge of the evaluation authority

All evaluators shall have knowledge of the requirements of the evaluation authority or evaluation

authorities that are applicable to the evaluation schemes for which they are authorized to work.

NOTE Examples of such evaluation authorities include "Common Criteria Recognition Agreement (CCRA)"

and the "Senior Officials Group Information Systems Security (SOG-IS)".
Requirements from evaluation authorities can include topics such as:
a) the scope of the evaluation authority;
b) recognition arrangements;
c) evaluation authority policies;
d) guidance to evaluation schemes, validators and evaluators;
e) interpretations;
f) supporting documents;
g) knowledge of related standards; and
h) quality requirements.
4.3.2 Knowledge of the evaluation scheme

Evaluation schemes typically define operational aspects such as policies, and procedures that are

specific to the evaluation scheme. Such items are often based on the scope of the evaluation scheme.

All evaluators shall have knowledge of:

a) The requirements of the evaluation scheme or schemes for which they are authorized to work;

© ISO/IEC 2018 – All rights reserved 3
---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
EXAMPLE
— any sector specific policies, regulations and legislation;
— laboratory approval requirements for the evaluation scheme;

— evaluation scheme policies in regard to evaluation projects including entry criteria, time limits, report

requirements, site visit requirements;
— guidance to validators and evaluators;
— evaluation scheme specific interpretations;
— evaluation scheme specific guidance;
— approved protection profiles and their supporting documents;
— evaluation scheme specific assurance methods and activities; and
— reporting requirements.
b) the competence requirements of the evaluation scheme for evaluators.

NOTE See ISO/IEC 18045:2008, A.5 for guidance to evaluation schemes on this topic.

4.3.3 Knowledge of the laboratory and it’s management system
All evaluators shall have knowledge of:

a) the laboratory’s management system, including policies, processes and procedures that are

applicable to evaluators;
b) laboratory approved methods; and
c) laboratory competence requirements.

NOTE Management systems vary greatly in their implementations. However, items such as document

control, record control, control of nonconforming testing and/or calibration work, handling of technical records,

and conflict of interest are often the direct responsibility of evaluators. Most laboratory management systems

are based on ISO/IEC 17025.
4.4 Knowledge of information security
All evaluators shall have knowledge of:
a) security principles;
b) security properties;
c) mechanisms of attack;
d) concepts of attack potential;
e) secure development life cycles;
f) security testing; and
g) vulnerabilities and weaknesses.
4 © ISO/IEC 2018 – All rights reserved
---------------------- Page: 12 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)
4.5 Knowledge of the technology being evaluated
4.5.1 Knowledge of the technology being evaluated

ISO/IEC 15408 (all parts) and ISO/IEC 18045 can be used in the evaluation of a wide variety of

information technologies. These technologies are often classified into various technology types by

evaluation schemes, evaluation authorities or others.

All evaluators shall have knowledge of the information technology types being evaluated by them,

including the common security architectures deployed for that technology type.

NOTE Annex A provides an informative list of knowledge topics presented by commonly identified

technology types.
EXAMPLE Commonly identified technology types include:
— access control devices and systems;
— encryption, key management and PKI systems, products for digital signatures;
— databases;
— operating systems;
— network and network-related devices and systems;
— mobile devices and systems;
— multi-function devices;
— ICs, smart cards and smart-card related devices and systems;
— hardware devices;
— detection devices and systems; and
— data protection, biometric systems and devices, trusted computing.
4.5.2 Protection Profiles, packages and supporting documents

All evaluators shall have knowledge of the following, where they are applicable for the information

technology evaluated by them:

a) protection profiles, packages and any related supporting documents specified in connection with

the evaluator's work;

b) the knowledge required to meet any additional evaluation methods and assurance activities

specified as applicable to an evaluation;

c) how to determine if any interpretations or guidance in regard to protection profiles, packages and

related supporting documents have been issued and whether they are applicable to a particular

evaluation project.
4.6 Knowledge required for specific assurance classes

Evaluators need the knowledge required by the evaluation methods and activities specified for the

assurance classes for which they are authorized to work. Examples for the knowledge required by ISO/

IEC 18045 are given in Annex B.
© ISO/IEC 2018 – All rights reserved 5
---------------------- Page: 13 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

4.7 Knowledge required when evaluating specific security functional requirements

Evaluators shall have the knowledge required as given by the security functional requirements they

are authorized to evaluate as specified in ISO/IEC 15408-2. Examples for the knowledge required by

ISO/IEC 15408-2 are given in Annex C.
4.8 Knowledge needed when evaluating specific technologies

Since technology can vary and are continually evolving it is not possible to identify all the skills

required. Annex A provides an informative list of both knowledge and skills for many technologies. In

addition, the Bibliography gives many technology related references.

Technology related knowledge can be obtained through experience with that technology. Such

experience can be developed by:
a) participating in education in regard to the technology;
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.