Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC DIS 15408-1:2024)

This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by the various parts of the ISO/IEC 15408 series, which as a whole is intended to serve as the basis for evaluating the security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the series; defines the terms and abbreviations used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context; and describes the audience to which the evaluation criteria are addressed. It also introduces the basic security concepts necessary for the evaluation of IT products.
This document introduces:
—    the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
—    a description of the organization of security components throughout the model;
—    the various operations by which the functional and assurance components given in ISO/IEC 15408‑2 and ISO/IEC 15408‑3 can be tailored through the use of permitted operations;
—    general information about the evaluation methods given in ISO/IEC 18045;
—    guidance for the application of ISO/IEC 15408‑4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
—    general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408‑5;
—    information regarding the scope of evaluation schemes.


General Information

Status
Not Published
Public Enquiry End Date
10-Nov-2024
Technical Committee
Current Stage
4020 - Public enquiry (PE) (Adopted Project)
Start Date
16-Sep-2024
Due Date
03-Feb-2025

Relations

Buy Standard

Draft
prEN ISO/IEC 15408-1:2024 - BARVE
English language
150 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-November-2024
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC DIS 15408-1:2024)
This Slovenian standard is identical to: prEN ISO/IEC 15408-1
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

DRAFT International Standard ISO/IEC DIS 15408-1
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-08-19
Voting terminates on: 2024-11-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
ICS: 35.030
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
Reference number: ISO/IEC DIS 15408-1:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents (Page)
Foreword ... vi
Introduction ... viii
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
4 Abbreviated terms ... 13
5 Overview ... 15
5.1 General ... 15
5.2 ISO/IEC 15408 series description ... 15
5.2.1 General ... 15
5.2.2 Audience ... 15
5.3 Target of evaluation (TOE) ... 18
5.3.1 General ... 18
5.3.2 TOE boundaries ... 19
5.3.3 Different representations of the TOE ... 19
5.3.4 Different configurations of the TOE ... 19
5.3.5 Operational environment of the TOE ... 20
5.4 Presentation of material in this document ... 20
6 General model ... 20
6.1 Background ... 20
6.2 Assets and security controls ... 21
6.3 Core constructs of the paradigm of the ISO/IEC 15408 series ... 23
6.3.1 General ... 23
6.3.2 Conformance types ... 24
6.3.3 Communicating security requirements ... 24
6.3.4 Meeting the needs of consumers (risk owners) ... 27
7 Specifying security requirements ... 28
7.1 Security problem definition (SPD) ... 28
7.1.1 General ... 28
7.1.2 Threats ... 28
7.1.3 Organizational security policies (OSPs) ... 29
7.1.4 Assumptions ... 29
7.2 Security objectives ... 30
7.2.1 General ... 30
7.2.2 Security objectives for the TOE ... 30
7.2.3 Security objectives for the operational environment ... 31
7.2.4 Relation between security objectives and the SPD ... 31
7.2.5 Tracing between security objectives and the SPD ... 31
7.2.6 Providing a justification for the tracing ... 32
7.2.7 On countering threats ... 32
7.2.8 Security objectives: conclusion ... 33
7.3 Security requirements ... 33
7.3.1 General ... 33
7.3.2 Security Functional Requirements (SFRs) ... 33
7.3.3 Security Assurance Requirements (SARs) ... 36
7.3.4 Security requirements: conclusion ... 36
8 Security components ... 38
8.1 Hierarchical structure of security components ... 38
8.1.1 General ... 38
8.1.2 Class ... 38
8.1.3 Family ... 38
8.1.4 Component ... 38

----------------------
...
