SIST EN ISO/IEC 15408-3:2024
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Teil 3: Sicherheit Gewährleistungskomponenten (ISO/IEC 15408-3:2022)
This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, as well as the criteria for the evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants d'assurance de sécurité (ISO/IEC 15408-3:2022)
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC 15408-3:2022)
This document defines the security assurance requirements of the ISO/IEC 15408 family of standards. It includes the individual security assurance components from which the evaluation assurance levels and other packages of ISO/IEC 15408-5 are composed, and the criteria for evaluating Protection Profiles, PP-Configurations, PP-Modules and Security Targets.
General Information
- Status: Published
- Public Enquiry End Date: 13-Oct-2023
- Publication Date: 11-Apr-2024
- Technical Committee: ITC - Information technology
- Current Stage: 6060 - National Implementation/Publication (Adopted Project)
- Start Date: 20-Mar-2024
- Due Date: 25-May-2024
- Completion Date: 12-Apr-2024
Relations
- Effective Date: 01-May-2024
- Effective Date: 22-May-2024
Overview
EN ISO/IEC 15408-3:2023 (aligned with ISO/IEC 15408-3:2022) is the Part 3 specification of the ISO/IEC 15408 series, commonly known as the Common Criteria. This European adoption by CEN defines the security assurance components used to build evaluation assurance levels (EALs) and assurance packages. It establishes the assurance requirements and the criteria for evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
Key topics and technical requirements
- Assurance paradigm and evaluation scale: Describes the assurance approach, significance and causes of vulnerabilities, and the ISO/IEC 15408 evaluation assurance scale used to express confidence in security functions.
- Assurance class, family and component structure: Defines how assurance classes are organized into families and individual components, including naming, introductions and objectives.
- Component levelling and dependencies: Components are leveled (to indicate strength/rigor) and include explicit dependencies and application notes to guide evaluation scope.
- Assurance elements: Breaks components down into measurable elements (work units for evaluators) used during evaluation.
- Protection Profile and Security Target evaluation: Contains specific classes (e.g., APE - PP evaluation, ACE - PP-Module/Configuration evaluation) and components such as APE_INT, APE_CCL, APE_SPD, APE_OBJ, APE_REQ for documenting PP/ST introductions, conformance claims, problem definitions, objectives and requirements.
- Taxonomy and application guidance: Provides a standardized taxonomy and guidance to ensure consistent interpretation across evaluations and national schemes.
Practical applications and users
- Evaluation laboratories and certification bodies use this document to structure and perform conformity assessments against Protection Profiles and Security Targets.
- Product vendors and developers rely on the assurance components to prepare Security Targets and evidence packages that meet required assurance levels.
- Security architects and system integrators consult it to design systems whose security claims can be evaluated and certified.
- Procurement teams and regulators reference the standard when specifying required assurance levels or accepting certified IT products for sensitive environments.
Related standards
- ISO/IEC 15408 (Common Criteria) - the series within which Part 3 sits.
- EN ISO/IEC 15408-5 - defines evaluation assurance levels and packages composed from the components in Part 3.
Keywords: EN ISO/IEC 15408-3:2023, ISO/IEC 15408-3:2022, Common Criteria, security assurance components, Protection Profile evaluation, Security Target, evaluation assurance levels, IT security assurance, cybersecurity standard.
Frequently Asked Questions
SIST EN ISO/IEC 15408-3:2024 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)". Its scope is as follows: this document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
SIST EN ISO/IEC 15408-3:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN ISO/IEC 15408-3:2024 has the following relationships with other standards: it has inter-standard links to SIST EN ISO/IEC 15408-3:2020 and oSIST prEN ISO/IEC 15408-3:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase SIST EN ISO/IEC 15408-3:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.
Standards Content (Sample)
SLOVENIAN STANDARD
01 May 2024
Supersedes:
SIST EN ISO/IEC 15408-3:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC 15408-3:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Teil 3: Sicherheit Gewährleistungskomponenten (ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants d'assurance de sécurité (ISO/IEC 15408-3:2022)
This Slovenian standard is identical to: EN ISO/IEC 15408-3:2023
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
EUROPEAN STANDARD EN ISO/IEC 15408-3
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-3:2020
English version
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants d'assurance de sécurité (ISO/IEC 15408-3:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Teil 3: Sicherheit Gewährleistungskomponenten (ISO/IEC 15408-3:2022)
This European Standard was approved by CEN on 20 November 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 15408-3:2023 E
Contents
European foreword
European foreword
The text of ISO/IEC 15408-3:2022 has been prepared by Technical Committee ISO/IEC JTC 1 “Information technology” of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 15408-3:2023 by Technical Committee CEN-CENELEC/JTC 13 “Cybersecurity and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-3:2020.
Any feedback and questions on this document should be directed to the users’ national standards body. A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-3:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-3:2023 without any modification.
INTERNATIONAL STANDARD ISO/IEC 15408-3
Fourth edition
2022-08
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Partie 3: Composants d'assurance de sécurité
Reference number
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Overview
5 Assurance paradigm
5.1 General
5.2 ISO/IEC 15408 series approach
5.3 Assurance approach
5.3.1 General
5.3.2 Significance of vulnerabilities
5.3.3 Cause of vulnerabilities
5.3.4 ISO/IEC 15408 series assurance
5.3.5 Assurance through evaluation
5.4 ISO/IEC 15408 series evaluation assurance scale
6 Security assurance components
6.1 General
6.2 Assurance class structure
6.2.1 General
6.2.2 Class name
6.2.3 Class introduction
6.2.4 Assurance families
6.3 Assurance family structure
6.3.1 Family name
6.3.2 Objectives
6.3.3 Component levelling
6.3.4 Application notes
6.3.5 Assurance components
6.4 Assurance component structure
6.4.1 General
6.4.2 Component identification
6.4.3 Objectives
6.4.4 Application notes
6.4.5 Dependencies
6.4.6 Assurance elements
6.5 Assurance elements
6.6 Component taxonomy
7 Class APE: Protection Profile (PP) evaluation
7.1 General
7.2 PP introduction (APE_INT)
7.2.1 Objectives
7.2.2 APE_INT.1 PP introduction
7.3 Conformance claims (APE_CCL)
7.3.1 Objectives
7.3.2 APE_CCL.1 Conformance claims
7.4 Security problem definition (APE_SPD)
7.4.1 Objectives
7.4.2 APE_SPD.1 Security problem definition
7.5 Security objectives (APE_OBJ)
7.5.1 Objectives
7.5.2 Component levelling
7.5.3 APE_OBJ.1 Security objectives for the operational environment
7.5.4 APE_OBJ.2 Security objectives
7.6 Extended components definition (APE_ECD)
7.6.1 Objectives
7.6.2 APE_ECD.1 Extended components definition
7.7 Security requirements (APE_REQ)
7.7.1 Objectives
7.7.2 Component levelling
7.7.3 APE_REQ.1 Direct rationale PP-Module security requirements
7.7.4 APE_REQ.2 Derived security requirements
8 Class ACE: Protection Profile Configuration evaluation
8.1 General
8.2 PP-Module introduction (ACE_INT)
8.2.1 Objectives
8.2.2 ACE_INT.1 PP-Module introduction
8.3 PP-Module conformance claims (ACE_CCL)
8.3.1 Objectives
8.3.2 ACE_CCL.1 PP-Module conformance claims
8.4 PP-Module security problem definition (ACE_SPD)
8.4.1 Objectives
8.4.2 ACE_SPD.1 PP-Module security problem definition
8.5 PP-Module security objectives (ACE_OBJ)
8.5.1 Objectives
8.5.2 Component levelling
8.5.3 ACE_OBJ.1 PP-Module security objectives for the operational environment
8.5.4 ACE_OBJ.2 PP-Module security objectives
8.6 PP-Module extended components definition (ACE_ECD)
8.6.1 Objectives
8.6.2 ACE_ECD.1 PP-Module extended components definition
8.7 PP-Module security requirements (ACE_REQ)
8.7.1 Objectives
8.7.2 Component levelling
8.7.3 ACE_REQ.1 PP-Module stated security requirements
8.7.4 ACE_REQ.2 PP-Module derived security requirements
8.8 PP-Module consistency (ACE_MCO)
8.8.1 Objectives
8.8.2 ACE_MCO.1 PP-Module consistency
8.9 PP-Configuration consistency (ACE_CCO)
8.9.1 Objectives
8.9.2 ACE_CCO.1 PP-Configuration consistency
9 Class ASE: Security Target (ST) evaluation
9.1 General
9.2 ST introduction (ASE_INT)
9.2.1 Objectives
9.2.2 ASE_INT.1 ST introduction
9.3 Conformance claims (ASE_CCL)
9.3.1 Objectives
9.3.2 ASE_CCL.1 Conformance claims
9.4 Security problem definition (ASE_SPD)
9.4.1 Objectives
9.4.2 ASE_SPD.1 Security problem definition
9.5 Security objectives (ASE_OBJ)
9.5.1 Objectives
9.5.2 Component levelling
9.5.3 ASE_OBJ.1 Security objectives for the operational environment
9.5.4 ASE_OBJ.2 Security objectives
9.6 Extended components definition (ASE_ECD)
9.6.1 Objectives
9.6.2 ASE_ECD.1 Extended components definition
9.7 Security requirements (ASE_REQ)
9.7.1 Objectives
9.7.2 Component levelling
9.7.3 ASE_REQ.1 Direct rationale security requirements
9.7.4 ASE_REQ.2 Derived security requirements
9.8 TOE summary specification (ASE_TSS)
9.8.1 Objectives
9.8.2 Component levelling
9.8.3 ASE_TSS.1 TOE summary specification
9.8.4 ASE_TSS.2 TOE summary specification with architectural design summary
9.9 Consistency of composite product Security Target (ASE_COMP)
9.9.1 Objectives
9.9.2 Component levelling
9.9.3 Application notes
9.9.4 ASE_COMP.1 Consistency of Security Target (ST)
10 Class ADV: Development
10.1 General
10.2 Security Architecture (ADV_ARC)
10.2.1 Objectives
10.2.2 Component levelling
10.2.3 Application notes
10.2.4 ADV_ARC.1 Security architecture description
10.3 Functional specification (ADV_FSP)
10.3.1 Objectives
10.3.2 Component levelling
10.3.3 Application notes
10.3.4 ADV_FSP.1 Basic functional specification
10.3.5 ADV_FSP.2 Security-enforcing functional specification
10.3.6 ADV_FSP.3 Functional specification with complete summary
10.3.7 ADV_FSP.4 Complete functional specification
10.3.8 ADV_FSP.5 Complete semi-formal functional specification with additional error information
10.3.9 ADV_FSP.6 Complete semi-formal functional specification with additional formal specification
10.4 Implementation representation (ADV_IMP)
10.4.1 Objectives
10.4.2 Component levelling
10.4.3 Application notes
10.4.4 ADV_IMP.1 Implementation representation of the TSF
10.4.5 ADV_IMP.2 Complete mapping of the implementation representation of the TSF
10.5 TSF internals (ADV_INT)
10.5.1 Objectives
10.5.2 Component levelling
10.5.3 Application notes
10.5.4 ADV_INT.1 Well-structured subset of TSF internals
10.5.5 ADV_INT.2 Well-structured internals
10.5.6 ADV_INT.3 Minimally complex internals
10.6 Security policy modelling (ADV_SPM)
10.6.1 Objectives
10.6.2 Component levelling
10.6.3 Application notes
10.6.4 ADV_SPM.1 Formal TOE security policy model
10.7 TOE design (ADV_TDS)
10.7.1 Objectives
10.7.2 Component levelling
10.7.3 Application notes
10.7.4 ADV_TDS.1 Basic design
10.7.5 ADV_TDS.2 Architectural design
10.7.6 ADV_TDS.3 Basic modular design
10.7.7 ADV_TDS.4 Semiformal modular design
10.7.8 ADV_TDS.5 Complete semiformal modular design
10.7.9 ADV_TDS.6 Complete semiformal modular design with formal high-level design presentation
10.8 Composite design compliance (ADV_COMP)
10.8.1 Objectives
10.8.2 Component levelling
10.8.3 Application notes
10.8.4 ADV_COMP.1 Design compliance with the base component-related user guidance, ETR for composite evaluation and report of the base component evaluation authority
11 Class AGD: Guidance documents
11.1 General
11.2 Operational user guidance (AGD_OPE)
11.2.1 Objectives
11.2.2 Component levelling
11.2.3 Application notes
11.2.4 AGD_OPE.1 Operational user guidance
11.3 Preparative procedures (AGD_PRE)
11.3.1 Objectives
11.3.2 Component levelling
11.3.3 Application notes
11.3.4 AGD_PRE.1 Preparative procedures
12 Class ALC: Life-cycle support
12.1 General
12.2 CM capabilities (ALC_CMC)
12.2.1 Objectives
12.2.2 Component levelling
12.2.3 Application notes
12.2.4 ALC_CMC.1 Labelling of the TOE
12.2.5 ALC_CMC.2 Use of the CM system
12.2.6 ALC_CMC.3 Authorization controls
12.2.7 ALC_CMC.4 Production support, acceptance procedures and automation
12.2.8 ALC_CMC.5 Advanced support
12.3 CM scope (ALC_CMS)
12.3.1 Objectives
12.3.2 Component levelling
12.3.3 Application notes
12.3.4 ALC_CMS.1 TOE CM coverage
12.3.5 ALC_CMS.2 Parts of the TOE CM coverage
12.3.6 ALC_CMS.3 Implementation representation CM coverage
12.3.7 ALC_CMS.4 Problem tracking CM coverage
12.3.8 ALC_CMS.5 Development tools CM coverage
12.4 Delivery (ALC_DEL)
12.4.1 Objectives
12.4.2 Component levelling
12.4.3 Application notes
12.4.4 ALC_DEL.1 Delivery procedures
...
SLOVENSKI STANDARD
01-maj-2024
Nadomešča:
SIST EN ISO/IEC 15408-3:2020
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za
vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC
15408-3:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 3: Sicherheit Gewährleistungskomponenten
(ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants
d'assurance de sécurité (ISO/IEC 15408-3:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 15408-3:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN ISO/IEC 15408-3
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-3:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Part 3: Security
assurance components (ISO/IEC 15408-3:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Partie 3: Sicherheit - Teil 3: Sicherheit
Composants d'assurance de sécurité (ISO/IEC 15408- Gewährleistungskomponenten (ISO/IEC 15408-
3:2022) 3:2022)
This European Standard was approved by CEN on 20 November 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 15408-3:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 15408-3:2022 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-3:2023 by Technical Committee CEN-CENELEC/ JTC 13 “Cybersecurity
and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-3:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-3:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-3:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 15408-3
Fourth edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security —
Part 3:
Security assurance components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information —
Partie 3: Composants d'assurance de sécurité
Reference number
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
ISO/IEC 15408-3:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
Contents Page
Foreword .x
Introduction .xii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Overview . 5
5 Assurance paradigm .6
5.1 General . 6
5.2 ISO/IEC 15408 series approach . 6
5.3 Assurance approach . 6
5.3.1 General . 6
5.3.2 Significance of vulnerabilities . 6
5.3.3 Cause of vulnerabilities . 7
5.3.4 ISO/IEC 15408 series assurance . 7
5.3.5 Assurance through evaluation . 7
5.4 ISO/IEC 15408 series evaluation assurance scale . 8
6 Security assurance components . 8
6.1 General . 8
6.2 Assurance class structure . 8
6.2.1 General . 8
6.2.2 Class name . 8
6.2.3 Class introduction . 8
6.2.4 Assurance families . 9
6.3 Assurance family structure . 9
6.3.1 Family name . 9
6.3.2 Objectives . 9
6.3.3 Component levelling . 10
6.3.4 Application notes . 10
6.3.5 Assurance components . 10
6.4 Assurance component structure . 10
6.4.1 General . 10
6.4.2 Component identification . 11
6.4.3 Objectives . 11
6.4.4 Application notes . 11
6.4.5 Dependencies . 11
6.4.6 Assurance elements . 11
6.5 Assurance elements .12
6.6 Component taxonomy .12
7 Class APE: Protection Profile (PP) evaluation .12
7.1 General .12
7.2 PP introduction (APE_INT) . 13
7.2.1 Objectives .13
7.2.2 APE_INT.1 PP introduction . 13
7.3 Conformance claims (APE_CCL) . 14
7.3.1 Objectives . 14
7.3.2 APE_CCL.1 Conformance claims . 14
7.4 Security problem definition (APE_SPD) . 16
7.4.1 Objectives . 16
7.4.2 APE_SPD.1 Security problem definition . 16
7.5 Security objectives (APE_OBJ) . 16
7.5.1 Objectives . 16
7.5.2 Component levelling . 17
iii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
7.5.3 APE_OBJ.1 Security objectives for the operational environment . 17
7.5.4 APE_OBJ.2 Security objectives . 17
7.6 Extended components definition (APE_ECD) . 18
7.6.1 Objectives . 18
7.6.2 APE_ECD.1 Extended components definition . 18
7.7 Security requirements (APE_REQ) . 19
7.7.1 Objectives . 19
7.7.2 Component levelling . 19
7.7.3 APE_REQ.1 Direct rationale PP-Module security requirements . . 19
7.7.4 APE_REQ.2 Derived security requirements . 20
8 Class ACE: Protection Profile Configuration evaluation .22
8.1 General .22
8.2 PP-Module introduction (ACE_INT) . 22
8.2.1 Objectives .22
8.2.2 ACE_INT.1 PP-Module introduction . 22
8.3 PP-Module conformance claims (ACE_CCL) . 23
8.3.1 Objectives .23
8.3.2 ACE_CCL.1 PP-Module conformance claims . 23
8.4 PP-Module security problem definition (ACE_SPD) . 25
8.4.1 Objectives . 25
8.4.2 ACE_SPD.1 PP-Module security problem definition . 25
8.5 PP-Module security objectives (ACE_OBJ) . 26
8.5.1 Objectives . 26
8.5.2 Component levelling . 26
8.5.3 ACE_OBJ.1 PP-Module security objectives for the operational environment .26
8.5.4 ACE_OBJ.2 PP-Module security objectives. 27
8.6 PP-Module extended components definition (ACE_ECD). 27
8.6.1 Objectives . 27
8.6.2 ACE_ECD.1 PP-Module extended components definition .28
8.7 PP-Module security requirements (ACE_REQ) .28
8.7.1 Objectives .28
8.7.2 Component levelling .29
8.7.3 ACE_REQ.1 PP-Module stated security requirements .29
8.7.4 ACE_REQ.2 PP-Module derived security requirements .30
8.8 PP-Module consistency (ACE_MCO) . 31
8.8.1 Objectives . 31
8.8.2 ACE_MCO.1 PP-Module consistency . 31
8.9 PP-Configuration consistency (ACE_CCO) . 32
8.9.1 Objectives . 32
8.9.2 ACE_CCO.1 PP-Configuration consistency . 32
9 Class ASE: Security Target (ST) evaluation .36
9.1 General .36
9.2 ST introduction (ASE_INT) . 36
9.2.1 Objectives .36
9.2.2 ASE_INT.1 ST introduction .36
9.3 Conformance claims (ASE_CCL) . 37
9.3.1 Objectives . 37
9.3.2 ASE_CCL.1 Conformance claims . 37
9.4 Security problem definition (ASE_SPD) . 39
9.4.1 Objectives .39
9.4.2 ASE_SPD.1 Security problem definition .39
9.5 Security objectives (ASE_OBJ) .40
9.5.1 Objectives .40
9.5.2 Component levelling .40
9.5.3 ASE_OBJ.1 Security objectives for the operational environment .40
9.5.4 ASE_OBJ.2 Security objectives . 41
9.6 Extended components definition (ASE_ECD) . 42
iv
© ISO/IEC 2022 – All rights reserved
ISO/IEC 15408-3:2022(E)
9.6.1 Objectives . 42
9.6.2 ASE_ECD.1 Extended components definition . 42
9.7 Security requirements (ASE_REQ). 43
9.7.1 Objectives . 43
9.7.2 Component levelling . 43
9.7.3 ASE_REQ.1 Direct rationale security requirements . 43
9.7.4 ASE_REQ.2 Derived security requirements .44
9.8 TOE summary specification (ASE_TSS) . 45
9.8.1 Objectives . 45
9.8.2 Component levelling .46
9.8.3 ASE_TSS.1 TOE summary specification .46
9.8.4 ASE_TSS.2 TOE summary specification with architectural design summary .46
9.9 Consistency of composite product Security Target (ASE_COMP) . 47
9.9.1 Objectives . 47
9.9.2 Component levelling . 47
9.9.3 Application notes . 47
9.9.4 ASE_COMP.1 Consistency of Security Target (ST) .48
10 Class ADV: Development .49
10.1 General .49
10.2 Security Architecture (ADV_ARC) . 53
10.2.1 Objectives .53
10.2.2 Component levelling .53
10.2.3 Application notes .54
10.2.4 ADV_ARC.1 Security architecture description .54
10.3 Functional specification (ADV_FSP) . 55
10.3.1 Objectives . 55
10.3.2 Component levelling . 55
10.3.3 Application notes .56
10.3.4 ADV_FSP.1 Basic functional specification .58
10.3.5 ADV_FSP.2 Security-enforcing functional specification. 59
10.3.6 ADV_FSP.3 Functional specification with complete summary . 59
10.3.7 ADV_FSP.4 Complete functional specification .60
10.3.8 ADV_FSP.5 Complete semi-formal functional specification with additional error information . 61
10.3.9 ADV_FSP.6 Complete semi-formal functional specification with additional formal specification . 62
10.4 Implementation representation (ADV_IMP) .63
10.4.1 Objectives .63
10.4.2 Component levelling .64
10.4.3 Application notes .64
10.4.4 ADV_IMP.1 Implementation representation of the TSF .65
10.4.5 ADV_IMP.2 Complete mapping of the implementation representation of the TSF . 65
10.5 TSF internals (ADV_INT) .66
10.5.1 Objectives .66
10.5.2 Component levelling .66
10.5.3 Application notes .66
10.5.4 ADV_INT.1 Well-structured subset of TSF internals . 67
10.5.5 ADV_INT.2 Well-structured internals .68
10.5.6 ADV_INT.3 Minimally complex internals .68
10.6 Security policy modelling (ADV_SPM) . 69
10.6.1 Objectives .69
10.6.2 Component levelling . 70
10.6.3 Application notes . 70
10.6.4 ADV_SPM.1 Formal TOE security policy model . 70
10.7 TOE design (ADV_TDS) .72
10.7.1 Objectives .72
10.7.2 Component levelling .72
10.7.3 Application notes .72
10.7.4 ADV_TDS.1 Basic design .73
10.7.5 ADV_TDS.2 Architectural design .74
10.7.6 ADV_TDS.3 Basic modular design . 75
10.7.7 ADV_TDS.4 Semiformal modular design . 76
10.7.8 ADV_TDS.5 Complete semiformal modular design . 78
10.7.9 ADV_TDS.6 Complete semiformal modular design with formal high-level design presentation . 79
10.8 Composite design compliance (ADV_COMP) .80
10.8.1 Objectives .80
10.8.2 Component levelling .80
10.8.3 Application notes .80
10.8.4 ADV_COMP.1 Design compliance with the base component-related user guidance, ETR for composite evaluation and report of the base component evaluation authority . 81
11 Class AGD: Guidance documents .82
11.1 General .82
11.2 Operational user guidance (AGD_OPE) .82
11.2.1 Objectives .82
11.2.2 Component levelling .82
11.2.3 Application notes .82
11.2.4 AGD_OPE.1 Operational user guidance.83
11.3 Preparative procedures (AGD_PRE) .84
11.3.1 Objectives .84
11.3.2 Component levelling .84
11.3.3 Application notes .84
11.3.4 AGD_PRE.1 Preparative procedures .84
12 Class ALC: Life-cycle support .85
12.1 General .85
12.2 CM capabilities (ALC_CMC) .86
12.2.1 Objectives .86
12.2.2 Component levelling .87
12.2.3 Application notes .87
12.2.4 ALC_CMC.1 Labelling of the TOE .87
12.2.5 ALC_CMC.2 Use of the CM system .88
12.2.6 ALC_CMC.3 Authorization controls .89
12.2.7 ALC_CMC.4 Production support, acceptance procedures and automation . 91
12.2.8 ALC_CMC.5 Advanced support . 93
12.3 CM scope (ALC_CMS) .96
12.3.1 Objectives .96
12.3.2 Component levelling .96
12.3.3 Application notes .96
12.3.4 ALC_CMS.1 TOE CM coverage .96
12.3.5 ALC_CMS.2 Parts of the TOE CM coverage .97
12.3.6 ALC_CMS.3 Implementation representation CM coverage .98
12.3.7 ALC_CMS.4 Problem tracking CM coverage .99
12.3.8 ALC_CMS.5 Development tools CM coverage .99
12.4 Delivery (ALC_DEL) .100
12.4.1 Objectives .100
12.4.2 Component levelling . 101
12.4.3 Application notes . 101
12.4.4 ALC_DEL.1 Delivery procedures .
...
SIST EN ISO/IEC 15408-3:2024 is an important standards document for information security, cybersecurity and privacy protection that clearly defines assurance for IT security evaluation criteria. It describes in detail the assurance requirements of the ISO/IEC 15408 series and includes the individual assurance components from which the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5 are composed. One of the main strengths of this standard is that it specifies the evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), supporting users in evaluating the security level of a system in an integrated way. SIST EN ISO/IEC 15408-3:2024 is a very timely document in the current information security environment; because it provides a strong and consistent evaluation scheme, it helps cybersecurity professionals and organizations develop trustworthy security solutions. It presents the structural criteria needed in IT security evaluation, enabling more effective preventive security measures. The standard thus contributes to maximizing safety in the IT security field and has established itself as an essential criterion for cybersecurity and privacy protection.
The review of SIST EN ISO/IEC 15408-3:2024 focuses on its scope, strengths and relevance. This standardization document defines the assurance requirements of the ISO/IEC 15408 series and plays an important role in particular in the evaluation criteria for IT security. The individual assurance components contained in this document are the building blocks of the evaluation assurance levels and other packages contained in ISO/IEC 15408-5, and contribute to setting evaluation criteria in the fields of information security, cybersecurity and privacy protection. In particular, by providing evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), it ensures the consistency and effectiveness of these elements. The strength of this standard lies in its clear definition of requirements. Because the evaluation process for IT security can be built on specific assurance components, organizations can take a systematic and effective approach to risk management and strengthening security. Using evaluation criteria based on the standard also makes comparison between different technologies and products easier, improving transparency and reliability. Furthermore, it is notable that SIST EN ISO/IEC 15408-3:2024 has received the updates needed to remain relevant in the rapidly evolving cybersecurity environment. By responding quickly to new information security concerns and revising the assurance requirements, it has the capacity to adapt to the latest technology trends and threats. In this way, SIST EN ISO/IEC 15408-3:2024 provides effective evaluation criteria for information security and privacy protection and is an indispensable resource for the organizations concerned. By applying it, companies and institutions can strengthen information security, reduce risk and realize sustainable cybersecurity measures.
The SIST EN ISO/IEC 15408-3:2024 standard provides a comprehensive framework for information security, cybersecurity, and privacy protection through its evaluation criteria for IT security. This document is pivotal in defining the assurance requirements that are essential for the ISO/IEC 15408 series, offering clear guidelines for establishing assurance components crucial for the evaluation of Information Technology (IT) security. One of the strengths of this standard is its detailed articulation of individual assurance components, which are integral for determining evaluation assurance levels. This structured approach enables organizations to effectively assess the security features and capabilities of their IT systems. By laying out precise criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs), the standard ensures that users can methodically evaluate and enhance their cybersecurity posture. The relevance of SIST EN ISO/IEC 15408-3:2024 cannot be overstated, especially amid rising concerns over cybersecurity threats and the need for robust privacy protection mechanisms. As organizations globally strive to implement rigorous IT security measures, this standard serves as a guideline that aligns with best practices, helping organizations establish trust and compliance within their cybersecurity frameworks. Overall, the SIST EN ISO/IEC 15408-3:2024 standard is a commendable resource that underscores its commitment to advancing the field of information security through well-defined assurance components and evaluation methodologies, making it a critical tool for any entity focusing on enhancing its cybersecurity measures and ensuring data protection.
SIST EN ISO/IEC 15408-3:2024 is an important document that establishes evaluation criteria for information security, cybersecurity and privacy protection, dealing with the assurance components of IT security. The scope of the document is to define the assurance requirements of the ISO/IEC 15408 series, including each of the assurance components. These components are essential for forming the evaluation assurance levels and other packages contained in ISO/IEC 15408-5. One strength of this standard is that it clearly specifies evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), raising the consistency of the IT security evaluation and certification process. Such clear guidance is important information for developers of security products and systems, helping them align their products with internationally recognized security criteria. In addition, as part of the effort to continually review and update existing criteria as the cybersecurity environment develops, SIST EN ISO/IEC 15408-3:2024 modernizes the security assurance components. This is an essential measure for responding to current and future cyber threats and greatly helps the security industry advance. In conclusion, by defining evaluation criteria for information security and cybersecurity, this document supports the development of the industries concerned and, through internationally recognized assurance requirements, gives companies a basis for raising their credibility. The content of SIST EN ISO/IEC 15408-3:2024 emphasizes once again the importance of information security and has become an essential criterion for all stakeholders.
The SIST EN ISO/IEC 15408-3:2024 standard is a fundamental document that defines the assurance requirements in the field of information security, cybersecurity and privacy protection. As an integral part of the ISO/IEC 15408 series, this standard specifies the assurance components that are essential to guaranteeing an adequate level of security for information systems. One of the main assets of this standard is its ability to break down the different elements that make up the evaluation assurance levels. This allows a clear and precise understanding of the requirements needed to reach appropriate levels of security. The evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs) are also covered exhaustively, facilitating the process of evaluating and accrediting IT products. In terms of scope, the SIST EN ISO/IEC 15408-3:2024 standard is highly relevant to organizations concerned with the security of their systems. By establishing solid foundations for the evaluation of security systems, it helps build greater trust among users and customers. The assurance components described in this document allow evaluators to formulate clear, actionable recommendations for improving the overall security level of systems. Finally, this standard reflects the continuing commitment to the evolution of best practices in IT security, integrating lessons learned and recent technological developments in the field. In short, SIST EN ISO/IEC 15408-3:2024 is an essential document for anyone wishing to guarantee robust and lasting security in an increasingly complex digital environment.
The SIST EN ISO/IEC 15408-3:2024 standard is an essential reference for information security, cybersecurity and privacy protection. It specifies the essential assurance requirements within the ISO/IEC 15408 series, thereby strengthening the overall framework for evaluating the security of information technology. The main asset of this standard lies in its detailed structure of security assurance components. By clearly defining the evaluation criteria for Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs), it allows evaluation bodies to provide systematic analyses that guarantee the required level of assurance. This system contributes not only to establishing trust in IT systems but also to standardizing evaluation practices internationally. Moreover, the relevance of this standard extends to its adaptability in the face of rapidly evolving cybersecurity threats. By including assurance components that can be adjusted and applied according to the specific needs of organizations, it offers a flexible framework while maintaining rigorous requirements. In summary, SIST EN ISO/IEC 15408-3:2024 stands out as an essential instrument for any entity seeking to improve its information security practices. It not only enables a consistent and exhaustive evaluation but also aligns security requirements with contemporary concerns about cybersecurity and data protection.
SIST EN ISO/IEC 15408-3:2024 provides a comprehensive basis for evaluating information security, cybersecurity and data protection. This document lays down the security requirements of the ISO/IEC 15408 series and concentrates on ensuring the trustworthiness of IT systems. It comprises the individual security assurance components that form the basis for the various evaluation levels and packages in ISO/IEC 15408-5. A major advantage of this standard is its detailed structuring of the requirements, which enables organizations to address specific security needs. The definition of the criteria for evaluating Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs) ensures a consistent and traceable assessment of security. This increases the traceability of security measures, and potential risks can be identified and mitigated more effectively. Another strength of SIST EN ISO/IEC 15408-3:2024 lies in its relevance to modern IT landscapes. Given the constantly growing threats in the field of cybersecurity, it is essential that companies have clear, standardized evaluation foundations. The standard offers a flexible framework that can be adapted to different technologies and security environments, which makes it particularly valuable for organizations that want to improve their security standards. In summary, SIST EN ISO/IEC 15408-3:2024 plays a decisive role in the evaluation of IT security by defining clear requirements and offering a structured approach to security assessment. It thus contributes substantially to increasing the overall trustworthiness of IT systems and enables organizations to take proactive measures to ensure their information security.
SIST EN ISO/IEC 15408-3:2024 is an important standard that provides evaluation criteria for information security, cybersecurity and privacy protection. This document clearly defines the assurance requirements of the ISO/IEC 15408 series, focusing in particular on security assurance components. Its scope includes the individual assurance components that make up the evaluation assurance levels and the other packages contained in ISO/IEC 15408-5. The strength of this standard lies in its clear structure and comprehensiveness. Because the evaluation criteria for PPs (Protection Profiles), PP-Configurations, PP-Modules and STs (Security Targets) are set out in detail, the evaluation process runs smoothly and security evaluations can be carried out according to the needs of various organizations. It also provides an appropriate framework for countering modern information security threats and is expected to contribute to improving cybersecurity. The breadth of its applicability is another major attraction of SIST EN ISO/IEC 15408-3:2024. This standard can give companies and organizations guidelines for ensuring the reliability of their own IT security, and its importance is growing all the more in today's world, where cyber attacks have become commonplace. Adopting this standard in the information security field will be a factor in earning higher regard, especially from users and customers who value reliability and safety. As evaluation criteria for information security and cybersecurity, SIST EN ISO/IEC 15408-3:2024 provides well-ordered criteria and clear guidance on the required assurance level, and so plays an important role in supporting implementation and evaluation in many fields.
SIST EN ISO/IEC 15408-3:2024 comprehensively lays down the requirements for security assurance in the field of information security, cybersecurity and data protection. The focus of this standard is on the individual security assurance criteria that are indispensable for evaluating IT security. The clear definition of the assurance requirements enables a structured and transparent assessment of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs). An outstanding feature of this standard is its comprehensive systematics, which establishes a connection between the individual security assurance components and the evaluation levels. This ensures high relevance and practicability in the security evaluation process. The detailed criteria not only promote a uniform evaluation but also provide guidance for systematically identifying and mitigating security risks. SIST EN ISO/IEC 15408-3:2024 is of central importance for companies that want to position themselves in the field of IT security. It supports organizations in building trust in their security evaluations and in implementing the measures required to safeguard data protection and cybersecurity. This makes the importance of the standard clear not only technically but also with regard to legal compliance and market requirements. Overall, this standard points in a clear direction for harmonizing security evaluation and the associated processes. Its currency and adaptability to changing threat landscapes underline the relevance of SIST EN ISO/IEC 15408-3:2024 for every company that regards IT security as a strategic element.
The SIST EN ISO/IEC 15408-3:2024 standard presents a comprehensive framework that defines the assurance requirements critical for information security, cybersecurity, and privacy protection. This standard plays an integral role in the larger ISO/IEC 15408 series by detailing the individual assurance components necessary for establishing evaluation assurance levels. One of the notable strengths of this standard is its clearly defined structure that categorizes assurance components, providing a systematic approach for organizations to assess the security of IT products and systems. By doing so, it not only aids in the evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs), but also ensures that stakeholders have a clear understanding of the evaluation criteria necessary for effective IT security assessments. The relevance of the SIST EN ISO/IEC 15408-3:2024 standard is underscored by the increasing complexity of cybersecurity threats and the corresponding necessity for robust security assurance methodologies. As organizations navigate evolving technological landscapes, this standard equips them with the tools and guidelines needed to uphold strong security protocols, thereby fostering trust and confidence in IT solutions. Moreover, this document aligns with global best practices, making it an essential reference for practitioners involved in information security evaluations. By adhering to the security assurance components specified in this standard, organizations can systematically manage risks and ensure compliance with both regulatory and societal expectations regarding privacy and cybersecurity. In summary, the SIST EN ISO/IEC 15408-3:2024 standard is pivotal in establishing a solid foundation for evaluating IT security, thereby enhancing the overall effectiveness of information security measures across diverse applications.