Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)

This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

General Information

Status: Published
Public Enquiry End Date: 13-Oct-2023
Publication Date: 11-Apr-2024
Technical Committee: ITC - Information technology
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 20-Mar-2024
Due Date: 25-May-2024
Completion Date: 12-Apr-2024

Relations

Effective Date: 01-May-2024
Effective Date: 22-May-2024

Overview

SIST EN ISO/IEC 15408-2:2024 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022) defines the required structure and content for security functional components used in IT security evaluations. Adopted as EN ISO/IEC 15408-2:2023 and published by SIST (01 May 2024), this part of the ISO/IEC 15408 series (Common Criteria) provides a standardized catalogue of functional components that address common security functionality across many IT products.

Key Topics and Technical Requirements

  • Functional requirements paradigm: establishes how functional components are structured and expressed for use in evaluation artefacts.
  • Class / Family / Component structure: specifies a hierarchical model - classes group related families, families group components, and components define specific functional requirements.
  • Component catalogue: a reusable set of security functional components intended to satisfy typical security needs in products and systems.
  • Security audit (Class FAU): example coverage in the document includes families and components such as:
    • FAU_ARP (automatic response)
    • FAU_GEN (auditable data generation)
    • FAU_SAA (security audit analysis)
    • FAU_SAR (security audit review)
    • FAU_SEL (event selection)
    • FAU_STG (audit data storage)
    These illustrate the levelled component descriptions and the management and audit considerations included in the standard.
  • Normative references, terms & definitions: ensures consistent semantics for evaluations and interoperability of evaluation results.

Practical Applications

  • Creating or updating Protection Profiles and Security Targets for product certification under the Common Criteria framework.
  • Mapping product features to standardized security functional components to support third-party evaluation and certification.
  • Guiding product architects and security engineers in specifying measurable, testable security functions (audit, authentication, access control, etc.).
  • Supporting procurement and compliance teams in defining required security functions for vendor selection and assurance.

Who Should Use This Standard

  • Security product vendors and developers preparing certification artefacts.
  • Evaluation laboratories and certification bodies conducting Common Criteria assessments.
  • Security architects, systems integrators, and procurement officers specifying or verifying security requirements.
  • Regulatory or compliance teams aligning product capabilities with recognized evaluation criteria.

Related Standards

  • ISO/IEC 15408 series (Common Criteria) - Part 1 (general) and Part 3 (assurance) - for the full evaluation framework and assurance requirements.

Keywords: ISO/IEC 15408-2, security functional components, Common Criteria, security evaluation, IT security, cybersecurity, privacy protection, security audit, protection profile, security target.

Standard

SIST EN ISO/IEC 15408-2:2024

English language, 293 pages

Frequently Asked Questions

SIST EN ISO/IEC 15408-2:2024 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)". This standard covers the following: the document defines the required structure and content of security functional components for the purpose of security evaluation, and it includes a catalogue of functional components that will meet the common security functionality requirements of many IT products.

SIST EN ISO/IEC 15408-2:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN ISO/IEC 15408-2:2024 has the following relationships with other standards: it has inter-standard links to SIST EN ISO/IEC 15408-2:2020 and oSIST prEN ISO/IEC 15408-2:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST EN ISO/IEC 15408-2:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2024
Supersedes:
SIST EN ISO/IEC 15408-2:2020
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
This Slovenian standard is identical to: EN ISO/IEC 15408-2:2023
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard, in whole or in part, is not permitted.

EUROPEAN STANDARD EN ISO/IEC 15408-2

December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-2:2020
English version
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
This European Standard was approved by CEN on 20 November 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 15408-2:2023 E
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 15408-2:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information technology" of the International Organization for Standardization (ISO) and has been taken over as EN ISO/IEC 15408-2:2023 by Technical Committee CEN-CENELEC/JTC 13 "Cybersecurity and Data Protection", the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-2:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-2:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-2:2023
without any modification.
INTERNATIONAL STANDARD ISO/IEC 15408-2
Fourth edition
2022-08
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
Reference number
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Overview . 4
5.1 General . 4
5.2 Organization of this document . 4
6 Functional requirements paradigm . 5
7 Security functional components . 9
7.1 Overview . 9
7.1.1 General . 9
7.1.2 Class structure . 9
7.1.3 Family structure . 10
7.1.4 Component structure . 11
7.2 Component catalogue .13
8 Class FAU: Security audit .14
8.1 Class description . 14
8.2 Security audit automatic response (FAU_ARP) . 15
8.2.1 Family behaviour .15
8.2.2 Components leveling and description . 15
8.2.3 Management of FAU_ARP.1 . 15
8.2.4 Audit of FAU_ARP.1 . 15
8.2.5 FAU_ARP.1 Security alarms . 15
8.3 Security audit data generation (FAU_GEN) . 15
8.3.1 Family behaviour . 15
8.3.2 Components leveling and description . 15
8.3.3 Management of FAU_GEN.1, FAU_GEN.2 . 16
8.3.4 Audit of FAU_GEN.1, FAU_GEN.2. 16
8.3.5 FAU_GEN.1 Audit data generation . 16
8.3.6 FAU_GEN.2 User identity association . 16
8.4 Security audit analysis (FAU_SAA) . 17
8.4.1 Family behaviour . 17
8.4.2 Components leveling and description . 17
8.4.3 Management of FAU_SAA.1 . 17
8.4.4 Management of FAU_SAA.2 . 18
8.4.5 Management of FAU_SAA.3 . 18
8.4.6 Management of FAU_SAA.4 . 18
8.4.7 Audit of FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4 . 18
8.4.8 FAU_SAA.1 Potential violation analysis . 18
8.4.9 FAU_SAA.2 Profile based anomaly detection . 18
8.4.10 FAU_SAA.3 Simple attack heuristics . 19
8.4.11 FAU_SAA.4 Complex attack heuristics . 19
8.5 Security audit review (FAU_SAR) . 20
8.5.1 Family behaviour .20
8.5.2 Components leveling and description . 20
8.5.3 Management of FAU_SAR.1 . 20
8.5.4 Management of FAU_SAR.2, FAU_SAR.3 . 20
8.5.5 Audit of FAU_SAR.1 . .20
8.5.6 Audit of FAU_SAR.2 . 21
8.5.7 Audit of FAU_SAR.3 . 21
8.5.8 FAU_SAR.1 Audit review . 21
8.5.9 FAU_SAR.2 Restricted audit review . 21
8.5.10 FAU_SAR.3 Selectable audit review . 21
8.6 Security audit event selection (FAU_SEL) . 22
8.6.1 Family behaviour .22
8.6.2 Components leveling and description . 22
8.6.3 Management of FAU_SEL.1 . 22
8.6.4 Audit of FAU_SEL.1 . 22
8.6.5 FAU_SEL.1 Selective audit . 22
8.7 Security audit data storage (FAU_STG) . 22
8.7.1 Family behaviour .22
8.7.2 Components leveling and description . 23
8.7.3 Management of FAU_STG.1 . 23
8.7.4 Management of FAU_STG.2 . 23
8.7.5 Management of FAU_STG.3 . 23
8.7.6 Management of FAU_STG.4 . 23
8.7.7 Management of FAU_STG.5 . 23
8.7.8 Audit of FAU_STG.1 . 24
8.7.9 Audit of FAU_STG.2, FAU_STG.3 . 24
8.7.10 Audit of FAU_STG.4 . 24
8.7.11 Audit of FAU_STG.5 . 24
8.7.12 FAU_STG.1 Audit data storage location . 24
8.7.13 FAU_STG.2 Protected audit data storage . 24
8.7.14 FAU_STG.3 Guarantees of audit data availability . 25
8.7.15 FAU_STG.4 Action in case of possible audit data loss . 25
8.7.16 FAU_STG.5 Prevention of audit data loss . 25
9 Class FCO: Communication .25
9.1 Class description .25
9.2 Non-repudiation of origin (FCO_NRO) . 26
9.2.1 Family behaviour .26
9.2.2 Components leveling and description . 26
9.2.3 Management of FCO_NRO.1, FCO_NRO.2 . 26
9.2.4 Audit of FCO_NRO.1 .26
9.2.5 Audit of FCO_NRO.2 . 27
9.2.6 FCO_NRO.1 Selective proof of origin . 27
9.2.7 FCO_NRO.2 Enforced proof of origin . 27
9.3 Non-repudiation of receipt (FCO_NRR) .28
9.3.1 Family behaviour .28
9.3.2 Components leveling and description .28
9.3.3 Management of FCO_NRR.1, FCO_NRR.2 .28
9.3.4 Audit of FCO_NRR.1 . 28
9.3.5 Audit of FCO_NRR.2 .28
9.3.6 FCO_NRR.1 Selective proof of receipt .29
9.3.7 FCO_NRR.2 Enforced proof of receipt .29
10 Class FCS: Cryptographic support .29
10.1 Class description .29
10.2 Cryptographic key management (FCS_CKM) .30
10.2.1 Family behaviour .30
10.2.2 Components leveling and description .30
10.2.3 Management of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 . 31
10.2.4 Audit of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 . 31
10.2.5 FCS_CKM.1 Cryptographic key generation . 31
10.2.6 FCS_CKM.2 Cryptographic key distribution . 32
10.2.7 FCS_CKM.3 Cryptographic key access . 32
10.2.8 FCS_CKM.4 Cryptographic key destruction . 32
10.2.9 FCS_CKM.5 Cryptographic key derivation . 33
10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction .33
10.3 Cryptographic operation (FCS_COP) . 33
10.3.1 Family behaviour .33
10.3.2 Components leveling and description . 33
10.3.3 Management of FCS_COP.1 .34
10.3.4 Audit of FCS_COP.1 .34
10.3.5 FCS_COP.1 Cryptographic operation .34
10.4 Random bit generation (FCS_RBG) .34
10.4.1 Family behaviour .34
10.4.2 Components leveling and description .34
10.4.3 Management of FCS_RBG.1, FCS_RBG.2, FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 . 35
10.4.4 Audit of FCS_RBG.1, FCS_RBG.2 . 35
10.4.5 Audit of FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 . 35
10.4.6 FCS_RBG.1 Random bit generation (RBG) . 35
10.4.7 FCS_RBG.2 Random bit generation (external seeding) .36
10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source) .36
10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources) . 37
10.4.10 FCS_RBG.5 Random bit generation (combining noise sources) . 37
10.4.11 FCS_RBG.6 Random bit generation service . 37
10.5 Generation of random numbers (FCS_RNG) . 37
10.5.1 Family behaviour . 37
10.5.2 Components leveling and description .38
10.5.3 Management of FCS_RNG.1 .38
10.5.4 Audit of FCS_RNG.1 .38
10.5.5 FCS_RNG.1 Random number generation .38
11 Class FDP: User data protection.38
11.1 Class description .38
11.2 Access control policy (FDP_ACC) .40
11.2.1 Family behaviour .40
11.2.2 Components leveling and description . 41
11.2.3 Management of FDP_ACC.1, FDP_ACC.2 . 41
11.2.4 Audit of FDP_ACC.1, FDP_ACC.2 . 41
11.2.5 FDP_ACC.1 Subset access control . 41
11.2.6 FDP_ACC.2 Complete access control . 41
11.3 Access control functions (FDP_ACF) . 42
11.3.1 Family behaviour . 42
11.3.2 Components leveling and description . 42
11.3.3 Management of FDP_ACF.1 . 42
11.3.4 Audit of FDP_ACF.1 . 42
11.3.5 FDP_ACF.1 Security attribute-based access control . 42
11.4 Data authentication (FDP_DAU) . 43
11.4.1 Family behaviour . 43
11.4.2 Components leveling and description . 43
11.4.3 Management of FDP_DAU.1, FDP_DAU.2 . 43
11.4.4 Audit of FDP_DAU.1 . 43
11.4.5 Audit of FDP_DAU.2 .44
11.4.6 FDP_DAU.1 Basic Data Authentication .44
11.4.7 FDP_DAU.2 Data Authentication with Identity of Guarantor .44
11.5 Export from the TOE (FDP_ETC) .44
11.5.1 Family behaviour .44
11.5.2 Components leveling and description . 45
11.5.3 Management of FDP_ETC.1 . 45
11.5.4 Management of FDP_ETC.2 . 45
11.5.5 Audit of FDP_ETC.1, FDP_ETC.2 . 45
11.5.6 FDP_ETC.1 Export of user data without security attributes . 45
11.5.7 FDP_ETC.2 Export of user data with security attributes . 45
11.6 Information flow control policy (FDP_IFC) .46
11.6.1 Family behaviour .46
11.6.2 Components leveling and description .46
11.6.3 Management of FDP_IFC.1, FDP_IFC.2 . 47
11.6.4 Audit of FDP_IFC.1, FDP_IFC.2 . 47
11.6.5 FDP_IFC.1 Subset information flow control. 47
11.6.6 FDP_IFC.2 Complete information flow control . 47
11.7 Information flow control functions (FDP_IFF) . 47
11.7.1 Family behaviour . 47
11.7.2 Components leveling and description .48
11.7.3 Management of FDP_IFF.1, FDP_IFF.2 .48
11.7.4 Management of FDP_IFF.3, FDP_IFF.4, FDP_IFF.5 .48
11.7.5 Management of FDP_IFF.6 .49
11.7.6 Audit of FDP_IFF.1, FDP_IFF.2, FDP_IFF.5 .49
11.7.7 Audit of FDP_IFF.3, FDP_IFF.4, FDP_IFF.6 .49
11.7.8 FDP_IFF.1 Simple security attributes .49
11.7.9 FDP_IFF.2 Hierarchical security attributes .50
11.7.10 FDP_IFF.3 Limited illicit information flows. 51
11.7.11 FDP_IFF.4 Partial elimination of illicit information flows . 51
11.7.12 FDP_IFF.5 No illicit information flows . 51
11.7.13 FDP_IFF.6 Illicit information flow monitoring . 51
11.8 Information Retention Control (FDP_IRC) . 52
11.8.1 Family behaviour . 52
11.8.2 Components leveling and description . 52
11.8.3 Management of FDP_IRC.1 . 53
11.8.4 Audit of FDP_IRC.1 .53
11.8.5 FDP_IRC.1 Information retention control . 53
11.9 Import from outside of the TOE (FDP_ITC) . 53
11.9.1 Family behaviour . 53
11.9.2 Components leveling and description . 53
11.9.3 Management of FDP_ITC.1, FDP_ITC.2 .54
11.9.4 Audit of FDP_ITC.1, FDP_ITC.2 .54
11.9.5 FDP_ITC.1 Import of user data without security attributes .54
11.9.6 FDP_ITC.2 Import of user data with security attributes .54
11.10 Internal TOE transfer (FDP_ITT) . 55
11.10.1 Family behaviour .55
11.10.2 Components leveling and description . 55
11.10.3 Management of FDP_ITT.1, FDP_ITT.2 . 55
11.10.4 Management of FDP_ITT.3, FDP_ITT.4 .56
11.10.5 Audit of FDP_ITT.1, FDP_ITT.2 .56
11.10.6 Audit of FDP_ITT.3, FDP_ITT.4 .56
11.10.7 FDP_ITT.1 Basic internal transfer protection .56
11.10.8 FDP_ITT.2 Transmission separation by attribute .56
11.10.9 FDP_ITT.3 Integrity monitoring . 57
11.10.10 FDP_ITT.4 Attribute-based integrity monitoring . 57
11.11 Residual information protection (FDP_RIP) . 57
11.11.1 Family behaviour . 57
11.11.2 Components leveling and description .58
11.11.3 Management of FDP_RIP.1, FDP_RIP.2 .58
11.11.4 Audit of FDP_RIP.1, FDP_RIP.2 .58
11.11.5 FDP_RIP.1 Subset residual information protection .58
11.11.6 FDP_RIP.2 Full residual information protection .58
11.12 Rollback (FDP_ROL) . 59
11.12.1 Family behaviour . 59
11.12.2 Components leveling and description . 59
11.12.3 Management of FDP_ROL.1, FDP_ROL.2 . 59
11.12.4 Audit of FDP_ROL.1, FDP_ROL.2 . 59
11.12.5 FDP_ROL.1 Basic rollback . 59
11.12.6 FDP_ROL.2 Advanced rollback .60
11.13 Stored data confidentiality (FDP_SDC) .60
11.13.1 Family behaviour .60
11.13.2 Componen
...


SLOVENSKI STANDARD
01-maj-2024
Nadomešča:
SIST EN ISO/IEC 15408-2:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
vrednotenje varnosti IT - 2. del: Funkcionalne varnostne komponente (ISO/IEC
15408-2:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 2: Security functional components (ISO/IEC 15408-2:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 2: Sicherheit funktionale Komponenten
(ISO/IEC 15408-2:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 2: Composants
fonctionnels de sécurité (ISO/IEC 15408-2:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 15408-2:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 15408-2

NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2023
ICS 35.030
Supersedes EN ISO/IEC 15408-2:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Part 2: Security
functional components (ISO/IEC 15408-2:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Partie 2: Sicherheit - Teil 2: Sicherheit funktionale
Composants fonctionnels de sécurité (ISO/IEC 15408- Komponenten (ISO/IEC 15408-2:2022)
2:2022)
This European Standard was approved by CEN on 20 November 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 15408-2:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 15408-2:2022 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-2:2023 by Technical Committee CEN-CENELEC/ JTC 13 “Cybersecurity
and Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by June 2024, and conflicting national standards shall be
withdrawn at the latest by June 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 15408-2:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-2:2022 has been approved by CEN-CENELEC as EN ISO/IEC 15408-2:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 15408-2
Fourth edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security —
Part 2:
Security functional components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information —
Partie 2: Composants fonctionnels de sécurité
Reference number
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
ISO/IEC 15408-2:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 15408-2:2022(E)
Contents Page
Foreword . xv
Introduction . xvii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 3
5 Overview . 4
5.1 General . 4
5.2 Organization of this document . . 4
6 Functional requirements paradigm . .5
7 Security functional components .9
7.1 Overview . 9
7.1.1 General . 9
7.1.2 Class structure . 9
7.1.3 Family structure . 10
7.1.4 Component structure . 11
7.2 Component catalogue .13
8 Class FAU: Security audit .14
8.1 Class description . 14
8.2 Security audit automatic response (FAU_ARP) . 15
8.2.1 Family behaviour .15
8.2.2 Components leveling and description . 15
8.2.3 Management of FAU_ARP.1 . 15
8.2.4 Audit of FAU_ARP.1 . 15
8.2.5 FAU_ARP.1 Security alarms . 15
8.3 Security audit data generation (FAU_GEN) . 15
8.3.1 Family behaviour . 15
8.3.2 Components leveling and description . 15
8.3.3 Management of FAU_GEN.1, FAU_GEN.2 . 16
8.3.4 Audit of FAU_GEN.1, FAU_GEN.2. 16
8.3.5 FAU_GEN.1 Audit data generation . 16
8.3.6 FAU_GEN.2 User identity association . 16
8.4 Security audit analysis (FAU_SAA) . 17
8.4.1 Family behaviour . 17
8.4.2 Components leveling and description . 17
8.4.3 Management of FAU_SAA.1 . 17
8.4.4 Management of FAU_SAA.2 . 18
8.4.5 Management of FAU_SAA.3 . 18
8.4.6 Management of FAU_SAA.4 . 18
8.4.7 Audit of FAU_SAA.1, FAU_SAA.2, FAU_SAA.3, FAU_SAA.4 . 18
8.4.8 FAU_SAA.1 Potential violation analysis . 18
8.4.9 FAU_SAA.2 Profile based anomaly detection . 18
8.4.10 FAU_SAA.3 Simple attack heuristics . 19
8.4.11 FAU_SAA.4 Complex attack heuristics . 19
8.5 Security audit review (FAU_SAR) . 20
8.5.1 Family behaviour .20
8.5.2 Components leveling and description . 20
8.5.3 Management of FAU_SAR.1 . 20
8.5.4 Management of FAU_SAR.2, FAU_SAR.3 . 20
8.5.5 Audit of FAU_SAR.1 . .20
8.5.6 Audit of FAU_SAR.2 . 21
iii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 15408-2:2022(E)
8.5.7 Audit of FAU_SAR.3 ... 21
8.5.8 FAU_SAR.1 Audit review ... 21
8.5.9 FAU_SAR.2 Restricted audit review ... 21
8.5.10 FAU_SAR.3 Selectable audit review ... 21
8.6 Security audit event selection (FAU_SEL) ... 22
8.6.1 Family behaviour ... 22
8.6.2 Components leveling and description ... 22
8.6.3 Management of FAU_SEL.1 ... 22
8.6.4 Audit of FAU_SEL.1 ... 22
8.6.5 FAU_SEL.1 Selective audit ... 22
8.7 Security audit data storage (FAU_STG) ... 22
8.7.1 Family behaviour ... 22
8.7.2 Components leveling and description ... 23
8.7.3 Management of FAU_STG.1 ... 23
8.7.4 Management of FAU_STG.2 ... 23
8.7.5 Management of FAU_STG.3 ... 23
8.7.6 Management of FAU_STG.4 ... 23
8.7.7 Management of FAU_STG.5 ... 23
8.7.8 Audit of FAU_STG.1 ... 24
8.7.9 Audit of FAU_STG.2, FAU_STG.3 ... 24
8.7.10 Audit of FAU_STG.4 ... 24
8.7.11 Audit of FAU_STG.5 ... 24
8.7.12 FAU_STG.1 Audit data storage location ... 24
8.7.13 FAU_STG.2 Protected audit data storage ... 24
8.7.14 FAU_STG.3 Guarantees of audit data availability ... 25
8.7.15 FAU_STG.4 Action in case of possible audit data loss ... 25
8.7.16 FAU_STG.5 Prevention of audit data loss ... 25
9 Class FCO: Communication ... 25
9.1 Class description ... 25
9.2 Non-repudiation of origin (FCO_NRO) ... 26
9.2.1 Family behaviour ... 26
9.2.2 Components leveling and description ... 26
9.2.3 Management of FCO_NRO.1, FCO_NRO.2 ... 26
9.2.4 Audit of FCO_NRO.1 ... 26
9.2.5 Audit of FCO_NRO.2 ... 27
9.2.6 FCO_NRO.1 Selective proof of origin ... 27
9.2.7 FCO_NRO.2 Enforced proof of origin ... 27
9.3 Non-repudiation of receipt (FCO_NRR) ... 28
9.3.1 Family behaviour ... 28
9.3.2 Components leveling and description ... 28
9.3.3 Management of FCO_NRR.1, FCO_NRR.2 ... 28
9.3.4 Audit of FCO_NRR.1 ... 28
9.3.5 Audit of FCO_NRR.2 ... 28
9.3.6 FCO_NRR.1 Selective proof of receipt ... 29
9.3.7 FCO_NRR.2 Enforced proof of receipt ... 29
10 Class FCS: Cryptographic support ... 29
10.1 Class description ... 29
10.2 Cryptographic key management (FCS_CKM) ... 30
10.2.1 Family behaviour ... 30
10.2.2 Components leveling and description ... 30
10.2.3 Management of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 ... 31
10.2.4 Audit of FCS_CKM.1, FCS_CKM.2, FCS_CKM.3, FCS_CKM.5, FCS_CKM.6 ... 31
10.2.5 FCS_CKM.1 Cryptographic key generation ... 31
10.2.6 FCS_CKM.2 Cryptographic key distribution ... 32
10.2.7 FCS_CKM.3 Cryptographic key access ... 32
10.2.8 FCS_CKM.4 Cryptographic key destruction ... 32
10.2.9 FCS_CKM.5 Cryptographic key derivation ... 33
10.2.10 FCS_CKM.6 Timing and event of cryptographic key destruction ... 33
10.3 Cryptographic operation (FCS_COP) ... 33
10.3.1 Family behaviour ... 33
10.3.2 Components leveling and description ... 33
10.3.3 Management of FCS_COP.1 ... 34
10.3.4 Audit of FCS_COP.1 ... 34
10.3.5 FCS_COP.1 Cryptographic operation ... 34
10.4 Random bit generation (FCS_RBG) ... 34
10.4.1 Family behaviour ... 34
10.4.2 Components leveling and description ... 34
10.4.3 Management of FCS_RBG.1, FCS_RBG.2, FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 ... 35
10.4.4 Audit of FCS_RBG.1, FCS_RBG.2 ... 35
10.4.5 Audit of FCS_RBG.3, FCS_RBG.4, FCS_RBG.5, FCS_RBG.6 ... 35
10.4.6 FCS_RBG.1 Random bit generation (RBG) ... 35
10.4.7 FCS_RBG.2 Random bit generation (external seeding) ... 36
10.4.8 FCS_RBG.3 Random bit generation (internal seeding – single source) ... 36
10.4.9 FCS_RBG.4 Random bit generation (internal seeding – multiple sources) ... 37
10.4.10 FCS_RBG.5 Random bit generation (combining noise sources) ... 37
10.4.11 FCS_RBG.6 Random bit generation service ... 37
10.5 Generation of random numbers (FCS_RNG) ... 37
10.5.1 Family behaviour ... 37
10.5.2 Components leveling and description ... 38
10.5.3 Management of FCS_RNG.1 ... 38
10.5.4 Audit of FCS_RNG.1 ... 38
10.5.5 FCS_RNG.1 Random number generation ... 38
11 Class FDP: User data protection ... 38
11.1 Class description ... 38
11.2 Access control policy (FDP_ACC) ... 40
11.2.1 Family behaviour ... 40
11.2.2 Components leveling and description ... 41
11.2.3 Management of FDP_ACC.1, FDP_ACC.2 ... 41
11.2.4 Audit of FDP_ACC.1, FDP_ACC.2 ... 41
11.2.5 FDP_ACC.1 Subset access control ... 41
11.2.6 FDP_ACC.2 Complete access control ... 41
11.3 Access control functions (FDP_ACF) ... 42
11.3.1 Family behaviour ... 42
11.3.2 Components leveling and description ... 42
11.3.3 Management of FDP_ACF.1 ... 42
11.3.4 Audit of FDP_ACF.1 ... 42
11.3.5 FDP_ACF.1 Security attribute-based access control ... 42
11.4 Data authentication (FDP_DAU) ... 43
11.4.1 Family behaviour ... 43
11.4.2 Components leveling and description ... 43
11.4.3 Management of FDP_DAU.1, FDP_DAU.2 ... 43
11.4.4 Audit of FDP_DAU.1 ... 43
11.4.5 Audit of FDP_DAU.2 ... 44
11.4.6 FDP_DAU.1 Basic Data Authentication ... 44
11.4.7 FDP_DAU.2 Data Authentication with Identity of Guarantor ... 44
11.5 Export from the TOE (FDP_ETC) ... 44
11.5.1 Family behaviour ... 44
11.5.2 Components leveling and description ... 45
11.5.3 Management of FDP_ETC.1 ... 45
11.5.4 Management of FDP_ETC.2 ... 45
11.5.5 Audit of FDP_ETC.1, FDP_ETC.2 ... 45
11.5.6 FDP_ETC.1 Export of user data without security attributes ... 45
11.5.7 FDP_ETC.2 Export of user data with security attributes ... 45
11.6 Information flow control policy (FDP_IFC) ... 46
11.6.1 Family behaviour ... 46
11.6.2 Components leveling and description ... 46
11.6.3 Management of FDP_IFC.1, FDP_IFC.2 ... 47
11.6.4 Audit of FDP_IFC.1, FDP_IFC.2 ... 47
11.6.5 FDP_IFC.1 Subset information flow control ... 47
11.6.6 FDP_IFC.2 Complete information flow control ... 47
11.7 Information flow control functions (FDP_IFF) ... 47
11.7.1 Family behaviour ... 47
11.7.2 Components leveling and description ... 48
11.7.3 Management of FDP_IFF.1, FDP_IFF.2 ... 48
11.7.4 Management of FDP_IFF.3, FDP_IFF.4, FDP_IFF.5 ... 48
11.7.5 Management of FDP_IFF.6 ... 49
11.7.6 Audit of FDP_IFF.1, FDP_IFF.2, FDP_IFF.5 ... 49
11.7.7 Audit of FDP_IFF.3, FDP_IFF.4, FDP_IFF.6 ... 49
11.7.8 FDP_IFF.1 Simple security attributes ... 49
11.7.9 FDP_IFF.2 Hierarchical security attributes ... 50
11.7.10 FDP_IFF.3 Limited illicit information flows ... 51
11.7.11 FDP_IFF.4 Partial elimination of illicit information flows ... 51
11.7.12 FDP_IFF.5 No illicit information flows ... 51
11.7.13 FDP_IFF.6 Illicit information flow monitoring ... 51
11.8 Information Retention Control (FDP_IRC) ... 52
11.8.1 Family behaviour ... 52
11.8.2 Components leveling and description ... 52
11.8.3 Management of FDP_IRC.1 ... 53
11.8.4 Audit of FDP_IRC.1 ... 53
11.8.5 FDP_IRC.1 Information retention control ... 53
11.9 Import from outside of the TOE (FDP_ITC) ... 53
11.9.1 Family behaviour ... 53
11.9.2 Components leveling and description ... 53
11.9.3 Management of FDP_ITC.1, FDP_ITC.2 ... 54
11.9.4 Audit of FDP_ITC.1, FDP_ITC.2 ... 54
11.9.5 FDP_ITC.1 Import of user data without security attributes ... 54
11.9.6 FDP_ITC.2 Import of user data with security attributes ... 54
11.10 Internal TOE transfer (FDP_ITT) ... 55
11.10.1 Family behaviour ... 55
11.10.2 Components leveling and description ... 55
11.10.3 Management of FDP_ITT.1, FDP_ITT.2 ... 55
11.10.4 Management of FDP_ITT.3, FDP_ITT.4 ... 56
11.10.5 Audit of FDP_ITT.1, FDP_ITT.2 ... 56
11.10.6 Audit of FDP_ITT.3, FDP_ITT.4 ... 56
11.10.7 FDP_ITT.1 Basic internal transfer protection ... 56
11.10.8 FDP_ITT.2 Transmission separation by attribute ... 56
11.10.9 FDP_ITT.3 Integrity monitoring ... 57
11.10.10 FDP_ITT.4 Attribute-based integrity monitoring ... 57
11.11 Residual information protection (FDP_RIP) ... 57
11.11.1 Family behaviour ... 57
11.11.2 Components leveling and description ... 58
11.11.3 Management of FDP_RIP.1, FDP_RIP.2 ... 58
11.11.4 Audit of FDP_RIP.1, FDP_RIP.2 ... 58
11.11.5 FDP_RIP.1 Subset residual information protection ... 58
11.11.6 FDP_RIP.2 Full residual information protection ... 58
11.12 Rollback (FDP_ROL) ... 59
11.12.1 Family behaviour ... 59
11.12.2 Components leveling and description ... 59
11.12.3 Management of FDP_ROL.1, FDP_ROL.2 ... 59
11.12.4 Audit of FDP_ROL.1, FDP_ROL.2 ... 59
11.12.5 FDP_ROL.1 Basic rollback ... 59
11.12.6 FDP_ROL.2 Advanced rollback ... 60
11.13 Stored data confidentiality (FDP_SDC) ... 60
11.13.1 Family behaviour ... 60
11.13.2 Compon
...


SIST EN ISO/IEC 15408-2:2024 is a central document dealing with the evaluation of IT security components. The standard has a clearly defined scope that concentrates on the structure and content of security-relevant functional components. The document offers a comprehensive catalogue system that makes it possible to meet the common security requirements of a wide variety of IT products. A key advantage of the standard lies in its detailed definition of the security functions. The requirements ensure that manufacturers and evaluators have a clear and uniform basis for security review. This not only improves the transparency of evaluations but also increases confidence in the security of the evaluated IT products. The relevance of SIST EN ISO/IEC 15408-2:2024 arises from current developments in information security, cybersecurity and privacy protection. At a time when digital threats are becoming ever more complex, this standard provides an indispensable foundation for ensuring the security of IT systems. The standardized evaluation criteria enable organizations to take proactive security measures and to ensure that their products meet the highest security requirements. Overall, SIST EN ISO/IEC 15408-2:2024 strengthens confidence in security technologies and supports the continuous improvement of IT security standards, making it an indispensable instrument for developers and evaluators in the industry.

The SIST EN ISO/IEC 15408-2:2024 standard is a pivotal document within the domain of information security, cybersecurity, and privacy protection, specifically pertaining to the evaluation criteria for IT security. This standard delineates the necessary structure and content for security functional components, which are essential for conducting security evaluations in IT products. The scope of this standard is comprehensive, as it encapsulates a detailed catalogue of security functional components that cater to the common security functionality requirements observed across a wide array of IT products. This ensures that the evaluation process is systematic and consistent, promoting a greater degree of reliability in assessing security features. One of the primary strengths of SIST EN ISO/IEC 15408-2:2024 is its alignment with international best practices, which elevates the standard's credibility and applicability globally. By providing a clear framework for security functional components, it facilitates interoperability among various technologies and products, thus enhancing security management practices. Furthermore, the inclusion of well-defined components helps organizations identify and address vulnerabilities effectively, making IT environments more resilient against potential threats. The relevance of this standard cannot be overstated, as the evolving landscape of cybersecurity threats necessitates heightened security measures. By adhering to the evaluation criteria set forth in this standard, organizations can foster a robust security posture, ensuring that their IT products meet rigorous security functionality benchmarks. Moreover, this standard aids stakeholders, including developers, security evaluators, and end-users, in establishing trust and confidence in the security capabilities of the IT products they utilize. 
In summary, the SIST EN ISO/IEC 15408-2:2024 standard serves as an authoritative reference for the evaluation of security functional components, promoting enhanced security practices and addressing the dynamic challenges in information security and cybersecurity today.

SIST EN ISO/IEC 15408-2:2024 is an important standard concerning information security, cybersecurity and privacy protection, providing evaluation criteria for the security functional components used in IT security evaluation. The standard defines the required structure and content of security functional components for the purpose of security evaluation of IT products, and includes a catalogue of functional components that meet the common security functionality requirements of many IT products. The strength of this standard lies in the clear definition and structure of its security functional components. This allows product developers and evaluators to ensure a high level of security while maintaining product compatibility, contributing to stronger cybersecurity. It also helps improve reliability by providing common criteria against which IT products can be properly evaluated in the market. Furthermore, SIST EN ISO/IEC 15408-2:2024 maintains its relevance in the field of cybersecurity by recognizing the importance of security functions and supplying comprehensive guidelines. This gives companies and organizations information that helps them formulate effective strategies against the latest threats. The document provides an indispensable framework for the IT security evaluation process and encourages the whole industry to follow standardized, high criteria. SIST EN ISO/IEC 15408-2:2024 is therefore expected to become an essential tool in information security practice and to improve the reliability of security evaluations considerably.

The standard SIST EN ISO/IEC 15408-2:2024, entitled "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 2: Security functional components", establishes essential guidelines for evaluating the security of information technology. This document specifies the required structure and content of security functional components, playing a crucial role in the standardization of security evaluations. One of the main strengths of this standard lies in its exhaustive catalogue of functional components. This catalogue enables IT products to meet common security functionality requirements, thus guaranteeing that diverse IT systems respect uniform security criteria. Thanks to these clear definitions, it becomes easier for security evaluators to analyse and certify products on the basis of internationally recognized criteria. The scope of the standard is also significant, since it applies to a vast range of IT products, covering both software applications and hardware systems. This versatility ensures that the management of information security and cybersecurity risks is consistent and applicable in different usage contexts. The standard is therefore of particular importance in an environment where cyber threats evolve rapidly. In summary, SIST EN ISO/IEC 15408-2:2024 is distinguished by its structural characteristics and its systematic approach to security functional components, which makes it an invaluable tool for any organization seeking to maintain effective protection against information security and cybersecurity risks. Its relevance is heightened by its capacity to foster continuous improvement of IT security practices, which is essential in today's digital landscape.

The standard SIST EN ISO/IEC 15408-2:2024 is a crucial element in the field of information security, cybersecurity and privacy protection. This document determines the required structure and content of the security functional components needed for security evaluation, bringing welcome rigour to this complex technological field. Among its main strengths, the standard offers an exhaustive catalogue of functional components that meet common security functionality requirements applicable to many IT products. This not only harmonizes the criteria for evaluating the security of information systems but also increases user confidence in the IT solutions on offer. The relevance of SIST EN ISO/IEC 15408-2:2024 lies in its ability to provide a frame of reference that facilitates the evaluation and certification of IT products while guaranteeing a level of security suited to contemporary cybersecurity needs. By defining clear, standardized functional components, the standard plays a fundamental role in improving the resilience of systems against security threats. In summary, SIST EN ISO/IEC 15408-2:2024 proves indispensable for professionals in the sector, offering them an effective and standardized tool for guaranteeing and evaluating the security of IT products while meeting growing requirements for personal data protection and system security.

The standard SIST EN ISO/IEC 15408-2:2024 addresses information security, cybersecurity and data protection by establishing specific evaluation criteria for IT security. The scope of this standard is clearly defined: it sets out the required structure and content of the security functions needed for security evaluations. This is particularly relevant at a time when the security requirements placed on IT products are constantly rising and the protection of data is becoming ever more important. An outstanding feature of the standard is its catalogue of functional components, developed to meet the general security requirements of numerous IT products. This functionality helps companies and organizations implement the measures required to ensure cybersecurity. The standard offers a solid foundation that not only supports the development and implementation of secure systems but also eases communication between the various stakeholders. The strengths of SIST EN ISO/IEC 15408-2:2024 lie in its comprehensive approach to security evaluation. It ensures that all necessary aspects of IT security functions are taken into account and promotes standardization in the industry. This is especially significant because it allows companies to apply globally recognized best practices in information security. In summary, SIST EN ISO/IEC 15408-2:2024 is an essential resource for all stakeholders in the field of IT security. Its relevance is evident not only in its support for security evaluations but also in its promotion of a common understanding of security functions, which ultimately contributes to improved cybersecurity.

The SIST EN ISO/IEC 15408-2:2024 standard is an important document that provides evaluation criteria for information security, cybersecurity and privacy protection, and defines the functional components of IT security. The document clearly specifies the structure and content of the security functional components required for the purpose of security evaluation. One of the standard's strengths is that it includes a catalogue of functional components that meet the common security functionality requirements of various IT products. This helps developers and users understand and apply the required security functions more easily. This standardized approach also provides consistency between products and contributes to the reliability of security evaluations. The scope of SIST EN ISO/IEC 15408-2:2024 is very broad, supporting the overall improvement of information system security through in-depth evaluation of security functional components. In particular, in an era when the importance of cybersecurity grows by the day, this standard is essential for enabling institutions and companies to introduce and evaluate security functions effectively. Overall, the SIST EN ISO/IEC 15408-2:2024 standard provides very important criteria for information security and privacy protection, and is highly significant in strengthening the reliability of IT security through the standardized evaluation of security functions.

SIST EN ISO/IEC 15408-2:2024 is an essential document for IT security evaluation in relation to information security, cybersecurity and personal data protection, clearly defining evaluation criteria for security functional components. The standard has a very comprehensive scope, including a catalogue of various security functional components that meet the common security functionality requirements of IT products. One of its strengths is that it provides a clear structure and content that helps evaluators understand and apply the functional components of IT security systematically. This ensures consistency and reliability in evaluating the security functions of IT products. Each functional component is clearly defined, supporting an effective security evaluation process. In addition, SIST EN ISO/IEC 15408-2:2024 is designed to meet criteria essential for the security evaluation of various IT solutions, including recommended security functions. This plays a very important role in helping companies meet the specific requirements needed for information protection and cybersecurity. These requirements are essential for strengthening the security of IT products in a rapidly changing cyber threat environment. In conclusion, SIST EN ISO/IEC 15408-2:2024 provides reliable evaluation criteria in the field of information security and cybersecurity and clearly defines the security functions of IT products. Use of this standard will contribute greatly to increasing the consistency of security evaluations and to providing a foundation for strengthening the security of various IT products.

SIST EN ISO/IEC 15408-2:2024 is an important standard that defines evaluation criteria for IT security evaluation from the perspective of information security, cybersecurity and privacy protection. The document sets out in detail the structure and content of the security functional components required for the purpose of security evaluation. The strength of this standard is that it includes a catalogue of functional components addressing the security functionality requirements common to IT products. This allows the security functions of products to be evaluated consistently, enabling reliable evaluation based on international criteria. In particular, the framework this standard provides is becoming increasingly important for addressing new risks that accompany advances in technology. The standard precisely defines security functions and clarifies how they apply to the actual evaluation process. This makes comparison and evaluation across different products easier, and gives companies and organizations more useful information when making decisions about security investment. SIST EN ISO/IEC 15408-2:2024 promotes a structural understanding of IT security and is a highly readable specification that is easy to apply in practice. It therefore contributes to the standardization of security evaluation and supports the unification of security criteria across various industries. The standard helps ensure the safety of IT use and forms part of a practical approach to the advancement of cybersecurity.

The SIST EN ISO/IEC 15408-2:2024 standard provides a comprehensive framework for evaluating IT security through its defined security functional components. Its primary scope focuses on outlining the necessary structure and content required for security evaluation, facilitating consistent assessments across various IT products. By delineating a catalogue of functional components, this standard ensures that the common security functionality requirements are comprehensively met, thereby enhancing the reliability and effectiveness of security evaluations. One of the significant strengths of this standard is its meticulous approach to defining security functional components, which promotes a uniform understanding among stakeholders in the information security domain. This consistency is crucial for establishing trust in security evaluations and certifications, making it easier for organizations to navigate the complexities of cybersecurity and privacy protection. Additionally, SIST EN ISO/IEC 15408-2:2024 not only serves as a pivotal resource for evaluators but also benefits product developers by providing clear benchmarks for integrating essential security functionalities into their offerings. The standardized criteria help streamline the development process, ensuring that products align with recognized security requirements, ultimately empowering users with more secure IT solutions. The relevance of this standard is underscored by the growing global emphasis on cybersecurity and privacy protection. As organizations increasingly face sophisticated cyber threats, the assurance provided by a robust framework for security evaluations becomes indispensable. The structured approach to functional components fosters an environment where IT products can be critically assessed for security risks, thus supporting an informed decision-making process for consumers and businesses alike. 
In summary, the SIST EN ISO/IEC 15408-2:2024 standard stands out for its thoroughness, clarity, and alignment with contemporary information security needs, making it an essential reference in the ever-evolving landscape of cybersecurity.