iTeh Standards logo
EURUSD
Your shopping cart is empty.
SIST

oSIST prEN ISO/IEC 15408-3:2024

(Main)

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)

Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)

This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).

Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Teil 3: Komponenten für die Vertrauenswürdigkeit der Sicherheit

Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants d'assurance de sécurité (ISO/IEC DIS 15408-3:2024)

Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC DIS 15408-3:2024)

General Information

Status
Not Published
Public Enquiry End Date
10-Nov-2024
ICS
35.030 - IT Security
Technical Committee
ITC - Information technology
Current Stage
4020 - Public enquire (PE) (Adopted Project)
Start Date
16-Sep-2024
Due Date
03-Feb-2025
Completion Date
21-Nov-2024
Ref Project
prEN ISO/IEC 15408-3 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)

Relations

Revises
SIST EN ISO/IEC 15408-3:2024 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2022)
Effective Date
22-May-2024

Overview

prEN ISO/IEC 15408-3 (ISO/IEC DIS 15408-3:2024) is Part 3 of the ISO/IEC 15408 series (Common Criteria) and defines the security assurance components used to assess the trustworthiness of IT products, systems and their development processes. The document specifies the assurance requirements, component structure and the criteria for evaluation of Protection Profiles (PPs), PP‑Configurations, PP‑Modules, and Security Targets (STs). It also describes how individual assurance components combine to form Evaluation Assurance Levels (EALs) and other assurance packages (see ISO/IEC 15408‑5).

Keywords: ISO/IEC 15408-3, Common Criteria, security assurance components, evaluation assurance levels, Protection Profile, Security Target, IT security evaluation, cybersecurity standard, privacy protection.

Key Topics

  • Assurance paradigm and evaluation approach
    • Concepts behind assurance, vulnerability significance and causes, and assurance through independent evaluation.
    • Use of an evaluation assurance scale to express reviewer confidence.
  • Component taxonomy and structure
    • Hierarchy of assurance classes → families → components → elements.
    • Standardized naming, objectives, levelling and dependencies for each component.
  • Component content and rules
    • Component objectives, application notes, levelling rules and assurance elements that form measurable evaluation criteria.
  • Evaluation criteria for PPs and PP configurations
    • Classes and components specifically for PP evaluation (e.g., APE_* components such as APE_CCL, APE_ECD, APE_INT, APE_OBJ, APE_REQ, APE_SPD).
    • Components for PP‑Module and PP‑Configuration evaluation (ACE_* components including ACE_CCL, ACE_CCO, ACE_ECD, ACE_INT, ACE_MCO).
  • Assurance class and family definitions
    • Guidance on how families are grouped, how component levelling works, and how to apply components to different assurance targets.

Applications

  • Product and system certification: Laboratories and certification bodies use these components to assess and certify IT products, security functions, and development lifecycle activities.
  • Protection Profile development: PP authors apply the component definitions and levelling rules to create PPs that are consistent, testable and suitable for evaluation.
  • Procurement and assurance claims: Procurement officers, integrators and regulators can reference assurance components and evaluation criteria to specify required assurance levels in tenders and regulations.
  • Security engineering and compliance: Security architects, developers and privacy officers use the standard to align development and documentation with internationally recognized assurance requirements.

Who should use this standard

  • Certification bodies and evaluation laboratories
  • Security product vendors and PP authors
  • Procurement, risk and compliance teams
  • Regulators and standards harmonization committees

Related standards

  • ISO/IEC 15408 series (Common Criteria) - Parts 1, 2 and 5 (context and security functional components and packages)
  • National scheme implementation guides and certification policies that adopt Common Criteria components

This part consolidates the assurance building blocks that underpin Common Criteria evaluations, enabling consistent, repeatable assessment of IT security, cybersecurity and privacy protection.

oSIST prEN ISO/IEC 15408-3:2024oSIST prEN ISO/IEC 15408-3:2024
PreviousNext
Draft
oSIST prEN ISO/IEC 15408-3:2024
English language
202 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-november-2024
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
vrednotenje varnosti IT - 3. del: Komponente za zagotavljanje varnosti (ISO/IEC
DIS 15408-3:2024)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Teil 3: Komponenten für die Vertrauenswürdigkeit
der Sicherheit
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Partie 3: Composants
d'assurance de sécurité (ISO/IEC DIS 15408-3:2024)
Ta slovenski standard je istoveten z: prEN ISO/IEC 15408-3
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

DRAFT
International
Standard
ISO/IEC
DIS
15408-3
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
2024-08-19
Part 3:
Voting terminates on:
2024-11-11
Security assurance components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 3: Composants d'assurance de sécurité
ICS: ISO ics
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
BE CONSIDERED IN THE LIGHT OF THEIR
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED
TO SUBMIT, WITH THEIR COMMENTS,
NOTIFICATION OF ANY RELEVANT PATENT
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Reference number
© ISO/IEC 2024
ISO/IEC DIS 15408-3:2024(en)
DRAFT
ISO/IEC DIS 15408-3:2024(en)
International
Standard
ISO/IEC
DIS
15408-3
ISO/IEC JTC 1/SC 27
Information security, cybersecurity
Secretariat: DIN
and privacy protection —
Voting begins on:
Evaluation criteria for IT security —
2024-08-19
Part 3:
Voting terminates on:
2024-11-11
Security assurance components
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies
de l'information —
Partie 3: Composants d'assurance de sécurité
ICS: ISO ics
THIS DOCUMENT IS A DRAFT CIRCULATED
FOR COMMENTS AND APPROVAL. IT
IS THEREFORE SUBJECT TO CHANGE
AND MAY NOT BE REFERRED TO AS AN
INTERNATIONAL STANDARD UNTIL
PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL,
© ISO/IEC 2024
TECHNOLOGICAL, COMMERCIAL AND
USER PURPOSES, DRAFT INTERNATIONAL
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
STANDARDS MAY ON OCCASION HAVE TO
ISO/CEN PARALLEL PROCESSING
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
BE CONSIDERED IN THE LIGHT OF THEIR
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
POTENTIAL TO BECOME STANDARDS TO
WHICH REFERENCE MAY BE MADE IN
or ISO’s member body in the country of the requester.
NATIONAL REGULATIONS.
ISO copyright office
RECIPIENTS OF THIS DRAFT ARE INVITED
CP 401 • Ch. de Blandonnet 8
TO SUBMIT, WITH THEIR COMMENTS,
CH-1214 Vernier, Geneva
NOTIFICATION OF ANY RELEVANT PATENT
Phone: +41 22 749 01 11
RIGHTS OF WHICH THEY ARE AWARE AND TO
PROVIDE SUPPORTING DOCUMENTATION.
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
© ISO/IEC 2024
ISO/IEC DIS 15408-3:2024(en)
© ISO/IEC 2024 – All rights reserved
ii
ISO/IEC DIS 15408-3:2024(en)
Contents Page
Foreword .x
Introduction .xii
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
4 Overview . 5
5 Assurance paradigm . 6
5.1 General .6
5.2 ISO/IEC 15408 series approach .6
5.3 Assurance approach .6
5.3.1 General .6
5.3.2 Significance of vulnerabilities .6
5.3.3 Cause of vulnerabilities .7
5.3.4 ISO/IEC 15408 series assurance .7
5.3.5 Assurance through evaluation .7
5.4 ISO/IEC 15408 series evaluation assurance scale .8
6 Security assurance components . 8
6.1 Overview .8
6.2 Assurance class structure .8
6.2.1 General .8
6.2.2 Class name .8
6.2.3 Class introduction .9
6.2.4 Assurance families .9
6.3 Assurance family structure .9
6.3.1 General .9
6.3.2 Family name .9
6.3.3 Family objectives .9
6.3.4 Component levelling .10
6.3.5 Family application notes .10
6.3.6 Assurance components .10
6.4 Assurance component structure .10
6.4.1 General .10
6.4.2 Component name .10
6.4.3 Component objectives . .11
6.4.4 Component application notes .11
6.4.5 Component dependencies .11
6.4.6 Assurance elements .11
6.5 Assurance elements . 12
6.6 Component taxonomy . 12
7 Class APE Protection Profile (PP) evaluation .12
7.1 Introduction . 12
7.2 Conformance claims (APE_CCL) .14
7.2.1 Objectives .14
7.2.2 Conformance claims (APE_CCL.1) .14
7.3 Extended components definition (APE_ECD) .16
7.3.1 Objectives .16
7.3.2 Extended components definition (APE_ECD.1) .16
7.4 PP introduction (APE_INT) .17
7.4.1 Objectives .17
7.4.2 PP introduction (APE_INT.1) .17
7.5 Security objectives (APE_OBJ) .17
7.5.1 Objectives .17

© ISO/IEC 2024 – All rights reserved
iii
ISO/IEC DIS 15408-3:2024(en)
7.5.2 Component levelling .17
7.5.3 Security objectives for the operational environment (APE_OBJ.1) .18
7.5.4 Security objectives (APE_OBJ.2) . .18
7.6 Security requirements (APE_REQ) .19
7.6.1 Objectives .19
7.6.2 Component levelling .19
7.6.3 Direct rationale security requirements (APE_REQ.1) .19
7.6.4 Derived security requirements (APE_REQ.2) . 20
7.7 Security problem definition (APE_SPD) . 22
7.7.1 Objectives . 22
7.7.2 Security problem definition (APE_SPD.1) . 22
8 Class ACE Protection Profile Configuration evaluation .22
8.1 Introduction . 22
8.2 PP-Module conformance claims (ACE_CCL) .24
8.2.1 Objectives .24
8.2.2 PP-Module conformance claims (ACE_CCL.1) .24
8.3 PP-Configuration consistency (ACE_CCO) . 25
8.3.1 Objectives . 25
8.3.2 PP-Configuration consistency (ACE_CCO.1) . 26
8.4 PP-Module extended components definition (ACE_ECD). 29
8.4.1 Objectives . 29
8.4.2 PP-Module extended components definition (ACE_ECD.1) . 29
8.5 PP-Module introduction (ACE_INT) . 30
8.5.1 Objectives . 30
8.5.2 PP-Module introduction (ACE_INT.1) . 30
8.6 PP-Module consistency (ACE_MCO) .31
8.6.1 Objectives .31
8.6.2 PP-Module consistency (ACE_MCO.1) .31
8.7 PP-Module security objectives (ACE_OBJ) .32
8.7.1 Objectives .32
8.7.2 Component levelling .32
8.7.3 PP-Module security objectives for the operational environment (ACE_OBJ.1) .32
8.7.4 PP-Module security objectives (ACE_OBJ.2) . 33
8.8 PP-Module security requirements (ACE_REQ) . 34
8.8.1 Objectives . 34
8.8.2 Component levelling . 34
8.8.3 PP-Module direct rationale security requirements (ACE_REQ.1) . 34
8.8.4 PP-Module derived security requirements (ACE_REQ.2) . 35
8.9 PP-Module security problem definition (ACE_SPD) .37
8.9.1 Objectives .37
8.9.2 PP-Module security problem definition (ACE_SPD.1) .37
9 Class ASE Security Target (ST) evaluation .37
9.1 Introduction .37
9.2 Conformance claims (ASE_CCL) . 39
9.2.1 Objectives . 39
9.2.2 Conformance claims (ASE_CCL.1) . 39
9.3 Consistency of composite product Security Target (ASE_COMP) .41
9.3.1 Objectives .41
9.3.2 Component levelling .41
9.3.3 Application notes .41
9.3.4 Consistency of Security Target (ST) (ASE_COMP.1) .42
9.4 Extended components definition (ASE_ECD) .42
9.4.1 Objectives .42
9.4.2 Extended components definition (ASE_ECD.1) .43
9.5 ST introduction (ASE_INT) .43
9.5.1 Objectives .43
9.5.2 ST introduction (ASE_INT.1) . 44
9.6 Security objectives (ASE_OBJ) .45

© ISO/IEC 2024 – All rights reserved
iv
ISO/IEC DIS 15408-3:2024(en)
9.6.1 Objectives .45
9.6.2 Component levelling .45
9.6.3 Security objectives for the operational environment (ASE_OBJ.1) .45
9.6.4 Security objectives (ASE_OBJ.2) .45
9.7 Security requirements (ASE_REQ). 46
9.7.1 Objectives . 46
9.7.2 Component levelling .47
9.7.3 Direct rationale security requirements (ASE_REQ.1) .47
9.7.4 Derived security requirements (ASE_REQ.2). 48
9.8 Security problem definition (ASE_SPD) . 49
9.8.1 Objectives . 49
9.8.2 Security problem definition (ASE_SPD.1) . 50
9.9 TOE summary specification (ASE_TSS) . 50
9.9.1 Objectives . 50
9.9.2 Component levelling . 50
9.9.3 TOE summary specification (ASE_TSS.1) .51
9.9.4 TOE summary specification with architectural design summary (ASE_TSS.2) .51
10 Class ADV Development .52
10.1 Introduction .52
10.2 Security architecture (ADV_ARC) .57
10.2.1 Objectives .57
10.2.2 Component levelling .57
10.2.3 Application notes .57
10.2.4 Security architecture description (ADV_ARC.1) . 58
10.3 Composite design compliance (ADV_COMP) .59
10.3.1 Objectives .59
10.3.2 Component levelling .59
10.3.3 Application notes .59
10.3.4 Design compliance with the base component-related user guidance, ETR for
composite evaluation and report of the base component evaluation authority
(ADV_COMP.1) . 60
10.4 Functional specification (ADV_FSP) . 60
10.4.1 Objectives . 60
10.4.2 Component levelling .61
10.4.3 Application notes .61
10.4.4 Basic functional specification (ADV_FSP.1) . 63
10.4.5 Security-enforcing functional specification (ADV_FSP.2) . 64
10.4.6 Functional specification with complete summary (ADV_FSP.3) . 65
10.4.7 Complete functional specification (ADV_FSP.4) . 66
10.4.8 Complete semi-formal functional specification with additional error
information (ADV_FSP.5). 66
10.4.9 Complete semi-formal functional specification with additional formal
specification (ADV_FSP.6). 68
10.5 Implementation representation (ADV_IMP) . 69
10.5.1 Objectives . 69
10.5.2 Component levelling . 69
10.5.3 Application notes . 69
10.5.4 Implementation representation of the TSF (ADV_IMP.1) .70
10.5.5 Complete mapping of the implementation representation of the TSF (ADV_IMP.2) .71
10.6 TSF internals (ADV_INT) .71
10.6.1 Objectives .71
10.6.2 Component levelling . 72
10.6.3 Application notes . 72
10.6.4 Well-structured subset of TSF internals (ADV_INT.1) . 72
10.6.5 Well-structured internals (ADV_INT.2) . 73
10.6.6 Minimally complex internals (ADV_INT.3) .74
10.7 Formal TSF model (ADV_SPM). 75
10.7.1 Objectives . 75

© ISO/IEC 2024 – All rights reserved
v
ISO/IEC DIS 15408-3:2024(en)
10.7.2 Component levelling . 75
10.7.3 Application notes . 75
10.7.4 Formal TSF model (ADV_SPM.1) .76
10.8 TOE design (ADV_TDS) . 77
10.8.1 Objectives . 77
10.8.2 Component levelling . 77
10.8.3 Application notes . 77
10.8.4 Basic design (ADV_TDS.1) . 79
10.8.5 Architectural design (ADV_TDS.2) . 80
10.8.6 Basic modular design (ADV_TDS.3) . 81
10.8.7 Semi-Formal modular design (ADV_TDS.4) . 82
10.8.8 Complete semi-formal modular design (ADV_TDS.5) . 83
10.8.9 Complete semi-formal modular design with formal high-level design
presentation (ADV_TDS.6) . 84
11 Class AGD Guidance documents .85
11.1 Introduction . 85
11.2 Operational user guidance (AGD_OPE) . 86
11.2.1 Objectives . 86
11.2.2 Component levelling . 86
11.2.3 Application notes . 87
11.2.4 Operational user guidance (AGD_OPE.1) . 87
11.3 Preparative procedures (AGD_PRE) . 88
11.3.1 Objectives . 88
11.3.2 Component levelling . 88
11.3.3 Application notes . 88
11.3.4 Preparative procedures (AGD_PRE.1) . 89
12 Class ALC Life-cycle support .89
12.1 Introduction . 89
12.2 CM capabilities (ALC_CMC) .91
12.2.1 Objectives .91
12.2.2 Component levelling . 92
12.2.3 Application notes . 92
12.2.4 Labelling of the TOE (ALC_CMC.1) . 92
12.2.5 Use of the CM system (ALC_CMC.2) . 93
12.2.6 Authorization controls (ALC_CMC.3) . 94
12.2.7 Production support, acceptance procedures and automation (ALC_CMC.4) . 95
12.2.8 Advanced support (ALC_CMC.5) . 97
12.3 CM scope (ALC_CMS) . 99
12.3.1 Objectives . 99
12.3.2 Component levelling . 99
12.3.3 Application notes . 99
12.3.4 TOE CM coverage (ALC_CMS.1) . 99
12.3.5 Parts of the TOE CM coverage (ALC_CMS.2) . 100
12.3.6 Implementation representation CM coverage (ALC_CMS.3) . 101
12.3.7 Problem tracking CM coverage (ALC_CMS.4) . 101
12.3.8 Development tools CM coverage (ALC_CMS.5) . 102
12.4 Integration of composition parts and consistency check of delivery procedures (ALC_
COMP) . 103
12.4.1 Objectives . 103
12.4.2 Component levelling . 103
12.4.3 Application notes .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

Frequently Asked Questions

oSIST prEN ISO/IEC 15408-3:2024 is a draft published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)". This standard covers: This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).

This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).

oSIST prEN ISO/IEC 15408-3:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

oSIST prEN ISO/IEC 15408-3:2024 has the following relationships with other standards: It is inter standard links to SIST EN ISO/IEC 15408-3:2024. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase oSIST prEN ISO/IEC 15408-3:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

This May Also Interest You

SIST
SIST EN ISO/IEC 27706:2025(Main)
Information security, cybersecurity and privacy protection - Requirements for bodies providing audit and certification of privacy information management systems (ISO/IEC 27706:2025)
EN ISO/IEC 27706:2025

This document specifies requirements and provides guidance for bodies providing audit and certification of a privacy information management system (PIMS) according to ISO/IEC 27701, in addition to the requirements contained within ISO/IEC 17021-1.
The requirements contained in this document are demonstrated in terms of competence and reliability by bodies providing PIMS certification. The guidance contained in this document provides additional interpretation of these requirements for bodies providing PIMS certification.
NOTE       This document can be used as a criteria document for accreditation, peer assessment or other audit processes.

  • Standard
    33 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27701:2025(Main)
Information security, cybersecurity and privacy protection - Privacy information management systems - Requirements and guidance (ISO/IEC 27701:2025)
EN ISO/IEC 27701:2025

This document specifies requirements for establishing, implementing, maintaining and continually improving a privacy information management system (PIMS).
Guidance is also provided to assist in the implementation of the requirements in this document.
This document is intended for personally identifiable information (PII) controllers and PII processors holding responsibility and accountability for PII processing.
This document is applicable to all types and sizes of organizations, including public and private companies, government entities and not-for-profit organizations.

  • Standard
    73 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/CLC/TS 18072:2025(Main)
Requirements for Conformity Assessment Bodies certifying Cloud Services
CEN/CLC/TS 18072:2025

This TS provides requirements and ISO/IEC 17065 interpretations for Conformity Assessment Bodies (CABs) assessing Cloud Services
This TS is intended to be used by the National Accreditation Bodies (NABs), as well as CABs.

  • Technical specification
    45 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 18037:2025(Main)
Guidelines on a sectoral cybersecurity assessment
EN 18037:2025

This document contains guidelines to be used in the process of drafting requirements of cybersecurity certification schemes for sectoral ICT services and systems. It includes all steps necessary to define, implement and maintain such requirements.

  • Standard
    65 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27555:2025(Main)
Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC 27555:2021)
EN ISO/IEC 27555:2025

This document contains guidelines for developing and establishing policies and procedures for deletion of personally identifiable information (PII) in organizations by specifying:
—    a harmonized terminology for PII deletion;
—    an approach for defining deletion rules in an efficient way;
—    a description of required documentation;
—    a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII is stored or processed.
This document does not address:
—    specific legal provision, as given by national law or specified in contracts;
—    specific deletion rules for particular clusters of PII that are defined by PII controllers for processing PII;
—    deletion mechanisms;
—    reliability, security and suitability of deletion mechanisms;
—    specific techniques for de-identification of data.

  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN ISO/IEC 27001:2023/A1:2025(Amendment)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements - Amendment 1: Climate action changes (ISO/IEC 27001:2022/Amd 1:2024)
EN ISO/IEC 27001:2023/A1:2024
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/CLC ISO/IEC/TS 23532-1:2025(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 1: Evaluation for ISO/IEC 15408 (ISO/IEC/TS 23532-1:2021)
CEN/CLC ISO/IEC/TS 23532-1:2024

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.

  • Technical specification
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Technical specification
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/CLC ISO/IEC/TS 23532-2:2025(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 2: Testing for ISO/IEC 19790 (ISO/IEC/TS 23532-2:2021)
CEN/CLC ISO/IEC/TS 23532-2:2024

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.

  • Technical specification
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Technical specification
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST-TS CEN/TS 18099:2025(Main)
Biometric data injection attack detection
CEN/TS 18099:2024

This document provides an overview on:
-   Definitions on Biometric Data Injection Attack,
-   Biometric Data Injection Attack use case on main biometric system hardware for enrolment and verification,
-   Injection Attack Instruments on systems using one or several biometric modalities.
This document provides guidance on:
-   System for the detection of Injection Attack Instruments (defined in 3.12),
-   Appropriate mitigation risk of Injection Attack Instruments,
-   Creation of test plan for the evaluation of Injection Attack Detection system (defined in 3.9).
If presentation attacks testing is out of scope of this document, note that these two characteristics are in the scope of this document:
-   Presentation Attack Detection systems which can be used as injection attack instrument defence mechanism and/or injection attack method defence mechanism. Yet, no presentation attack testing will be performed by the laboratory to be compliant with this document (out of scope).
-   Bona Fide Presentation testing in order to test the ability of the Target Of Evaluation to correctly classify legitimate users.
The following aspects are out of scope:
-   Presentation Attack testing (as they are covered in ISO/IEC 30107 standards),
-   Biometric attacks which are not classified as Type 2 attacks (see Figure 1),
-   Evaluation of implementation of cryptographic mechanisms like secure elements,
-   Injection Attack Instruments rejected due to quality issues.

  • Technical specification
    37 pages
    English language
    sale 10% off
    e-Library read for
    1 day
SIST
SIST EN 18031-1:2024(Main)
Common security requirements for radio equipment - Part 1: Internet connected radio equipment
EN 18031-1:2024

This document specifies common security requirements for internet-connected radio equipment. This document provides technical specifications for radio equipment, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

  • Standard
    180 pages
    English language
    sale 10% off
    e-Library read for
    1 day