Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit (ISO/IEC 18045:2022)

Dieses Dokument legt die Aktionen fest, die ein Evaluator mindestens durchführen muss, um eine Evaluierung nach der Normenreihe ISO/IEC 15408 unter Verwendung der in der Normenreihe ISO/IEC 15408 definierten Kriterien und Evaluationsnachweise durchzuführen.

Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour l'évaluation de sécurité (ISO/IEC 18045:2022)

Le présent document définit les actions minimales à réaliser par un évaluateur pour mener une évaluation selon la série de normes ISO/IEC 15408 en utilisant les critères et les preuves d'évaluation définis dans la série de normes ISO/IEC 15408.

Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC 18045:2022)

Ta dokument spremlja dokument »Merila za ocenjevanje varnosti IT«, standard ISO/IEC 15408 (vsi deli). Ta dokument določa minimalne ukrepe, ki jih mora izvesti ocenjevalec, da izvede oceno iz skupine standardov ISO/IEC 15408 z uporabo meril in dokazov za ocenjevanje, opredeljenih v skupini standardov ISO/IEC 15408.

General Information

Status
Published
Public Enquiry End Date
14-Sep-2023
Publication Date
22-Feb-2024
ICS
35.030 - IT Security
Technical Committee
ITC - Information technology
Current Stage
6060 - National Implementation/Publication (Adopted Project)
Start Date
13-Feb-2024
Due Date
19-Apr-2024
Completion Date
23-Feb-2024
Ref Project
EN ISO/IEC 18045:2023 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)

Relations

Replaces
SIST EN ISO/IEC 18045:2020 - Information technology - Security techniques - Methodology for IT security evaluation (ISO/IEC 18045:2008)
Effective Date
01-Apr-2024
Revised
kSIST FprEN ISO/IEC 18045:2026 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Requirements and methodology for IT security evaluation (ISO/IEC FDIS 18045:2025)
Effective Date
17-Apr-2024

Overview

SIST EN ISO/IEC 18045:2024 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022) - defines the minimum actions an evaluator must perform to conduct an evaluation against the ISO/IEC 15408 series (Common Criteria). Adopted as EN ISO/IEC 18045:2023 and published by the Slovene standards body (SIST), this methodology standard provides structured guidance for planning, executing and reporting IT security evaluations and for managing evaluation evidence and outputs.

Key topics and technical requirements

  • Evaluation process and tasks: Guidance on evaluation inputs, sub-activities and outputs, including objectives and application notes for each task area.
  • Roles and responsibilities: Definitions of evaluator roles, relationships between roles, and required activities to reach reliable verdicts.
  • Evaluator verdicts and reporting: Rules for forming verdicts and producing evaluation artifacts such as the Evaluation Technical Report (ETR).
  • Protection Profile (PP) and PP‑module evaluation: Methodology for assessing Protection Profiles, re‑use of certified PP results, PP introductions, conformance claims, security problem definitions, objectives, extended components and security requirements.
  • Management of evaluation evidence: Minimum actions for collecting, organizing and validating evidence required by the ISO/IEC 15408 criteria.
  • Conformance and consistency checks: Procedures for verifying consistency of claims, requirements and mappings between problem definition, objectives and security requirements.

Keywords: ISO/IEC 18045, IT security evaluation methodology, ISO/IEC 15408, Protection Profile evaluation, Evaluation Technical Report, evaluator roles, cybersecurity standard.

Practical applications - who uses this standard

  • Independent evaluators and laboratories - to follow a consistent, auditable methodology when performing Common Criteria evaluations.
  • Certification bodies - to assess evaluator outputs and ensure evaluations meet the minimum methodology requirements.
  • Product vendors and PP authors - to prepare deliverables (security targets, protection profiles, evidence) that align with evaluator expectations.
  • Procurement and compliance teams - to interpret evaluation results and incorporate certified claims into procurement and risk decisions.
  • Security consultants and auditors - to understand the evaluation lifecycle, required evidence, and how evaluator verdicts are derived.

Related standards

  • ISO/IEC 15408 series (Common Criteria) - evaluation criteria and evidence referenced by ISO/IEC 18045.
  • EN ISO/IEC 18045:2023 - European adoption of the ISO/IEC 18045:2022 text.
  • Other relevant frameworks: ISO/IEC 27001 (information security management) - complementary for organizational controls and governance.

This standard is essential for anyone involved in formal IT security evaluation, certification, or producing evaluable security documentation, ensuring consistent, repeatable and defensible evaluation outcomes.

SIST EN ISO/IEC 18045:2024 - BARVE - Page 1 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 2 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 3 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 4 preview
PreviousNext
Standard

SIST EN ISO/IEC 18045:2024 - BARVE

English language
439 pages
Preview
Preview
e-Library read for
1 day
SIST EN ISO/IEC 18045:2024 - BARVE - Page 1 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 2 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 3 previewSIST EN ISO/IEC 18045:2024 - BARVE - Page 4 preview
PreviousNext
Standard

SIST EN ISO/IEC 18045:2024 - BARVE

English language
439 pages
Preview
Preview
e-Library read for
1 day

Frequently Asked Questions

SIST EN ISO/IEC 18045:2024 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)". This standard covers: This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.

SIST EN ISO/IEC 18045:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

SIST EN ISO/IEC 18045:2024 has the following relationships with other standards: It is inter standard links to SIST EN ISO/IEC 18045:2020, kSIST FprEN ISO/IEC 18045:2026. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase SIST EN ISO/IEC 18045:2024 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of SIST standards.

Standards Content (Sample)


SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 18045

NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...


SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN ISO/IEC 18045

NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved

ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

Loading comments...

SIST EN ISO/IEC 18045:2024は、情報セキュリティ、サイバーセキュリティ、およびプライバシー保護に関する重要な国際基準であり、ITセキュリティの評価における方法論を明確に定義しています。この標準文書は、ISO/IEC 15408シリーズによる評価を実施するために必要な最低限のアクションを示しており、評価者が遵守すべき基準と評価証拠を整備しています。 本標準の優れた点は、評価者が具体的かつ体系的にITセキュリティ評価を行うためのガイドラインを提供している点です。これにより、ITセキュリティの評価プロセスが一貫性を持ち、信頼性の高い結果が得られるようになります。また、ISO/IEC 15408シリーズとの緊密な連携により、他の関連標準との整合性も保たれており、国際的な基準としての位置付けが際立っています。 さらに、SIST EN ISO/IEC 18045:2024は、情報セキュリティの急速に進化する環境に対応するための適応力を持っています。このことは、サイバーセキュリティの脅威が日々変化する中で、評価基準も柔軟に対応できることを意味します。したがって、この標準は、企業や組織がサイバーセキュリティ対策を強化し、情報保護を促進するための重要な手段となります。 全体的に、SIST EN ISO/IEC 18045:2024は、情報セキュリティ評価に関する明確な基準を提供することで、ITセキュリティ評価プロセスの効率化と信頼性向上に寄与しています。この標準は、現代のサイバーセキュリティのニーズに応える有力なツールであり、幅広い業界での活用が期待されます。

The SIST EN ISO/IEC 18045:2024 is a pivotal standard that delineates the methodology for evaluating IT security, with a strong focus on information security, cybersecurity, and privacy protection. This document serves as a crucial framework for evaluators, specifying the minimum actions required to perform evaluations in accordance with the ISO/IEC 15408 series, providing clarity and consistency in the evaluation process. One of the primary strengths of the SIST EN ISO/IEC 18045:2024 is its comprehensive nature. It establishes clear criteria and delineates the evaluation evidence necessary for conducting thorough assessments of IT security. This systematic approach not only enhances the reliability of the evaluation process but also ensures that evaluators can reference a standardized methodology, thus promoting uniformity across the industry. By adhering to this standard, organizations can achieve a higher level of confidence in their security evaluations. The scope of the standard is particularly relevant in the context of growing concerns around cybersecurity threats and data privacy. As organizations increasingly rely on Information Technology systems, the ability to adequately assess the security posture of these systems becomes paramount. The effective methodology outlined in SIST EN ISO/IEC 18045:2024 promotes proactive risk management, helping organizations to identify vulnerabilities and implement necessary controls to safeguard sensitive information. Moreover, the standard's association with the ISO/IEC 15408 series underlines its significance within the broader framework of international IT security evaluation standards. It connects evaluators with a well-respected lineage of methodologies, fostering a culture of excellence and accountability in cybersecurity practices. In conclusion, the SIST EN ISO/IEC 18045:2024 stands as a critical reference for IT security evaluations, equipping evaluators with the necessary tools to conduct thorough and reliable assessments. Its detailed approach to the evaluation criteria and the evidence required ensures its relevance in today's fast-evolving cybersecurity landscape, making it an essential resource for organizations seeking to bolster their information security and privacy protection measures.

SIST EN ISO/IEC 18045:2024 표준은 정보 보안, 사이버 보안 및 개인 정보 보호의 평가 기준을 제공하는 중요한 문서입니다. 이 표준은 IT 보안 평가를 위한 방법론을 정의하고 있으며, ISO/IEC 15408 시리즈 평가를 수행하기 위해 평가자가 따라야 할 최소한의 행동을 명확히 하고 있습니다. 이 표준의 강점은 명확하게 정의된 평가 기준과 증거를 기반으로 평가를 수행하는 방법을 제시한다는 점입니다. 이를 통해 기업 및 기관은 IT 보안의 유효성을 검증할 수 있으며, 그 과정에서 발생할 수 있는 잠재적인 취약점을 예방할 수 있습니다. 이러한 관리적 접근은 정보 보안 분야에서 필수적인 요소로, 이해관계자들에게 신뢰를 줄 수 있는 기초를 마련합니다. 또한 SIST EN ISO/IEC 18045:2024는 다양한 산업에서 IT 보안 평가의 필요성이 증가하는 현재의 상황에서 더욱 그 중요성이 부각됩니다. 사이버 공격의 위협이 증가하고 있는 시점에서, 이 표준은 조직들이 체계적이고 일관된 방식으로 보안을 평가하고 강화할 수 있도록 돕습니다. 결과적으로, 이 문서는 기관들이 사이버 보안 및 개인 정보 보호를 더욱 효율적으로 관리하도록 지원하는 필수 요소로 자리잡고 있습니다. 종합적으로 볼 때, SIST EN ISO/IEC 18045:2024는 정보 보안 및 IT 보안 평가의 방법론을 확립하는 데 중요한 역할을 하며, 평가자가 준수해야 할 구체적인 지침을 제공하는 점에서 그 가치가 높습니다. 이는 정보 보안 분야의 표준화된 접근 방식을 통해 전체적인 사이버 보안을 강화하는 데 기여할 것입니다.

La norme SIST EN ISO/IEC 18045:2024 est un document essentiel qui définit les actions minimales à entreprendre par un évaluateur pour mener une évaluation conforme à la série ISO/IEC 15408, en utilisant des critères et des preuves d'évaluation spécifiés dans cette série. Dans le domaine de la sécurité de l'information, de la cybersécurité et de la protection de la vie privée, cette norme représente un cadre robuste et fiable pour l'évaluation de la sécurité des systèmes informatiques. Une des forces majeures de cette norme réside dans sa méthodologie clairement établie pour l'évaluation de la sécurité informatique. En fournissant des lignes directrices précises, le document permet aux évaluateurs de procéder de manière systématique et objective, garantissant ainsi que toutes les dimensions de la sécurité sont prises en compte. De plus, la norme favorise l'harmonisation des processus d'évaluation à l'échelle internationale, rendant les résultats comparables et lisibles, ce qui est crucial dans un environnement technologique globalisé. Le champ d'application de SIST EN ISO/IEC 18045:2024 est particulièrement pertinent à une époque où les menaces liées à la sécurité numérique sont omniprésentes. En définissant les critères d'évaluation, la norme aide les organisations à s'assurer que leurs systèmes informatiques sont tests de manière rigoureuse, ce qui contribue à améliorer la résilience globale et la confiance des utilisateurs face aux systèmes de sécurité en place. En somme, la norme SIST EN ISO/IEC 18045:2024, en fournissant une base définie pour l'évaluation de la sécurité des systèmes informatiques, s'avère indispensable pour toute organisation cherchant à évaluer ses pratiques en matière de sécurité de l’information, de cybersécurité et de protection des données privées. Sa pertinence et sa fiabilité en font un outil indispensable pour les évaluateurs et les organismes souhaitant garantir une protection adéquate contre les risques numériques.

SIST EN ISO/IEC 18045:2024は、ITセキュリティ評価のための方法論を定義する重要な標準です。この文書は、ISO/IEC 15408シリーズの評価を実施するために評価者が行うべき最小限のアクションを明確に示しており、情報セキュリティ、サイバーセキュリティ、プライバシー保護における評価基準を提供します。 本標準の強みは、評価の整合性と標準化された方法論を通じて、ITセキュリティ評価の透明性を高めるところにあります。特に、ISO/IEC 15408シリーズとの連携により、評価者は一貫した基準に基づいて結果を導出することができ、信頼性の高い評価を提供できます。また、評価者が使用する必要な証拠や基準が明記されているため、評価プロセス全体が明確になります。 SIST EN ISO/IEC 18045:2024は、現代の情報システムが直面するサイバー脅威に対抗するために、企業や組織にとって不可欠な参考となるものであり、情報セキュリティの強化に寄与します。この標準の適用により、評価プロセスが正確かつ効率的になるとともに、プライバシー保護の観点からも高水準の基準が提供されます。評価者にとって、具体的な手順が定義されることで、より効果的かつ体系的な統制策の構築が促進されるでしょう。 このように、SIST EN ISO/IEC 18045:2024は、ITセキュリティ評価における重要な基盤となり、業界全体の信頼性向上に寄与することを狙った標準であり、その適用範囲は広く、現実的な評価ニーズに応えています。

Der Standard SIST EN ISO/IEC 18045:2024 stellt eine wesentliche Grundlage für die Evaluierung von IT-Sicherheit dar und definiert die erforderlichen Mindestaktionen für Evaluatoren, um eine Bewertung gemäß der ISO/IEC 15408-Serie durchzuführen. Die Methodologie für die IT-Sicherheitsevaluation ist besonders relevant, da sie einen strukturierten Ansatz bereitstellt, der die Qualität und Konsistenz der Bewertungen sicherstellt. Ein signifikantes Merkmal des Standards ist die Klarheit, mit der die Kriterien und Evaluierungsbeweise formuliert sind. Diese Standardisierung ermöglicht es Evaluatoren, eine fundierte und nachprüfbare Bewertung vorzunehmen, die auf international anerkannten Praktiken basiert. Die Festlegung von Mindestanforderungen trägt zur Gewährleistung der Integrität der Evaluationsprozesse bei und fördert das Vertrauen in die Ergebnisse. Ein weiterer Vorteil des Standards ist seine Anpassungsfähigkeit an verschiedene IT-Systeme und -Umgebungen. Die Methodologie berücksichtigt die Vielfalt der Technologien und Bedrohungen im Bereich der Informationssicherheit, Cybersecurity und Datenschutz. Dadurch kann der Standard breitflächig angewendet werden, was seine Relevanz in einer dynamischen technologischen Landschaft unterstreicht. Die fortwährende Aktualisierung und Anpassung des Standards an die neuesten Entwicklungen in der IT-Sicherheitslandschaft zeigen dessen Engagement für Exzellenz und Relevanz. Die Orientierung an den internationalen Normen des ISO/IEC 15408 sichert die globale Akzeptanz und anerkannte Verwendung des Standards und macht ihn zu einem unverzichtbaren Instrument für jedes Unternehmen, das ernsthaft mit Informationssicherheit, Cybersecurity und Datenschutz umgehen möchte. Zusammenfassend lässt sich sagen, dass der SIST EN ISO/IEC 18045:2024 Standard nicht nur die erforderlichen Rahmenbedingungen für die Durchführung von IT-Sicherheitsbewertungen festlegt, sondern auch eine wertvolle Ressource für Evaluatoren darstellt, die Best Practices und eine hohe Qualität in ihren Arbeiten anstreben.

Der Standard SIST EN ISO/IEC 18045:2024 bietet eine umfassende Methodologie zur Bewertung der IT-Sicherheit und legt die erforderlichen Mindestmaßnahmen fest, die ein Evaluator ergreifen muss, um eine Bewertung gemäß der ISO/IEC 15408-Serie durchzuführen. Diese Norm ist von wesentlicher Bedeutung für die Informationssicherheit, da sie sowohl den Bereich der Cybersicherheit als auch den Datenschutz abdeckt. Die Stärken des Standards liegen in seiner klaren Struktur und seinem Fokus auf eine einheitliche Bewertungsmethodik. Durch die Festlegung konkreter Kriterien und Bewertungsnachweise aus der ISO/IEC 15408-Serie ermöglicht der Standard eine konsistente und nachvollziehbare Bewertung von IT-Sicherheitslösungen. Dies trägt nicht nur zur Vertrauensbildung bei Nutzern und Unternehmen bei, sondern stärkt auch die allgemeine Sicherheit in einer zunehmend vernetzten Welt. Des Weiteren ist der Standard äußerst relevant in der heutigen Zeit, in der Cyberangriffe und Datenschutzverletzungen an der Tagesordnung sind. Die klare Definition von Bewertungskriterien hilft Organisationen dabei, ihre IT-Sicherheitsmaßnahmen zu verbessern und den Anforderungen an die Compliance gerecht zu werden. Gleichzeitig bietet die Methodologie eine nützliche Orientierung für Evaluatoren, die qualitative und quantitative Aspekte der IT-Sicherheit bewerten müssen. Zusammenfassend zeigt sich, dass der SIST EN ISO/IEC 18045:2024 Standard nicht nur eine unverzichtbare Grundlage für die IT-Sicherheitsbewertung bietet, sondern auch die Relevanz von Informationssicherheit und Cybersicherheit in einer digitalisierten Welt unterstreicht.

La norme SIST EN ISO/IEC 18045:2024 offre une approche rigoureuse pour l'évaluation de la sécurité informatique, répondant aux exigences critiques en matière de sécurité de l'information, de cybersécurité et de protection de la vie privée. Son champ d'application est clairement défini, axé sur les actions minimales nécessaires pour qu'un évaluateur puisse mener à bien une évaluation conformément à la série ISO/IEC 15408. Un des points forts de ce document est sa méthodologie structurée pour l'évaluation de la sécurité informatique, qui guide les évaluateurs à travers un processus systématique. Cela permet d'assurer que toutes les dimensions de la sécurité, y compris les critères d'évaluation et les preuves nécessaires, sont correctement prises en compte. La norme renforce non seulement la crédibilité des évaluations, mais elle favorise également la transparence et la cohérence dans les pratiques d'évaluation à l'échelle mondiale. La pertinence de la norme SIST EN ISO/IEC 18045:2024 dans un environnement numérique en constante évolution est indéniable. En offrant une base solide pour l'évaluation des systèmes et des produits IT, elle aide les organisations à s'assurer qu'elles se conforment aux normes internationales tout en protégeant leurs informations sensibles et en minimisant les risques liés aux cybermenaces. L'intégration des critères de la série ISO/IEC 15408 dans cette norme souligne l'importance d'un cadre cohérent pour aborder les défis contemporains en matière de sécurité. En synthèse, la norme SIST EN ISO/IEC 18045:2024 se positionne comme une référence incontournable pour toute organisation cherchant à mener des évaluations de sécurité informatique efficaces, tout en garantissant la conformité avec les standards internationaux de sécurité.

The SIST EN ISO/IEC 18045:2024 standard provides a comprehensive framework for evaluating information security, cybersecurity, and privacy protection within IT systems. As a critical component in the ISO/IEC 15408 series, the standard delineates the minimum actions required for evaluators when conducting evaluations, thereby establishing a clear methodology for IT security evaluation. One of the key strengths of this standard lies in its structured approach to evaluation criteria. By integrating well-documented procedures, it ensures that the assessment of IT security is not only robust but also consistent across different evaluators and organizations. This level of standardization is particularly essential in a landscape where cybersecurity threats are increasingly sophisticated. Evaluators can rely on the guidelines provided in the SIST EN ISO/IEC 18045:2024 to support their assessments, making it easier to validate IT security measures and privacy protections. Furthermore, the standard’s emphasis on aligning with the ISO/IEC 15408 series enhances its relevance within the wider context of information security frameworks. By leveraging established criteria and evaluation evidence from the ISO/IEC 15408 series, the standard offers a reliable method for assessing IT security, leading to improved trust in the evaluation outcomes. Organizations that adopt this standard not only demonstrate compliance with recognized global benchmarks but also enhance their credibility in managing information security risks. The methodology presented in SIST EN ISO/IEC 18045:2024 is adaptable, allowing organizations across various sectors to tailor the evaluation process according to their specific security needs and compliance requirements. This flexibility is crucial in today’s dynamic technological environment, where the threats to cybersecurity can differ significantly among industries. In summary, SIST EN ISO/IEC 18045:2024 stands out as a vital reference for IT security evaluation. Its clear scope, solid foundation on the ISO/IEC 15408 protocols, and focus on rigorous evaluation criteria make it a relevant and necessary tool for organizations aiming to bolster their information security and privacy practices.

SIST EN ISO/IEC 18045:2024 표준 문서는 정보 보안, 사이버 보안 및 개인 정보 보호에 관한 중요한 평가 기준을 제공합니다. 이 표준은 ISO/IEC 15408 시리즈 평가를 수행하기 위한 최소한의 행동을 정의하고 있으며, 정보 기술 보안 평가를 위한 체계적인 방법론을 제시합니다. 표준의 범위는 정보 보안 및 사이버 보안의 평가는 물론, 개인 정보 보호와 관련된 요소 또한 포함하여 IT 보안 평가를 체계적으로 접근할 수 있도록 합니다. 이를 통해, 조직들은 보다 신뢰성 있는 보안 체계를 구축할 수 있는 기반을 마련하게 됩니다. SIST EN ISO/IEC 18045:2024의 강점 중 하나는 평가 기준과 평가 증거를 명확히 규명함으로써, 보안 평가의 일관성을 보장하는 점입니다. 이는 평가자들이 ISO/IEC 15408 시리즈의 적용을 통해 체계적이고 신뢰할 수 있는 평가를 수행할 수 있는 근거를 제공합니다. 또한, 이 표준은 다양한 정보 시스템 요구 사항에 대한 실질적 접근 방식을 제시하여, 기업들이 급변하는 사이버 환경에서도 지속적인 보안을 유지할 수 있도록 합니다. 이는 정보 기술의 진화와 함께 보안 요구 사항이 증가하는 현대 사회에서 매우 중요한 요소입니다. 결론적으로, SIST EN ISO/IEC 18045:2024 표준은 정보 보안, 사이버 보안 및 개인 정보 보호의 평가에 있어 필수적인 문서로 자리 잡고 있으며, IT 보안 평가에 대한 명확하고 일관된 기준을 제시하여 실무에 큰 도움이 됩니다.