| Field | Content |
|---|---|
| Title: | ISO/IEC 15408-1/2/3:2005 - Information technology — Security techniques — Evaluation criteria for IT security:<br>Part 1: Introduction and general model (15408-1)<br>Part 2: Security functional requirements (15408-2)<br>Part 3: Security assurance requirements (15408-3) |
| Topic: | Standard containing a common set of requirements for the security functions of IT products and systems and for the assurance measures applied to them during a security evaluation. |
| Direct / indirect relevance: | Indirect. The text is a resource for evaluating the security of IT products and systems, and can thus be used as a tool for RM/RA. |
| Scope: | Publicly available ISO standard, which can be voluntarily implemented. |
| Legal force: | Non-binding ISO standard. |
| Affected sectors: | Generic. The standard can be implemented in any sector confronted with the need to test the security of IT products and systems. |
| Relevant provision(s): | The standard is made up of three parts:<br>a) Part 1, Introduction and general model, is the introduction to ISO/IEC 15408. It defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 1 also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. In addition, the usefulness of each part of ISO/IEC 15408 is described in terms of each of the target audiences.<br>b) Part 2, Security functional requirements, establishes a set of functional components as a standard way of expressing the functional requirements for TOEs (Targets of Evaluation). Part 2 catalogues the set of functional components, families and classes.<br>c) Part 3, Security assurance requirements, establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs. Part 3 catalogues the set of assurance components, families and classes. Part 3 also defines evaluation criteria for Protection Profiles (PPs) and Security Targets (STs) and presents the Evaluation Assurance Levels (EALs), the predefined ISO/IEC 15408 scale for rating the assurance of TOEs. |
| Relevance to RM/RA: | The standard is commonly used as a resource for evaluating the security of IT products and systems, including, though not specifically, for procurement decisions regarding such products.<br>The standard can thus be used as an RM/RA tool to determine the security of an IT product or system during its design, manufacturing or marketing, or before procuring it. |