ISO/IEC Standard 15408

ISO/IEC Standard 15408 - Information technology -- Security techniques -- Evaluation criteria for IT security

Published under Risk Management
Title: ISO/IEC 15408-1/2/3:2005 - Information technology — Security techniques — Evaluation criteria for IT security —
Part 1: Introduction and general model (15408-1)
Part 2: Security functional requirements (15408-2)
Part 3: Security assurance requirements (15408-3)
Source reference: http://isotc.iso.org/
Topic: Standard containing a common set of requirements for the security functions of IT products and systems and for assurance measures applied to them during a security evaluation.
Direct / indirect relevance: Indirect. The text is a resource for the evaluation of the security of IT products and systems, and can thus be used as a tool for RM/RA.
Scope: Publicly available ISO standard, which can be voluntarily implemented.
Legal force: Nonbinding ISO standard.
Affected sectors: Generic. The standard can be implemented in any sector confronted by the need to test the security of IT products and systems.
Relevant provision(s): The standard is made up of three parts:

a) Part 1, Introduction and general model, is the introduction to ISO/IEC 15408. It defines general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 1 also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems. In addition, the usefulness of each part of ISO/IEC 15408 is described in terms of each of the target audiences.

b) Part 2, Security functional requirements, establishes a set of functional components as a standard way of expressing the functional requirements for TOEs (Targets of Evaluation). Part 2 catalogues the set of functional components, families, and classes.

c) Part 3, Security assurance requirements, establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs. Part 3 catalogues the set of assurance components, families and classes. Part 3 also defines evaluation criteria for PPs (Protection Profiles) and STs (Security Targets) and presents the Evaluation Assurance Levels (EALs), the predefined ISO/IEC 15408 scale for rating the assurance of TOEs.

(source: http://standards.iso.org/)
Relevance to RM/RA: The standard is commonly used as a resource for the evaluation of the security of IT products and systems, including, though not exclusively, for procurement decisions with regard to such products.
The standard can thus be used as an RM/RA tool to determine the security of an IT product or system during its design, manufacturing or marketing, or before procuring it.