| Field | Content |
|---|---|
| Title | ISO/IEC TR 15443-1:2005 – Information technology -- Security techniques -- A framework for IT security assurance |
| Source reference | http://www.iso.org/ (Note: this is a reference to the ISO page where the standard can be acquired. However, the standard is not free of charge, and its provisions are not publicly available. For this reason, specific provisions cannot be quoted.) |
| Topic | Security assurance – the Technical Report (TR) contains generally accepted guidelines which can be used to determine an appropriate assurance method for assessing a security service, product or environmental factor. |
| Direct / indirect relevance | Direct. The text allows security professionals to determine a suitable methodology for assessing a security service, product or environmental factor (a deliverable) and for assessing compliance with the chosen security level. |
| Scope | ISO TR that is not publicly available and can be applied voluntarily. |
| Legal force | Nonbinding ISO Technical Report. |
| Affected sectors | Generic. The TR can be applied by security professionals in any sector confronted with technology security management. |
| Relevant provision(s) | The TR is not free of charge, and its provisions are not publicly available. For this reason, specific provisions cannot be quoted.<br><br>The publicly available abstract describes the TR as follows:<br><br>“ISO/IEC TR 15443 is a multi-part type 3 Technical Report to guide the IT security professional in the selection of an appropriate assurance method when specifying, selecting, or deploying a security service, product, or environmental factor such as an organization or personnel (known as a deliverable). The aim is to understand the assurance type and amount required to achieve confidence that the deliverable satisfies the stated IT security assurance requirements and consequently its security policy.<br><br>ISO/IEC TR 15443-1:2005 describes the fundamentals of security assurance and its relation to other security concepts. This is to clarify why security assurance is required and dispel common misconceptions such as that increased assurance is gained by increasing the strength of a security mechanism. The framework includes a categorization of assurance types and a generic lifecycle model to identify the appropriate assurance types required for the deliverable with respect to the deliverable's lifecycle. The model also demonstrates how security assurance must be managed throughout the deliverable's lifecycle, requiring assurance decisions to be made by several assurance authorities for the lifecycle stage relevant to their organization (i.e. developer, standards, consumer). The framework has been developed to be general enough to accommodate different assurance types and map into any lifecycle approach so as not to dictate any particular design. Advanced security assurance concepts, such as combining security assurance methods, are addressed briefly as they are to be addressed in later parts of ISO/IEC TR 15443.<br><br>ISO/IEC TR 15443 targets IT security managers and other security professionals responsible for developing a security assurance program, engineering security into a deliverable, determining the security assurance of their deliverable, entering an assurance assessment audit (e.g. ISO 9000, SSE-CMM (ISO/IEC 21827), ISO/IEC 15408-3), or other assurance activities.” |
| Relevance to RM/RA | The TR allows security professionals to determine a suitable methodology for assessing a security service, product or environmental factor (a deliverable). Following this TR, it can be determined which level of security assurance a deliverable is intended to meet, and whether this threshold is actually met by the deliverable. |