ISO/IEC Standard 15408
ISO/IEC Standard 15408 - Information technology -- Security techniques -- Evaluation criteria for IT security
Published under Risk Management
Title: | ISO/IEC 15408-1/2/3:2005 - Information technology — Security techniques — Evaluation criteria for IT security; Part 1: Introduction and general model (15408-1); Part 2: Security functional requirements (15408-2); Part 3: Security assurance requirements (15408-3) |
Source reference: | http://isotc.iso.org/ |
Topic: | Standard (widely known as the Common Criteria) containing a common set of requirements for the security functions of IT products and systems, and for the assurance measures applied to them during a security evaluation. |
Direct / indirect relevance: | Indirect. The standard is a resource for evaluating the security of IT products and systems, and can thus be used as a tool for risk management / risk assessment (RM/RA). |
Scope: | Publicly available ISO standard, which can be voluntarily implemented. |
Legal force: | Nonbinding ISO standard. |
Affected sectors: | Generic. The standard can be implemented in any sector confronted by the need to test the security of IT products and systems. |
Relevant provision(s): | The standard is made up of three parts: a) Part 1, Introduction and general model, is the introduction to ISO/IEC 15408. It defines the general concepts and principles of IT security evaluation and presents a general model of evaluation. Part 1 also presents constructs for expressing IT security objectives, for selecting and defining IT security requirements, and for writing high-level specifications for products and systems; these constructs include the Protection Profile (PP), an implementation-independent statement of requirements for a class of products, and the Security Target (ST), the statement of requirements and claims for one specific product under evaluation. In addition, the usefulness of each part of ISO/IEC 15408 is described for each of its target audiences. b) Part 2, Security functional requirements, establishes a set of functional components as a standard way of expressing the functional requirements for TOEs (Targets of Evaluation). Part 2 catalogues that set of functional components, families and classes. c) Part 3, Security assurance requirements, establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs. Part 3 catalogues that set of assurance components, families and classes. Part 3 also defines evaluation criteria for PPs and STs and presents the Evaluation Assurance Levels (EALs), the predefined ISO/IEC 15408 scale for rating the assurance of a TOE. (source: http://standards.iso.org/) |
Relevance to RM/RA: | The standard is commonly used as a resource for evaluating the security of IT products and systems, including for procurement decisions concerning such products. It can thus serve as an RM/RA tool to assess the security of an IT product or system during its design, manufacturing or marketing, or before procuring it. When used this way, note that an evaluation result applies to the TOE as defined in its Security Target, under the assumptions the ST makes about the operational environment; the claimed EAL and the scope of the ST should therefore be read together, rather than treating the evaluation as a blanket statement about the product in every deployment. |