UNLIMITED FREE ACCESS TO THE WORLD'S BEST IDEAS

close
Already an Engineering360 user? Log in.

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

Customize Your Engineering360 Experience

close
Privacy Policy

This is embarrasing...

An error occurred while processing the form. Please try again in a few minutes.

ISO/IEC DIS 15408-4

Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities

active, Most Current
Buy Now
Organization: ISO
Publication Date: 29 May 2020
Status: active
Page Count: 24
ICS Code (IT Security): 35.030
scope:

The model of security evaluation in ISO/IEC 15408-1:20XX provides high-level generic Evaluation Activities which are defined in ISO/IEC 18045. More specific Evaluation Activities may be derived from these generic work units for particular situations such as for SFRs or SARs applied to specific technologies or TOE types. This document describes a framework that can be used for deriving Evaluation Activities from work units of ISO/IEC 18045 and grouping them into 'Evaluation Methods'. Evaluation Activities or Evaluation Methods may be included in PPs and any documents supporting them. Where a PP, PP-Module, package, or Security Target (ST) identifies that specific Evaluation Methods/Evaluation Activities are to be used, then the evaluators are required by ISO/IEC 18045 to follow and report the relevant Evaluation Methods/Evaluation Activities when assigning evaluator verdicts. As noted in ISO/IEC 15408-1, in some cases an evaluation scheme may not approve the use of particular Evaluation Methods/Evaluation Activities: in such a case the evaluation scheme may decide not to carry out evaluations following an ST that requires those Evaluation Methods/Evaluation Activities.

This document also allows for Evaluation Activities to be defined for extended SARs, in which case derivation of the Evaluation Activities relates to equivalent action elements and work units defined for that extended SAR. Where reference is made in this document to the use of ISO/IEC 18045 or ISO/IEC 15408-3 for SARs (such as when defining rationales for Evaluation Activities) then in the case of an extended SAR the reference applies instead to the equivalent action elements and work units defined for that extended SAR.

For clarity, this document specifies how to define Evaluation Methods and Evaluation Activities but does NOT itself specify instances of Evaluation Methods or Evaluation Activities .

This document does not specify how to evaluate, adopt, or maintain Evaluation Methods and Evaluation Activities. These aspects are a matter for those originating the Evaluation Methods and Evaluation Activities a in their particular area of interest.

Document History

ISO/IEC DIS 15408-4
May 29, 2020
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
The model of security evaluation in ISO/IEC 15408-1:20XX provides high-level generic Evaluation Activities which are defined in ISO/IEC 18045. More specific Evaluation Activities may be derived from...

References

Advertisement