ISO/IEC DIS 15408-4
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
|Publication Date:||29 May 2020|
|ICS Code (IT Security):||35.030|
The model of security evaluation in ISO/IEC 15408-1:20XX provides high-level generic Evaluation Activities which are defined in ISO/IEC 18045. More specific Evaluation Activities may be derived from these generic work units for particular situations such as for SFRs or SARs applied to specific technologies or TOE types. This document describes a framework that can be used for deriving Evaluation Activities from work units of ISO/IEC 18045 and grouping them into 'Evaluation Methods'. Evaluation Activities or Evaluation Methods may be included in PPs and any documents supporting them. Where a PP, PP-Module, package, or Security Target (ST) identifies that specific Evaluation Methods/Evaluation Activities are to be used, then the evaluators are required by ISO/IEC 18045 to follow and report the relevant Evaluation Methods/Evaluation Activities when assigning evaluator verdicts. As noted in ISO/IEC 15408-1, in some cases an evaluation scheme may not approve the use of particular Evaluation Methods/Evaluation Activities: in such a case the evaluation scheme may decide not to carry out evaluations following an ST that requires those Evaluation Methods/Evaluation Activities.
This document also allows for Evaluation Activities to be defined for extended SARs, in which case derivation of the Evaluation Activities relates to equivalent action elements and work units defined for that extended SAR. Where reference is made in this document to the use of ISO/IEC 18045 or ISO/IEC 15408-3 for SARs (such as when defining rationales for Evaluation Activities) then in the case of an extended SAR the reference applies instead to the equivalent action elements and work units defined for that extended SAR.
For clarity, this document specifies how to define Evaluation Methods and Evaluation Activities but does NOT itself specify instances of Evaluation Methods or Evaluation Activities .
This document does not specify how to evaluate, adopt, or maintain Evaluation Methods and Evaluation Activities. These aspects are a matter for those originating the Evaluation Methods and Evaluation Activities a in their particular area of interest.