Updated November 9th, 2016
In 1990, ISO/IEC JTC 1 Sub-Committee 27 (SC 27) was formed to deal with ICT security. Not long afterwards, SC 27 initiated Working Group 3 (WG 3), "Security Evaluation Criteria", which focuses on security evaluation, testing and specification.
At that time the Common Criteria was in development, and international recognition of these standards was an important element of the strategy. The goal, which has since been achieved, was to make the standards available worldwide, independently of the Common Criteria Recognition Arrangement (CCRA), the formal arrangement between participating nations.
SC 27's business plan states: "The CCDB and SC 27/WG 3 have had a long-standing technical liaison on projects related to IT Security Evaluation Criteria. Thus, Working Group 3 has been working in close co-operation with the CCDB on the development of the Common Criteria, which has been simultaneously published as ISO/IEC 15408. The co-operation has been extended to also involve the work on 18045 'Evaluation methodology for IT security'."
This liaison gives ISO's member national bodies, especially those not represented directly in the CCDB, an opportunity to review, comment on and contribute to the project. In many cases it also gives industry experts from the commercial (vendor) community a place to contribute more directly.
Both ISO/IEC JTC 1/SC 27/WG 3 and the CCDB produce supporting documents. Those produced by the CCDB are listed on the CC portal at the bottom of the Supporting Publications page; they cover smart card and IC technology as well as documents directly related to supporting the CCRA.
Additional documents related to ISO/IEC 15408 produced by WG 3 are described below.
2016 Study Period on Information Assurance
2016: The Study Period, run by ISO in close liaison with the CCDB to determine appropriate future developments of ISO/IEC 15408, ISO/IEC 18045 and other IT assurance standards, closed after a year.
At the Fall 2016 WG 3 meeting a summary of the two calls for comments was presented, and the rapporteurs proposed a revision of the ISO/IEC 15408 and ISO/IEC 18045 standards, together with some changes to the structure of ISO/IEC 15408.
The proposed changes are shown in the diagram below. They include the specification of two new parts of ISO/IEC 15408 and an additional guidance document that will support the transition and explain the changes to the standard.
Evaluation criteria and Methodology for IT security evaluation
ISO/IEC 15408-1:2009: Evaluation criteria for IT security -- Part 1: Introduction and general model
ISO/IEC 15408-2:2008: Evaluation criteria for IT security -- Part 2: Security functional components
ISO/IEC 15408-3:2008: Evaluation criteria for IT security -- Part 3: Security assurance components
ISO/IEC 18045:2008: Methodology for IT security evaluation
Developing security and privacy functional requirements based on ISO/IEC 15408
ISO/IEC TS 19608: Guidance for developing security and privacy functional requirements based on ISO/IEC 15408
Guidance for the production of Protection Profiles and Security Targets
ISO/IEC TR 15446: Guide for the production of Protection Profiles and Security Targets
2016/11: The third edition of ISO/IEC 15446 is currently being published by ISO.
Security assessment of operational systems
ISO/IEC TR 19791: Security assessment of operational systems
ISO/IEC TR 19791:2010 provides guidance and criteria for the security evaluation of operational systems. It extends the scope of ISO/IEC 15408 by taking into account a number of critical aspects of operational systems that are not addressed in an ISO/IEC 15408 evaluation. The principal extensions address the evaluation of the operational environment surrounding the target of evaluation, and the decomposition of complex operational systems into security domains that can be evaluated separately.
ISO/IEC TR 19791:2010 provides:
- a definition and model for operational systems;
- a description of the extensions to ISO/IEC 15408 evaluation concepts needed to evaluate such operational systems;
- a methodology and process for performing the security evaluation of operational systems;
- additional security evaluation criteria to address those aspects of operational systems not covered by the ISO/IEC 15408 evaluation criteria.
ISO/IEC TR 19791:2010 is limited to the security evaluation of operational systems and does not consider other forms of system assessment. It does not define techniques for the identification, assessment and acceptance of operational risk.
This document was initially produced as a technical report, with the goal of gaining enough experience in the subject to be able to codify a standard. It defines extensions to ISO/IEC 15408 to enable the security assessment (evaluation) of operational systems, since ISO/IEC 15408 does not capture certain critical aspects of an operational system that must be precisely specified in order to evaluate such a system effectively.
The contents are fairly exhaustive, covering:
- the technical approach to operational systems assessment used in this Technical Report;
- the extension of ISO/IEC 15408 evaluation concepts for use in operational system evaluation;
- the relationship between this Technical Report and the other security standards used in its development;
- requirements for the specification of security problems, security objectives, security requirements, SST contents and periodic reassessment, which are needed in order to evaluate operational systems;
- System Security Targets and System Protection Profiles, which define the security requirement specifications needed for operational systems;
- functional control requirements, which define the additional security functional requirements needed for operational systems;
- assurance requirements, which define the additional security assurance requirements needed for operational systems; and
- evaluation methodology, which defines the additional actions to be performed by an evaluator conducting the evaluation of an operational system.
Competence requirements for information security testers and evaluators
DRAFT ISO/IEC TR 19896-1: Competence requirements for information security testers and evaluators: Part 1: Introduction, concepts and general requirements.
Provides the fundamental concepts relating to the competence of the individuals responsible for performing IT product security evaluations and conformance testing, together with the framework and the specialised requirements that specify the minimum competence of individuals performing IT product security evaluation and conformance testing using established standards.
This supports the goals of ISO CASCO conformity assessment by contributing standardized competence requirements in support of ISO/IEC 17024.
DRAFT ISO/IEC TR 19896-3: Competence requirements for information security testers and evaluators: Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408 evaluator.
Provides the specialised requirements for demonstrating the competence of individuals performing IT product security evaluations in accordance with ISO/IEC 15408 and ISO/IEC 18045.
Vulnerability analysis and penetration testing for ISO/IEC 15408
ISO/IEC TR 20004-1:2016: Refining software vulnerability analysis under ISO/IEC 15408 and ISO/IEC 18045
ISO/IEC TR 20004-2: Detailing software penetration testing under ISO/IEC 15408 and ISO/IEC 18045 vulnerability analysis
ISO/IEC 30111 Vulnerability handling processes
ISO/IEC 29147 Vulnerability disclosure
Gives guidelines for the disclosure of potential vulnerabilities in products and online services. It details the methods a vendor should use to address issues related to vulnerability disclosure. This standard
- provides guidelines for vendors on how to receive information about potential vulnerabilities in their products or online services,
- provides guidelines for vendors on how to disseminate resolution information about vulnerabilities in their products or online services,
- provides the information items that should be produced through the implementation of a vendor's vulnerability disclosure process, and
- provides examples of content that should be included in the information items.
Biometrics
Delving into technology-specific areas of evaluation, biometrics were seen by the community as an area in need of standardization. So far WG 3 has produced two standards in this area.
ISO/IEC 19792 Security evaluation of biometrics
Relevant to both the evaluator and developer communities, as it addresses the biometric-specific aspects and principles to be covered during a security evaluation of a biometric system.
It does not address the non-biometric aspects which might form part of the overall security evaluation of a system using biometric technology (e.g. requirements on databases or communication channels).
Neither does this standard aim to define any concrete methodology for the security evaluation of biometric systems but instead focuses on the principal requirements.
As such, the requirements in this International Standard are independent of any evaluation or certification scheme and will need to be incorporated into, and adapted to, a concrete scheme before being used in its context. The standard includes:
- an overview of all terms, definitions and acronyms used,
- an introduction of the overall concept for a security evaluation of a biometric system,
- a description of the statistical aspects of security-relevant error rates,
- vulnerability assessment of biometric systems and
- the evaluation of privacy aspects.
ISO/IEC 24745: Biometric information protection
Provides guidance for the protection of biometric information under various requirements for confidentiality, integrity and renewability/revocability during storage and transfer. Additionally, ISO/IEC 24745 provides requirements and guidelines for the secure and privacy-compliant management and processing of biometric information. ISO/IEC 24745 specifies the following:
- analysis of the threats to and countermeasures inherent in a biometric and biometric system application models;
- security requirements for secure binding between a biometric reference and an identity reference;
- biometric system application models with different scenarios for the storage of biometric references and comparison; and
- guidance on the protection of an individual's privacy during the processing of biometric information.
DRAFT IS 19989-1: Criteria and methodology for security evaluation of biometric systems: Part 1: Framework
DRAFT IS 19989-2: Criteria and methodology for security evaluation of biometric systems: Part 2: Biometric recognition performance
DRAFT IS 19989-3: Criteria and methodology for security evaluation of biometric systems: Part 3: Presentation attack detection
Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408
DRAFT ISO/IEC TR 20543: Test and analysis methods for random bit generators within ISO/IEC 19790 and ISO/IEC 15408.
Physically unclonable functions (PUFs)
DRAFT ISO/IEC 20897: Security requirements, test and evaluation methods for physically unclonable functions (PUFs) for generating non-stored security parameters
Verification of cryptographic protocols
IS 29128: Verification of cryptographic protocols
Establishes a technical base for the security proof of the specification of cryptographic protocols. It specifies design evaluation criteria for these protocols, as well as methods to be applied in a verification process for such protocols. It also provides definitions of different protocol assurance levels consistent with the evaluation assurance components in ISO/IEC 15408.
Physical Security Attacks, Mitigation Techniques and Security Requirements
ISO/IEC 30104:2015 Physical Security Attacks, Mitigation Techniques and Security Requirements
The standard provides:
- a survey of physical security attacks directed against different types of hardware embodiments including a description of known physical attacks, ranging from simple attacks that require little skill or resource, to complex attacks that require trained, technical people and considerable resources;
- guidance on the principles, best practices and techniques for the design of tamper protection mechanisms and methods for the mitigation of those attacks; and
- guidance on the evaluation or testing of hardware tamper protection mechanisms and references to current standards and test programs that address hardware tamper evaluation and testing.
Secure System Engineering
ISO/IEC TS 19249: Catalogue of Architectural and Design Principles for Secure Products, Systems, and Applications
Provides a catalogue of architectural and design principles that can be used in the development of secure products, systems and applications, together with guidance on how to use those principles effectively. Each architectural and design principle is described using a common structure, identifying the purpose and advantage of the principle, how it can contribute to developing a secure product, system or application, and its dependency on other principles described in the catalogue.
Examples are provided for each principle showing how it may be implemented, how it may contribute to security properties and functions, and what other aspects have to be taken into account in the example to also address non-security requirements such as usability and performance.
It gives guidelines for the development of secure products, systems and applications and aims to enable a more effective assessment of the security properties they are supposed to implement.
ISO/IEC TS 19249 is related to IS 15408 and IS 18045 and addresses both developers and evaluators of secure products, systems, and applications.
This Technical Specification does not establish any requirements for the evaluation or the assessment process or implementation.
ISO/IEC TR 29193: Secure system engineering principles and techniques
This technical report, ISO/IEC TR 29193, offers guidance on secure system engineering for Information and Communication Technology systems or products, and emphasizes the security engineering aspects within the development stages of the system life cycle described in ISO/IEC 15288.
Drawing on the notion that it is better to build a system or product securely in the first place than to spend substantial resources after its instantiation, this technical report offers guidance on how the use of these principles and techniques supports a system engineering process whose results are consistent with the security characteristics and objectives determined for the ICT system or product.