PD ISO/IEC TR 15443-3:2007
Current
The latest, up-to-date edition.
Information technology. Security techniques. A framework for IT security assurance. Analysis of assurance methods
31-01-2008
Foreword
Introduction
1 Scope
1.1 Purpose
1.2 Application
1.3 Field of Application
1.4 Limitations
2 Terms and definitions
3 Abbreviated terms
4 Understanding Assurance
4.1 Setting the assurance goal
4.2 Applying assurance methods
4.3 Assessing assurance results
4.4 Example
5 Comparing, selecting and composing assurance
5.1 Selecting the assurance approach
5.2 Composing assurance methods
5.3 Comparing assurance methods
5.4 Focus on assurance properties
6 Guidance
6.1 Developmental Assurance (DA)
6.2 Integration Assurance (IA)
6.3 Operational Assurance (OA)
Annex A - Tabular comparisons
A.1 Methods and their target groups
A.2 Available Assurance Methods
Annex B - Assurance properties of selected methods
B.1 ISO/IEC 15408
B.2 ISO/IEC 19790
B.3 ISO/IEC 21827
B.4 ISO/IEC 13335
B.5 ISO/IEC 27001 and ISO/IEC 27002
B.6 IT Baseline Protection Manual
B.7 COBIT
B.8 ISO 9000
Annex C - Composition of assurance methods
C.1 ISO/IEC 15408 + IT Baseline Protection Manual
C.2 ISO/IEC 27002 + IT Baseline Protection
C.3 ISO/IEC 27001 and ISO/IEC 27002
C.4 ISO/IEC 27002 + ISO 9000
C.5 COBIT + IT Baseline Protection
Annex D - Case Studies
D.1 A chip-card manufacturer's assurance composition strategy
D.2 A service provider assures the upgrade of business processes
Annex E - Determination of the assurance goal
E.1 Risk Assessment
E.2 Risk Management
E.3 Security Model
E.4 Organizational security policy
E.5 Applicable Assurance goal
E.6 Security Measures
E.7 Example: ISO/IEC 15408
Bibliography
Provides general guidance to an assurance authority in the choice of the appropriate type of international communications technology (ICT) assurance methods and lays the framework for the analysis of specific assurance methods for specific environments.
Committee | IST/33/3 |
DocumentType | Standard |
PublisherName | British Standards Institution |
Status | Current |
SupersededBy | |
1.1 Purpose
The purpose of this part of ISO/IEC TR 15443 is to provide general guidance to an assurance authority in the choice of the appropriate type of international communications technology (ICT) assurance methods and to lay the framework for the analysis of specific assurance methods for specific environments.
1.2 Application
This part of ISO/IEC TR 15443 will allow the user to match specific assurance requirements and/or typical assurance situations with the general characteristics offered by available assurance methods.
1.3 Field of Application
The guidance of this part of ISO/IEC TR 15443 is applicable to the development, implementation and operation of ICT products and ICT systems with security requirements.
1.4 Limitations
Security requirements may be complex, assurance methods are of great diversity, and organisational resources and cultures differ considerably.
Therefore the advice given in this part of ISO/IEC TR 15443 will be qualitative and summary, and the user may need to analyse on his own which methods presented in Part 2 of this Technical Report will suit best his specific deliverables and organisational security requirements.
Standards | Relationship |
ISO/IEC TR 15443-3:2007 | Identical |

Standard | Title |
ISO/IEC 17025:2005 | General requirements for the competence of testing and calibration laboratories |
ISO/IEC 15408-2:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components |
ISO/IEC 27001:2013 | Information technology — Security techniques — Information security management systems — Requirements |
ISO/IEC 15408-3:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components |
ISO/IEC 19790:2012 | Information technology — Security techniques — Security requirements for cryptographic modules |
ISO/IEC 27002:2013 | Information technology — Security techniques — Code of practice for information security controls |
ISO/IEC 21827:2008 | Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model (SSE-CMM) |
ISO/IEC 15288:2008 | Systems and software engineering — System life cycle processes |
ISO/IEC Guide 73:2002 | Risk management — Vocabulary — Guidelines for use in standards |
ISO/IEC TR 19791:2010 | Information technology — Security techniques — Security assessment of operational systems |
ISO/IEC 27005:2011 | Information technology — Security techniques — Information security risk management |
ISO/IEC Guide 61:1996 | General requirements for assessment and accreditation of certification/registration bodies |
ISO/IEC Guide 67:2004 | Conformity assessment — Fundamentals of product certification |
ISO 9001:2015 | Quality management systems — Requirements |
ISO/IEC 17024:2012 | Conformity assessment — General requirements for bodies operating certification of persons |
ISO 9000:2015 | Quality management systems — Fundamentals and vocabulary |
ISO/IEC 15408-1:2009 | Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
EN 45013:1989 | General criteria for certification bodies operating certification of personnel |
ISO/IEC Guide 65:1996 | General requirements for bodies operating product certification systems |
ISO/IEC 13335-1:2004 | Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management |
ISO/IEC 18045:2008 | Information technology — Security techniques — Methodology for IT security evaluation |