Fixed-time cybersecurity evaluation methodology for ICT products

The scope of EN 17640 remains unchanged, adding the content of composition within:
This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload
resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and
high).
The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation
requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to 3rd party evaluation
and self-assessment.

Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT‑Produkte

Méthode d’évaluation de la cybersécurité à temps fixe pour les produits TIC

Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje - Dopolnilo A1

General Information

Status: Not Published
Publication Date: 01-Jan-2026
Current Stage: 4020 - Submission to enquiry - Enquiry
Start Date: 09-Oct-2025
Due Date: 12-Feb-2025
Completion Date: 09-Oct-2025

Draft
EN 17640:2023/oprA1:2025
English language
11 pages

Standards Content (Sample)


SLOVENSKI STANDARD
01-december-2025
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje
- Dopolnilo A1
Fixed-time cybersecurity evaluation methodology for ICT products
Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT‑Produkte
Méthode d’évaluation de la cybersécurité à temps fixe pour les produits TIC
This Slovenian standard is identical to: EN 17640:2022/prA1
ICS:
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

EUROPEAN STANDARD
NORME EUROPÉENNE
EUROPÄISCHE NORM
DRAFT EN 17640:2022/prA1
October 2025
ICS 35.030
English version
Fixed-time cybersecurity evaluation methodology for ICT products
Méthode d'évaluation de la cybersécurité à temps fixe pour les produits TIC
Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT-Produkte
This draft amendment is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/CLC/JTC
13.
This draft amendment A1, if approved, will modify the European Standard EN 17640:2022. If this draft becomes an amendment,
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
inclusion of this amendment into the relevant national standard without any alteration.

This draft amendment was established by CEN and CENELEC in three official versions (English, French, German). A version in any
other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified
to the CEN-CENELEC Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.

Warning: This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.

Contents
European foreword
1 Modification to Clause 3, “Terms and definitions”
2 Modification to Clause 4, “Conformance”
3 Modification to Clause 5, “General concepts”
4 Modification to Clause 6, “Evaluation tasks”
5 Modification to Annex A (informative), “Example for a structure of a FIT Security Target (FIT ST)”
6 Modification to Annex E (informative), “Parameters of the methodology and the evaluation tasks”
7 Addition of a new Annex H (informative), “Clarification of ‘composition of assurance’ developed in EN ISO/IEC 15408-1:2023 in support of ‘composition’ introduced in EN 17640/A1”
European foreword
This document (EN 17640:2022/prA1:2025) has been prepared by Technical Committee CEN/TC 121
“Welding and allied processes”, the secretariat of which is held by AFNOR.
This document is currently submitted to the CEN Enquiry.
1 Modification to Clause 3, “Terms and definitions”
Add the following definitions:

3.19
component
entity (3.20) which provides resources and services in a product
[SOURCE: EN ISO/IEC 15408-1:2023, 3.18 modified, is omitted]
3.20
entity
identifiable item that is described by a set or collection of properties
Note 1 to entry: Entities include subjects, users (including external IT products), objects, information, sessions
and/or resources
[SOURCE: EN ISO/IEC 15408-1:2023, 3.36]
3.21
composite product
product comprised of two or more components (3.19), namely one already evaluated component (3.19)
and another component (3.19)
Note 1 to entry: The component (3.19) which has already been evaluated provides resources and services to
another component(s) (3.19), and these components (3.19) are called ‘base component’ and ‘dependent
component’, respectively.
Note 2 to entry: An already evaluated base component is called ‘base TOE’.
Note 3 to entry: A dependent component potentially consists of one or more dependent sub-components. For
simplification, they are considered as ‘one dependent component’.
Note 4 to entry: A dependent component can rely on one or more base components.
[SOURCE: EN ISO/IEC 15408-1:2023, 3.24 with references to layer removed and Notes to entries
added.]
3.22
composite target of evaluation
composite TOE
part of a composite product (3.21) being subject to composite TOE evaluation
Note 1 to entry: A composite TOE can contain parts that are independent from the base component or base TOE
respectively. For simplification, such parts are considered as belonging to the dependent component.
Note 2 to entry: The composite TOE evaluation can be applied as many times as necessary to a multi-component
product, in an incremental approach.
3.23
evaluation technical report for composite TOE evaluation
ETR for composite TOE evaluation
documentation intended to be used within the composite TOE (3.22) evaluation and derived by the base
component evaluator from the full evaluation technical report (ETR) (3.13) for the evaluated
component
Note 1 to entry: The ETR for composite TOE evaluation is used for the evaluation of a composite product with
such base component when using the composite evaluation approach.
Note 2 to entry: The ETR for composite TOE evaluation related to a base component is set up to provide sufficient
information for a composite evaluation of a composite product that integrates such already evaluated component.
It enables the composite product evaluator and the respective composite product evaluation authority to
understand the attack paths and the tests that have been considered and performed for the base component and
the effectiveness of the countermeasures implemented by the base component.
[SOURCE: EN ISO/IEC 15408-1:2023, 3.44, adapted.]

2 Modification to Clause 4, “Conformance”
Add the following paragraph:
“The concept of composite evaluation is not explicitly contained in the CSA and hence not explicitly
mentioned in any assurance level. Moreover, composite evaluation is not applicable in every TOE. If
scheme developers intend to implement composite TOE evaluation, they need to specify conditions and
requirements on the certificates concerning base components that can be used as evidence in the
composite TOE evaluation.”
3 Modification to Clause 5, “General concepts”
Add the following Clause 5.6:

5.6 Composition
Often a product consists of several components, developed by different parties. Sometimes some of
these components are evaluated or certified independently of the entire TOE they will be integrated in.
In this specific case the evaluation of the certified component can be replaced by certain evaluation
tasks listed in Clause 6.13.
NOTE Other means of gaining assurance in 3rd party components are not considered composition in this
document.
To enable efficient evaluations and avoid double evaluation work, composition typically requires
certain inputs to be provided. These inputs are divided into two groups. The names and further
requirements on these inputs are scheme dependent. The inputs include the following:
• Developer guidelines with
— sufficient requirements for integration and use, ensuring that all the related claimed security
features are indeed active;
— a description with which other type of component(s) the component is expected to be
composed;
— assumptions regarding the environment the composite TOE operates in;
— which actions are required to be performed during composition to maintain the TOE resistance
to the specified attack potential;
— how to securely use the component interfaces;
— what are the security dependencies to other components;
• Evaluation report for composition with
— assurance level of the evaluation / certification;
— what tests have been performed, with which intention, means, depth and observations;
— when applicable, what needs to be tested at a composite level and why it was not tested at the
individual component level;
— relevant evaluation results for composite TOE evaluation.
In case a component is supposed to be used later in a composition, then these documents should be
provided alongside the component.”
4 Modification to Clause 6, “Evaluation tasks”
Add the following Clause 6.13:

6.13 Composition TOE Evaluation
6.13.1 Aim
This evaluation task aims at verifying that all relevant components fulfil the requirements for
integration into the TOE, identifying the extent to which the evaluation results of these components can be
reused in the evaluation of the TOE, and performing tests that confirm that the security features that
depend on the integrated components work as specified.
6.13.2 Evaluation method
This evaluation task contains a documentation review and testing of the relevant security functionality
of the composite TOE. Access to specific composition documents is required. Depending on the TOE,
access to publicly available specifications or other documents distributed with or referenced by the TOE
might be necessary. Access to the TOE (and possibly background systems provided by the vendor) is
required.
6.13.3 Evaluator qualification
The evaluators need to have knowledge of composition. They need to be able to review the information
provided by the developer. The evaluator shall be able to analyse the evaluation report for composition.
The evaluator shall have knowledge of the technology the base components support and technology
used in the integrated components.
6.13.4 Evaluator work units
6.13.4.1 Work unit 1
The evaluator shall check first that the following documents are provided:
• the developer guidelines of each evaluated component which is subject to integration;
• the evaluation report for composition of each evaluated component which is subject to integration;
• the composition rationale provided by the composite TOE.
NOTE The names and further requirements on these documents can be defined by the scheme. This includes
possible further subdivision of the content.
6.13.4.2 Work unit 2
The evaluator shall confirm that the developer guidance is complete and fulfils the requirements on
format and availability stated by the scheme.
The evaluator shall confirm the developer guidance concerns the evaluated configuration and version of
the component covered by the evaluation. The evaluator shall analyse that at least the following content
is provided in the component developer guidelines:
• information for integration and use, so all the related claimed security features are indeed active;
• with which other components the base component is expected to be composed;
• how to interact with the component correctly and securely; and
• which further dependencies on operational environment and organizational policies exist. This
includes actions that should be performed during composition to enable the composite TOE to
inherit the resistance to specified attack potential.
NOTE The information is sufficient when it allows the proper activation of all security features claimed by the
component when integrated into the TOE.
The evaluator shall
• confirm that the evaluation/certificate of the evaluated base component conforms to the
requirements for composition of the scheme. This includes documents like ETR for composition,
certification report etc.
• review details for documents (ETR, certification report):
— what tests have been performed, with which intention, means, depth and observations (this might
not always be available in this detail; specifics may be up to scheme
developers);
— when applicable, what needs to be tested at a composite level and why it was not tested at the
individual component level.
• review developer guidelines.
6.13.4.3 Work unit 3
The evaluator shall analyse that the composition rationale provided by the developer (which describes
how the security guidelines of the integrated component are followed) is sufficient. Sufficiency is
obtained when the evaluator has all information needed to assess that all the security guidelines from
the evaluated components are covered or justified.
6.13.4.4 Work unit 4
The evaluator shall verify that the security requirements from integrated components are followed.
The verification shall
...
