EN 17640:2022
(Main)Fixed-time cybersecurity evaluation methodology for ICT products
Fixed-time cybersecurity evaluation methodology for ICT products
This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and high).
The methodology comprises different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to third-party evaluation and self-assessment.
Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT-Produkte
Dieses Dokument beschreibt eine Methodologie zur Evaluierung der Cybersicherheit von IKT-Produkten, die mit vorab festgelegten Ressourcen für Zeit und Arbeitsaufwand durchgeführt werden kann. Es soll für alle drei im CSA definierten Vertrauenswürdigkeitsstufen (d. h. niedrig, mittel und hoch) anwendbar sein.
Die Methodologie umfasst verschiedene Evaluierungsblöcke mit Bewertungsaufgaben, die den Evaluierungsanforderungen des CSA für die genannten drei Vertrauenswürdigkeitsstufen entsprechen.
Gegebenenfalls kann sie sowohl bei der Fremd- als auch bei der Selbstbeurteilung angewendet werden.
Méthode d'évaluation de la cybersécurité pour produits TIC
Le présent document décrit une méthodologie d'évaluation de la cybersécurité des produits TIC qui peut être implémentée à l'aide d'une durée et de ressources de charge de travail prédéfinies. Il est destiné à s'appliquer aux trois niveaux d'assurance définis dans le CSA (c'est-à-dire élémentaire, substantiel et élevé).
La méthodologie comprend différents blocs d'évaluation contenant des activités d'évaluation qui sont conformes aux exigences d'évaluation du CSA pour les trois niveaux d'assurance mentionnés. Le cas échéant, elle peut être appliquée à la fois à une évaluation tierce et à une auto-évaluation.
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje
Ta dokument opisuje metodologijo ocenjevanja kibernetske varnosti za izdelke IKT. Namenjen je za vse tri ravni varnosti, ki so opredeljene v Zakonu o kibernetski varnosti (tj. osnovno, znatno in visoko).
Metodologijo sestavljajo različni ocenjevalni bloki, vključno z ocenjevalnimi dejavnostmi, ki so skladne z ocenjevalnimi zahtevami CSA za tri ravni.
Metodologijo je mogoče uporabiti za ocenjevanje tretjih oseb ali za samoocenjevanje.
Pričakuje se, da bodo to metodologijo lahko uporabljali v različnih shemah za kibernetsko varnost in specializiranih panogah za zagotovitev skupnega okvira za vrednotenje izdelkov IKT.
General Information
Standards Content (Sample)
SLOVENSKI STANDARD
01-januar-2023
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje
Fixed time cybersecurity evaluation methodology for ICT products
Cybersicherheitsevaluationsmethodologie für IKT-Produkte
Méthode d'évaluation de la cybersécurité pour produits TIC
Ta slovenski standard je istoveten z: EN 17640:2022
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN 17640
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2022
ICS 35.030
English version
Fixed-time cybersecurity evaluation methodology for ICT
products
Méthode d'évaluation de la cybersécurité pour Zeitlich festgelegte
produits TIC Cybersicherheitsevaluationsmethodologie für IKT-
Produkte
This European Standard was approved by CEN on 15 August 2022.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN 17640:2022 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Conformance . 9
5 General concepts . 11
5.1 Usage of this methodology . 11
5.2 Knowledge of the TOE . 12
5.3 Development process evaluation . 12
5.4 Attack Potential . 12
5.5 Knowledge building . 13
6 Evaluation tasks . 13
6.1 Completeness check . 13
6.1.1 Aim . 13
6.1.2 Evaluation method . 13
6.1.3 Evaluator competence . 13
6.1.4 Evaluator work units . 13
6.2 FIT Protection Profile Evaluation . 14
6.2.1 Aim . 14
6.2.2 Evaluation method . 14
6.2.3 Evaluator competence . 14
6.2.4 Evaluator work units . 14
6.3 Review of security functionalities . 15
6.3.1 Aim . 15
6.3.2 Evaluation method . 15
6.3.3 Evaluator competence . 15
6.3.4 Evaluator work units . 15
6.4 FIT Security Target Evaluation . 16
6.4.1 Aim . 16
6.4.2 Evaluation method . 16
6.4.3 Evaluator competence . 16
6.4.4 Evaluator work units . 16
6.5 Development documentation . 17
6.5.1 Aim . 17
6.5.2 Evaluation method . 17
6.5.3 Evaluator competence . 17
6.5.4 Work units . 17
6.6 Evaluation of TOE Installation . 17
6.6.1 Aim . 17
6.6.2 Evaluation method . 18
6.6.3 Evaluator competence . 18
6.6.4 Evaluator work units . 18
6.7 Conformance testing . 18
6.7.1 Aim . 18
6.7.2 Evaluation method . 18
6.7.3 Evaluator competence . 19
6.7.4 Evaluator work units . 19
6.8 Vulnerability review . 20
6.8.1 Aim . 20
6.8.2 Evaluation method . 20
6.8.3 Evaluator competence . 21
6.8.4 Evaluator work units . 21
6.9 Vulnerability testing . 21
6.9.1 Aim . 21
6.9.2 Evaluation method . 22
6.9.3 Evaluator competence . 22
6.9.4 Evaluator work units . 22
6.10 Penetration testing . 24
6.10.1 Aim . 24
6.10.2 Evaluation method . 24
6.10.3 Evaluator competence . 25
6.10.4 Evaluator work units . 25
6.11 Basic crypto analysis . 26
6.11.1 Aim . 26
6.11.2 Evaluation method . 26
6.11.3 Evaluator competence . 26
6.11.4 Evaluator work units . 26
6.12 Extended crypto analysis . 27
6.12.1 Aim . 27
6.12.2 Evaluation method . 27
6.12.3 Evaluator competence . 28
6.12.4 Evaluator work units . 28
Annex A (informative) Example for a structure of a FIT Security Target (FIT ST) . 30
Annex B (normative) The concept of a FIT Protection Profile (FIT PP) . 32
Annex C (informative) Acceptance Criteria . 33
Annex D (informative) Guidance for integrating the methodology into a scheme . 40
Annex E (informative) Parameters of the methodology and the evaluation tasks . 45
Annex F (normative) Calculating the Attack Potential . 47
Annex G (normative) Reporting the results of an evaluation . 52
Bibliography .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.