ISO/IEC TR 15443-1:2012

TECHNICAL ISO/IEC
REPORT TR
15443-1
Second edition
2012-11-15
Information technology — Security
techniques — Security assurance
framework —
Part 1:
Introduction and concepts
Technologies de l'information — Techniques de sécurité — Assurance
de la sécurité cadre —
Partie 1: Introduction et concepts

Reference number
©
ISO/IEC 2012
©  ISO/IEC 2012
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56  CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2012 – All rights reserved

Contents Page
Foreword . v
Introduction . vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated Terms . 6
5 Concepts of security assurance . 8
5.1 Security assurance . 8
5.2 Assurance is distinguishable from confidence . 9
5.3 The need for security assurance . 9
5.4 Security assurance is intangible . 10
5.5 Security assurance reduces security risk . 10
5.6 Security assurance provided is related to the effort expended . 10
5.7 Security assurance does not improve the product . 11
5.8 Security assurance stakeholders . 11
5.8.1 Those requiring confidence in SACA results . 11
5.8.2 Approval and assurance authorities . 11
5.9 Security assurance pervasiveness . 12
5.9.1 Pass-through security assurance . 14
5.9.2 Boundaries of deliverables . 14
5.9.3 Transfer of deliverables . 18
5.10 Organisational aspects of SACA . 18
6 The structure of security assurance . 19
6.1 Security assurance requirements specification . 20
6.2 Security assurance cases . 20
6.2.1 Developing a security assurance case . 21
6.2.2 Communicating a security assurance case . 21
6.3 Security assurance evidence . 21
6.4 Security assurance claims . 21
6.5 Security assurance arguments . 22
7 SACA techniques . 23
7.1 Techniques . 23
7.1.1 Effectiveness (or evaluation) . 24
7.1.2 Correctness (or conformance) . 24
7.1.3 Predictive assurance . 24
7.2 Selecting security assurance techniques . 24
7.2.1 Optimisation considerations . 25
8 SACA methods . 26
8.1 Security Assurance Conformity Assessment (SACA) Methods . 26
8.1.2 The composition of a security assurance conformance assessment method . 27
8.1.3 Methods specific to security assurance . 28
8.1.4 Methods not specific to security assurance . 29
8.2 Approaches of SACA methods . 29
8.2.1 Approach types . 29
8.2.2 Combining approaches . 30
8.3 Coverage of life cycle phases . 31
8.3.1 Security assurance conformity assessors . 32
8.3.2 Efficiency of a SACA method . 32
© ISO/IEC 2012 – All rights reserved iii

8.4 The relationship between security criteria and assessment methods .33
8.5 Security assurance ratings .33
8.6 SACA tools .34
8.7 Outputs from the application of SACA methods .34
9 CASCO .35
9.1 Standards supporting conformity assessment .35
10 SACA Paradigms .36
10.1 SACA schemes .36
10.2 SACA conformity assessment bodies .37
10.2.1 Type A conformity assessments .37
10.2.2 Second party conformity assessment bodies .37
10.2.3 Third party conformity assessment bodies .38
10.3 Example models of SACA paradigms.38
10.3.1 Common Criteria .38
10.3.2 The Cryptographic Module Validation Program (CMVP) .39
10.3.3 The Payment Card Industry .40
11 Aspects of the composition of security assurance .41
11.1 Developing an assurance case in a compositional setting .42
11.1.1 General problems of composition .43
11.1.2 General aspects of composition re-use .43
11.1.3 Composition using different assurance techniques .44
11.2 Types of composition .44
11.2.1 Layering .44
11.2.2 Network .46
11.2.3 Component .48
11.3 Further activities .49
Bibliography .50

iv © ISO/IEC 2012 – All rights reserved

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
In exceptional circumstances, when a technical committee has collected data of a different kind from that
which is normally published as an International Standard (“state of the art”, for example), it may decide by a
simple majority vote of its participating members to publish a Technical Report. A Technical Report is entirely
informative in nature and does not have to be reviewed until the data it provides are considered to be no
longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 15443-1 was prepared by Joint Technical Committee ISO/IEC JTC1, Information technology,
Subcommittee SC 27, Security techniques.
This second edition cancels and replaces the first edition (ISO/IEC TR 15443-1:2005), which has been
technically revised. It also replaces ISO/IEC TR 15443-3.
ISO/IEC TR 15443 consists of the following parts, under the general title Information technology — Security
techniques — Security assurance framework:
 Part 1: Introduction and concepts
 Part 2: Analysis
© ISO/IEC 2012 – All rights reserved v

Introduction
At the plenary meeting of ISO/IEC JTC 1/SC 27 in November 1994, a study group was set up to consider the
question of testing and assessment methods which contribute to assurance that IT products and systems
conform to security standards from SC 27 and elsewhere (e.g. SC 21 and ETSI; and some Internet standards
contain security aspects). In parallel, the Common Criteria project created a working group on assurances
approaches in early 1996. ISO/IEC TR 15443 resulted from these two activities. Since then the subject of
security assurance has advanced and matured. This second edition of ISO/IEC TR 15443 reflects the current
state of the art in this topic.
Assurance in general may extend to include many properties of IT systems such as usability, interoperability,
quality, reliability and so on and are discussed in other complementary documents such as ISO/IEC 15026
"Systems and software engineering — Systems and software assurance". Hence a detailed discussion of
these properties is outside the scope of this Technical Report which focuses on IT security assurance.
The objective of ISO/IEC TR 15443 is to describe the topic of security assurance, providing the fundamental
concepts of the topic and present the various security assurance techniques. Provision of a framework in
which an appropriate security assurance case can be made is given. The framework provides guidance to the
IT Security Professional in the use of security assurance to achieve confidence that a given deliverable
satisfies its stated IT security assurance requirements. This report examines security assurance techniques,
and security assurance methods proposed by various types of organisations whether they are de-jure or de-
facto in nature.
In pursuit of this objective, ISO/IEC TR 15443 comprises the following:
a) the terms and definitions relating to the topic of security assurance
b) the fundamental concepts relating to security assurance
c) guidance to the selection, application, composition and recognition of assurance methods.
d) a presentation of common and unique properties specific to assurance methods;
e) a framework model to position existing assurance methods and to show their relationships;
ISO/IEC TR 15443 is organised in two parts to address the analysis of security assurance techniques as
follows:
In this part, the introduction and concepts provides an overview of the definitions, fundamental concepts and a
general description of security assurance. This material is aimed at providing the fundamental knowledge
necessary to use the framework for analysis presented in ISO/IEC TR 15443-2 appropriately.
This part of ISO/IEC TR 15443 targets:
a) security assurance authorities, i.e. those responsible for decisions related to a deliverable's security
assurance,
b) those responsible for developing deliverables with security functionality, such as security officers, IT
security architects, developers and integrators,
c) those who are responsible for determining the security assurance of a deliverable, for example through
the use of SACA methods such as those offered by ISO/IEC 27001, ISO/IEC 15408 and ISO/IEC 19790,
This audience may include government agencies, suppliers and integrators.
vi © ISO/IEC 2012 – All rights reserved

d) consumers of IT security assurance such as those acquirers and end-users who are responsible for
procuring or using deliverables that make claims about their security properties.
ISO/IEC TR 15443 -2, Analysis, describes a security assurance framework model that can be used to assess
a variety of assurance methods and approaches and relates them to ISO/IEC TR 15443-1. The emphasis is to
identify qualitative properties of the security assurance methods that contribute to security assurance. This
material is catering to an IT security professional to provide understanding of how to obtain security assurance
in a given life cycle stage of a deliverable.
ISO/IEC TR 15443 is relevant to security assurance methods that may not be unique to IT security; however,
guidance given in ISO/IEC TR 15443 will be limited to IT security requirements. A Technical Report,
ISO/IEC TR 15026, covers the related topic of systems and software assurance.
Similarly, additional terms and concepts defined in other International standardisation initiatives (i.e. CASCO)
and International guides (e.g., ISO/IEC 17000) will be incorporated; however, guidance will be provided
specific to the field of IT security and is not intended for general quality management and assessment, or IT
conformity.
© ISO/IEC 2012 – All rights reserved vii

TECHNICAL REPORT ISO/IEC TR 15443-1:2012(E)

Information technology — Security techniques — Security
assurance framework —
Part 1:
Introduction and concepts
1 Scope
This part of ISO/IEC TR 15443 defines terms and establishes an extensive and organised set of concepts and
their relationships for understanding IT security assurance, thereby establishing a basis for shared
understanding of the concepts and principles central to ISO/IEC TR 15443 across its user communities. It
provides information fundamental to users of ISO/IEC TR 15443-2.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated references,
the latest edition of the referenced document (including any amendments) applies.
ISO/IEC TR 15026-1:2010, Systems and software engineering — Systems and software assurance — Part 1:
Concepts and vocabulary
ISO/IEC 17000:2004, Conformity assessment — Vocabulary and general principles
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 17000, ISO/IEC TR 15026-1
and the following apply.
NOTE Defining terms for a generic security assurance framework is a difficult task since many security assurance
terms have been coined to satisfy the needs of specific security assurance needs. In many cases, similar terms have
different definitions making it difficult to construct a generic language for the security assurance framework. Owing to
these difficulties, definitions in conflict are reproduced below, and the term's preferred definition in the context of this
Technical Report indicated. In particular, definitions from ISO/IEC 17000, ISO/IEC TR 15026, ISO/IEC 15408 part 1 and
the ISO/IEC 27000 series may be reproduced below.
3.1
accreditation
third-party attestation related to a conformity assessment body conveying formal demonstration of its
competence to carry out specific conformity assessment results
[SOURCE: ISO/IEC 17000:2004, definition 5.6]
3.2
accreditation
formal declaration by a designated approving authority that a system is approved to operate in a particular
security mode using a prescribed set of safeguards
© ISO/IEC 2012 – All rights reserved 1

NOTE 1 The definition of the term "accreditation" adopted for this standard is from ISO/IEC 17000:2004, definition 5.6.
NOTE 2 Note 1 is not part of the definition from ISO/IEC 21827.
[SOURCE: ISO/IEC 21827:2008, definition 3.2]
3.3
approval authority
SACA approval authority
entity with the authority to decide that the assurance case and the extent of assurance it provides are
satisfactory
NOTE 1 The approval authority may include multiple entities, e.g. individuals or organizations. These can include
different entitles with different levels of approval and/or different areas of interest.
NOTE 2 Two-party situations; approval authority often rests with the acquirer. In regulatory situations, the approval
authority may be a third party such as a governmental organization or its agent. In other situations, e.g. the purchase of
off-the-shelf products developed by a single-party, the independence of the approval authority can be a relevant issue to
the acquirer.
[SOURCE: Adapted from ISO/IEC 15026-1:2010, definition 2.3]
3.4
approval authority
any national or international organization/authority mandated to approve and/or evaluate security functions
NOTE 1 An approval authority in the context of this definition evaluates and approves security functions based on their
cryptographic or mathematical merits but is not the testing entity which would test for conformance to this International
Standard and ISO/IEC 19790:2006.
[SOURCE: ISO/IEC 19790:2006, definition 3.1]
3.5
assessment
verification of a product, system or service against a standard using the corresponding assessment method to
establish compliance and determine the assurance
[SOURCE: ISO/IEC 21827, definition 3.3]
3.6
assurance
grounds for justified confidence that a claim has been or will be achieved
[SOURCE: ISO/IEC TR 15026-1:2010, definition 2.1]
3.7
assurance
grounds for justified confidence that a TOE meets the SFRs
[SOURCE: ISO/IEC 15408-1:2009, definition 3.1.4]
3.8
assurance authority
individual or organization responsible for specifying security assurance requirements for which assurance is to
be obtained
NOTE 1 An assurance authority may be the same individual or organization as the approval authority in definition 3.3.
2 © ISO/IEC 2012 – All rights reserved

3.9
assurance case
representation of a claim or claims, and the support for these claims
NOTE 1 An assurance case is a reasoned, auditable artefact created to support the contention its claim or claims are
satisfied. It contains the following and their relationships:
 one or more claims about properties;
 arguments that logically link the evidence and any assumptions to the claim(s);
 a body of evidence and possibly assumptions supporting these arguments for the claim(s).
[SOURCE: ISO/IEC TR 15026-1, definition 2.2]
3.10
assurance claim
assertion or supporting assertion that a system meets a stated security need
NOTE 1 Claims address both direct threats (e.g. system data are protected from attacks by outsiders) and indirect
threats (e.g. system code has minimal flaws).
NOTE 2 Compare with the definition of "claim" in definition 3.11.
[SOURCE: Adapted from ISO/IEC 21827, definition 3.7]
3.11
certification
third-party attestation related to products, processes, systems or persons
NOTE 1 Certification of a management system is some-times also called registration.
NOTE 2 Certification is applicable to all objects of conformity assessment except for conformity assessment bodies
themselves, to which accreditation is applicable.
[SOURCE: ISO/IEC 17000:2004, definition 5.5]
3.12
claim
statement of something to be true including associated conditions and limitations
NOTE 1 The statement of a claim does not mean that the only possible intent or desire is to show it is true. Sometimes
claims are made for the purpose of evaluating whether they are true or false or undertaking an effort to establish what is
true.
NOTE 2 In its entirety, a claim conforming to ISO/IEC 15026-2 is an unambiguous declaration of an assertion with any
associated conditionality giving explicit details including limitations on values and uncertainty. It could be about the future,
present, or past.
[SOURCE: ISO/IEC 15026-1:2010,definition 2.4]
3.13
conformity assessment scheme
conformity assessment programme
conformity assessment system related to specified objects of conformity assessment, to which the same
specified requirements, specific rules and procedures apply
NOTE 1 Conformity assessment schemes may be operated at international, regional, national or sub-national level.
[SOURCE: ISO/IEC 17000:2010, definition 2.8]
© ISO/IEC 2012 – All rights reserved 3

3.14
deliverable
component, product, system, service, process, organization or personnel that has a security objective
NOTE 1 A deliverable's boundary may include one or many components including the processors, and peripherals,
associated communication technologies, peripheral services, the environment in which it operates, associated
organizational processes as well as the personnel responsible for developing, operating, maintaining and using it.
3.15
evaluation
systematic determination of the extent to which an entity meets its specified criteria
[SOURCE: ISO/IEC 12207:2007, definition 4.12]
3.16
evaluation
assessment of a PP, an ST or a TOE against defined criteria
[SOURCE: ISO/IEC 15408–1:2009, definition 3.1.26]
3.17
evaluation scheme
the administrative and regulatory framework under which ISO/IEC 15408 is applied by an evaluation authority
within a specific community
NOTE 1 Compare with [ISO/IEC 17000, definition 2.8 "conformity assessment scheme"].
[SOURCE: Adapted from ISO/IEC 15408–1:2009, definition 3.1.29]
3.18
mark
assurance argument that substantiates the assurance claim
NOTE 1 ISO/IEC 17030:2003 gives general requirements for third party marks of conformity.
3.19
predictive assurance
recognition of the vendor’s consistent repeatability to provide deliverables that satisfy its security policy or to
perform as claimed
3.20
secure
not vulnerable to most attacks, are able to tolerate many of the attacks that they are vulnerable to, and that
can recover quickly with a minimum of damage from the few attacks that successfully exploit their
vulnerabilities
3.21
security
property of a system by which confidentiality, integrity, availability, accountability, authenticity, and reliability
are achieved
3.22
security
the capability of the software product to protect information and data so that unauthorised persons or systems
cannot read or modify them and authorised persons or systems are not denied access to them
[SOURCE: ISO/IEC 12207:2007, definition 4.39]
4 © ISO/IEC 2012 – All rights reserved

3.23
security assurance
grounds for justified confidence that a claim about meeting security objectives has been or will be achieved
[SOURCE: Adapted from ISO/IEC 15026-1:2010, definition 2.1]
3.24
security assurance argument
set of structured security assurance claims, supported by evidence and reasoning, that demonstrate clearly
how security assurance needs have been satisfied
3.25
security assurance evidence
data on which a judgment or conclusion about an security assurance claim may be based
NOTE 1 The evidence may consist of observation, test results, analysis results, evaluation and appraisals.
[SOURCE: Adapted from ISO/IEC 21827, definition 3.8]
3.26
Security assurance conformance assessment method
SACA method
systematic process, procedure or technique for obtaining security assurance evidence and consistently
verifying security assurance claims
NOTE 1 Compare with conformity assessment scheme, definition 2.8 in ISO/IEC 17000.
3.27
Security assurance conformance assessment paradigm
SACA paradigm
complete system for the provision and recognition of a single or several related SACA Marks including the
specification of SACA methods, SACA schemes and a set of stakeholders
3.28
Security assurance conformance assessment scheme
SACA scheme
system of common rules, procedures and management for demonstrating that specified security assurance
requirements relating to a product, process, system, person or body are applied to specific objects of
conformity assessment
NOTE 1 Conformity assessment schemes may be operated at international, national or sub-national level.
NOTE 2 Adapted from ISO/IEC 17000:2004 definition 2.8.
NOTE 3 Compare with "evaluation scheme" definition 3.17.
3.29
security assurance rating
indication of assessment rigour and coverage of security assurance requirements according to a specific scale
used by the security assurance method
NOTE 1 The assurance level may not be measurable in quantitative terms.
NOTE 2 The degree of security assurance obtained is generally related to the effort expended on the activities
performed.
3.30
security assurance result
documented quantitative or qualitative security assurance statement pertaining to a deliverable
© ISO/IEC 2012 – All rights reserved 5

3.31
security objective
statement of intent to counter identified threats and/or satisfy identified organisation security policies and
assumptions
[SOURCE: ISO/IEC 15408-1:2009, definition 3.1.60]
3.32
security problem
statement which in a formal manner defines the nature and scope of the security that the TOE is intended to
address
NOTE 1 This statement consists of a combination of:
 threats to be countered by the deliverable,
 the OSPs enforced by the deliverable, and
 the assumptions that are upheld for the deliverable and its operational environment.
[SOURCE: ISO/IEC 15408-1:2009, definition 3.1.61]
3.33
system
combination of interacting elements organized to achieve one or more stated purposes
NOTE 1 A system may be considered as a product and/or as the services it provides.
NOTE 2 In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g.
aircraft system. Alternatively the word system may be substituted simply by a context dependent synonym, e.g. aircraft,
though this may then obscure a system principles perspective.
[SOURCE: ISO/IEC 15288:2008, definition 4.31]
4 Abbreviated Terms
CASCO
ISO Committee on conformity assessment
CC
Common Criteria
CCMC
Common Criteria Management Committee
CCRA
Common Criteria Recognition Arrangement
CEM
Common Evaluation Methodology
CMM
Capability Maturity Model
COTS
Commercial off the shef
CSEC
Communications Security Establishment of Canada (Canadian IT Security Agency)
6 © ISO/IEC 2012 – All rights reserved

EAL
Evaluation Assurance Level
IEC
International Electrotechnical Commission
ISMS
Information Security Management System
ISO
International Organization for Standardization
IT
Information Technology
ITSEC
Information Technology Security Evaluation Criteria (Office for Official Publications of the European
Communities)
ITSEF
Information Technology Security Evaluation Facility
ITSEM
Information Technology Security Evaluation Methodology (Office for Official Publications of the European
Communities)
NIST
National Institute of Standards and Technology (Government Agency of the USA)
NSA
National Security Agency (Government Agency of the USA)
PCI DSS
Payment Card Industry Data Security Standard
PCI SSC
Payment Card Industry Security Standards Council
PP
Protection Profile (defined in ISO/IEC 15408-1)
SACA
Security assurance conformance assessment
SCT
Strict (Security) Conformance Testing
SDO
Standards Development Organization
SOG-IS
Senior Officials Group, Information System Security
SSE-CMM
System Security Engineering - Capability Maturity Model ISO/IEC 21827 (submitted to ISO as a publicly
available standard by the Support Organization of the International Systems Security Engineering Association
(ISSEA)
© ISO/IEC 2012 – All rights reserved 7

ST
Security Target (defined in ISO/IEC 15408-1)
TOE
Target of Evaluation (a term defined in ISO/IEC 15408-1)
5 Concepts of security assurance
This clause introduces the concepts of security assurance and aims to elaborate on the general assurance
concepts given in ISO/IEC 15026-1:2010 for systems and software assurance.
The structure of security assurance is given in clause 6, the concepts of conformity in security assurance
assessments are explained in clauses 7, 8 and 9 and the notion of composing security assurance is
introduced in clause 10.
5.1 Security assurance
Security is often described in terms of key security properties, those of confidentiality, integrity and availability.
Further principles, including non-repudiation and authenticity are often cited by security professionals. For the
topic of assurance the properties considered may also include reliability, dependability, quality, survivability,
and according to some people safety.
Security assurance can be considered as related to quality assurance. Quality has been defined in many ways
including:
 excellence or arête (Socrates, Plato, Aristotle);
 value (Feigenbaum);
 conformance to specification (Gilmore, Levitt, Crosby, Deming, Feigenbaum, Juran);
 meeting/exceeding customers expectations (Feigenbaum, Juran);
 conformance to requirements (Crosby);
 loss avoidance (Taguchi);
 fitness for purpose (Juran).
The provision of security assurance contributes to these paradigms and therefore can be considered as a
contributor to the property of quality and is related to the satisfaction of the stakeholders.
It has been claimed that the provision of security assurance is resource intensive and involves additional cost
and delays. This is true. The amount of resources expended is commensurate with the security assurance
provided. Furthermore, security assurance is geared to prevent losses and does not directly contribute to
revenue or profit. Therefore its return on investment is measurable through the cost of failure. The benefit an
organisation receives from the investment of resources in security assurance will not be obvious to people not
familiar with security issues therefore it may require extensive justification and must be well presented to gain
management approval.
The reader should note that a claim for a complex deliverable such as an IT system stating that the
deliverable is completely secure can not be reasonably made. Conversely, the only claim about being secure
that promises complete assurance for a complex deliverable is that sooner or later such a complex deliverable
will have security failures. Hence we can deduce that what is indicated by the objective that an IT system is
“secure” is the specification of IT systems, or deliverables, that are not vulnerable to most attacks, are able to
tolerate many of the attacks that they are vulnerable to, and that can recover quickly with a minimum of
damage from the few attacks that successfully exploit their vulnerabilities.
The provision of security assurance then is to qualify such a high level objective and to provide stakeholders
with an indication of the confidence that they can assume that a deliverable is secure.
8 © ISO/IEC 2012 – All rights reserved

5.2 Assurance is distinguishable from confidence
It is important to point out that assurance and confidence are not identical and cannot be used in place of one
another. Too often, these terms are used incorrectly as they are closely related. It is important for the reader
to understand the distinction between these two terms. Confidence, from the perspective of an individual, is
related to the belief that one has in the assurance of the deliverable whereas assurance is related to the
demonstrated ability of the deliverable to perform its security objectives. Therefore, confidence is not a
certainty but an expression of trust and belief created through assurance.
Assurance is determined from the evidence produced by the assessment process of the deliverable. The
evidence, usually composed of an assurance argument, documentation, and other related work products,
substantiates the claimed assurance based on the security engineering and assessment activities.
Confidence is subject to the individual’s perception of their specific security requirements and to the
knowledge gained in assessment processes that the deliverable will perform in the way expected or claimed.
This includes the knowledge of the assurance criteria, method, scheme, and assessment process used.
Furthermore, the reputation of the assessors and operators is a significant factor in establishing confidence of
the deliverable because their qualifications and experience may or may not be acceptable. As a consequence,
by their individual perception, stakeholders may have different degrees of confidence after the performance of
a given assurance method by a given person or organisation.
5.3 The need for security assurance
Over the past few decades, our reliance on IT systems has dramatically increased. IT systems are now
pervasive and play critical roles in the infrastructure of our societies. With the acknowledgement of this
statement as fact comes a realisation that the value of the assets that could be compromised through an IT
system extends beyond the monetary value but can also affect the fundamental processes of modern
societies.
For example the trust placed by people in the stability of financial systems can now be influenced, at least in
part, through the security of the IT systems deployed that support that industry. A failure of key systems could
disrupt a national, regional, or world economy.
Similarly, the production and distribution of electricity is dependent on the IT systems that are used to control
and manage that resource. The value of the assets that these IT systems are associated with goes beyond
the systems themselves, beyond even the value of the equipment that forms that infrastructure, but extends to
the value of the society that is dependent upon receiving electricity.
IT systems are prone to failures in maintaining security due in part to their increasing complexity, the evolution
of attackers' capabilities, and increasing value of the assets that they hold. Exploitable vulnerabilities can be
introduced through rapidly changing technology, human error, poor requirement specifications, poor
development processes or as a result of underestimating the threat. Once deployed IT systems are rarely
static with additional functionality being added, system modifications and maintenance, and changing
business requirements often being introduced contributing to the likelihoods of an increased number of
exploitable vulnerabilities and security violations occurring throughout the IT system's life cycle. This situation
makes it practically impossible to guarantee an error-free, risk-free, and secure IT system.
From the above paragraphs, it can be seen that errors, exploitable vulnerabilities and risks will always exist
and their characteristics will change over the course of an IT system's life. Therefore, the errors, vulnerabilities
and risks will have to be managed over the IT system's life within acceptable parameters.
The task of those responsible for the security of IT systems is to establish acceptable levels of security
assurance and risk objectives for the IT system. They must manage the security risks by mitigating the
vulnerabilities and threats with technological and organisational security measures to achieve an IT system
with acceptable security assurance. In this way, the stakeholders of an IT system will achieve reasonable
confidence that the IT system performs in the way that was intended.
From a security standpoint, this translates into confidence that the deliverable enforces the applicable security
policy.
© ISO/IEC 2012 – All rights reserved 9

5.4 Security assurance is intangible
Security assurance does not “add” any safeguards or services to the deliverable. Thus it is sometimes difficult
for non-security personnel to understand what benefit they are receiving from the investment of resources in
assurance. For example, with respect to an IT security product, it has been argued that assurance contributes
to the “strength” of a security mechanism; however, the assurance actually contributes to the confidence that
one has in the mechanism strength by reducing the uncertainty (or probability) of a threat occurrence causing
a security breach. For example, Two-Factor authentication is often mistaken as having more assurance than a
simple password mechanism, where in reality it is only a stronger authentication mechanism. Two-Factor
authentication is a stronger mechanism since it verifies two user attributes versus one attribute in a password
mechanism. This in itself does not offer assurance since it is the assurance activities in the development of
the mechanism that contributes to the assurance of the mechanism.
It is important to understand that assurance does not automatically imply good security: only that it meets its
security objectives (security policy). In other words, the assurance provides confidence that the deliverable
enforces its security objectives without examining whether the security objectives appropriately address the
risks and threats. For example, while a high assurance IT product can be trusted to meet its security
objectives, it depends on the nature of these objectives as to whether the product behaves in a secure
manner. In contrast, a low assurance product with more appropriate objectives may actually be more secure.
5.5 Security assurance reduces security risk
Security assurance contributes to a reduction of risk, in-so-much-as assurance reduces the uncertainty
associated with vulnerabilities of the deliverable. Thus the potential vulnerability is reduced, leading to a
reduction in the overall risk associated with the deliverable. As discussed in the previous clause, security
assurance does not add any additional controls to counter the risks related to security: rather, the assurance
activities attempt to substantiate that the deliverable satisfies its security objectives. This involves the
production of assurance-relevant evidence and a rationale to provide confidence that the controls
implemented will reduce the anticipated risk.
Direct qualification o
...