ISO/IEC 20243-2:2018
Information technology - Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products - Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018
ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider™ Standard (O-TTPS). These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.
Technologies de l'information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits et malicieusement contaminés — Partie 2: Procédures d'évaluation de l'O-TTPS et l'ISO/IEC 20243-1:2018
ISO/IEC 20243-2:2018 is a standard published by the International Organization for Standardization (ISO). Its full title is "Information technology - Open Trusted Technology Provider™ Standard (O-TTPS) - Mitigating maliciously tainted and counterfeit products - Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018". This standard covers: ISO/IEC 20243-2:2018 specifies the procedures to be utilized by an assessor when conducting a conformity assessment to the mandatory requirements in the Open Trusted Technology Provider™ Standard (O-TTPS). These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity of assessments against the O-TTPS. Though the primary audience for this document is the assessor, an Information Technology (IT) provider who is undergoing assessment or preparing for assessment, may also find this document useful.
ISO/IEC 20243-2:2018 is classified under the following ICS (International Classification for Standards) categories: 13.310 - Protection against crime; 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 20243-2:2018 has the following relationships with other standards: it has inter-standard links to ISO/IEC 20243-2:2023 and ISO/IEC 20243:2015. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 20243-2
First edition
2018-01
Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Mitigating maliciously tainted and counterfeit products — Part 2: Assessment procedures for the O-TTPS and ISO/IEC 20243-1:2018
Technologies de l'information — Norme de fournisseur de technologie de confiance ouverte (O-TTPS) — Atténuation des produits contrefaits et malicieusement contaminés — Partie 2: Procédures d'évaluation de l'O-TTPS et l'ISO/IEC 20243-1:2018
Reference number
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
Published in Switzerland
Contents
1. Introduction
1.1 Scope
1.2 Normative References
1.3 Terms and Definitions
1.3.1 Distributor
1.3.2 Evidence of Conformance
1.3.3 Implementation Evidence
1.3.4 O-TTPS Requirements
1.3.5 Organization
1.3.6 Pass-Through Reseller
1.3.7 Process Evidence
1.3.8 Scope of Assessment
1.3.9 Selected Representative Product
2. General Concepts
2.1 The O-TTPS
2.2 Assessment Concepts: Relevance of Scope of Assessment and Selected Representative Products
2.3 Relevance of IT Technology Provider Categories in the Supply Chain
3. Assessment Requirements
3.1 General Requirements for Assessor Activities
3.1.1 General Requirements for Evidence of Conformance
4. Assessor Activities for O-TTPS Requirements
4.1 PD_DES: Software/Firmware/Hardware Design Process
4.2 PD_CFM: Configuration Management
4.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices
4.4 PD_QAT: Quality and Test Management
4.5 PD_PSM: Product Sustainment Management
4.6 SE_TAM: Threat Analysis and Mitigation
4.7 SE_VAR: Vulnerability Analysis and Response
4.8 SE_PPR: Product Patching and Remediation
4.9 SE_SEP: Secure Engineering Practices
4.10 SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
4.11 SC_RSM: Risk Management
4.12 SC_PHS: Physical Security
4.13 SC_ACC: Access Controls
4.14 SC_ESS: Employee and Supplier Security and Integrity
4.15 SC_BPS: Business Partner Security
4.16 SC_STR: Supply Chain Security Training
4.17 SC_ISS: Information Systems Security
4.18 SC_TTC: Trusted Technology Components
4.19 SC_STH: Secure Transmission and Handling
4.20 SC_OSH: Open Source Handling
4.21 SC_CTM: Counterfeit Mitigation
4.22 SC_MAL: Malware Detection
A.1 Guidance
FOREWORD
ISO (the International Organization for Standardization) and IEC (the International
Electrotechnical Commission) form the specialized system for worldwide standardization.
National bodies that are members of ISO or IEC participate in the development of International
Standards through technical committees established by the respective organization to deal with
particular fields of technical activity. ISO and IEC technical committees collaborate in fields of
mutual interest. Other international organizations, governmental and non‐governmental, in
liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO
and IEC have established a joint technical committee, ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2
(see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the
subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such
patent rights. Details of any patent rights identified during the development of the document
will be in the Introduction and/or on the ISO list of patent declarations received
(see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and
does not constitute an endorsement.
For an explanation on the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see the
following URL: www.iso.org/iso/foreword.html.
This document was prepared by The Open Group and was adopted, under the PAS procedure, by
Joint Technical Committee ISO/IEC JTC 1, Information technology, in parallel with its approval by
national bodies of ISO and IEC.
A list of all parts in the ISO 20243 series can be found on the ISO website.
1. Introduction
1.1 Scope
This document specifies the procedures to be utilized by an assessor when conducting a conformity
assessment to the mandatory requirements in the Open Trusted Technology Provider™ Standard
(O-TTPS).
These Assessment Procedures are intended to ensure the repeatability, reproducibility, and objectivity
of assessments against the O-TTPS. Though the primary audience for this document is the assessor,
an Information Technology (IT) provider who is undergoing assessment or preparing for assessment,
may also find this document useful.
1.2 Normative References
The following documents, in whole or in part, are normatively referenced within this document. For
undated references, the latest edition of the referenced document applies:
ISO/IEC 20243-1:2018 Information Technology – Open Trusted Technology Provider™
Standard (O-TTPS) – Mitigating Maliciously Tainted and Counterfeit Products
1.3 Terms and Definitions
For the purposes of this document, the following terms and definitions apply. For terms not defined
here refer to the Glossary in the O-TTPS.
The O-TTPS is technically equivalent to ISO/IEC 20243-1:2018. Throughout this document, the term
O-TTPS is used when referring to The Open Trusted Technology Provider Standard (O-TTPS)
(ISO/IEC 20243-1:2018).
Note: The terms listed in the following sections are capitalized throughout this document.
1.3.1 Distributor
Distributors and Pass-Through Resellers distribute products, but do not modify the product or
augment the physical composition of the product as they distribute it. Distributors and Pass-Through
Resellers do have responsibility for mitigating risk to the physical and logical access to the product.
1.3.2 Evidence of Conformance
Evidence submitted to the assessor performing the assessment to demonstrate conformance to the O-TTPS
Requirements within an Organization’s declared Scope of Assessment.
1.3.3 Implementation Evidence
Artifacts that show the required process has been applied to the Selected Representative Products.
1.3.4 O-TTPS Requirements
All of the mandatory (i.e., Shall) requirements in the O-TTPS.
1.3.5 Organization
A technology provider being assessed for conformance to the O-TTPS Requirements (e.g., Original
Equipment Manufacturer (OEM), Original Design Manufacturer (ODM), hardware and software
component supplier, integrator, Value-Add Reseller (VAR), Distributor, or Pass-Through Reseller).
The O-TTPS is freely available at: www.opengroup.org/bookstore/catalog/c147.htm. The O-TTPS is technically identical
to ISO/IEC 20243:2015 and ISO/IEC 20243-1:2018 and is available at: www.iso.org
Open Trusted Technology Provider™ Standard (O-TTPS) Certification Program:
Assessment Procedures for the O-TTPS, ISO/IEC 20243:2015 and ISO/IEC 20243-1:2018
1.3.6 Pass-Through Reseller
Pass-Through Resellers distribute products, but do not modify the product or augment the physical
composition of the product as they distribute it. Distributors and Pass-Through Resellers do have
responsibility for mitigating risk to the physical and logical access to the product.
1.3.7 Process Evidence
The evidence/artifacts listed in this document as required to demonstrate that the Organization has the
required processes/procedures defined.
Note: The Process Evidence shows they have defined/documented processes, the Implementation
Evidence (see Section 1.3.3) demonstrates that the defined/documented processes/procedures have
been implemented.
1.3.8 Scope of Assessment
A description by the Organization of the products, product lines, business units, and/or geographies,
which optionally could encompass an entire organization.
1.3.9 Selected Representative Product
A set of products that is a representative sample of all the products from within the Scope of
Assessment.
2. General Concepts
2.1 The O-TTPS
This section is included to provide insight into the structure and the naming conventions of the
requirements in the O-TTPS, which are also included in these Assessment Procedures in Section 3.
The O-TTPS is a standard containing a set of requirements that when properly adhered to have been
shown to enhance the security of the global supply chain and the integrity of commercial off-the-shelf
(COTS) information and communication technology (ICT) products. It provides a set of guidelines,
requirements, and recommendations that help assure against maliciously tainted and counterfeit
products throughout the COTS ICT product life cycle encompassing the following phases: design,
sourcing, build, fulfillment, distribution, sustainment, and disposal. The assessor shall only assess
conformance against the mandatory requirements, the (shall) requirements, in the O-TTPS and shall
not assess conformance to guidelines or recommendations.
The O-TTPS is described in terms of the provider’s product life cycle. The collection of provider best
practices contained in the O-TTPS are those that The Open Group Trusted Technology Forum
(OTTF) considers best capable of influencing and governing the integrity of a COTS ICT product
from its inception to proper disposal at end-of-life. These provider practices are divided into two
basic categories of product life cycle activities: Technology Development and Supply Chain Security:
The provider’s Technology Development activities for a COTS ICT product are mostly under
the provider’s in-house supervision in how they are executed. The methodology areas that are
most relevant to assuring against tainted and counterfeit products are:
— Product Development/Engineering methods
— Secure Development/Engineering methods
The provider’s Supply Chain Security activities focus on best practices where the provider
must interact with third parties who produce their agreed contribution with respect to the
product’s life cycle. Here, the provider’s best practices often control the point of intersection
with the outside supplier through control points that may include inspection, verification, and
contracts.
The O-TTPS is structured by prefacing each requirement with the associated activity area described
above. The naming convention is reflected in the O-TTPS and in this document and is listed below:
Product Development/Engineering-related requirements: PD
Secure Development/Engineering methods: SD
Supply Chain-related requirements: SC
2.2 Assessment Concepts: Relevance of Scope of Assessment and
Selected Representative Products
These Assessment Procedures introduce the concepts of “Scope of Assessment” and “Selected
Representative Products”. Rather than assuming an Organization would only request assessment for
conforming to the requirements in the O-TTPS for one specific product, these Assessment Procedures
allow for the possibility of an Organization to identify their desired Scope of Assessment, which
could be:
An individual product
All products within one product-line
All products within a business unit, or
All products within an entire organization
If an Organization wants to be assessed for conforming to the O-TTPS Requirements throughout a
larger scope, then the concept of Selected Representative Products becomes useful. Depending on the
size of the product-line, business unit, or organization, it would likely not be practical or affordable
for the Organization to demonstrate conformance on every product in a product-line, business-unit, or
in an entire organization. Instead the Organization may identify a representative subset of products
from within the Scope of Assessment. It is this set of Selected Representative Products which would
then be used to generate Evidence of Conformance to each of the O-TTPS Requirements.
However, if an Organization decides to be assessed for conforming to the O-TTPS Requirements for
an individual product, then they are free to do so. In that case, the Scope of Assessment would be that
one product and there would be only one Selected Representative Product to be assessed.
Note: Throughout these Assessment Procedures, what is being assessed is the conformance to the O-TTPS
Requirements which are, in general, a set of process requirements to be deployed throughout a
product’s life cycle from design through to disposal. Assessors are not assessing the products; they are
using the products to aid in demonstrating conformance to the O-TTPS Requirements for the defined
and implemented processes.
2.3 Relevance of IT Technology Provider Categories in the Supply Chain
The Assessment Procedures contained herein are applicable to all types of Organizations who are ICT
technology providers. The nature of the Organization as it applies to their Scope of Assessment is
relevant and should be specified by the Organization being assessed, and recorded by the assessor.
The category selections include:
OEM: indicating product provider or component supplier and whether the
product(s)/component(s) in the Scope of Assessment are primarily hardware or software or
both. All of the O-TTPS Requirements are applicable to OEMs including both hardware and
software technology providers and component suppliers.
Distributor or Pass-Through Reseller (assumes no value-add to the products/components):
Section 4 indicates which requirements do not typically apply to this group. In general,
none of the Product Development (PD) or Secure Engineering (SE) requirements apply and
all of the Supply Chain (SC) requirements do apply.
Integrator/Value-Add Reseller (VAR): These are integrators or resellers who do add value to
the product before they distribute it or resell it. For this category of technology provider they
would need to indicate the type of value they add to the product before reselling or
distributing it. This value-add should be relevant to the technology within their Scope of
Assessment. These technology providers indicate their value-add by choosing one or more of
the attribute categories from the O-TTPS – those options listed below. This additional
declaration provides the assessor with a better understanding of the Organization’s value-add
and, therefore, the Organization will be better informed about the particular requirements that
will apply, and the type(s) of evidence that should be provided.
The O-TTPS value-add options list for integrators and VARs (taken from the O-TTPS attributes
(high-level categories of requirements in the O-TTPS)):
PD_DES: Software/Firmware/Hardware Design Process
PD_CFM: Configuration Management
PD_MPP: Well-defined Development/Engineering Method Process and Practices
PD_QAT: Quality and Test Management
PD_PSM: Product Sustainment Management
SE_TAM: Threat Analysis and Mitigation
SE_RTP: Run-time Protection Techniques
SE_VAR: Vulnerability Analysis and Response
SE_PPR: Product Patching and Remediation
SE_SEP: Secure Engineering Practices
SE_MTL: Monitor and Assess the Impact of Changes in the Threat Landscape
SC_RSM: Risk Management
SC_PHS: Physical Security
SC_ACC: Access Controls
SC_ESS: Employee and Supplier Security and Integrity
SC_BPS: Business Partner Security
SC_STR: Supply Chain Security Training
SC_ISS: Information Systems Security
SC_TTC: Trusted Technology Components
SC_STH: Secure Transmission and Handling
SC_OSH: Open Source Handling
SC_CTM: Counterfeit Mitigation
SC_MAL: Malware Detection
3. Assessment Requirements
This section contains the general requirements for the assessor that shall be read, understood, and
followed during an assessment. Section 4 contains additional specific requirements for the assessor,
arranged in table format with specific requirements for assessing each of the O-TTPS Requirements.
3.1 General Requirements for Assessor Activities
This section contains general requirements for all assessor activities.
3.1.1 General Requirements for Evidence of Conformance
The Evidence of Conformance, demonstrating the existence of a process and the implementation of a
process provided by the Organization, shall meet the following requirements:
General Assessor Requirement No. | Description
1 There are two categories of evidence required: Process Evidence and Implementation Evidence.
Each requirement in Section 4 is characterized as either requiring Process Evidence,
Implementation Evidence, or both.
Process Evidence:
The specific types of Process Evidence listed in Section 4 in this document are required.
This is because these specific types of Process Evidence are generally considered to be
paramount in demonstrating conformance and will help assure consistency across all
assessments.
When a specific process is cited in the Evidence of Conformance by an Organization and
it is different from the process name specified in the assessor activities in Section 4 under
Process Evidence, the assessor should accept this provided the intent of the requirement is
met. The assessor shall record those instances and shall include a rationale for acceptance.
Implementation Evidence:
Implementation Evidence shows the process has been applied to the Selected
Representative Products. Acceptable types of evidence/artifacts are listed in the assessor
activities in Section 4 under Implementation Evidence. This is because each Organization
will likely have different ways of demonstrating implementation of the processes, which
may include a wide variety of types of evidence.
In certain instances the types of acceptable Implementation Evidence may differ based on
whether the Selected Representative Product being assessed is primarily a hardware or
software component/product. Therefore, in some instances, the types of recommended
evidence in the Assessment Procedures include options for both hardware and software-related
evidence, to be provided as appropriate.
2 The Implementation Evidence shall be related to the Selected Representative Products.
3 The Implementation Evidence and Process Evidence provided shall be sufficient to demonstrate
conformance to the requirement and shall be retained by the assessor.
4 The evidence provided shall cover the period of time for which the claimed process has been
implemented for the product(s) in the Scope of Assessment.
5 There may be one or more processes identified for each attribute; this will be evident from the
Evidence of Conformance. Therefore, in some cases it is acceptable for a requirement to be met by
evidence from more than one formal process.
6 Evidence specified in the tables in Section 4 indicates the expectations of content. The specific
names of items and the location of information and document names used within the supplied
Evidence of Conformance may vary and is acceptable as long as conformance to the requirement is
shown.
7 Terminology used in identifying evidence by Organizations may differ from that used by the O-TTPS
provided the terms are understood by the Organization and the assessor.
8 The nature of the Organization as it applies to their Scope of Assessment must be specified by the
Organization being assessed and recorded by the assessor. The options include the primary
categories of technology providers in the supply chain. Below are the category options and any
associated requirements that might be associated with those categories:
OEMs: All of the requirements apply equally to software or hardware providers.
Therefore, if the technology providers that are being assessed are considered to be OEMs,
then all of the requirements shall apply and a response of Not Applicable (N/A) is not
acceptable based solely on whether a product is primarily hardware or software.
Distributors or Pass-Through Resellers (with no value-add): There are certain cases where
requirements do not apply. For those cases in the specific guidelines of those
requirements, it will state: “NOTE: For Distributors and Pass-Through Resellers, where
there is no value-add, this requirement is not applicable”.
Integrators or Value-Add Resellers (VARs): Depending on the value added for the
Selected Representative Product(s) being assessed, different requirements could apply. In
instances where the type of evidence required may be slightly different from that required
for OEMs, or known by a different name, that evidence is indicated in the specific
requirements section or in the Process or Implementation Evidence fields in the tables in
Section 4 by the following preface: “For integrators and VARs: …”.
9 For those O-TTPS Requirements related to training programs, the purpose of receiving the training
artifacts evidence is to ensure that the training occurs, not to judge the effectiveness of the training.
10 The term “routinely” is used occasionally in the O-TTPS. For assessment purposes the assessor
shall check that the period is defined. However, the Organization shall provide a rationale for the
stated period.
11 When photographic or video evidence is provided as Evidence of Conformance, it shall be current
and be indicative of how an Organization is currently applying its processes.
12 The assessor shall record their activities and findings such that the assessment can be repeated and
reviewed should the need arise.
13 In instances where the Organization indicates that the requirement is non-applicable, the assessor
shall request the rationale for non-applicability in place of evidence, which shall be recorded.
4. Assessor Activities for O-TTPS Requirements
This section provides specific assessor activities for each O-TTPS Requirement. The tables in this
section are arranged as follows:
There is an overall heading for each O-TTPS attribute, which includes the name and acronym
for the attribute, the definition of the attribute, and a reference to where in the O-TTPS the
attribute and associated requirements can be found.
Under each attribute heading there are tables for every O-TTPS Requirement associated with
that attribute. Each table contains the acronym for the O-TTPS Requirement, along with the
exact wording of the O-TTPS Requirement.
Each table also includes the following fields:
Assessment Type: Indicates whether the Evidence of Conformance to be provided/assessed is
Process Evidence, Implementation Evidence, or both.
Related Requirements: Indicates which other O-TTPS Requirements shall be considered in
the assessment of this requirement.
Specific Requirements for Assessor Activities: Provides additional assessor requirements
for the specific O-TTPS Requirement – if any.
Evidence of Conformance (Process): Indicates the Process Evidence that shall be provided
for each requirement.
Evidence of Conformance (Implementation): Indicates the types of Implementation
Evidence that are acceptable.
4.1 PD_DES: Software/Firmware/Hardware Design Process
Attribute Definition
A formal process exists that defines and documents how requirements are translated into a product
design.
O-TTPS Reference
Section 4.1.1.1.
Assessor Activity Tables
PD_DES.01 A process shall exist that assures the requirements are addressed in the design.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: SC_TAM.02
Specific Requirements for Assessor Activities: NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product requirements management process, product design process
Evidence of Conformance (Implementation): Design artifacts, requirements traceability report, quality assurance, audit reports, reports produced by tracking system
PD_DES.02 Product requirements shall be documented.
Assessment Type: Implementation Evidence required
Related Requirements: SC_OSH.02
Specific Requirements for Assessor Activities: NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Product requirements document
4.2 PD_CFM: Configuration Management
Attribute Definition
A formal process and supporting systems exist which assure the proper management, control, and
tracking of change to product development and manufacturing assets and artifacts.
O-TTPS Reference
Section 4.1.1.2.
Assessor Activity Tables
PD_CFM.01 A documented formal process shall exist which defines the configuration management process and practices.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: None.
Specific Requirements for Assessor Activities: The configuration management process shall include change management or separate process documentation shall exist that covers change management.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Configuration Management (CM) process
Evidence of Conformance (Implementation): CM reports, build reports, CM tooling, CM artifacts, CM applications, tools, build tools, change control applications, reports produced from change boards
PD_CFM.02 Baselines of identified assets and artifacts under configuration management shall be established.
Assessment Type: Implementation Evidence required
Related Requirements: CD_MPP.02
Specific Requirements for Assessor Activities: Baselines shall be current and include the artifacts that constitute each product.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Product baselines in the CM system
PD_CFM.03 Changes to identified assets and artifacts under configuration management shall be tracked and controlled.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: SC_OSH.03
Specific Requirements for Assessor Activities: Starting with a change request to the Selected Representative Product(s), trace that the change management process has been implemented.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Change management process
Evidence of Conformance (Implementation): Problem reports, change reviews, build reports, requests for changes, build/scope review
PD_CFM.05 Access to identified assets and artifacts and supporting systems shall be protected and secured.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: SC_ACC.all
Specific Requirements for Assessor Activities: An access control policy shall exist and it shall describe the access control policy for each of the artifacts and assets identified in the assessment of PD_CFM.02 and supporting systems. This includes physical access control policies and logical access control policies. The assessor shall check that the evidence demonstrates that the access control policy has been implemented.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Security controls: access control policies and procedures
Evidence of Conformance (Implementation): Security audit reports, CM access control, problem tracking access control, build management access control, assembly management access control, access controls to physical artifacts, role-based or identity-based access controls, list of supporting systems
PD_CFM.06 A formal process shall exist that establishes acceptance criteria for work products accepted into the product baseline.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: PD_QAT.all
Specific Requirements for Assessor Activities: The acceptance criteria for each artifact and asset (configuration item) that forms part of the baseline should be defined.
NOTE: Types of artifacts and assets may include, but are not limited to: source code, Open Source code, binary code, hardware or Integrated Circuits (IC) specifications, components, sub-assemblies, drivers, and documentation such as product manuals and configuration guides.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product development process
Evidence of Conformance (Implementation): Signed or acknowledged acceptance and compliance records, reports or output from the process gate reviews, business process flows
4.3 PD_MPP: Well-defined Development/Engineering Method Process and Practices
Attribute Definition
Development/engineering processes and practices are documented, and managed and followed across
the life cycle.
O-TTPS Reference
Section 4.1.1.3.
Assessor Activity Tables
PD_MPP.02 The development/engineering process shall be able to track, as appropriate, components that are proven to be targets of tainting or counterfeiting as they progress through the life cycle.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: PD_CFM.03, SC_MAL.01, SC_RSM.04
Specific Requirements for Assessor Activities: The process should cover identifying and labeling components that are judged by the Organization as requiring tracking throughout the development/engineering life cycle.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product development process
Evidence of Conformance (Implementation): List of components that have been identified as requiring tracking targets of tainting/counterfeiting, CM tool
4.4 PD_QAT: Quality and Test Management
Attribute Definition
Quality and test management is practiced as part of the Product Development/Engineering life cycle.
O-TTPS Reference
Section 4.1.1.4.
Assessor Activity Tables
PD_QAT.01 There shall be a quality and test product plan that includes quality metrics and acceptance criteria.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: PD_MPP.02, SC_TTC.01
Specific Requirements for Assessor Activities:
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Quality Assurance (QA) process, product test process
Evidence of Conformance (Implementation): Quality and test product plan, documented acceptance criteria
PD_QAT.02 Testing and quality assurance activities shall be conducted according to the plan.
Assessment Type: Implementation Evidence required
Related Requirements: SE_TAM.03, SC_TTC.01
Specific Requirements for Assessor Activities: The assessor reviews the Evidence of Conformance related to QA of the work products under development.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Test reports which address the acceptance criteria, QA audit report, QA tracking, QA and test plan
PD_QAT.03 Products or components shall meet appropriate quality criteria throughout the life cycle.
Assessment Type: Implementation Evidence required
Related Requirements: PD_CFM.06, SC_TTC.01
Specific Requirements for Assessor Activities: Note that “full life cycle” should be interpreted as throughout the development/engineering life cycle.
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): None.
Evidence of Conformance (Implementation): Test reports, QA audit report, QA tracking, QA plan
4.5 PD_PSM: Product Sustainment Management
Attribute Definition
Product support, release maintenance, and defect management are product sustainment services
offered to acquirers while the product is generally available.
O-TTPS Reference
Section 4.1.1.5.
Assessor Activity Tables
PD_PSM.01 A release maintenance process shall be implemented.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: PD_QAT.03, PD_CFM.03, SC_MAL.02
Specific Requirements for Assessor Activities:
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product release maintenance process
Evidence of Conformance (Implementation): Design change requests, product update descriptions, defect reports, product life cycle management tooling reports
PD_PSM.02 Release maintenance shall include a process for notification to acquirers of product updates.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: SC_BPS.01
Specific Requirements for Assessor Activities:
NOTE: The type of notification may be called something different for hardware (e.g., notification of a new version versus notification of an update, which is more often the case with software).
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product release maintenance process
Evidence of Conformance (Implementation): Acquirer notification example
PD_PSM.03 Release maintenance shall include a product update process, which uses security mechanisms.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: SC_RSM.all, SC_STH.all
Specific Requirements for Assessor Activities:
NOTE: The type of process may be called something different for hardware (e.g., new version release or new bill of materials for a new release versus product update process, which is more often the case with software).
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product defect management process, product life cycle management processes, or release management processes and practices
Evidence of Conformance (Implementation): Security audit report that covers updates, new version release or new bill of materials for a new release, representative updates showing the Organization’s security mechanisms being used
PD_PSM.04 A defect management process shall be implemented.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: None.
Specific Requirements for Assessor Activities:
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Product defect management process
Evidence of Conformance (Implementation): Evidence of a defect management process, defect reports
PD_PSM.05 The defect management process shall include: a documented feedback and problem reporting process.
Assessment Type: Process Evidence and Implementation Evidence required
Related Requirements: PD_MPT.02, SC_RSM.all, PD_DES.01
Specific Requirements for Assessor Activities:
NOTE: For Distributors and Pass-Through Resellers, where there is no value-add, this requirement is not applicable.
Evidence of Conformance (Process): Problem reporting process, product defect management process
Evidence of Conformance (Implementation): Product failure reports, problem reports, change requests, product QA reports, component QA reports
4.6 SE_TAM: Threat Analysis and Mitigation
Attribute Definition
Threat analysis and mitigation identify a set of potential attacks on a particular product or system and
describe how those attacks might be perpetrated and the best methods of preventing or mitigating
potential attacks.
O-TTPS Reference
Section 4.1.2.1.
...
The article discusses ISO/IEC 20243-2:2018, which provides procedures for assessors conducting a conformity assessment for the Open Trusted Technology Provider Standard (O-TTPS). These assessment procedures aim to ensure repeatability, reproducibility, and objectivity in assessments against the O-TTPS. The primary audience for this document is assessors, but IT providers undergoing or preparing for assessment may also find it useful.