ISO/IEC 18045:2005

INTERNATIONAL ISO/IEC
STANDARD 18045
First edition
2005-10-01
Information technology — Security
techniques — Methodology for IT security
evaluation
Technologies de l'information — Techniques de sécurité —
Méthodologie pour l'évaluation de sécurité TI

Reference number
©
ISO/IEC 2005
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO/IEC 2005
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2005 – All rights reserved

Contents Page
Foreword .vii
Introduction .viii
1 Scope.1
2 Normative references.1
3 Terms and definitions.1
4 Symbols and abbreviated terms .3
5 Overview.3
5.1 Organisation of this International Standard .3
6 Document Conventions.3
6.1 Terminology.3
6.2 Verb usage.4
6.3 General evaluation guidance.4
6.4 Relationship between ISO/IEC 15408 and ISO/IEC 18045 structures.4
6.5 Evaluator verdicts.4
7 General evaluation tasks.5
7.1 Introduction.5
7.2 Evaluation input task.6
7.2.1 Objectives.6
7.2.2 Application notes.6
7.2.3 Management of evaluation evidence sub-task.7
7.3 Evaluation output task.7
7.3.1 Objectives.7
7.3.2 Application notes.8
7.3.3 Write OR sub-task.8
7.3.4 Write ETR sub-task.8
7.3.5 Evaluation sub-activities.13
8 Protection Profile evaluation.14
8.1 Introduction.14
8.2 PP evaluation relationships.14
8.3 Protection Profile evaluation activity.15
8.3.1 Evaluation of TOE description (APE_DES.1).15
8.3.2 Evaluation of Security environment (APE_ENV.1).16
8.3.3 Evaluation of PP introduction (APE_INT.1) .19
8.3.4 Evaluation of Security objectives (APE_OBJ.1).20
8.3.5 Evaluation of IT security requirements (APE_REQ.1) .23
8.3.6 Evaluation of Explicitly stated IT security requirements (APE_SRE.1).32
9 Security Target evaluation.35
9.1 Introduction.35
9.2 ST evaluation relationships.35
9.3 Security Target evaluation activity.36
9.3.1 Evaluation of TOE description (ASE_DES.1).36
9.3.2 Evaluation of Security environment (ASE_ENV.1).37
9.3.3 Evaluation of ST introduction (ASE_INT.1).40
9.3.4 Evaluation of Security objectives (ASE_OBJ.1).42
9.3.5 Evaluation of PP claims (ASE_PPC.1).45
9.3.6 Evaluation of IT security requirements (ASE_REQ.1) .46
9.3.7 Evaluation of Explicitly stated IT security requirements (ASE_SRE.1).56
© ISO/IEC 2005 – All rights reserved iii

9.3.8 Evaluation of TOE summary specification (ASE_TSS.1). 58
10 EAL1 evaluation. 62
10.1 Introduction. 62
10.2 Objectives. 62
10.3 EAL1 evaluation relationships. 62
10.4 Configuration management activity. 63
10.4.1 Evaluation of CM capabilities (ACM_CAP.1). 63
10.5 Delivery and operation activity. 64
10.5.1 Evaluation of Installation, generation and start-up (ADO_IGS.1). 64
10.6 Development activity. 65
10.6.1 Application notes. 65
10.6.2 Evaluation of Functional specification (ADV_FSP.1). 66
10.6.3 Evaluation of Representation correspondence (ADV_RCR.1). 69
10.7 Guidance documents activity. 72
10.7.1 Application notes. 72
10.7.2 Evaluation of Administrator guidance (AGD_ADM.1). 72
10.7.3 Evaluation of User guidance (AGD_USR.1) . 75
10.8 Tests activity. 77
10.8.1 Application notes. 77
10.8.2 Evaluation of Independent testing (ATE_IND.1). 78
11 EAL2 evaluation. 81
11.1 Introduction. 81
11.2 Objectives. 82
11.3 EAL2 evaluation relationships. 82
11.4 Configuration management activity. 82
11.4.1 Evaluation of CM capabilities (ACM_CAP.2). 82
11.5 Delivery and operation activity. 85
11.5.1 Evaluation of Delivery (ADO_DEL.1). 85
11.5.2 Evaluation of Installation, generation and start-up (ADO_IGS.1). 86
11.6 Development activity. 87
11.6.1 Application notes. 87
11.6.2 Evaluation of Functional specification (ADV_FSP.1). 88
11.6.3 Evaluation of High-level design (ADV_HLD.1). 91
11.6.4 Evaluation of Representation correspondence (ADV_RCR.1). 94
11.7 Guidance documents activity. 97
11.7.1 Application notes. 97
11.7.2 Evaluation of Administrator guidance (AGD_ADM.1). 97
11.7.3 Evaluation of User guidance (AGD_USR.1) . 100
11.8 Tests activity. 102
11.8.1 Application notes. 102
11.8.2 Evaluation of Coverage (ATE_COV.1) . 103
11.8.3 Evaluation of Functional tests (ATE_FUN.1) . 104
11.8.4 Evaluation of Independent testing (ATE_IND.2). 108
11.9 Vulnerability assessment activity. 114
11.9.1 Evaluation of Strength of TOE security functions (AVA_SOF.1). 114
11.9.2 Evaluation of Vulnerability analysis (AVA_VLA.1). 116
12 EAL3 evaluation. 121
12.1 Introduction. 121
12.2 Objectives. 122
12.3 EAL3 evaluation relationships. 122
12.4 Configuration management activity. 122
12.4.1 Evaluation of CM capabilities (ACM_CAP.3). 122
12.4.2 Evaluation of CM scope (ACM_SCP.1) . 126
12.5 Delivery and operation activity. 127
12.5.1 Evaluation of Delivery (ADO_DEL.1). 127
12.5.2 Evaluation of Installation, generation and start-up (ADO_IGS.1). 128
12.6 Development activity. 129
12.6.1 Application notes. 130
iv © ISO/IEC 2005 – All rights reserved

12.6.2 Evaluation of Functional specification (ADV_FSP.1) .130
12.6.3 Evaluation of High-level design (ADV_HLD.2) .134
12.6.4 Evaluation of Representation correspondence (ADV_RCR.1).138
12.7 Guidance documents activity .140
12.7.1 Application notes.140
12.7.2 Evaluation of Administrator guidance (AGD_ADM.1).140
12.7.3 Evaluation of User guidance (AGD_USR.1).143
12.8 Life cycle support activity.146
12.8.1 Evaluation of Development security (ALC_DVS.1) .146
12.9 Tests activity.148
12.9.1 Application notes.148
12.9.2 Evaluation of Coverage (ATE_COV.2).150
12.9.3 Evaluation of Depth (ATE_DPT.1).152
12.9.4 Evaluation of Functional tests (ATE_FUN.1) .154
12.9.5 Evaluation of Independent testing (ATE_IND.2).159
12.10 Vulnerability assessment activity.164
12.10.1 Evaluation of Misuse (AVA_MSU.1).164
12.10.2 Evaluation of Strength of TOE security functions (AVA_SOF.1) .167
12.10.3 Evaluation of Vulnerability analysis (AVA_VLA.1).169
13 EAL4 evaluation.174
13.1 Introduction.174
13.2 Objectives.175
13.3 EAL4 evaluation relationships.175
13.4 Configuration management activity.175
13.4.1 Evaluation of CM automation (ACM_AUT.1).175
13.4.2 Evaluation of CM capabilities (ACM_CAP.4) .177
13.4.3 Evaluation of CM scope (ACM_SCP.2).182
13.5 Delivery and operation activity .183
13.5.1 Evaluation of Delivery (ADO_DEL.2) .183
13.5.2 Evaluation of Installation, generation and start-up (ADO_IGS.1).185
13.6 Development activity.186
13.6.1 Application notes.186
13.6.2 Evaluation of Functional specification (ADV_FSP.2) .187
13.6.3 Evaluation of High-level design (ADV_HLD.2) .191
13.6.4 Evaluation of Implementation representation (ADV_IMP.1).195
13.6.5 Evaluation of Low-level design (ADV_LLD.1).197
13.6.6 Evaluation of Representation correspondence (ADV_RCR.1).200
13.6.7 Evaluation of Security policy modeling (ADV_SPM.1) .203
13.7 Guidance documents activity .206
13.7.1 Application notes.206
13.7.2 Evaluation of Administrator guidance (AGD_ADM.1).206
13.7.3 Evaluation of User guidance (AGD_USR.1).209
13.8 Life cycle support activity.211
13.8.1 Evaluation of Development security (ALC_DVS.1) .212
13.8.2 Evaluation of Life cycle definition (ALC_LCD.1).214
13.8.3 Evaluation of Tools and techniques (ALC_TAT.1).215
13.9 Tests activity.217
13.9.1 Application notes.217
13.9.2 Evaluation of Coverage (ATE_COV.2).218
13.9.3 Evaluation of Depth (ATE_DPT.1).220
13.9.4 Evaluation of Functional tests (ATE_FUN.1) .222
13.9.5 Evaluation of Independent testing (ATE_IND.2).227
13.10 Vulnerability assessment activity.232
13.10.1 Evaluation of Misuse (AVA_MSU.2).232
13.10.2 Evaluation of Strength of TOE security functions (AVA_SOF.1) .236
13.10.3 Evaluation of Vulnerability analysis (AVA_VLA.2).238
14 Flaw remediation sub-activities.250
14.1 Evaluation of flaw remediation (ALC_FLR.1).250
14.1.1 Objectives.250
© ISO/IEC 2005 – All rights reserved v

14.1.2 Input. 250

14.1.3 Action ALC_FLR.1.1E. 250
14.2 Evaluation of flaw remediation (ALC_FLR.2). 252
14.2.1 Objectives. 252
14.2.2 Input. 252
14.2.3 Action ALC_FLR.2.1E. 252
14.3 Evaluation of flaw remediation (ALC_FLR.3). 255
14.3.1 Objectives. 255
14.3.2 Input. 255
14.3.3 Action ALC_FLR.3.1E. 255
Annex A (normative) General evaluation guidance. 260
A.1 Objectives. 260
A.2 Sampling. 260
A.3 Consistency analysis. 262
A.4 Dependencies. 264
A.4.1 Dependencies between activities. 264
A.4.2 Dependencies between sub-activities. 264
A.4.3 Dependencies between actions. 264
A.5 Site Visits. 264
A.6 TOE Boundary. 265
A.6.1 Product and system. 265
A.6.2 TOE. 266
A.6.3 TSF. 266
A.6.4 Evaluation. 266
A.6.5 Certification. 267
A.7 Threats and FPT Requirements. 267
A.7.1 TOEs not necessarily requiring the FPT class . 268
A.7.2 Impact upon Assurance Families. 268
A.8 Strength of function and vulnerability analysis . 269
A.8.1 Attack potential. 270
A.8.2 Calculating attack potential. 271
A.8.3 Example strength of function analysis. 274
A.9 Scheme Responsibilities. 275

vi © ISO/IEC 2005 – All rights reserved

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commi ssion) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 18045 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT security techniques. The identical text of ISO/IEC 18045 is published by the Common
Criteria Project Sponsoring Organisations as Common Methodology for Information Technology Security
Evaluation.
Legal notice
The governmental organizations listed below contributed to the development of this version of the Common
Methodology for Information Technology Security Evaluations. As the joint holders of the copyright in the
Common Methodology for Information Technology Security Evaluations, version 2.3 (called CEM 2.3), they
hereby grant non-exclusive license to ISO/IEC to use CEM 2.3 in the continued development/maintenance of
the ISO/IEC 18045 international standard. However, these governmental organizations retain the right to use,
copy, distribute, translate or modify CEM 2.3 as they see fit.
Australia/New Zealand: The Defence Signals Directorate and the Government Communications
Security Bureau respectively;
Canada:   Communications Security Establishment;
France:    Direction Centrale de la Sécurité des Systèmes d'Information;
Germany:   Bundesamt für Sicherheit in der Informationstechnik;
Japan:    Information Technology Promotion Agency;
Netherlands:   Netherlands National Communications Security Agency;
Spain:    Ministerio de Administraciones Públicas and Centro Criptológico Nacional;
United Kingdom:   Communications-Electronic Security Group;
United States:   The National Security Agency and the National Institute of Standards and
Technology.
© ISO/IEC 2005 – All rights reserved vii

Introduction
The methodology for IT security evaluation presented in this International Standard is limited to evaluations for

EAL1 through EAL4,as defined in ISO/IEC 15408. It does not provide guidance for EALs 5 through 7, nor for
evaluations using other assurance packages.
The target audience for this International Standard is primarily evaluators applying ISO/IEC 15408 and
certifiers confirming evaluator actions; evaluation sponsors, developers, PP/ST authors and other parties
interested in IT security may be a secondary audience.
This International Standard recognises that not all questions concerning IT security evaluation will be
answered herein and that further interpretations will be needed. Individual schemes will determine how to
handle such interpretations, although these may be subject to mutual recognition agreements. A list of
methodology-related activities that may be handled by individual schemes can be found in Annex A.
viii © ISO/IEC 2005 – All rights reserved

INTERNATIONAL STANDARD      ISO/IEC 18045:2005(E)

Information technology — Security techniques — Methodology
for IT security evaluation
1 Scope
This International Standard is a companion document to ISO/IEC 15408, Information technology — Security
techniques — Evaluation criteria for IT security. This International Standard describes the minimum actions
to be performed by an evaluator in order to conduct an ISO/IEC 15408 evaluation, using the criteria and
evaluation evidence defined in ISO/IEC 15408.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT security
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
NOTE Bold-faced type is used in the definitions to indicate terms which are themselves defined in this clause.
3.1
action
evaluator action element of ISO/IEC 15408-3. These actions are either explicitly stated as evaluator actions or
implicitly derived from developer actions (implied evaluator actions) within ISO/IEC 15408-3 assurance
components.
3.2
activity
the application of an assurance class of ISO/IEC 15408-3.
3.3
check
to generate a verdict by a simple comparison. Evaluator expertise is not required. The statement that uses
this verb describes what is mapped.
3.4
evaluation deliverable
any resource required from the sponsor or developer by the evaluator or overseer to perform one or more
evaluation or evaluation oversight activities.
3.5
evaluation evidence
a tangible evaluation deliverable.
© ISO/IEC 2005 - All rights reserved 1

3.6
evaluation technical report
a report that documents the overall verdict and its justification, produced by the evaluator and submitted to
an overseer.
3.7
examine
to generate a verdict by analysis using evaluator expertise. The statement that uses this verb identifies what
is analysed and the properties for which it is analysed.
3.8
interpretation
a clarification or amplification of an ISO/IEC 15408, ISO/IEC 18045 or scheme requirement.
3.9
methodology
the system of principles, procedures and processes applied to IT security evaluations.
3.10
observation report
a report written by the evaluator requesting a clarification or identifying a problem during the evaluation.
3.11
overall verdict
a pass or fail statement issued by an evaluator with respect to the result of an evaluation.
3.12
oversight verdict
a statement issued by an overseer confirming or rejecting an overall verdict based on the results of evaluation
oversight activities.
3.13
record
to retain a written description of procedures, events, observations, insights and results in sufficient detail to
enable the work performed during the evaluation to be reconstructed at a later time.
3.14
report
to include evaluation results and supporting material in the evaluation technical report or an observation
report.
3.15
scheme
set of rules, established by an evaluation authority, defining the evaluation environment, including criteria and
methodology required to conduct IT security evaluations.
3.16
sub-activity
the application of an assurance component of ISO/IEC 15408-3. Assurance families are not explicitly
addressed in this International Standard because evaluations are conducted on a single assurance
component from an assurance family.
3.17
tracing
a simple directional relation between two sets of entities, which shows which entities in the first set correspond
to which entities in the second.
2 © ISO/IEC 2005 - All rights reserved

3.18
verdict
a pass, fail or inconclusive statement issued by an evaluator with respect to an ISO/IEC 15408 evaluator
action element, assurance component, or class. Also see overall verdict.
3.19
work unit
the most granular level of evaluation work. Each evaluation methodology action comprises one or more work
units, which are grouped within the evaluation methodology action by ISO/IEC 15408 content and
presentation of evidence or developer action element. The work units are presented in this International
Standard in the same order as ISO/IEC 15408 elements from which they are derived. Work units are identified
in the left margin by a symbol such as 4:ALC_TAT.1-2. In this symbol, the first digit (4) indicates the EAL; the
string ALC_TAT.1 indicates ISO/IEC 15408 component (i.e. this International Standard sub-activity), and the
final digit ( 2) indicates that this is the second work unit in the ALC_TAT.1 sub-activity.
4 Symbols and abbreviated terms
ETR Evaluation Technical Report
OR Observation Report
5 Overview
5.1 Organisation of this International Standard
Clause 6 defines the conventions used in this International Standard.
Clause 7 describes general evaluation tasks with no verdicts associated with them as they do not map to
ISO/IEC 15408 evaluator action elements.
Clause 8 defines the evaluation of a PP.
Clause 9 defines the evaluation of an ST.
Clauses 10 to 13 define the minimal evaluation effort for achieving EAL1 to EAL4 evaluations and to provide
guidance on ways and means of accomplishing the evaluation.
Clause 14 defines the flaw remediation evaluation activities.
Annex A covers the basic evaluation techniques used to provide technical evidence of evaluation results.
6 Document Conventions
6.1 Terminology
Unlike ISO/IEC 15408, where each element maintains the last digit of its identifying symbol for all components
within the family, this International Standard may introduce new work units when an ISO/IEC 15408 evaluator
action element changes from sub-activity to sub-activity; as a result, the last digit of the work unit's identifying
symbol may change although the work unit remains unchanged. For example, because an additional work unit
labeled 4:ADV_FSP.2-7 was added at EAL4, the subsequent sequential numbering of FSP work units is offset
by one. Thus work unit 3:ADV_FSP.1-8 is now mirrored by work unit 4:ADV_FSP.2-9; each express the same
requirement though their numbering no longer directly correspond.
Any methodology-specific evaluation work required that is not derived directly from ISO/IEC 15408
requirements is termed task or sub-task.
© ISO/IEC 2005 - All rights reserved 3

6.2 Verb usage
All work unit and sub-task verbs are preceded by the auxiliary verb shall and by presenting both the verb and
the shall in bold italic type face. The auxiliary verb shall is used only when the provided text is mandatory and
therefore only within the work units and sub-tasks. The work units and sub-tasks contain mandatory activities
that the evaluator must perform in order to assign verdicts.
Guidance text accompanying work units and sub-tasks gives further explanation on how to apply ISO/IEC
15408 words in an evaluation. The described method is normative, meaning that the verb usage is in
accordance with ISO definitions for these verbs; that is: the auxiliary verb should is used when the described
method is strongly preferred and the auxiliary verb may is used where the described method(s) is allowed but
no preference is indicated. (The auxiliary verb shall is used only for the text of work units.)
The verbs check, examine, report and record are used with a precise meaning within this International
Standard and the clause 3 should be referenced for their definitions.
6.3 General evaluation guidance
Material that has applicability to more than one sub-activity is collected in one place. Guidance whose
applicability is widespread (across activities and EALs) has been collected into Annex A. Guidance that
pertains to multiple sub-activities within a single activity has been provided in the introduction to that activity. If
guidance pertains to only a single sub-activity, it is presented within that sub-activity.
6.4 Relationship between ISO/IEC 15408 and ISO/IEC 18045 structures
There are direct relationships between ISO/IEC 15408 structure (i.e. class, family, component and element)
and the structure of this International Standard. Figure 1 illustrates the correspondence between ISO/IEC
15408 constructs of class, family and evaluator action elements and evaluation methodology activities, sub-
activities and actions. However, several evaluation methodology work units may result from the requirements
noted in ISO/IEC 15408 developer action and content and presentation elements.

Figure 1 - Mapping of ISO/IEC 15408 and ISO/IEC 18045 structures
6.5 Evaluator verdicts
The evaluator assigns verdicts to the requirements of ISO/IEC 15408 and not to those of this International
Standard. The most granular ISO/IEC 15408 structure to which a verdict is assigned is the evaluator action
element (explicit or implied). A verdict is assigned to an applicable ISO/IEC 15408 evaluator action element as
4 © ISO/IEC 2005 - All rights reserved

a result of performing the corresponding evaluation methodology action and its constituent work units. Finally,
an evaluation result is assigned, as described in ISO/IEC 15408-1, Subclause 6.3.

Figure 2 - Example of the verdict assignment rule
This International Standard recognises three mutually exclusive verdict states:
a) Conditions for a pass verdict are defined as an evaluator completion of ISO/IEC 15408 evaluator action
element and de
...