IT security techniques - Competence requirements for information security testers and evaluators - Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790 testers (ISO/IEC 19896-2:2018)

This document provides the minimum requirements for the knowledge, skills and effectiveness requirements of individuals performing testing activities for a conformance scheme using ISO/IEC 19790 and ISO/IEC 24759.

General Information

Status: Published
Public Enquiry End Date: 13-Nov-2022
Publication Date: 05-Apr-2023
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 23-Mar-2023
Due Date: 28-May-2023
Completion Date: 06-Apr-2023

Standard
SIST EN ISO/IEC 19896-2:2023 - BARVE
English language
42 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-May-2023
IT security techniques - Competence requirements for information security testers and
evaluators - Part 2: Knowledge, skills and effectiveness requirements for ISO/IEC 19790
testers (ISO/IEC 19896-2:2018)
This Slovenian standard is identical to: EN ISO/IEC 19896-2:2023
ICS:
03.100.30 Management of human resources
35.030 IT Security
2003-01. Slovenian Institute for Standardization. Reproduction of all or part of this standard is not permitted.

EUROPEAN STANDARD EN ISO/IEC 19896-2
January 2023
ICS 35.030
English version
IT security techniques - Competence requirements for
information security testers and evaluators - Part 2:
Knowledge, skills and effectiveness requirements for
ISO/IEC 19790 testers (ISO/IEC 19896-2:2018)
This European Standard was approved by CEN on 9 January 2023.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. EN ISO/IEC 19896-2:2023 E

European foreword
The text of ISO/IEC 19896-2:2018 has been prepared by Technical Committee ISO/IEC JTC 1
“Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 19896-2:2023 by Technical Committee CEN-CENELEC/JTC 13 “Cybersecurity
and Data Protection”, the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by July 2023, and conflicting national standards shall be
withdrawn at the latest by July 2023.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 19896-2:2018 has been approved by CEN-CENELEC as EN ISO/IEC 19896-2:2023
without any modification.
INTERNATIONAL STANDARD ISO/IEC 19896-2
First edition
2018-08
IT security techniques — Competence
requirements for information security
testers and evaluators —
Part 2:
Knowledge, skills and effectiveness
requirements for ISO/IEC 19790
testers
Reference number
ISO/IEC 19896-2:2018(E)
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this document
6 Knowledge
6.1 General
6.2 Tertiary education
6.2.1 General
6.2.2 Technical specialities
6.2.3 Speciality topics
6.3 Knowledge of standards
6.3.1 General
6.3.2 ISO/IEC 19790 concepts
6.3.3 ISO/IEC 24759
6.3.4 Additional ISO/IEC standards
6.4 Knowledge of the validation program
6.4.1 Validation program
6.5 Knowledge of the requirements of ISO/IEC 17025
7 Skills
7.1 General
7.2 Algorithm testing
7.3 Physical security testing
7.4 Side channel analysis
7.5 Technology types
8 Experience
8.1 General
8.2 Demonstration of technical competence to the validation program
8.2.1 Experience with performing testing
8.2.2 Experience with particular technology types
9 Education
10 Effectiveness
Annex A (informative) Example of an ISO/IEC 24759 testers’ log
Annex B (informative) Ontology of technology types and associated bodies of knowledge
Annex C (informative) Specific knowledge associated with the security of cryptographic modules
Annex D (informative) Competence requirements for ISO/IEC 19790 validators
Bibliography
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT security techniques.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html.
A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.
Introduction
This document provides the specialized requirements to demonstrate knowledge, skills and
effectiveness requirements of individuals in performing security testing projects in accordance with
ISO/IEC 19790 and ISO/IEC 24759. ISO/IEC 19790 provides the specification of security requirements
for cryptographic modules. Many certification, validation schemes and recognition arrangements
have been developed using it as a basis. ISO/IEC 19790 permits comparability between the results
of independent security testing projects. ISO/IEC 24759 supports this by providing a common set of
testing requirements for testing a cryptographic module for conformance with ISO/IEC 19790.
One important factor in assuring comparability of the results of such validations or certifications is the
knowledge, skills and effectiveness requirements of the individual testers responsible for performing
testing projects.
ISO/IEC 17025, which is often specified as a standard to which testing facilities conform, states in 5.2.1
that “Personnel performing specific tasks shall be qualified on the basis of appropriate education,
training, experience and/or demonstrated skills”.
The audience for this document includes validation and certification authorities, laboratory testing
accreditation bodies, testing projects schemes, testing facilities, testers and organizations offering
professional credentials and recognitions.
This document establishes a baseline for the knowledge, skills and effectiveness requirements of ISO/
IEC 19790 testers with the goal of establishing conformity in the requirements for the training of ISO/
IEC 19790 testing professionals associated with cryptographic module conformance testing programs.
Annex D illustrates the usefulness of this document by validators within a validation program.
INTERNATIONAL STANDARD ISO/IEC 19896-2:2018(E)
IT security techniques — Competence requirements for
information security testers and evaluators —
Part 2:
Knowledge, skills and effectiveness requirements for ISO/
IEC 19790 testers
1 Scope
This document provides the minimum requirements for the knowledge, skills and effectiveness
requirements of individuals performing testing activities for a conformance scheme using ISO/
IEC 19790 and ISO/IEC 24759.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories
ISO/IEC 17825, Information technology — Security techniques — Testing methods for the mitigation of
non-invasive attack classes against cryptographic modules
ISO/IEC 18367, Information technology — Security techniques — Cryptographic algorithms and security
mechanisms conformance testing
ISO/IEC 19790, Information technology — Security techniques — Security requirements for
cryptographic modules
ISO/IEC 19896-1, IT security techniques — Competence requirements for information security testers and
evaluators — Part 1: Introduction, concepts and general requirements
ISO/IEC 20085-1, Information technology — Security techniques — Test tool requirements and test
tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic
modules — Part 1: Test tools and techniques
ISO/IEC 20085-2, Information technology — Security techniques — Test tool requirements and test
tool calibration methods for use in testing non-invasive attack mitigation techniques in cryptographic
modules — Part 2: Test calibration methods and apparatus
ISO/IEC 20543, Information technology — Security techniques — Test and analysis methods for random
bit generators within ISO/IEC 19790 and ISO/IEC 15408
ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic
modules
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19896-1 and ISO/
IEC 19790 apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at http://www.electropedia.org/
4 Abbreviated terms
AES advanced encryption standard
HDD hard disk drive
RSA Rivest-Shamir-Adleman
SHA secure hash algorithm
SSD solid state drive
5 Structure of this document
This document is divided into the following clauses: Knowledge (Clause 5), Skills (Clause 6), Experience
(Clause 7), Education (Clause 8) and Effectiveness (Clause 9). Each clause corresponds to an aspect of
the knowledge, skills, experience, education and effectiveness requirements of individuals performing
testing activities as introduced in ISO/IEC 19896-1 for a conformance scheme using ISO/IEC 19790 and
ISO/IEC 24759.
6 Knowledge
6.1 General
Knowledge is what a tester knows and can describe. Clauses 6 to 9 address education requirements
and knowledge areas that are specifically needed for conformance testing to ISO/IEC 19790 and ISO/
IEC 24759.
6.2 Tertiary education
6.2.1 General
Testers shall have educational qualifications such as an associate, bachelor, or higher degree that is
relevant to the security requirements addressed in ISO/IEC 19790 and the test requirements in ISO/
IEC 24759. The testers shall at a minimum demonstrate they have either:
a) successfully completed appropriate tertiary education with at least 3 years of study in disciplines
related to IT or IT security; or
b) experience equivalent to the tertiary education in disciplines related to IT, IT security or IT system
administration.
6.2.2 Technical specialities
In addition to the minimum level of educational requirements in 6.2.1, testers shall have educational
qualifications such as an associate, bachelor, or higher degree that addresses the specific technical
specialities. Examples of specific technical specialities include:
— cryptographic concepts;
— engineering technology;
— electrical engineering;
— mechanical engineering;
— material engineering;
— chemical engineering;
— computer information technology;
— computer engineering;
— computer science;
— computer networks;
— cybersecurity;
— information systems;
— laboratory management;
— software development and security; or
— software engineering.
6.2.3 Speciality topics
ISO/IEC 19790:2012 and the test requirements in ISO/IEC 24759 address the following specific
speciality knowledge topics. A tester shall, at a minimum, demonstrate knowledge in at least one
specific speciality topic.
A testing laboratory shall have knowledge in all the speciality areas as an aggregate of its technical staff.
ISO/IEC 19790:2012 and ISO/IEC 24759 specify speciality topics:
a) software and firmware development:
1) programming languages (e.g. assembler and high-level);
2) compilers;
3) debugging tools;
4) product testing performed by vendor:
i) unit testing;
ii) integration testing;
iii) regression testing;
b) operating systems:
1) installation;
2) configuration;
3) operation;
4) architecture;
5) system hardening;
6) virtual machines;
7) Java runtime environment;
c) hardware development:
1) hardware embodiments:
i) single-chip;
ii) multi-chip embedded;
iii) multi-chip standalone;
2) technology:
i) single-chip fabrication;
ii) electrical components and design, schematics and concepts including logic design and HDL
representations;
iii) mechanical design and packaging;
3) manufacturing:
i) supply chain integrity;
ii) fabrication methods;
iii) initialization of parameters;
iv) packing and shipping;
v) testing and characterization;
4) hardware security features;
d) operational environments:
1) boot loader;
2) loading;
3) linking;
4) memory management and protection;
5) inter-process communication;
6) discretionary access control;
7) role-based access control;
8) executable forms;
9) audit mechanisms;
e) cryptographic algorithms, mechanisms and techniques:
1) cryptographic algorithms and security functions:
i) symmetric key;
ii) asymmetric key;
iii) hashing;
iv) random bit generators;
v) message authentication;
vi) entropy;
vii) modes of operation;
2) sensitive security parameter management:
i) sensitive security parameter generation;
ii) sensitive security parameter establishment;
I) automated SSP transport or SSP agreement;
II) manual SSP entry or output via direct or electronic;
iii) sensitive security parameter entry and output;
iv) sensitive security parameter storage;
v) sensitive security parameter zeroization;
f) identification and authentication mechanisms:
1) identity-based authentication;
2) role-based authentication;
3) multi-factor–based authentication;
g) best practices in design and development:
1) design assurance such as configuration management, delivery, operation and development;
2) design by contract;
h) informal modelling:
1) finite state model;
i) non-invasive security:
1) non-invasive attacks:
i) DPA/DEMA;
ii) SPA/SEMA;
iii) timing attacks;
2) countermeasures:
i) physical countermeasures;
EXAMPLE 1 Precharge logic, dual-rail logic, current flattening, probe detection, adding noise,
random interrupts, jittered clock.
ii) logical countermeasures;
EXAMPLE 2 Masking, hiding, dummy operation, balanced timing, shuffling, automatic re-keying.
j) self-test mechanisms:
1) pre-operational tests;
2) conditional tests;
k) security mechanisms:
1) zeroization;
2) trusted path;
3) tamper evident devices;
4) epoxies, potting materials and adhesives (including chemical properties);
5) encapsulation enclosures and materials;
6) tamper mechanisms;
7) countermeasures against fault induction attacks;
EXAMPLE 3 Redundancy-based scheme, error detecting code, footprint
8) secure communication protocols (e.g. Secure Sockets Layer, Transport Layer Security, Internet
Key Exchange, Secure Socket Shell, Over the Air Rekeying, etc.);
9) security policy attributes;
10) split knowledge procedures;
l) design features:
1) ports and interfaces;
2) approved modes of operation;
3) specification of services;
4) specification of sensitive security parameters;
m) tools and test methods:
1) construction of test jigs (software or hardware);
2) environmental testing methods such as the use of temperature (e.g. heat and cold) and voltage
(e.g. changes to input power);
i) temperature chambers (e.g. heating and cooling mechanisms);
ii) variable power supplies;
3) use of hand tools (e.g. saws, drills, prying tools, grinding, variable speed rotary tools, dental
picks and mirrors, etc.);
4) use of chemical solvents (e.g. acids and alkaline based);
5) artificial light sources;
6) magnification tools;
7) use of digital storage oscilloscopes or logic analysers;
8) use of volt-ohm-meter or digital multi-meter;
9) digital scanner;
10) digital camera (including near or MACRO focus capabilities);
11) validation program supplied tools.
NOTE Calibration of tools is only required depending on the test method.
Additional information on specific knowledge associated with the security of cryptographic modules
is specified in Annex C.
6.3 Knowledge of standards
6.3.1 General
The tester shall have knowledge of the normative references specified in Clause 2. The tester shall be
able to demonstrate an understanding or familiarity of one or more of the following topics.
6.3.2 ISO/IEC 19790 concepts
The tester shall have knowledge of the concepts in ISO/IEC 19790. ISO/IEC 19790 specifies the security
requirements for a cryptographic module utilized within a security system protecting sensitive
information in computer and telecommunication systems. ISO/IEC 19790 defines four security levels
for each of 11 requirement areas with each security level increasing security over the preceding level
for cryptographic modules.
6.3.3 ISO/IEC 24759
6.3.3.1 General
ISO/IEC 24759 specifies the test requirements for cryptographic modules to be used by vendors and
testing laboratories. ISO/IEC 24759:2017 includes 11 sub-clauses corresponding to the 11 areas of
security requirements and six sub-clauses corresponding to ISO/IEC 19790:2012, Annexes A to F. These
corresponding security requirements are listed in ISO/IEC 19790:2012, 5.2.2.5 and 5.2.2.6, respectively.
6.3.3.2 Vendor requirements
ISO/IEC 24759 specifies all of the vendor evidence (VE) requirements that vendors provide to testing
laboratories, that are applicable to the module under test, as supporting evidence to demonstrate their
cryptographic module's conformity to the security requirements specified in ISO/IEC 19790:2012.
The vendor shall also satisfy any modifications, additions, or deletions to the VE evidence that the
validation authority has made to ISO/IEC 24759.
The tester shall be familiar with all vendor requirements.
6.3.3.3 Test requirements
ISO/IEC 24759 specifies the tester evidence (TE) requirements, applicable to the module under test, to
be used by testing laboratories to test whether the cryptographic module conforms to the requirements
specified in ISO/IEC 19790. The methods are developed to provide a high degree of objectivity during
the testing process and to ensure consistency across the testing laboratories.
The tester shall also satisfy any modifications, additions, or deletions to the TE evidence that the
validation authority has made to ISO/IEC 24759.
The vendor shall be familiar with all test requirements.
6.3.4 Additional ISO/IEC standards
The tester shall be familiar with the following.
— ISO/IEC 17825 specifies the testing methods for the mitigation of non-invasive attack classes against
cryptographic modules.
— ISO/IEC 18367 specifies cryptographic algorithms and security mechanisms conformance testing.
— ISO/IEC 20085-1 specifies test tool requirements for use in testing non-invasive attack mitigation
techniques in cryptographic modules.
— ISO/IEC 20085-2 specifies test tool calibration methods for use in testing non-invasive attack
mitigation techniques in cryptographic modules.
— ISO/IEC 20543 specifies test and analysis methods for random bit generators within ISO/IEC 19790
and ISO/IEC 15408.
6.4 Knowledge of the validation program
6.4.1 Validation program
6.4.1.1 General
Validation programs, which typically operate under the auspices of an accreditation authority, often
define aspects of their operation that are specific to the program. This is usually based on applicable
legislation and policies, such as national policies, that are applicable to their operation. Testers shall
have knowledge of the validation program and any specific aspects such as those listed in 6.4.1.2 to
6.4.1.7.
6.4.1.2 Organization
This aspect concerns the program’s organization, and the bodies that are involved in the program’s
operation.
6.4.1.3 Communications
This aspect concerns how the program communicates relevant information to stakeholders, especially
to testing facilities and the associated testers. This should include how communications and information
are protected.
6.4.1.4 Legal and regulatory mandates
This aspect concerns the legislative and/or regulatory framework under which the validation program
operates.
6.4.1.5 Policies
This aspect concerns specific policies that are applicable to the validation program. These can include
process and technical requirement related policies in connection to accepting cryptographic module
validation projects. The following are some examples.
a) Testing sufficiency: the tester should have knowledge of what is required in ensuring that a target
cryptographic module is tested sufficiently.
b) Disposition of evidence: the process for properly disposing of supporting evidence upon completion
of a project.
c) Confidentiality: any requirements for confidentiality (on the part of the tester and the non-
disclosure of information obtained during testing projects).
d) Problem resolution: the course of action to be taken if a problem is encountered during the project
(whether the work continues once the problem is remedied, or the project ends immediately and
the remedied product needs to be re-submitted).
e) Language: any specific (natural) language in which documentation needs to be provided.
f) Requirements for recorded evidence: any recorded evidence documented by the tester that needs
to be submitted to the validation program.
g) Additional reporting policies: any specific reports required from the tester such as testing reports.
h) Implementation guidance: a validation authority can provide programmatic or clarification
guidance that should be considered by the tester.
i) Reuse: documentation and rationale required by the validation program to support the reuse of
testing evidence.
j) Any specific handling of the validation program identifiers, logos, trademarks, etc.
k) Handling and application of validation program interpretations.
l) A list or characterizations of suitable alternative approaches to testing when the validation
program’s recommended original testing is infeasible for a given target cryptographic module.
m) The policies by which the validation program determines what steps a tester took while testing.
6.4.1.6 Documentation
This aspect concerns the provision and use of any validation program specific documents. These can
include forms, templates, training material, and informational material. Validation program specific
documents can include documents such as:
— management manuals;
— frequently asked questions;
— implementation or programmatic guidance;
— manuals for program supplied tools.
6.4.1.7 Tools
The validation program can provide specific tools for testing, report generation, delivery or protection
(i.e. encryption). Examples include:
— algorithmic test tools;
— generation of test vectors and resultant expected responses;
— documentation of testing activities and reporting;
— encryption tool for protection of test reports transmitted to the validation program;
— specification of particular encryption algorithm and signature methods (e.g. 128-bit AES for
encryption and 2048-bit RSA with SHA-2 for digital signature).
6.5 Knowledge of the requirements of ISO/IEC 17025
Since testing facilities are often required to be compliant with ISO/IEC 17025, the tester shall be familiar
with the requirements of ISO/IEC 17025 and how these are implemented in the validation facility
or facilities with which the tester is associated. If there are additional programmatic accreditation
documents associated with ISO/IEC 17025 that form the basis of the laboratory's accreditation, then
the tester shall be familiar with these documents as well.
7 Skills
7.1 General
Training for testers is often obtained through career experience in the IT industry, or during their
association with a testing facility, or because of the requirements of professional organizations.
EXAMPLE Professional certifications such as the ISC2™ CISSP™ credential are associated with a
requirement for continued professional development.
7.2 Algorithm testing
The tester shall have the ability to install, configure and execute the cryptographic algorithm validation
program or user interface driven algorithm test tools.
7.3 Physical security testing
The tester shall have the skills to perform the physical security tests which they are appropriately
trained for and skilled at.
7.4 Side channel analysis
The tester shall have the skills to perform the side channel tests which they are appropriately trained
for and skilled at.
7.5 Technology types
The skills and techniques required in the cryptographic module testing of different technology types
can vary. Testers shall be able to demonstrate that they have the necessary knowledge, skills and
techniques related to the technology types of cryptographic modules which they test.
NOTE 1 The validation program addresses cryptographic modules that represent many technology types
which are being considered for testing. A list of the technology types most commonly referenced and suggested
fundamental knowledge, skills and techniques that testers need is given in Annex B.
NOTE 2 Many specialist professional certifications cover the body of knowledge that is needed by testers. Such
certifications can be national, regional or global in scope. It is beyond the scope of this document to catalogue all
of them, however some of these are listed in the Bibliography.
8 Experience
8.1 General
The tester shall document their training and testing activities in accordance with validation program
and/or testing facility requirements.
8.2 Demonstration of technical competence to the validation program
8.2.1 Experience with performing testing
The tester shall record all testing activity in a log. The records shall be kept along with the acquired
test evidence (see Annex A). The tester should create the testers' log for operational testing so that it
clarifies both expected test results and actual test results.
EXAMPLE Expected status indicator.
8.2.2 Experience with particular technology types
The tester shall include in their recorded activity log the technology types that were tested.
9 Education
The tester shall document their education in accordance with validation program and/or testing facility
requirements.
Education requirements are referenced in 6.2.
10 Effectiveness
The tester shall be able to apply knowledge and skills in a productive manner, characterized by
attributes of behaviour such as aptitude, initiative, enthusiasm, willingness, communication skills,
team participation, and leadership.
Annex A
(informative)
Example of an ISO/IEC 24759 testers’ log
Name:
Designation:
Validation program: | Testing facility:
Cryptographic module name: | Cryptographic module type:
Overall Security level: | Cert ID (if known):
Sponsor/developer: | Dates testing performed:
Description of IUT:
AS 01.01 | Applicable test requirement as specified in ISO/IEC 24759
Description of IUT's design for conformance to the test requirement:
Description of test method and results:
Annex B
(informative)
Ontology of technology types and associated bodies of knowledge
B.1 General
The validation program addresses cryptographic modules that represent many technology types
which are being considered for testing. A list of the technology types most commonly referenced and
suggested fundamental knowledge, skills and techniques that testers need is presented below.
B.2 Technology types
B.2.1 General
Cryptographic modules can be software, firmware, hardware or a hybrid of software and firmware
with hardware.
B.2.2 Software/firmware
Software or firmware can be written in various programming languages and then compiled into
different forms of executables. An executable can represent a cryptographic software or firmware
module. Debuggers may be used for finding and correcting errors in the implementation.
B.2.2.1 Programming languages
Examples of various software programming languages that may be employed are (This list is neither
exhaustive nor complete and for illustrative purposes only):
— Ada;
— APL;
— Assembly language;
— C++;
— dBase;
— Google Apps Script;
— Java;
— JavaScript;
— Microcode;
— Unix shell;
— Visual Basic;
— VHDL.
B.2.2.2 Compilers
Examples of various open source software compilers that may be employed are (This list is neither
exhaustive nor complete and for illustrative purposes only):
— FreeBASIC;
— Clang C/C++/Objective-C Compiler;
— Free Pascal;
— GCC [C, C++, (G++), Java (GCJ) and Ada (GNAT)];
— Local C compiler;
— Open Watcom;
— Open64;
— XPL PL/I;
— C to HDL.
B.2.2.3 Debuggers or Simulators
Examples of various open source debuggers that may be employed are (This list is neither exhaustive
nor complete and for illustrative purposes only):
— Firefox JavaScript debugger;
— GDB – the GNU debugger;
— Eclipse debugger;
— Opera Dragonfly;
— Python debugger;
— X64dbg;
— ZeroBUGS;
— VHDL;
— Verilog.
B.2.2.4 Hardware
B.2.2.4.1 General knowledge
Hardware may be implemented in various embodiments and technology types. Below are examples of
hardware embodiments and technology types within each. The following lists are neither exhaustive
nor complete and are for illustrative purposes only.
B.2.2.4.2 Single-chip modules
B.2.2.4.2.1 General knowledge about single-chip modules
A single-chip cryptographic module is a physical embodiment in which a single integrated circuit (IC)
chip can be used as a standalone device or embedded within an enclosure or a product that may not be
physically protected.
B.2.2.4.2.2 Single-chip substrate materials
Examples of single-chip substrate materials:
— Gallium arsenide;
— Germanium;
— Monocrystalline silicon.
B.2.2.4.2.3 Single-chip packaging
...
