SIST EN ISO/IEC 18045:2024
(Main)Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre - Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit (ISO/IEC 18045:2022)
Dieses Dokument legt die Aktionen fest, die ein Evaluator mindestens durchführen muss, um eine Evaluierung nach der Normenreihe ISO/IEC 15408 unter Verwendung der in der Normenreihe ISO/IEC 15408 definierten Kriterien und Evaluationsnachweise durchzuführen.
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour l'évaluation de sécurité (ISO/IEC 18045:2022)
Le présent document définit les actions minimales à réaliser par un évaluateur pour mener une évaluation selon la série de normes ISO/IEC 15408 en utilisant les critères et les preuves d'évaluation définis dans la série de normes ISO/IEC 15408.
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC 18045:2022)
Ta dokument spremlja dokument »Merila za ocenjevanje varnosti IT«, standard ISO/IEC 15408 (vsi deli). Ta dokument določa minimalne ukrepe, ki jih mora izvesti ocenjevalec, da izvede oceno iz skupine standardov ISO/IEC 15408 z uporabo meril in dokazov za ocenjevanje, opredeljenih v skupini standardov ISO/IEC 15408.
General Information
- Status
- Published
- Public Enquiry End Date
- 14-Sep-2023
- Publication Date
- 22-Feb-2024
- Technical Committee
- ITC - Information technology
- Current Stage
- 6060 - National Implementation/Publication (Adopted Project)
- Start Date
- 13-Feb-2024
- Due Date
- 19-Apr-2024
- Completion Date
- 23-Feb-2024
Relations
- Effective Date
- 01-Apr-2024
- Effective Date
- 17-Apr-2024
Overview
SIST EN ISO/IEC 18045:2024 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022) - defines the minimum actions an evaluator must perform to conduct an evaluation against the ISO/IEC 15408 series (Common Criteria). Adopted as EN ISO/IEC 18045:2023 and published by the Slovene standards body (SIST), this methodology standard provides structured guidance for planning, executing and reporting IT security evaluations and for managing evaluation evidence and outputs.
Key topics and technical requirements
- Evaluation process and tasks: Guidance on evaluation inputs, sub-activities and outputs, including objectives and application notes for each task area.
- Roles and responsibilities: Definitions of evaluator roles, relationships between roles, and required activities to reach reliable verdicts.
- Evaluator verdicts and reporting: Rules for forming verdicts and producing evaluation artifacts such as the Evaluation Technical Report (ETR).
- Protection Profile (PP) and PP‑module evaluation: Methodology for assessing Protection Profiles, re‑use of certified PP results, PP introductions, conformance claims, security problem definitions, objectives, extended components and security requirements.
- Management of evaluation evidence: Minimum actions for collecting, organizing and validating evidence required by the ISO/IEC 15408 criteria.
- Conformance and consistency checks: Procedures for verifying consistency of claims, requirements and mappings between problem definition, objectives and security requirements.
Keywords: ISO/IEC 18045, IT security evaluation methodology, ISO/IEC 15408, Protection Profile evaluation, Evaluation Technical Report, evaluator roles, cybersecurity standard.
Practical applications - who uses this standard
- Independent evaluators and laboratories - to follow a consistent, auditable methodology when performing Common Criteria evaluations.
- Certification bodies - to assess evaluator outputs and ensure evaluations meet the minimum methodology requirements.
- Product vendors and PP authors - to prepare deliverables (security targets, protection profiles, evidence) that align with evaluator expectations.
- Procurement and compliance teams - to interpret evaluation results and incorporate certified claims into procurement and risk decisions.
- Security consultants and auditors - to understand the evaluation lifecycle, required evidence, and how evaluator verdicts are derived.
Related standards
- ISO/IEC 15408 series (Common Criteria) - evaluation criteria and evidence referenced by ISO/IEC 18045.
- EN ISO/IEC 18045:2023 - European adoption of the ISO/IEC 18045:2022 text.
- Other relevant frameworks: ISO/IEC 27001 (information security management) - complementary for organizational controls and governance.
This standard is essential for anyone involved in formal IT security evaluation, certification, or producing evaluable security documentation, ensuring consistent, repeatable and defensible evaluation outcomes.
Frequently Asked Questions
SIST EN ISO/IEC 18045:2024 is a standard published by the Slovenian Institute for Standardization (SIST). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Methodology for IT security evaluation (ISO/IEC 18045:2022)". This standard covers: This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
SIST EN ISO/IEC 18045:2024 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN ISO/IEC 18045:2024 has the following relationships with other standards: It is inter standard links to SIST EN ISO/IEC 18045:2020, kSIST FprEN ISO/IEC 18045:2026. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
SIST EN ISO/IEC 18045:2024 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varovanje zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN ISO/IEC 18045
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...
SLOVENSKI STANDARD
01-april-2024
Nadomešča:
SIST EN ISO/IEC 18045:2020
Informacijska varnost, kibernetska varnost in varstvo zasebnosti - Merila za
ocenjevanje varnosti IT - Metodologija za ocenjevanje varnosti IT (ISO/IEC
18045:2022)
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Methodology for IT security evaluation (ISO/IEC 18045:2022)
Informationssicherheit, Cybersicherheit und Schutz der Privatsphäre -
Evaluationskriterien für IT-Sicherheit - Methodik für die Bewertung der IT-Sicherheit
(ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection de la vie privée - Critères
d'évaluation pour la sécurité des technologies de l'information - Méthodologie pour
l'évaluation de sécurité (ISO/IEC 18045:2022)
Ta slovenski standard je istoveten z: EN ISO/IEC 18045:2023
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD EN ISO/IEC 18045
NORME EUROPÉENNE
EUROPÄISCHE NORM
November 2023
ICS 35.030
Supersedes EN ISO/IEC 18045:2020
English version
Information security, cybersecurity and privacy protection
- Evaluation criteria for IT security - Methodology for IT
security evaluation (ISO/IEC 18045:2022)
Sécurité de l'information, cybersécurité et protection Informationssicherheit, Cybersicherheit und Schutz
de la vie privée - Critères d'évaluation pour la sécurité der Privatsphäre - Evaluationskriterien für IT-
des technologies de l'information - Méthodologie pour Sicherheit - Methodik für die Bewertung der IT-
l'évaluation de sécurité (ISO/IEC 18045:2022) Sicherheit (ISO/IEC 18045:2022)
This European Standard was approved by CEN on 29 October 2023.
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2023 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN ISO/IEC 18045:2023 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3
European foreword
The text of ISO/IEC 18045:2022 has been prepared by Technical Committee ISO/IEC JTC 1 "Information
technology” of the International Organization for Standardization (ISO) and has been taken over as
Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by May 2024, and conflicting national standards shall be
withdrawn at the latest by May 2024.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN-CENELEC shall not be held responsible for identifying any or all such patent rights.
This document supersedes EN ISO/IEC 18045:2020.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN and CENELEC websites.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 18045:2022 has been approved by CEN-CENELEC as EN ISO/IEC 18045:2023
without any modification.
INTERNATIONAL ISO/IEC
STANDARD 18045
Third edition
2022-08
Information security, cybersecurity
and privacy protection — Evaluation
criteria for IT security — Methodology
for IT security evaluation
Sécurité de l'information, cybersécurité et protection de la vie
privée — Critères d'évaluation pour la sécurité des technologies de
l'information — Méthodologie pour l'évaluation de sécurité
Reference number
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
ISO/IEC 18045:2022(E)
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
© ISO/IEC 2022 – All rights reserved
ISO/IEC 18045:2022(E)
Table of Contents
LIST OF FIGURES . ix
LIST OF TABLES . x
FOREWORD . xi
INTRODUCTION . xii
SCOPE . 1
NORMATIVE REFERENCES . 1
TERMS AND DEFINITIONS . 1
ABBREVIATED TERMS . 4
TERMINOLOGY . 4
VERB USAGE . 4
GENERAL EVALUATION GUIDANCE . 5
RELATIONSHIP BETWEEN THE ISO/IEC 15408 SERIES AND ISO/IEC 18045 STRUCTURES . 5
EVALUATION PROCESS AND RELATED TASKS . 5
9.1 GENERAL . 5
9.2 EVALUATION PROCESS OVERVIEW . 6
9.2.1 Objectives . 6
9.2.2 Responsibilities of the roles . 6
9.2.3 Relationship of roles . 6
9.2.4 General evaluation model . 7
9.2.5 Evaluator verdicts . 7
9.3 EVALUATION INPUT TASK . 9
9.3.1 Objectives . 9
9.3.2 Application notes . 9
9.3.3 Management of evaluation evidence sub-task . 10
9.4 EVALUATION SUB-ACTIVITIES.10
9.5 EVALUATION OUTPUT TASK .10
9.5.1 Objectives . 10
9.5.2 Management of evaluation outputs . 11
9.5.3 Application notes . 11
9.5.4 Write OR sub-task . 11
9.5.5 Write ETR sub-task . 11
CLASS APE: PROTECTION PROFILE EVALUATION . 19
10.1 GENERAL .19
10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19
10.3 PP INTRODUCTION (APE_INT) .20
10.3.1 Evaluation of sub-activity (APE_INT.1) . 20
10.4 CONFORMANCE CLAIMS (APE_CCL) .21
10.4.1 Evaluation of sub-activity (APE_CCL.1) . 21
10.5 SECURITY PROBLEM DEFINITION (APE_SPD) .31
10.5.1 Evaluation of sub-activity (APE_SPD.1) . 31
10.6 SECURITY OBJECTIVES (APE_OBJ) .32
10.6.1 Evaluation of sub-activity (APE_OBJ.1) . 32
10.6.2 Evaluation of sub-activity (APE_OBJ.2) . 33
10.7 EXTENDED COMPONENTS DEFINITION (APE_ECD) .36
10.7.1 Evaluation of sub-activity (APE_ECD.1) . 36
© ISO/IEC 2022 – All rights reserved
iii
ISO/IEC 18045:2022(E)
10.8 SECURITY REQUIREMENTS (APE_REQ) .40
10.8.1 Evaluation of sub-activity (APE_REQ.1) . 40
10.8.2 Evaluation of sub-activity (APE_REQ.2) . 45
CLASS ACE: PROTECTION PROFILE CONFIGURATION EVALUATION . 49
11.1 GENERAL .49
11.2 PP-MODULE INTRODUCTION (ACE_INT) .51
11.2.1 Evaluation of sub-activity (ACE_INT.1) . 51
11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53
11.3.1 Evaluation of sub-activity (ACE_CCL.1) . 53
11.4 PP-MODULE SECURITY PROBLEM DEFINITION (ACE_SPD) . 58
11.4.1 Evaluation of sub-activity (ACE_SPD.1) . 58
11.5 PP-MODULE SECURITY OBJECTIVES (ACE_OBJ) .59
11.5.1 Evaluation of sub-activity (ACE_OBJ.1) . 59
11.5.2 Evaluation of sub-activity (ACE_OBJ.2) . 60
11.6 PP-MODULE EXTENDED COMPONENTS DEFINITION (ACE_ECD) . 63
11.6.1 Evaluation of sub-activity (ACE_ECD.1) . 63
11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) . 67
11.7.1 Evaluation of sub-activity (ACE_REQ.1) . 67
11.7.2 Evaluation of sub-activity (ACE_REQ.2) . 72
11.8 PP-MODULE CONSISTENCY (ACE_MCO) .76
11.8.1 Evaluation of sub-activity (ACE_MCO.1) . 76
11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79
11.9.1 Evaluation of sub-activity (ACE_CCO.1) . 79
CLASS ASE: SECURITY TARGET EVALUATION . 87
12.1 GENERAL .87
12.2 APPLICATION NOTES .87
12.2.1 Re-using the evaluation results of certified PPs. 87
12.3 ST INTRODUCTION (ASE_INT) .88
12.3.1 Evaluation of sub-activity (ASE_INT.1) . 88
12.4 CONFORMANCE CLAIMS (ASE_CCL) .91
12.4.1 Evaluation of sub-activity (ASE_CCL.1) . 91
12.5 SECURITY PROBLEM DEFINITION (ASE_SPD) . 105
12.5.1 Evaluation of sub-activity (ASE_SPD.1) . 105
12.6 SECURITY OBJECTIVES (ASE_OBJ) . 106
12.6.1 Evaluation of sub-activity (ASE_OBJ.1) . 106
12.6.2 Evaluation of sub-activity (ASE_OBJ.2) . 107
12.7 EXTENDED COMPONENTS DEFINITION (ASE_ECD) . 109
12.7.1 Evaluation of sub-activity (ASE_ECD.1) . 109
12.8 SECURITY REQUIREMENTS (ASE_REQ) . 113
12.8.1 Evaluation of sub-activity (ASE_REQ.1) . 113
12.8.2 Evaluation of sub-activity (ASE_REQ.2) . 119
12.9 TOE SUMMARY SPECIFICATION (ASE_TSS) . 124
12.9.1 Evaluation of sub-activity (ASE_TSS.1) . 124
12.9.2 Evaluation of sub-activity (ASE_TSS.2) . 125
12.10 CONSISTENCY OF COMPOSITE PRODUCT SECURITY TARGET (ASE_COMP) . 127
12.10.1 General . 127
12.10.2 Evaluation of sub-activity (ASE_COMP.1) . 127
CLASS ADV: DEVELOPMENT . 132
13.1 GENERAL . 132
13.2 APPLICATION NOTES . 132
13.3 SECURITY ARCHITECTURE (ADV_ARC) . 133
13.3.1 Evaluation of sub-activity (ADV_ARC.1) . 133
13.4 FUNCTIONAL SPECIFICATION (ADV_FSP) . 137
13.4.1 Evaluation of sub-activity (ADV_FSP.1) . 137
13.4.2 Evaluation of sub-activity (ADV_FSP.2) . 140
© ISO/IEC 2022 – All rights reserved
iv
ISO/IEC 18045:2022(E)
13.4.3 Evaluation of sub-activity (ADV_FSP.3) . 145
13.4.4 Evaluation of sub-activity (ADV_FSP.4) . 150
13.4.5 Evaluation of sub-activity (ADV_FSP.5) . 155
13.4.6 Evaluation of sub-activity (ADV_FSP.6) . 161
13.5 IMPLEMENTATION REPRESENTATION (ADV_IMP) . 161
13.5.1 Evaluation of sub-activity (ADV_IMP.1) . 161
13.5.2 Evaluation of sub-activity (ADV_IMP.2) . 164
13.6 TSF INTERNALS (ADV_INT) . 166
13.6.1 Evaluation of sub-activity (ADV_INT.1) . 166
13.6.2 Evaluation of sub-activity (ADV_INT.2) . 169
13.6.3 Evaluation of sub-activity (ADV_INT.3) . 171
13.7 FORMAL TSF MODEL (ADV_SPM) . 173
13.7.1 Evaluation of sub-activity (ADV_SPM.1) . 173
13.8 TOE DESIGN (ADV_TDS) . 180
13.8.1 Evaluation of sub-activity (ADV_TDS.1) . 180
13.8.2 Evaluation of sub-activity (ADV_TDS.2) . 183
13.8.3 Evaluation of sub-activity (ADV_TDS.3) . 188
13.8.4 Evaluation of sub-activity (ADV_TDS.4) . 197
13.8.5 Evaluation of sub-activity (ADV_TDS.5) . 206
13.8.6 Evaluation of sub-activity (ADV_TDS.6) . 213
13.9 COMPOSITE DESIGN COMPLIANCE (ADV_COMP) . 214
13.9.1 General . 214
13.9.2 Evaluation of sub-activity (ADV_COMP.1) . 214
CLASS AGD: GUIDANCE DOCUMENTS . 216
14.1 GENERAL .216
14.2 APPLICATION NOTES .216
14.3 OPERATIONAL USER GUIDANCE (AGD_OPE) . 216
14.3.1 Evaluation of sub-activity (AGD_OPE.1). 216
14.4 PREPARATIVE PROCEDURES (AGD_PRE) . 219
14.4.1 Evaluation of sub-activity (AGD_PRE.1) . 219
CLASS ALC: LIFE-CYCLE SUPPORT . 221
15.1 GENERAL .221
15.2 CM CAPABILITIES (ALC_CMC) . 222
15.2.1 Evaluation of sub-activity (ALC_CMC.1) . 222
15.2.2 Evaluation of sub-activity (ALC_CMC.2) . 223
15.2.3 Evaluation of sub-activity (ALC_CMC.3) . 224
15.2.4 Evaluation of sub-activity (ALC_CMC.4) . 228
15.2.5 Evaluation of sub-activity (ALC_CMC.5) . 233
15.3 CM SCOPE (ALC_CMS) .240
15.3.1 Evaluation of sub-activity (ALC_CMS.1) . 240
15.3.2 Evaluation of sub-activity (ALC_CMS.2) . 241
15.3.3 Evaluation of sub-activity (ALC_CMS.3) . 242
15.3.4 Evaluation of sub-activity (ALC_CMS.4) . 243
15.3.5 Evaluation of sub-activity (ALC_CMS.5) . 244
15.4 DELIVERY (ALC_DEL) .245
15.4.1 Evaluation of sub-activity (ALC_DEL.1) . 245
15.5 DEVELOPMENT SECURITY (ALC_DVS) . 247
15.5.1 Evaluation of sub-activity (ALC_DVS.1) . 247
15.5.2 Evaluation of sub-activity (ALC_DVS.2) . 249
15.6 FLAW REMEDIATION (ALC_FLR) . 252
15.6.1 Evaluation of sub-activity (ALC_FLR.1) . 252
15.6.2 Evaluation of sub-activity (ALC_FLR.2) . 254
15.6.3 Evaluation of sub-activity (ALC_FLR.3) . 257
15.7 LIFE-CYCLE DEFINITION (ALC_LCD) . 262
15.7.1 Evaluation of sub-activity (ALC_LCD.1) . 262
15.7.2 Evaluation of sub-activity (ALC_LCD.2) . 263
© ISO/IEC 2022 – All rights reserved
v
ISO/IEC 18045:2022(E)
15.8 TOE DEVELOPMENT ARTIFACTS (ALC_TDA) . 265
15.8.1 Evaluation of sub-activity (ALC_TDA.1) . 265
15.8.2 Evaluation of sub-activity (ALC_TDA.2) . 268
15.8.3 Evaluation of sub-activity (ALC_TDA.3) . 272
15.9 TOOLS AND TECHNIQUES (ALC_TAT) . 276
15.9.1 Evaluation of sub-activity (ALC_TAT.1) . 276
15.9.2 Evaluation of sub-activity (ALC_TAT.2) . 278
15.9.3 Evaluation of sub-activity (ALC_TAT.3) . 281
15.10 INTEGRATION OF COMPOSITION PARTS AND CONSISTENCY CHECK OF DELIVERY PROCEDURES (ALC_COMP) . 284
15.10.1 General . 284
15.10.2 Evaluation of sub-activity (ALC_COMP.1) . 284
CLASS ATE: TESTS . 286
16.1 GENERAL . 286
16.2 APPLICATION NOTES . 287
16.2.1 Understanding the expected behaviour of the TOE . 287
16.2.2 Testing vs. alternate approaches to verify the expected behaviour of functionality . 288
16.2.3 Verifying the adequacy of tests . 288
16.3 COVERAGE (ATE_COV) . 288
16.3.1 Evaluation of sub-activity (ATE_COV.1) . 288
16.3.2 Evaluation of sub-activity (ATE_COV.2) . 289
16.3.3 Evaluation of sub-activity (ATE_COV.3) . 291
16.4 DEPTH (ATE_DPT) . 293
16.4.1 Evaluation of sub-activity (ATE_DPT.1) . 293
16.4.2 Evaluation of sub-activity (ATE_DPT.2) . 295
16.4.3 Evaluation of sub-activity (ATE_DPT.3) . 298
16.4.4 Evaluation of sub-activity (ATE_DPT.4) . 300
16.5 FUNCTIONAL TESTS (ATE_FUN) . 300
16.5.1 Evaluation of sub-activity (ATE_FUN.1) . 300
16.5.2 Evaluation of sub-activity (ATE_FUN.2) . 303
16.6 INDEPENDENT TESTING (ATE_IND) . 307
16.6.1 Evaluation of sub-activity (ATE_IND.1) . 307
16.6.2 Evaluation of sub-activity (ATE_IND.2) . 311
16.6.3 Evaluation of sub-activity (ATE_IND.3) . 316
16.7 COMPOSITE FUNCTIONAL TESTING (ATE_COMP) . 316
16.7.1 General . 316
16.7.2 Evaluation of sub-activity (ATE_COMP.1) . 316
CLASS AVA: VULNERABILITY ASSESSMENT . 317
17.1 GENERAL .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.
Loading comments...