CAN/CSA-ISO/IEC TR 15443-2-06

1 Scope

1.1 Purpose
This part of ISO/IEC TR 15443 provides a collection of assurance methods including those not unique to ICT security as long as they contribute to overall ICT security. It gives an overview as to their aim and describes their features, reference and standardization aspects. In principle, the resultant ICT security assurance is the assurance of the product, system or service in operation. The resultant assurance is therefore the sum of the assurance increments obtained by each of the assurance methods applied to the product, system or service during its life cycle stages. The large number of available assurance methods makes guidance necessary as to which method to apply to a given ICT field to gain recognized assurance. Each item of the collection presented in this part of ISO/IEC TR 15443 is classified in an overview fashion using the basic assurance concepts and terms developed in ISO/IEC TR 15443-1. Using this categorization, this part of ISO/IEC TR 15443 guides the ICT professional in the selection, and possible combination, of the assurance method(s) suitable for a given ICT security product, system, or service and its specific environment.\ 1.2 Field of Application This part of ISO/IEC TR 15443 gives guidance in a summary and overview fashion. It is suitable to obtain from the presented collection a reduced set of applicable methods to choose from, by way of exclusion of inappropriate methods.

The summaries are informative to provide the basics to facilitate the understanding of the analysis without requiring the source standards.

Intended users of this part of ISO/IEC TR 15443 include the following:

1. acquirer (an individual or organization that acquires or procures a system, software product or software service from a supplier);

2. evaluator (an individual or organization that performs an evaluation; an evaluator may, for example, be a testing laboratory, the quality department of a software development organization, a government organization or a user);

3. developer (an individual or organization that performs development activities, including requirements analysis, design, and testing through acceptance during the software life cycle process);

4. maintainer (an individual or organization that performs maintenance activities);

5. supplier (an individual or organization that enters into a contract with the acquirer for the supply of a system, software product or software service under the terms of the contract) when validating software quality at qualification test;

6. user (an individual or organization that uses the software product to perform a specific function) when evaluating quality of software product at acceptance test;

7. security officer or department (an individual or organization that perform a systematic examination of the software product or software services) when evaluating software quality at qualification test.

1.3 Limitations
This part of ISO/IEC TR 15443 gives guidance in an overview fashion only. ISO/IEC TR 15443-3 provides guidance to refine this choice for better resolution of assurance requirements enabling a review of their comparable and synergetic properties.

The regulatory infrastructure to support verification of an assurance approach and the personnel to perform verification is outside the scope of this part of ISO/IEC TR 15443.