PD ISO/IEC TR 15443-3:2007

Foreword
Introduction
1 Scope
  1.1 Purpose
  1.2 Application
  1.3 Field of Application
  1.4 Limitations
2 Terms and definitions
3 Abbreviated terms
4 Understanding Assurance
  4.1 Setting the assurance goal
  4.2 Applying assurance methods
  4.3 Assessing assurance results
  4.4 Example
5 Comparing, selecting and composing assurance
  5.1 Selecting the assurance approach
  5.2 Composing assurance methods
  5.3 Comparing assurance methods
  5.4 Focus on assurance properties
6 Guidance
  6.1 Developmental Assurance (DA)
  6.2 Integration Assurance (IA)
  6.3 Operational Assurance (OA)
Annex A - Tabular comparisons
 A.1 Methods and their target groups
 A.2 Available Assurance Methods
Annex B - Assurance properties of selected methods
 B.1 ISO/IEC 15408
 B.2 ISO/IEC 19790
 B.3 ISO/IEC 21827
 B.4 ISO/IEC 13335
 B.5 ISO/IEC 27001 and ISO/IEC 27002
 B.6 IT Baseline Protection Manual
 B.7 COBIT
 B.8 ISO 9000
Annex C - Composition of assurance methods
 C.1 ISO/IEC 15408 + IT Baseline Protection Manual
 C.2 ISO/IEC 27002 + IT Baseline Protection
 C.3 ISO/IEC 27001 and ISO/IEC 27002
 C.4 ISO/IEC 27002 + ISO 9000
 C.5 COBIT + IT Baseline Protection
Annex D - Case Studies
 D.1 A chip-card manufacturer's assurance composition strategy
 D.2 A service provider assures the upgrade of business processes
Annex E - Determination of the assurance goal
 E.1 Risk Assessment
 E.2 Risk Management
 E.3 Security Model
 E.4 Organizational security policy
 E.5 Applicable Assurance goal
 E.6 Security Measures
 E.7 Example: ISO/IEC 15408
Bibliography

Provides general guidance to an assurance authority in the choice of the appropriate type of international communications technology (ICT) assurance methods and to lay the framework for the analysis of specific assurance methods for specific environments.

1.1 Purpose

The purpose of this part of ISO/IEC TR 15443 is to provide general guidance to an assurance authority in the choice of the appropriate type of international communications techology (ICT) assurance methods and to lay the framework for the analysis of specific assurance methods for specific environments.

1.2 Application

This part of ISO/IEC TR 15443 will allow the user to match specific assurance requirements and/or typical assurance situations with the general characteristics offered by available assurance methods.

1.3 Field of Application

The guidance of this part of ISO/IEC TR 15443 is applicable to the development, implementation and operation of ICT products and ICT systems with security requirements.

1.4 Limitations

Security requirements may be complex, assurance methods are of great diversity, and organisational resources and cultures differ considerably.

Therefore the advice given in this part of ISO/IEC TR 15443 will be qualitative and summary, and the user may need to analyse on his own which methods presented in Part 2 of this Technical Report will suit best his specific deliverables and organisational security requirements.