7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

1/8

AS/NZS ISO/IEC 15443.1:2006ISO/IEC TR 15443-1:2005

Australian/New Zealand Standard

Information technologySecuritytechniquesA framework for IT securityassurance

Part 1: Overview and framework

AS/NZS

ISO/IEC15443.1:2006

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

2/8

AS/NZS ISO/IEC 15443.1:2006

This Joint Australian/New Zealand Standard was prepared by Joint TechnicalCommittee IT-012, Information Systems, Security and Identification. It wasapproved on behalf of the Council of Standards Australia on 23 June 2006 and onbehalf of the Council of Standards New Zealand on 30 June 2006.This Standard was published on 2 August 2006.

The following are represented on Commit tee IT-012:

Attorney Generals Department

Australian Association of Permanent Building Societies

Australian Bankers Association

Australian Chamber Commerce and Industry

Australian Electrical and Electronic Manufacturers Association

Certification Forum of Australia

Department of DefenceDepartment of Social Welfare, NZ

Government Communications Security Bureau, NZ

Internet Industry Association

NSW Police Service

New Zealand Defence Force

Reserve Bank of Australia

Keeping Standards up-to-date

Standards are living documents which reflect progress in science, technology andsystems. To maintain their currency, all Standards are periodically reviewed, andnew editions are published. Between editions, amendments may be issued.Standards may also be withdrawn. It is important that readers assure themselvesthey are using a current Standard, which should include any amendments whichmay have been published since the Standard was purchased.

Detailed information about joint Australian/New Zealand Standards can be found byvisiting the Standards Web Shop at www.standards.com.au or Standards NewZealand web site at www.standards.co.nz and looking up the relevant Standard inthe on-line catalogue.

Alternatively, both organizations publish an annual printed Catalogue with fulldetails of all current Standards. For more frequent listings or notification ofrevisions, amendments and withdrawals, Standards Australia and Standards NewZealand offer a number of update options. For information about these services,users should contact their respective national Standards organization.

We also welcome suggestions for improvement in our Standards, and especiallyencourage readers to notify us immediately of any apparent inaccuracies orambiguities. Please address your comments to the Chief Executive of eitherStandards Australia or Standards New Zealand at the address shown on the backcover.

This Standard was issued in draft form for comment as DR 06257.

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

3/8

AS/NZS ISO/IEC 15443.1:2006

Australian/New Zealand StandardInformation technologySecuritytechniquesA framework for IT securityassurance

Part 1: Overview and framework

COPYRIGHT

Standards Australia/Standards New Zealand

All rights are reserved. No part of this work may be reproduced or copied in any form or byany means, electronic or mechanical, including photocopying, without the written

permission of the publisher.

Jointly published by Standards Australia, GPO Box 476, Sydney, NSW 2001 and Standards

New Zealand, Private Bag 2439, Wellington 6020

ISBN 0 7337 7659 0

First published as AS/NZS ISO/IEC 15443.1:2006.

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

4/8

ii

PREFACE

This Standard was prepared by the Joint Standards Australia/Standards New Zealand Committee

IT-012, Information Systems, Security and Identification.

The objective of this Standard is to present a variety of assurance methods, and to guide the IT

Security Professional in the selection of an appropriate assurance method (or combination of

methods) to achieve confidence that a given deliverable satisfies its stated IT security assurance

requirements. This report examines assurance methods and approaches proposed by various

types of organisms whether they are approved or de-facto standards.

This Standardprovides an overview of the fundamental concepts and a general description of

assurance methods. It targets IT security manages and others responsible for developing a

security assurance program, determining the security assurance of their deliverable, entering an

assurance assessment audit or other assurance.

This Standard is identical with, and has been reproduced from ISO/IEC TR 15443-1:2005,

Information technologySecurity techniquesA framework for IT security assurancePart 1:

Overview and framework.

As this Standard is reproduced from an international standard, the following applies:

(a) Its number appears on the cover and title page while the international standard number

appears only on the cover

(b) In the source text this part of ISO/IEC TR 15443 should read this Australian/New

Zealand Standard.

(c) A full point substitutes for a comma when referring to a decimal marker.

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

5/8

ii i

CONTENTS

Page

1 Scope...................................................................................................................................................... 11.1 Purpose.................................................................................................................................................. 11.2 Approach ............................................................................................................................................... 11.3 Application............................................................................................................................................. 11.4 Field of Application............................................................................................................................... 11.5 Limitations ............................................................................................................................................. 12 Terms and definitions........................................................................................................................... 13 Abbreviated terms................................................................................................................................. 64 Concepts................................................................................................................................................ 74.1

Why do we need assurance? ............................................................................................................... 8

4.2 Assurance is distinguishable from confidence ................................................................................. 84.3 What is a deliverable? .......................................................................................................................... 84.4 Stakeholders.......................................................................................................................................... 94.5 Assurance requirements ...................................................................................................................... 94.6 Assurance methods applicability to IT security .............................................................................. 104.7 Assurance schemes ........................................................................................................................... 104.8 Quantifying assurance risk and mechanism strength.................................................................... 114.9 Assurance reduces security risk....................................................................................................... 114.10 Quantifying assurance ....................................................................................................................... 114.11 Assurance authority ........................................................................................................................... 115 Selecting security assurance ............................................................................................................ 125.1 Assurance requirements specification............................................................................................. 135.2 Economical aspects............................................................................................................................ 135.3 Organisational aspects....................................................................................................................... 145.4 Type of assurance............................................................................................................................... 145.5 Technical aspects ............................................................................................................................... 155.6 Optimisation considerations ............................................................................................................. 156 Framework ........................................................................................................................................... 166.1 Assurance approach........................................................................................................................... 166.2 Assurance methods............................................................................................................................ 166.3 Life cycle aspects ............................................................................................................................... 176.4 Correctness versus effectiveness assurance.................................................................................. 186.5 Categorisation of assurance methods.............................................................................................. 196.6 Composite assurance......................................................................................................................... 206.7 Assurance rating................................................................................................................................. 20

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

6/8

iv

NOTES

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

7/8

1AUSTRALIAN/NEW ZEALAND STANDARD

Information technology Security techniques A frameworkfor IT security assurance

Part 1:Overview and framework

1 Scope

1.1 Purpose

The purpose of this part of ISO/IEC TR 15443 is to introduce, relate and categorise security assurancemethods to a generic life cycle model in a manner enabling an increased level of confidence to be obtained inthe security functionality of a deliverable.

1.2 Approach

The approach adopted throughout this part of ISO/IEC TR 15443 presents an overview of the basic assuranceconcepts and terms required for understanding and applying assurance methods through a framework ofidentifying various assurance approaches and assurance stages.

1.3 Application

Using the categorisation obtained through this part of ISO/IEC TR 15443, Part 2 and the future Part 3 willguide the reader in the selection, and possible combination, of the assurance method(s) suitable forapplication to a given deliverable.

1.4 Field of Application

This part of ISO/IEC TR 15443 provides guidance for the categorisation of assurance methods including thosenot unique to IT security. It may be used in areas outside of IT security where criticality warrants assurance.

1.5 Limitations

This part of ISO/IEC TR 15443 applies to deliverables (refer to Clause 4.3) and their related organisationalsecurity issues only.

2 Terms and definitions

For the purposes of this document, the following terms and definitions apply.

NOTE The terms and definitions have been developed to be as generic as possible to support the assurance modeldeveloped in this part of ISO/IEC TR 15443. The assurance model, being applicable to a broad spectrum of assuranceapproaches, requires non-specific terminology to be applicable to a broad spectrum of assurance approaches.

Defining terms for a generic assurance model is a difficult task owing to the myriad of assurance terms that exist to satisfythe available assurance approaches. Furthermore, similar terms have different definitions and many are unique to aparticular assurance approach making it difficult to construct a generic language for the assurance model. Owing to these

COPYRIGHT

7/31/2019 As NZS ISO IEC 15443.1-2006 Information Technology - Security Techniques - A Framework for IT Security Assura

8/8

This is a free preview. Purchase the entire publication at the link below:

Looking for additional Standards? Visit SAI Global Infostore

Subscribe to ourFree Newsletters about Australian Standards in Legislation; ISO, IEC, BSI and more

Do you need to Manage Standards Collections Online?

Learn about LexConnect, All Jurisdictions, Standards referenced in Australian legislation

Do you want to know when a Standard has changed?

Want to become an SAI Global Standards Sales Affiliate?

Learn about other SAI Global Services:

LOGICOM Military Parts and Supplier DatabaseMetals Infobase Database of Metal Grades, Standards and Manufacturers

Materials Infobase Database of Materials, Standards and Suppliers

Database of European Law, CELEX and Court Decisions

Need to speak with a Customer Service Representative - Contact Us

AS/NZS ISO/IEC 15443.1:2006, Informationtechnology - Security techniques - A framework forIT security assurance Overview and framework

http://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/Details.aspx?ProductId=394409&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store/getpage.aspx?path=/InformationServices/shop/pages/ContactingUs.htm&utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/European-Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Materials/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/Metals/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Databases/LOGICOM/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Affiliate/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/StandardsWatch/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Law/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Collections/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://www.saiglobal.com/Information/Standards/Newsletters/?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSiteshttp://infostore.saiglobal.com/store?utm_source=PDF&utm_medium=Website_Infostore&utm_campaign=DocSharingSites