ISO/IEC TR 15026-1:2010

TECHNICAL ISO/IEC
REPORT TR
15026-1
First edition
2010-08-15


Systems and software engineering —
Systems and software assurance —
Part 1:
Concepts and vocabulary
Ingénierie des systèmes et du logiciel — Assurance des systèmes et du
logiciel —
Partie 1: Concepts et vocabulaire




Reference number
ISO/IEC TR 15026-1:2010(E)
©
ISO/IEC 2010

---------------------- Page: 1 ----------------------
ISO/IEC TR 15026-1:2010(E)
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but
shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In
downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat
accepts no liability in this area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation
parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In
the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.


COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2010
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2010 – All rights reserved

---------------------- Page: 2 ----------------------
ISO/IEC TR 15026-1:2010(E)
Contents Page
Foreword .v
Introduction.vi
1 Scope .1
2 Terms and definitions .1
3 Document purpose and audience.4
4 Organization of report.4
5 Basic concepts .4
5.1 Introduction.4
5.2 Stakeholders .4
5.3 System and Product.6
5.4 Uncertainty.6
5.5 Assurance .6
6 How to use multiple parts of ISO/IEC 15026 .7
6.1 Introduction.7
6.2 Initial usage concerns.7
6.3 Internal structure of parts.8
6.4 Relationships among parts of ISO/IEC 15026.9
6.5 Authorities.9
6.6 Mitigation of ambiguity .9
7 Assurance Case.10
7.1 Introduction.10
7.2 Claims .13
7.3 Arguments.23
7.4 Evidence .34
7.5 Management and life cycle of assurance case.39
7.6 Decision making using the assurance case .40
8 ISO/IEC 15026 and integrity levels.42
8.1 Introduction.42
8.2 Defining integrity levels .43
8.3 Establishing integrity levels .44
8.4 Planning and performing .45
8.5 Conditions and their initiating or transitioning events .46
8.6 Issues.46
8.7 Outcomes .48
8.8 Summary .48
9 ISO/IEC 15026 and life cycle processes: 15288/12207 .49
9.1 Introduction.49
9.2 Technical processes .50
9.3 Transition, Operation, Maintenance and Disposal.55
9.4 Organization processes.56
10 Summary .57
Annex A (informative) Frequently asked questions .58
Annex B (informative) Difficulties with terms and concepts .59
Annex C (informative) ISO/IEC 15026 relationships to standards .61
Annex D (informative) Phenomena.64
© ISO/IEC 2010 – All rights reserved iii

---------------------- Page: 3 ----------------------
ISO/IEC TR 15026-1:2010(E)
Annex E (informative) Security . 68
Annex F (informative) Selected Related Standards . 79
Bibliography . 85

Tables
Table 1 — Examples of Stakeholders . 5
Table 2 — Some time- and resource-related properties . 21
Table 3 — Example ways of showing something is true . 24
Table 4 — Communities with different viewpoints and approaches to reasoning . 25
Table 5 — Relationship aspects that are possible bases for or relevant to arguments . 30
Table D-1 — Some kinds and sources of phenomena. 64
List of Figures
Figure 1 — Fragment of Structure . 11
Figure 2 — Claim . 16
Figure 3 — Argument Context . 23
Figure 4 — Simple State Model. 28
Figure 5 — Simplified "cause and effect" chains. 28
Figure 6 — System and Environment. 42
Figure 7 — Two actors cause transitions . 47
Figure 8 — Life cycle process groups . 49
Figure C-1 — Some relationships among standards. 63
iv © ISO/IEC 2010 – All rights reserved

---------------------- Page: 4 ----------------------
ISO/IEC TR 15026-1:2010(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees established
by the respective organization to deal with particular fields of technical activity. ISO and IEC technical
committees collaborate in fields of mutual interest. Other international organizations, governmental and non-
governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology,
ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
In exceptional circumstances, the joint technical committee may propose the publication of a Technical Report
of one of the following types:
⎯ type 1, when the required support cannot be obtained for the publication of an International Standard,
despite repeated efforts;
⎯ type 2, when the subject is still under technical development or where for any other reason there is the
future but not immediate possibility of an agreement on an International Standard;
⎯ type 3, when the joint technical committee has collected data of a different kind from that which is
normally published as an International Standard (“state of the art”, for example).
Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether
they can be transformed into International Standards. Technical Reports of type 3 do not necessarily have to
be reviewed until the data they provide are considered to be no longer valid or useful.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC TR 15026-1, which is a Technical Report of type 2, was prepared by Joint Technical Committee
ISO/IEC JTC 1, Information technology, Subcommittee SC 7, Software and systems engineering.
ISO/IEC 15026 consists of the following parts, under the general title Systems and software engineering —
Systems and software assurance:
⎯ Part 1: Concepts and vocabulary
⎯ Part 2: Assurance case
System integrity levels and assurance in the life cycle will form the subjects of future parts.
ISO/IEC 15026:1998, IEEE Std 1228-1994 and IEEE Standard for Safety Plan were used as base documents
in the development of ISO/IEC TR 15026-1.
© ISO/IEC 2010 – All rights reserved v

---------------------- Page: 5 ----------------------
ISO/IEC TR 15026-1:2010(E)
Introduction
Within software and systems assurance and closely related fields, many specialties and subspecialties share
concepts but have differing vocabularies and perspectives. This part of ISO/IEC 15026 provides a unifying set
of underlying concepts and an unambiguous use of terminology across these various fields. It provides a basis
for elaboration, discussion, and recording agreement and rationale regarding concepts and the vocabulary
used uniformly across all parts of ISO/IEC 15026.
This part of ISO/IEC 15026 clarifies concepts needed for understanding software and systems assurance and,
in particular, those central to the use of subsequent parts of ISO/IEC 15026. This part of ISO/IEC 15026
supports intellectual mastery of software and systems assurance primarily at the level of shared concepts,
issues and terminology applicable across a range of properties, application domains, and technologies.
The appreciation of the contents of this part of ISO/IEC 15026 might undergo change as work proceeds on the
other parts of ISO/IEC 15026. A revision of this part of ISO/IEC 15026 reflecting any such changes is
expected to be later published as an International Standard.
vi © ISO/IEC 2010 – All rights reserved

---------------------- Page: 6 ----------------------
TECHNICAL REPORT ISO/IEC TR 15026-1:2010(E)

Systems and software engineering — Systems and software
assurance —
Part 1:
Concepts and vocabulary
1 Scope
This part of ISO/IEC 15026 defines terms and establishes an extensive and organized set of concepts and
their relationships, thereby establishing a basis for shared understanding of the concepts and principles
central to ISO/IEC 15026 across its user communities. It provides information to users of the subsequent parts
of ISO/IEC 15026, including the use of each part and the combined use of multiple parts.
Coverage of assurance for a service being operated and managed on an ongoing basis is not covered in
ISO/IEC 15026.
2 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
2.1
assurance
grounds for justified confidence that a claim has been or will be achieved
2.2
assurance case
representation of a claim or claims, and the support for these claims
NOTE An assurance case is reasoned, auditable artefact created to support the contention its claim or claims are
satisfied. It contains the following and their relationships:
• one or more claims about properties;
• arguments that logically link the evidence and any assumptions to the claim(s);
• a body of evidence and possibly assumptions supporting these arguments for the claim(s).
2.3
approval authority
entity with the authority to decide that the assurance case and the extent of assurance it provides are
satisfactory
NOTE 1 The approval authority may include multiple entities, e.g. individuals or organizations. These can include
different entitles with different levels of approval and/or different areas of interest.
NOTE 2 In two-party situations, approval authority often rests with the acquirer. In regulatory situations, the approval
authority may be a third party such as a governmental organization or its agent. In other situations, e.g. the purchase of
off-the-shelf products developed by a single-party, the independence of the approval authority can be a relevant issue to
the acquirer.
© ISO/IEC 2010 – All rights reserved 1

---------------------- Page: 7 ----------------------
ISO/IEC TR 15026-1:2010(E)
2.4
claim
statement of something to be true including associated conditions and limitations
NOTE 1 The statement of a claim does not mean that the only possible intent or desire is to show it is true. Sometimes
claims are made for the purpose of evaluating whether they are true or false or undertaking an effort to establish what is
true.
NOTE 2 In its entirety, a claim conforming to ISO/IEC 15026-2 is an unambiguous declaration of an assertion with any
associated conditionality giving explicit details including limitations on values and uncertainty. It could be about the future,
present, or past.
2.5
design authority
person or organization that is responsible for the design of the product
2.6
failure
termination of the ability of an item to perform a required function or its inability to perform within previously
specified limits
2.7
fault isolation
ability of a subsystem to prevent a fault within the subsystem from causing consequential faults in other
subsystems
2.8
integrity assurance authority
independent person or organization responsible for assessment of compliance with the integrity-level-related
requirements
NOTE Adapted from ISO/IEC 15026:1998, in which the definition is "The independent person or organization
responsible for assessment of compliance with the integrity requirements."
2.9
integrity level
denotation of a range of values of a property
NOTE 1 Generally, the intention is that meeting these values related to the relevant items will result in maintaining
system risks within limits.
NOTE 2 Adapted from ISO/IEC 15026:1998.
2.10
organization
person or a group of people and facilities with an arrangement of responsibilities, authorities and relationships
[ISO/IEC 15288:2008]
NOTE 1 This definition and notes are taken from ISO/IEC 15288:2008. The definition in ISO/IEC 15288:2008 was
adapted from ISO 9000:2005.
NOTE 2 A body of persons organized for some specific purpose, such as a club, union, corporation, or society, is an
organization.
NOTE 3 An identified part of an organization (even as small as a single individual) or an identified group of
organizations can be regarded as an organization if it has responsibilities, authorities and relationships.
2 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 8 ----------------------
ISO/IEC TR 15026-1:2010(E)
2.11
process
set of interrelated or interacting activities which transforms inputs into outputs
[ISO/IEC 15288:2008 and ISO/IEC 12207:2008]
NOTE This definition does not preclude the existence of a null process, activity or transformation, or of null inputs or
outputs.
2.12
process view
description of how a specified purpose and set of outcomes can be achieved by employing the activities and
tasks of existing processes
NOTE This definition is adapted from the description of the process view concept in ISO/IEC 15288:2008, D.3.
2.13
product
result of a process
[ISO/IEC 15288:2008 and ISO 9000:2005]
NOTE 1 Results could be components, systems, software, services, rules, documents, or many other items.
NOTE 2 “The result” could in some cases be many related individual results. However, claims usually relate to
specified versions of a product.
2.14
system
combination of interacting elements organized to achieve one or more stated purposes
[ISO/IEC 15288:2008]
NOTE 1 A system may be considered as a product or as the services it provides.
NOTE 2 In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun,
e.g. aircraft system. Alternatively, the word “system” may be substituted simply by a context-dependent synonym, e.g.
aircraft, though this may then obscure a system principles perspective.
NOTE 3 Notes 1 and 2 are also taken from ISO/IEC 15288:2008.
2.15
system element
member of a set of elements that constitutes a system
[ISO/IEC 15288:2008]
NOTE 1 A system element is a discrete part of a system that can be implemented to fulfil specified requirements. A
system element can be hardware, software, data, humans, processes (e.g. processes for providing service to users),
procedures (e.g. operator instructions), facilities, materials, and naturally occurring entities (e.g. water, organisms,
minerals), or any combination.
NOTE 2 Note 1 is also taken from ISO/IEC 15288:2008.
2.16
systematic failure
failure related in a deterministic way to a certain cause, which can only be eliminated by a modification of the
design or of the manufacturing process, operational procedures, documentation or other relevant factors
© ISO/IEC 2010 – All rights reserved 3

---------------------- Page: 9 ----------------------
ISO/IEC TR 15026-1:2010(E)
3 Document purpose and audience
The primary purpose of this part of ISO/IEC 15026 is to aid users of the other parts of ISO/IEC 15026. For
each topic, it first briefly covers what might be needed by engineers and technical mangers new to the topic of
assurance cases or integrity levels. Lists of aspects or examples are provided for concreteness and as
reminders or checklists. While essential to assurance practice, details regarding exactly how to measure,
demonstrate, or analyse particular properties are not covered. These are the subjects of more specialized
standards of which a number are referenced.
If a decision is made to use any parts of ISO/IEC 15026, then understanding certain concepts and terms is
essential. This part of ISO/IEC 15026 provides context, concepts, and explanations to aid users in doing this
as well as aiding in the usage of the other parts.
A variety of potential users of ISO/IEC 15026 exists including developers and maintainers of assurance cases
and those who wish to develop, sustain, evaluate, or acquire a system that possesses specific properties of
interest in such a way as to be surer of those properties. Users of this International Standard can benefit from
knowing the included terms, concepts, and principles. For example, while ISO/IEC 15026 uses terms
consistent with ISO/IEC 12207 and ISO/IEC 15288 and generally consistent with the ISO/IEC 25000 series,
the users of ISO/IEC 15026 need to know any differences from that to which they are accustomed. The
remainder of this part of ISO/IEC 15026 attempts to clarify issues of the concepts of interest to users of
ISO/IEC 15026.
4 Organization of report
Clause 5 of this part of ISO/IEC 15026 covers basic concepts such as stakeholders, product, assurance, and
uncertainty. Clause 6 covers some issues of which users of the future ISO/IEC 15026-2, ISO/IEC 15026-3,
and ISO/IEC 15026-4 need to be initially aware. Clauses 7, 8, and 9 cover terms, concepts, and topics
particularly relevant to users of ISO/IEC 15026-2, ISO/IEC 15026-3, and ISO/IEC 15026-4, respectively,
although users of one part can also benefit from some of the information in the clauses oriented to other parts.
Clause 8 is for users of ISO 15026:1998, as well as of the future ISO/IEC 15026-3.
Those who have curiosity or initial questions about ISO/IEC 15026 could find it useful to take an early look at
Annex A on page 58, the Frequently asked questions annex. Other annexes cover pitfalls with terminology
(Annex B), ISO/IEC 15026's relationships to several other standards (Annex C), phenomena (Annex D) as a
way of helping ISO/IEC 15026 users to think about possibilities, security (Annex E), and some related
standards (Annex F). Annex E gives special attention to security because it is an area expected to be
relatively new to many initial users of ISO/IEC 15026. However, ISO/IEC 15026 can be used for both positive
concerns, such as high performance, as well as negative concerns, such as security. A bibliography is
included at the end.
5 Basic concepts
5.1 Introduction
This clause covers the terms and concepts fundamental to ISO/IEC 15026: stakeholders, systems and
products, uncertainty, and assurance.
5.2 Stakeholders
5.2.1 Introduction
Through their life cycle systems and software have multiple stakeholders who affect or are affected by the
system and system-related activities. Stakeholders might benefit from, incur losses from, impose constraints
on, or otherwise have a “stake” in the system.
4 © ISO/IEC 2010 – All rights reserved

---------------------- Page: 10 ----------------------
ISO/IEC TR 15026-1:2010(E)
5.2.2 Kinds of stakeholders
A given system will typically have stakeholders from several of the categories in Table 1.
Table 1 — Examples of Stakeholders
Product's larger environment
Regulators
Standards bodies
Specific communities (such as government or the banking industry)
National (possibly multi-national) and international laws, regulations, treaties, and agreements
Enforcement personnel and organizations
Competitors
Entities about whom the product contains information (e.g. customers and suppliers)
Evaluators, regulators, certifiers, accreditors, and auditors
Attackers
The general public
Organizational
Sources of relevant policies (e.g. safety, security, personnel, procurement, and marketing policies)
Decision makers regarding acquisition and usage (including request for proposal writers and issuers as well as makers of
decisions to acquire or use)
Authorized units within an organization
Directly related to product
Product developers and maintainers
Integrators of the system or software into a larger product (e.g. OEMs or enterprise-wide application developers)
Those involved in product transition (e.g. trainers and installers)
Product operators and administrators
End users
Others involved throughout the product's systems life cycle (e.g. sustainers and disposers)
System into which product is incorporated
Other systems interacting with the product or using the product’s services
Suppliers of services or consumables to product
Product owners and custodians
Project management
Owners and custodians of elements in the system (e.g. data)

In addition, stakeholders can include non-users whose performance, results, or interests might be affected,
e.g., entities whose software is executing on the same or networked computers.
A different but important kind of stakeholder is an attacker, who certainly imposes constraints or has interests
involved with the system, as in, “Both we and the enemy have a stake in keeping within the laws of war.”
However, some in the security community and elsewhere use the term “stakeholders” in such a way as to
exclude attackers. Attackers can be of many kinds and have a variety of motivations and capabilities. The
issue of how hostile or malicious in intention or detrimental in action an entity would need to be to qualify as an
attacker is unclear.
© ISO/IEC 2010 – All rights reserved 5

---------------------- Page: 11 ----------------------
ISO/IEC TR 15026-1:2010(E)
A given system or project might involve more or less of the stakeholders in Table 1. Stakeholder roles and
relative importance can be difficult to establish, for example, who—system funders, customers, beneficiaries,
attackers, benefit gainers or loss sufferers—is more important or should have more influence on which
decisions, including the importance to assurance-related decisions and importance as users of assurance-
related artefacts. The existence and characteristics of potential or actual attackers can strongly influence
decisions.
5.2.3 Stakeholder interests and assets
Stakeholder interests include any benefit, loss, or advantage, e.g., one says, “In the national interests” or “not
in the interest of the organization
...