Systems and software engineering — Systems and software assurance — Part 3: System integrity levels

ISO/IEC 15026-3:2011 specifies the concept of integrity levels with corresponding integrity level requirements that are required to be met in order to show the achievement of the integrity level. It places requirements on and recommends methods for defining and using integrity levels and their integrity level requirements, including the assignment of integrity levels to systems, software products, their elements, and relevant external dependences.

ISO/IEC 15026-3:2011 is applicable to systems and software and is intended for use by: definers of integrity levels such as industry and professional organizations, standards organizations, and government agencies; users of integrity levels such as developers and maintainers, suppliers and acquirers, users, and assessors of systems or software and for the administrative and technical support of systems and/or software products. One important use of integrity levels is by suppliers and acquirers in agreements; for example, to aid in assuring safety, economic, or security characteristics of a delivered system or product.

ISO/IEC 15026-3:2011 does not prescribe a specific set of integrity levels or their integrity level requirements. In addition, it does not prescribe the way in which integrity level use is integrated with the overall system or software engineering life cycle processes.

ISO/IEC 15026-3:2011 can be used alone or with other parts of ISO/IEC 15026. It can be used with a variety of technical and specialized risk analysis and development approaches. ISO/IEC TR 15026-1 provides additional information and references to aid users of ISO/IEC 15026-3:2011. Assurance cases are covered by ISO/IEC 15026-2. ISO/IEC 15026-3:2011 does not require the use of assurance cases but describes how integrity levels and assurance cases can work together, especially in the definition of specifications for integrity levels or by using integrity levels within a portion of an assurance case.

Ingénierie du logiciel et des systèmes — Assurance du logiciel et des systèmes — Partie 3: Niveaux d'intégrité du système

General Information

Status: Withdrawn
Publication Date: 15-Dec-2011
Withdrawal Date: 15-Dec-2011
Current Stage: 9599 - Withdrawal of International Standard
Completion Date: 20-Nov-2015

Standard: ISO/IEC 15026-3:2011 - Systems and software engineering -- Systems and software assurance
English language, 32 pages

Standards Content (Sample)

INTERNATIONAL STANDARD ISO/IEC 15026-3
First edition
2011-12-15

Systems and software engineering — Systems and software assurance — Part 3: System integrity levels
Ingénierie du logiciel et des systèmes — Assurance du logiciel et des systèmes — Partie 3: Niveaux d'intégrité du système

Reference number ISO/IEC 15026-3:2011(E)
© ISO/IEC 2011

ISO/IEC 15026-3:2011(E)

COPYRIGHT PROTECTED DOCUMENT


©  ISO/IEC 2011
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland

ii © ISO/IEC 2011 – All rights reserved

Contents

Foreword ..... v
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 2
4 Integrity level framework ..... 2
4.1 Integrity level specification ..... 2
4.2 Process for using integrity levels ..... 3
5 Using this Part 3 ..... 4
5.1 Uses of this part of ISO/IEC 15026 ..... 4
5.2 Documentation ..... 5
5.3 Personnel and organizations ..... 5
5.4 Overview of this part of ISO/IEC 15026 ..... 5
6 Defining integrity levels ..... 6
6.1 Purpose for using this part of ISO/IEC 15026 ..... 6
6.2 Outcomes of using this part of ISO/IEC 15026 ..... 6
6.3 Prerequisites for defining integrity levels ..... 6
6.3.1 Establish appropriateness of area for use of integrity levels ..... 6
6.3.2 Establish purpose and preliminary scope ..... 7
6.4 Consistency with use requirements ..... 7
6.5 Analysis of scope of applicability ..... 7
6.6 Three required work products ..... 8
6.6.1 Specifying an integrity level claim ..... 8
6.6.2 Specifying integrity level requirements ..... 9
6.6.3 Justification of match between integrity level claim and its requirements ..... 9
6.7 Maintaining integrity level specification ..... 10
6.8 Information provided for users ..... 11
6.8.1 Requirements ..... 11
6.8.2 Guidance and recommendations ..... 11
7 Using integrity levels ..... 11
7.1 Purpose for using this part of ISO/IEC 15026 ..... 11
7.2 Outcomes of using this part of ISO/IEC 15026 ..... 12
7.3 Prerequisites for use of integrity levels ..... 12
7.3.1 Determine scope of covered risks ..... 12
7.3.2 Establish applicability of integrity levels to the scope of their use ..... 13
7.3.3 Decide role of integrity levels in life cycle ..... 13
7.3.4 Establish approach to risk analysis ..... 13
8 System or product integrity level determination ..... 13
8.1 Introduction ..... 13
8.2 Risk ..... 14
8.2.1 Introduction ..... 14
8.2.2 Risk criterion ..... 14
8.2.3 Risk analyses ..... 15
8.2.4 Risk evaluation ..... 17
8.3 Assignment of system or product integrity level ..... 17
8.4 Independence from internal architecture ..... 18
8.5 Maintaining system or product integrity level ..... 18
8.5.1 Introduction ..... 18
8.5.2 System changes ..... 18
8.5.3 Risks become known ..... 18
8.5.4 Requirements change ..... 18
8.6 Traceability of system or product integrity level assignments ..... 19
9 Assigning system element integrity levels ..... 19
9.1 General ..... 19
9.2 Architecture and design ..... 19
9.2.1 General ..... 19
9.2.2 Failure handling mechanisms ..... 19
9.3 Assignment ..... 20
9.4 Scope of assignments ..... 20
9.5 Special considerations ..... 20
9.5.1 Cycles and recursion ..... 20
9.5.2 Special situations and requirements regarding integrity levels ..... 20
9.5.3 Behaviours other than failure ..... 21
9.6 Maintaining the assignment of integrity levels ..... 21
9.6.1 General ..... 21
9.6.2 Changing integrity level assignments ..... 21
10 Meeting integrity level requirements ..... 22
10.1 Requirements related to evidence ..... 22
10.1.1 Related information ..... 22
10.1.2 Organization of evidence ..... 22
10.1.3 Interpretation of evidence ..... 22
10.2 Alternatives ..... 22
10.3 Achieving integrity level claim ..... 23
10.4 Corrective actions ..... 23
11 Agreements and approvals ..... 23
11.1 Authorities ..... 23
11.2 Specific approvals and agreements related to integrity level definition ..... 24
11.3 Specific approvals and agreements related to integrity level use ..... 24
11.4 Documentation ..... 25
Annex A (normative) Inputs and outputs for integrity level framework ..... 26
A.1 Table for Clause 4 Integrity level framework ..... 26
Annex B (informative) An example of use of ISO/IEC 15026-3 ..... 27
B.1 Introduction ..... 27
B.2 Overview ..... 27
B.3 Defining integrity levels (Clause 6) ..... 27
B.4 Using a framework of integrity levels (Clauses 7 and 8) ..... 29
B.5 System element integrity levels (Clause 9) ..... 31
B.6 Using integrity levels according to this part of ISO/IEC 15026 ..... 31
Bibliography ..... 32

Tables
Table A.1 — Inputs and outputs for activities in Figure 1 ..... 26
Table B.1 — Integrity levels for examples ..... 28
Table B.2 — Integrity level claims' ranges of property values for examples ..... 28
Table B.3 — Examples of integrity level requirements and associated evidence ..... 29

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15026-3 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 7, Software and systems engineering.
This first edition of ISO/IEC 15026-3 cancels and replaces ISO/IEC 15026:1998, which has been technically
revised.
ISO/IEC 15026 consists of the following parts, under the general title Systems and software engineering —
Systems and software assurance:
⎯ Part 1: Concepts and vocabulary [Technical Report]
⎯ Part 2: Assurance case
⎯ Part 3: System integrity levels
The following part is under preparation:
⎯ Part 4: Assurance in the life cycle


Systems and software engineering — Systems and software
assurance —
Part 3:
System integrity levels
1 Scope
This part of ISO/IEC 15026 specifies the concept of integrity levels with corresponding integrity level
requirements that are required to be met in order to show the achievement of the integrity level. It places
requirements on and recommends methods for defining and using integrity levels and their integrity level
requirements. It covers systems, software products, and their elements, as well as relevant external
dependences.
This part of ISO/IEC 15026 is applicable to systems and software and is intended for use by:
a) definers of integrity levels such as industry and professional organizations, standards organizations, and
government agencies;
b) users of integrity levels such as developers and maintainers, suppliers and acquirers, users, and
assessors of systems or software and for the administrative and technical support of systems and/or
software products.
One important use of integrity levels is by suppliers and acquirers in agreements; for example, to aid in
assuring safety, economic, or security characteristics of a delivered system or product.
This part of ISO/IEC 15026 does not prescribe a specific set of integrity levels or their integrity level
requirements. In addition, it does not prescribe the way in which integrity level use is integrated with the
overall system or software engineering life cycle processes. It does, however, provide an example of use of
this part of ISO/IEC 15026 in Annex B.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated
references, only the edition cited applies. For undated references, the latest edition of the referenced
document (including any amendments) applies.
ISO/IEC TR 15026-1 Systems and software engineering — Systems and software assurance — Concepts
and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC TR 15026-1 apply.
NOTE While a definition is included for “integrity level”, existing definitions and the relevant communities do not agree
on a definition of “integrity” consistent with its use in “integrity level”. Hence, no separate definition of “integrity” is included
in this part of ISO/IEC 15026. For the definition of “integrity” used in ISO/IEC JTC 1 SC 7, see ISO/IEC 25010:2011,
Systems and software engineering — Systems and software Quality Requirements and Evaluation (SQuaRE) — System
and software quality models.
4 Integrity level framework
4.1 Integrity level specification
An integrity level specification includes two kinds of related requirements defined as follows:
a) “Integrity level”—A claim of a system, product, or element. This claim includes limitations on a
property's values, the claim's scope of applicability, and the allowable uncertainty regarding the claim's
achievement. A label designated for an integrity level is called an integrity level’s label.
b) “Integrity level requirements”—A set of specified requirements imposed on aspects related to a system,
product, or element and associated activities in order to show the achievement of the assigned integrity
level (that is, meeting its claim) within the required limitations on uncertainty. This includes the evidence
to be obtained.
Definers of integrity levels need to justify explicitly the assertion that meeting an integrity level's corresponding
integrity level requirements suffices to achieve the integrity level within its allowable uncertainty. This
justification can be reflected in, but not necessarily included in, a source for users (e.g., a standard).
NOTE 1 In ISO/IEC 15026:1998, a) and b) are referred to as the “integrity level” and “integrity requirements”
respectively. The latter has been changed to “integrity level requirements” both for increased clarity and because this is
common usage in safety.
NOTE 2 “Integrity level” is sometimes referred to as “integrity level claim” to distinguish it from “integrity level requirement”.
NOTE 3 See 8.2 and 8.2.4 for a detailed explanation of “required limitations.”
NOTE 4 See ISO/IEC TR 15026-1 for further explanation of the use of evidence.
NOTE 5 IEEE Std 1012:2004 defines “integrity level” as “a value representing project-unique characteristics (e.g.,
software complexity, criticality, risk, safety level, security level, desired performance, reliability) that define the importance
of the software to the user.” That is, an integrity level is a value of a property of the target software. Since both a claim and
a value can be regarded as a proposition about a system or software, the two definitions of integrity level have essentially
the same meaning.
NOTE 6 Integrity level claims in this part of ISO/IEC 15026 can cover behaviours or conditions of the system or product
or values of a property, in which case they can play roles of both “requirements” and “measures”. For an acquisition of a
system or product, an integrity level claim can be used for representing an agreement between the acquirer and the
supplier. In this case the integrity level claim plays the role of a requirement. In the activity of accepting a system or
product in the acquisition process, the integrity level claim is used for confirming that the delivered system or product
complies with the agreement, i.e., the delivered system or product is measured by an integrity level claim.
NOTE 7 Integrity levels and standards utilizing them have a significant history especially in safety. Integrity levels in
safety-related standards are defined in multi-level sets addressing varying degrees of stringency and/or uncertainty of their
achievement with higher levels providing higher stringency and lower uncertainty. One example safety standard is
IEC 61508 Functional safety of electrical/electronic/programmable electronic safety-related systems. Elsewhere, similar
schemes are used with different labels, e.g., “conformance classes.”
To complete the integrity level framework, the next clause describes a process for using integrity levels that
also provides the background for understanding the needs and motivations addressed during their definition.
4.2 Process for using integrity levels
A risk-based approach is used within this part of ISO/IEC 15026 to determine the integrity level assigned to
the system or product. From this system or product integrity level, integrity levels are derived for elements of
the system or product. Figure 1 shows an overview of the activities required to use integrity levels. Inputs and
outputs for each activity are shown in Table A.1 in Annex A. In addition to the main feedback loops shown in
Figure 1, feedback can occur among all these activities.
NOTE 1 ISO/IEC 16085:2006 defines “risk” as “The combination of the probability of an event and its consequence.”
In this part of ISO/IEC 15026, a system is assumed to have the following structure in order to introduce the process for
assigning an integrity level to a system. First, a system has several interfaces, each of which is a boundary
between the system and its environment. Any influence on the system and from the system is represented by
this concept, e.g., operations by users, interactions with other systems, and attacks by malicious persons.
A system consists of system elements, which are units associated with an integrity level for purposes of this
part of ISO/IEC 15026. Several ways exist to choose what parts of the system are system elements.
Decomposing a system into elements is accomplished before or during the assignment of integrity levels
described in this part of ISO/IEC 15026. A system element can be seen as a system and thus a system-
element relation can be found at each layer of system decomposition.
NOTE 2 A “system element” is sometimes referred to as an “element” if the context is understood.


Figure 1 — Overview of activities for integrity level determination
In order to determine the system or product integrity level, a risk criterion measure for the target system is
established to determine which factor (i.e., event, condition of the system, situation of the environment, etc.) is
considered as a risk. Based on the criterion, risks related to the system or product are analyzed and evaluated
to establish limitations on the timing and occurrence of adverse consequences and the conditions that lead to
them. These limitations are preferably established by limiting the occurrence of the initiating events for these
conditions. Once these limitations are established, limitations on behaviours of the system or product are
derived that, if met, would meet the limitations on adverse consequences, conditions, and initiating events
within limitations on allowable uncertainties.
NOTE 3 As it is the more common context in which integrity levels are used, this part of ISO/IEC 15026 speaks in
terms of limiting losses (e.g. adverse consequences, dangers, or risks) but is equally applicable in terms of achieving
benefits.
NOTE 4 An “adverse consequence” is a consequence associated with a loss.
NOTE 5 The phrase “initiating event” and related concepts are explained in ISO/IEC TR 15026-1.
For systems with behaviours that can lead to adverse consequences, limitations on the values of the
properties reflect the required limitations on the occurrence, timing, and/or allowable uncertainties regarding
these behaviours. For example, for systems, products, or their elements that perform a mitigating function, the
properties of interest include their being invoked reliably and the availability and reliability of their services.
To assign an integrity level to a system, product, or element is in effect to assign integrity levels to the system,
product, or element interfaces related to the consequences of interest. Different behaviours of the system or
product can result in different severities of risk as can behaviours associated with each external interface, e.g.,
as a result of interfacing with different entities. The same is true for interfaces between internal system
elements.
NOTE 6 Different integrity levels may be assigned to different interfaces. External interfaces of a system or product are
accessible on its boundary and are implemented by the system or product elements. Likewise, integrity levels can be
assigned to an element of an external system upon which the system or product depends and mechanisms connecting
external system elements.
NOTE 7 In this part of ISO/IEC 15026, elements of external systems upon which the system or product depends are
sometimes referred to more briefly as “external elements” and included when “elements” are referred to unless otherwise
indicated. “External elements” include external services and external mechanisms for connection or service delivery.
The integrity levels for internal elements as well as for external elements upon which the system or product
integrity level(s) depend derive from the integrity levels assigned to system or product interfaces. Each
integrity level has a corresponding set of integrity level requirements that must be met regarding the system
and related aspects and activities as well as regarding related evidence. This evidence is obtained in order to
justify that the integrity levels are met within allowable uncertainty.
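As an added illustration, not part of the standard and not Annex B's example, the following Python models the flow that 4.2 describes: a risk criterion maps each evaluated risk to the level that the interface it is reached through must show, the system level follows from the interface levels, and element levels, external elements included, are derived from the interfaces an element implements and from the elements that depend on it. The four labels IL0 to IL3, the likelihood/severity matrix, the "highest level wins" propagation rule and the sample system are all assumptions made for this example; the standard prescribes none of them.

```python
from dataclasses import dataclass

# Assumed ordered label set, lowest to highest stringency. The standard prescribes
# no particular set of levels; these labels and the mapping below are illustrative.
LEVELS = ["IL0", "IL1", "IL2", "IL3"]
RANK = {label: i for i, label in enumerate(LEVELS)}

# Assumed risk criterion (8.2.2): the likelihood class and severity class of an
# adverse consequence decide the level the interface it is reached through must show.
RISK_MATRIX = {
    ("remote", "minor"): "IL0",     ("remote", "major"): "IL1",     ("remote", "catastrophic"): "IL2",
    ("occasional", "minor"): "IL1", ("occasional", "major"): "IL2", ("occasional", "catastrophic"): "IL3",
    ("frequent", "minor"): "IL2",   ("frequent", "major"): "IL3",   ("frequent", "catastrophic"): "IL3",
}


@dataclass(frozen=True)
class Risk:
    """One evaluated risk: an initiating event at an external interface, classified
    by likelihood and severity during risk analysis (8.2.3)."""
    interface: str
    initiating_event: str
    likelihood: str
    severity: str


def higher(a: str, b: str) -> str:
    """The more stringent of two level labels."""
    return a if RANK[a] >= RANK[b] else b


def interface_levels(risks: list) -> dict:
    """Each interface carries the highest level demanded by any risk reached through it."""
    levels = {}
    for r in risks:
        demanded = RISK_MATRIX[(r.likelihood, r.severity)]
        levels[r.interface] = higher(levels.get(r.interface, LEVELS[0]), demanded)
    return levels


def system_level(iface_levels: dict) -> str:
    """Assumed rule: the system or product level is the highest level of its interfaces."""
    level = LEVELS[0]
    for lvl in iface_levels.values():
        level = higher(level, lvl)
    return level


def _check_acyclic(depends_on: dict, node: str, path: tuple = ()) -> None:
    """Reject dependency cycles; 9.5.1 treats cycles and recursion as a special case."""
    if node in path:
        raise ValueError(f"dependency cycle through {node!r}")
    for dep in depends_on.get(node, []):
        _check_acyclic(depends_on, dep, path + (node,))


def element_levels(iface_levels: dict, implements: dict, depends_on: dict) -> dict:
    """Derive element levels from interface levels (4.2).

    implements: element -> external interfaces whose behaviour it implements.
    depends_on: element -> elements, internal or external (a vendor library, an HSM),
                whose failure can fail that element's behaviour.
    Assumed propagation rule: an element carries the highest level of every interface
    it implements and of every element depending on it, so a shared dependency is
    shown to the level of its most critical user.
    """
    for node in depends_on:
        _check_acyclic(depends_on, node)
    nodes = set(implements) | set(depends_on) | {d for deps in depends_on.values() for d in deps}
    levels = {n: LEVELS[0] for n in nodes}
    for element, ifaces in implements.items():
        for iface in ifaces:
            levels[element] = higher(levels[element], iface_levels.get(iface, LEVELS[0]))
    changed = True
    while changed:  # push levels down the dependency graph to a fixpoint (a DAG, so it terminates)
        changed = False
        for element, deps in depends_on.items():
            for dep in deps:
                if RANK[levels[element]] > RANK[levels[dep]]:
                    levels[dep] = levels[element]
                    changed = True
    return levels


# Constructed sample (not from the standard): a service with three external interfaces,
# three internal elements implementing them, a shared internal "authz" element and two
# external elements, "hsm" and "parser_lib".
SAMPLE_RISKS = [
    Risk("public_api", "forged request bypasses authorisation", "occasional", "catastrophic"),
    Risk("public_api", "malformed request crashes one worker", "frequent", "minor"),
    Risk("operator_console", "operator issues a wrong command", "remote", "catastrophic"),
    Risk("vendor_feed", "stale feed delays a report", "remote", "minor"),
]
SAMPLE_IMPLEMENTS = {"gateway": ["public_api"], "ui": ["operator_console"], "ingest": ["vendor_feed"]}
SAMPLE_DEPENDS_ON = {"gateway": ["authz"], "ui": ["authz"], "authz": ["hsm"], "ingest": ["parser_lib"]}

if __name__ == "__main__":
    ifaces = interface_levels(SAMPLE_RISKS)
    print("system level:", system_level(ifaces))
    for element, level in sorted(element_levels(ifaces, SAMPLE_IMPLEMENTS, SAMPLE_DEPENDS_ON).items()):
        print(f"{element:12} {level}")
```

Run on the sample, the system comes out at IL3; gateway, authz and the external hsm are at IL3, ui at IL2, and ingest and parser_lib at IL0. The shared authorisation element and the hardware behind it are pulled up to the level of the most critical interface they sit behind, which is the dependence the last paragraph of 4.2 describes. A dependency cycle raises ValueError instead of being resolved silently, since 9.5.1 singles out cycles and recursion for their own treatment.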
5 Using this Part 3
5.1 Uses of this part of ISO/IEC 15026
The intended uses of this part of ISO/IEC 15026 are for the definition of an integrity level or a set of integrity
levels, the use of integrity levels during the system or product life cycle, and the assignment of integrity levels
to a system or product and its elements. Integrity levels are used most commonly during design,
implementation, verification, and maintenance processes in order to assure the system or product has
property values that limit related risks during operations, e.g., a certain degree of reliability.
NOTE 1 The term “design” in this part of ISO/IEC 15026 includes designs from all the system or software life-cycle
processes, e.g., architectural design in ISO/IEC 15288:2008 and system architectural design, software architectural
design, and software detailed design in ISO/IEC 12207:2008.
NOTE 2 If this part of ISO/IEC 15026 is applied to software only, the system integrity level and the integrity levels of the
non-software elements are only required in order to determine the integrity levels of the software elements.
Although the definition, determination
...
