SIST EN ISO/IEC 19896-3:2023

SLOVENSKI STANDARD
oSIST prEN ISO/IEC 19896-3:2022
01-november-2022
IT varnostne tehnike - Zahteve za usposobljenost za preskuševalce in ocenjevalce
informacijske varnosti - 3. del: Zahteve glede znanja, veščin in učinkovitosti za
ocenjevalce ISO/IEC 15408 (ISO/IEC 19896-3:2018)
IT security techniques - Competence requirements for information security testers and
evaluators - Part 3: Knowledge, skills and effectiveness requirements for ISO/IEC 15408
evaluators (ISO/IEC 19896-3:2018)
IT-Sicherheitstechniken - Kompetenzanforderungen an Tester und Evaluatoren von
Informationssicherheit - Teil 3: Anforderungen an die Kenntnisse, Fähigkeiten und
Effektivität von Evaluatoren nach ISO/IEC 15408 (ISO/IEC 19896‑3:2018)
Techniques de sécurité IT - Exigences en matière de compétences des spécialistes en
tests et évaluations de la sécurité de l'information - Partie 3: Exigences en matière de
connaissances, compétences et efficacité des spécialistes en évaluations ISO/IEC
15408 (ISO/IEC 19896-3:2018)
Ta slovenski standard je istoveten z: prEN ISO/IEC 19896-3
ICS:
03.100.30 Vodenje ljudi Management of human
resources
35.030 Informacijska varnost IT Security
oSIST prEN ISO/IEC 19896-3:2022 en,fr,de
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------
oSIST prEN ISO/IEC 19896-3:2022

---------------------- Page: 2 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
INTERNATIONAL ISO/IEC
STANDARD 19896-3
First edition
2018-08
IT security techniques — Competence
requirements for information security
testers and evaluators —
Part 3:
Knowledge, skills and effectiveness
requirements for ISO/IEC 15408
evaluators
Techniques de sécurité IT — Exigences en matière de compétences des
spécialistes en tests et évaluations de la sécurité de l'information —
Partie 3: Exigences en matière de connaissances, compétences et
efficacité des spécialistes en évaluations ISO/IEC 15408
Reference number
ISO/IEC 19896-3:2018(E)
©
ISO/IEC 2018

---------------------- Page: 3 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO/IEC 2018 – All rights reserved

---------------------- Page: 4 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Knowledge . 2
4.1 General . 2
4.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045 . 2
4.2.1 ISO/IEC 15408-1 . 2
4.2.2 ISO/IEC 15408-2 . 2
4.2.3 ISO/IEC 15408-3 . 2
4.2.4 ISO/IEC 18045 . 3
4.3 Knowledge of the assurance paradigm . 3
4.3.1 Knowledge of the evaluation authority . 3
4.3.2 Knowledge of the evaluation scheme . 3
4.3.3 Knowledge of the laboratory and it’s management system . 4
4.4 Knowledge of information security . 4
4.5 Knowledge of the technology being evaluated . 5
4.5.1 Knowledge of the technology being evaluated . 5
4.5.2 Protection Profiles, packages and supporting documents . 5
4.6 Knowledge required for specific assurance classes . 5
4.7 Knowledge required when evaluating specific security functional requirements. 6
4.8 Knowledge needed when evaluating specific technologies . 6
5 Skills . 6
5.1 Basic evaluation skills . 6
5.1.1 Evaluation methods . . 6
5.1.2 Evaluation tools . 6
5.2 Core evaluation skills given in ISO/IEC 15408-3 and ISO/IEC 18045 . 7
5.2.1 Evaluation principles . 7
5.2.2 Evaluation methods and activities. 7
5.3 Skills required when evaluating specific security assurance classes. 8
5.3.1 General. 8
5.3.2 ADV (Development) Class . 8
5.3.3 AGD (Guidance Documents) Class . 9
5.3.4 ALC (Life-Cycle Support) Class . 9
5.3.5 ASE and APE (ST and PP evaluation) Classes . .10
5.3.6 ATE (Tests) Class . .10
5.3.7 AVA (Vulnerability Assessment) Class .11
5.3.8 ACO (Composition) Class .12
5.4 Skills required when evaluating specific security functional requirement classes .12
5.4.1 General.12
5.4.2 Skills required when evaluating the FCS (Cryptographic support) Class .13
5.5 Skills needed when evaluating specific technologies .13
6 Experience.13
7 Education .13
8 Effectiveness .14
8.1 General .14
8.2 Effectiveness of the evaluation .14
8.3 Evaluation scheme responsibilities for evaluator effectiveness.14
8.4 Effectiveness in performing timely evaluations .14
8.5 Effectiveness in performing accurate evaluations.14
© ISO/IEC 2018 – All rights reserved iii

---------------------- Page: 5 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

8.6 Effectiveness in reporting results .14
Annex A (informative) Technology types: Knowledge and skills .15
Annex B (informative) Examples of knowledge required for evaluating security assurance
requirement classes .20
Annex C (informative) Examples of knowledge required for evaluating security functional
requirement classes .27
Bibliography .30
iv © ISO/IEC 2018 – All rights reserved

---------------------- Page: 6 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www .iso .org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www .iso .org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the
World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www .iso
.org/iso/foreword .html.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques.
A list of all parts in the ISO/IEC 19896 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www .iso .org/members .html.
© ISO/IEC 2018 – All rights reserved v

---------------------- Page: 7 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security
evaluations. It does so by providing a common set of requirements for the security functionality of IT
products and for assurance measures applied to these IT products during a security evaluation. Many
certification and evaluation schemes as well as evaluation authorities have been developed using the
ISO/IEC 15408 series and ISO/IEC 18045 as a basis, which permits comparability between the results
of evaluation projects.
One important factor in assuring comparability of the results of such evaluations is to understand
that the evaluation process includes the specification of both objective and subjective assurance
measures. Hence, the competence of the individual evaluators is important when the comparability and
repeatability of evaluation results are the foundation for mutual recognition.
ISO/IEC 17025, provides general requirements for the competence of testing and calibration
laboratories. In ISO/IEC 17025:2017, 5.2.1, it is stated that "Personnel performing specific tasks shall be
qualified on the basis of appropriate education, training, experience and/or demonstrated skills".
This document establishes a baseline for the minimum competence of ISO/IEC 15408 evaluators
with the goal of establishing conformity in the requirements for the training of ISO/IEC 15408
evaluator professionals associated with IT product evaluation schemes and authorities. It provides
the specialized requirements to demonstrate the competence of individuals in performing IT product
security evaluations in accordance with ISO/IEC 15408 (all parts) and ISO/IEC 18045. ISO/IEC 15408-
1 describes the general framework for competences including the various elements of competence;
knowledge, skills, experience, education and effectiveness. This document includes knowledge and
skills especially in the following areas.
— Information security
Knowledge: Information security principles, information security properties, information security
threats and vulnerabilities
Skills: Understand information security requirements, understand the context
— Information security evaluation
Knowledge: Knowledge of ISO/IEC 15408 (all parts) and ISO/IEC 18045, laboratory
management system
Skills: Basic evaluation skills, core evaluation skills, skills required when evaluating specific
security assurance classes, skills required when evaluating specific security functional
requirements classes
— Information systems architecture
Knowledge: Technology being evaluated
Skills: Understand the interaction of security components and information
— Information security testing
Knowledge: Information security testing techniques, information security testing tools, product
development lifecycle, test types
Skills: Create and manage an information security test plan, design information security tests,
prepare and conduct information security tests
The audience for this document includes validation and certification authorities, testing laboratory
accreditation bodies, evaluation schemes, laboratories, evaluators and organizations offering
professional credentialing.
vi © ISO/IEC 2018 – All rights reserved

---------------------- Page: 8 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
INTERNATIONAL STANDARD ISO/IEC 19896-3:2018(E)
IT security techniques — Competence requirements for
information security testers and evaluators —
Part 3:
Knowledge, skills and effectiveness requirements for ISO/
IEC 15408 evaluators
1 Scope
This document provides the specialized requirements to demonstrate competence of individuals
in performing IT product security evaluations in accordance with ISO/IEC 15408 (all parts) and
ISO/IEC 18045.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 19896-1, IT security techniques — Competence requirements for information security testers and
evaluators — Part 1: Introduction, concepts and general requirements
ISO/IEC 15408 (all parts), Information technology — Security techniques — Evaluation criteria for IT
security
ISO/IEC 18045, Information technology — Security techniques — Methodology for IT security evaluation
ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 19896-1, ISO/IEC 15408-
1, ISO/IEC 17025, ISO/IEC 18045 and the following apply.
ISO and IEC maintain terminological databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https: //www .iso .org/obp
— IEC Electropedia: available at http: //www .electropedia .org/
3.1
evaluation scheme
organization implementing policies and a set of rules established by an evaluation authority, defining
the evaluation environment, including criteria and methodology required to conduct IT security
evaluations
3.2
subjective method
method based on a given person's experience, and understanding
© ISO/IEC 2018 – All rights reserved 1

---------------------- Page: 9 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

4 Knowledge
4.1 General
Knowledge is what an evaluator knows and can describe. Subclauses 4.2 to 4.8 address the knowledge
that is needed for evaluation to ISO/IEC 15408 (all parts) and ISO/IEC 18045.
4.2 Knowledge of ISO/IEC 15408 and ISO/IEC 18045
4.2.1 ISO/IEC 15408-1
All evaluators shall have knowledge of:
a) the terms and definitions defined in ISO/IEC 15408-1;
b) the terms and definitions defined in ISO/IEC 18045;
c) the context for ISO/IEC 15408 evaluations;
d) the general model for the ISO/IEC 15408 series given in ISO/IEC 15408-1;
e) tailoring security requirements: operations, dependencies between components and extended
components;
f) protection profiles and packages;
g) evaluation results; and
h) the specification of security targets.
4.2.2 ISO/IEC 15408-2
All evaluators shall have knowledge of those security functional requirements (SFRs) of ISO/IEC 15408-
2 which are used for the technology types the evaluator is authorized to work with, as well as any
dependent SFRs. The classes of SFRs given in ISO/IEC 15408-2 are:
a) security audit (FAU);
b) communication (FCO);
c) cryptographic support (FCS);
d) user data protection (FDP);
e) identification and authentication (FIA);
f) security management (FMT);
g) privacy (FPR);
h) protection of the target of evaluation security functions (FPT);
i) resource utilisation (FRU);
j) target of evaluation access (FTA); and
k) trusted path/channels (FTP).
4.2.3 ISO/IEC 15408-3
All evaluators shall have knowledge of the security assurance requirements (SARs) given in ISO/
IEC 15408-3 which are specified by Security Targets (ST) that the evaluator is authorized to work with.
2 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 10 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

The knowledge of particular SAR components shall include those to which the evaluator is authorized
to work at. The classes of SARs given in ISO/IEC 15408-3 are:
a) development (ADV);
b) guidance documentation (AGD);
c) life-cycle support (ALC);
d) security target structure (ASE);
e) protection profile structure (APE);
f) tests (ATE);
g) vulnerability assessment (AVA); and
h) composition (ACO).
4.2.4 ISO/IEC 18045
All evaluators shall have knowledge of:
a) the evaluation process: this process is described in ISO/IEC 18045:2008, Clause 8; and
b) security evaluation method and activities: this information is given in ISO/IEC 18045.
4.3 Knowledge of the assurance paradigm
4.3.1 Knowledge of the evaluation authority
All evaluators shall have knowledge of the requirements of the evaluation authority or evaluation
authorities that are applicable to the evaluation schemes for which they are authorized to work.
NOTE Examples of such evaluation authorities include "Common Criteria Recognition Agreement (CCRA)"
and the "Senior Officials Group Information Systems Security (SOG-IS)".
Requirements from evaluation authorities can include topics such as:
a) the scope of the evaluation authority;
b) recognition arrangements;
c) evaluation authority policies;
d) guidance to evaluation schemes, validators and evaluators;
e) interpretations;
f) supporting documents;
g) knowledge of related standards; and
h) quality requirements.
4.3.2 Knowledge of the evaluation scheme
Evaluation schemes typically define operational aspects such as policies, and procedures that are
specific to the evaluation scheme. Such items are often based on the scope of the evaluation scheme.
All evaluators shall have knowledge of:
a) The requirements of the evaluation scheme or schemes for which they are authorized to work;
© ISO/IEC 2018 – All rights reserved 3

---------------------- Page: 11 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

EXAMPLE
— any sector specific policies, regulations and legislation;
— laboratory approval requirements for the evaluation scheme;
— evaluation scheme policies in regard to evaluation projects including entry criteria, time limits, report
requirements, site visit requirements;
— guidance to validators and evaluators;
— evaluation scheme specific interpretations;
— evaluation scheme specific guidance;
— approved protection profiles and their supporting documents;
— evaluation scheme specific assurance methods and activities; and
— reporting requirements.
b) the competence requirements of the evaluation scheme for evaluators.
NOTE See ISO/IEC 18045:2008, A.5 for guidance to evaluation schemes on this topic.
4.3.3 Knowledge of the laboratory and it’s management system
All evaluators shall have knowledge of:
a) the laboratory’s management system, including policies, processes and procedures that are
applicable to evaluators;
b) laboratory approved methods; and
c) laboratory competence requirements.
NOTE Management systems vary greatly in their implementations. However, items such as document
control, record control, control of nonconforming testing and/or calibration work, handling of technical records,
and conflict of interest are often the direct responsibility of evaluators. Most laboratory management systems
are based on ISO/IEC 17025.
4.4 Knowledge of information security
All evaluators shall have knowledge of:
a) security principles;
b) security properties;
c) mechanisms of attack;
d) concepts of attack potential;
e) secure development life cycles;
f) security testing; and
g) vulnerabilities and weaknesses.
4 © ISO/IEC 2018 – All rights reserved

---------------------- Page: 12 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

4.5 Knowledge of the technology being evaluated
4.5.1 Knowledge of the technology being evaluated
ISO/IEC 15408 (all parts) and ISO/IEC 18045 can be used in the evaluation of a wide variety of
information technologies. These technologies are often classified into various technology types by
evaluation schemes, evaluation authorities or others.
All evaluators shall have knowledge of the information technology types being evaluated by them,
including the common security architectures deployed for that technology type.
NOTE Annex A provides an informative list of knowledge topics presented by commonly identified
technology types.
EXAMPLE Commonly identified technology types include:
— access control devices and systems;
— encryption, key management and PKI systems, products for digital signatures;
— databases;
— operating systems;
— network and network-related devices and systems;
— mobile devices and systems;
— multi-function devices;
— ICs, smart cards and smart-card related devices and systems;
— hardware devices;
— detection devices and systems; and
— data protection, biometric systems and devices, trusted computing.
4.5.2 Protection Profiles, packages and supporting documents
All evaluators shall have knowledge of the following, where they are applicable for the information
technology evaluated by them:
a) protection profiles, packages and any related supporting documents specified in connection with
the evaluator's work;
b) the knowledge required to meet any additional evaluation methods and assurance activities
specified as applicable to an evaluation;
c) how to determine if any interpretations or guidance in regard to protection profiles, packages and
related supporting documents have been issued and whether they are applicable to a particular
evaluation project.
4.6 Knowledge required for specific assurance classes
Evaluators need the knowledge required by the evaluation methods and activities specified for the
assurance classes for which they are authorized to work. Examples for the knowledge required by ISO/
IEC 18045 are given in Annex B.
© ISO/IEC 2018 – All rights reserved 5

---------------------- Page: 13 ----------------------
oSIST prEN ISO/IEC 19896-3:2022
ISO/IEC 19896-3:2018(E)

4.7 Knowledge required when evaluating specific security functional requirements
Evaluators shall have the knowledge required as given by the security functional requirements they
are authorized to evaluate as specified in ISO/IEC 15408-2. Examples for the knowledge required by
ISO/IEC 15408-2 are given in Annex C.
4.8 Knowledge needed when evaluating specific technologies
Since technology can vary and are continually evolving it is not possible to identify all the skills
required. Annex A provides an informative list of both knowledge and skills for many technologies. In
addition, the Bibliography gives many technology related references.
Technology related knowledge can be obtained through experience with that technology. Such
experience can be developed by:
a) participating in education in regard to the technology;
...