| ISO/IEC 18045 | |
|---|---|
| Title | ISO/IEC 18045 |
| Status | Published |
| Year | 2000 |
| Organization | ISO and IEC |
| Domain | Information technology, security evaluation |
ISO/IEC 18045 is an international standard that provides guidance for the evaluation of information technology security. It sets out a methodology for assessing the security of IT products and systems in contexts involving certification, accreditation, and assurance, serving as the evaluation-methodology companion to ISO/IEC 15408 (the Common Criteria). The standard is intended to harmonize evaluation practices across international bodies and testing laboratories.
ISO/IEC 18045 establishes the procedures and criteria used by evaluation laboratories, certification bodies, and procurement authorities to perform security evaluations. It complements other international instruments by prescribing roles for testing organizations such as Common Criteria evaluation laboratories, and it aligns with practices used by bodies such as ISO, IEC, NIST, the European Union Agency for Cybersecurity, and national schemes like those in the United Kingdom, the United States, Germany, France, and Japan. Evaluation practitioners from institutions including the National Institute of Standards and Technology, the Communications Security Establishment, the Federal Office for Information Security, and Government Communications Headquarters commonly reference its methodology. The document guides interaction among stakeholders such as vendors, represented by Microsoft Corporation, IBM, Oracle Corporation, and ARM Holdings, when seeking assurance for products deployed in environments tied to United Nations procurement or NATO operations.
The scope covers the planning, execution, and reporting of security evaluations for IT products and systems. Its purpose is to ensure consistent, repeatable evaluation processes that can be relied upon by certification authorities such as Common Criteria Recognition Arrangement members and by national certification schemes in countries including Australia, Canada, South Korea, China, and India. The standard aims to reduce ambiguity for laboratories such as those accredited by the International Laboratory Accreditation Cooperation and for accreditation bodies like the International Accreditation Forum and the European co-operation for Accreditation. It supports assurance frameworks used by agencies such as European Commission directorates and by ministries responsible for procurement in states like Sweden and the Netherlands.
The standard is organized into sections that describe evaluation planning, the conduct of tests, documentation requirements, and reporting. It details tasks for roles commonly found in evaluation projects, including evaluators, test managers, and technical reviewers, paralleling organizational structures at entities such as the European Defence Agency, the U.S. Department of Defense, and corporate security teams at firms like Cisco Systems. Contents include criteria for test evidence, the configuration management expected by bodies such as the IEEE Standards Association, and procedures for vulnerability analysis that echo methods used by research groups at the Massachusetts Institute of Technology, Carnegie Mellon University, and École Polytechnique Fédérale de Lausanne. Appendices and annexes provide templated artifacts similar to the documentation formats used by International Organization for Standardization standards and by evaluation schemes in Belgium and Spain.
ISO/IEC 18045 interacts with evaluation and assurance standards and profiles, including those set out in the Common Criteria family, and it complements the technical specifications of ISO/IEC 15408 and the guidance of ISO/IEC 17025 on testing laboratory competence. It is often cited alongside management and lifecycle standards such as ISO 9001 and ISO/IEC 27001, and alongside procurement standards referenced by institutions like the World Bank and the European Investment Bank. National technical directives and certification guidance from agencies such as ANSSI, CSE, and BGA frequently reference its methodology to maintain interoperability between regional assurance regimes like the SOG-IS Memorandum and international arrangements including the Common Criteria Recognition Arrangement.
Practical implementation occurs in contexts such as product certification for enterprise software vendors like Red Hat, SAP SE, and VMware, Inc., and for hardware vendors including Intel Corporation, AMD, and ARM Holdings. Government procurement that requires evaluated assurance levels for devices in critical infrastructure projects references the standard in programs run by authorities such as the Department of Homeland Security, the Ministry of Defence (United Kingdom), and civil agencies in Norway and Finland. Use cases include the evaluation of smartcard products used by issuers like EMVCo members, secure operating system components employed by projects at the European Space Agency, and network appliances used by service providers such as AT&T, Deutsche Telekom, and Vodafone Group. Laboratories accredited under regimes like ISO/IEC 17025 apply the standard when producing evaluation evidence for certification authorities.
Development of the standard was coordinated through the joint technical committees of ISO and IEC, with contributions from national bodies including BSI, NIST, DIN, and AFNOR. Its roots trace to efforts during the 1990s to harmonize product assurance methods across schemes influenced by evaluations done under programs in the United Kingdom, Canada, and the Netherlands. Working groups included experts from academia, such as the University of Cambridge and the University of Oxford, and industry representatives from firms like Siemens and Thales Group. Amendments and national adoptions followed engagement in conferences hosted by organizations such as IFIP and standards events convened by the ITU.