ISO/IEC INTERNATIONAL STANDARD 18045 Third edition 2022-08 Information security, cybersecurity and privacy protection Evaluation criteria for IT security Methodology for IT security evaluation Sécurite de I'information, cybersécurite et protection de la vie privée - Criteres d'évaluation pour la sécurité des technologies de I'information - Methodologie pour Il'évaluation de sécurite Reference number IS0/IEC 18045:2022(E) ISO @ IS0/IEC 2022 IS0/IEC 18045:2022(E) COPYRIGHTPROTECTED DOCUMENT @IS0/IEC2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either Iso at the address below or Iso's memberbody inthe country of the requester. ISO copyright office CP 401 : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 0111 Email: [email protected] Website: www.iso.org Published in Switzerland ii IS0/IEC2022-Allrightsreserved IS0/IEC 18045:2022(E) Table of Contents LISTOFFIGURES IX LIST OF TABLES FOREWORD INTRODUCTION SCOPE 2 NORMATIVE REFERENCES. 3 TERMSANDDEFINITIONS 4 ABBREVIATED TERMS. 5 TERMINOLOGY 6 VERBUSAGE. 7 GENERAL EVALUATION GUIDANCE. 8 RELATIONSHIPBETWEEN THE IS0/IEC15408 SERIES ANDISO/IEC 18045 STRUCTURES.. 9 9.1 GENERAL.... 9.2 EVALUATION PROCESS OVERVIEW. 9.2.1 Objectives 9.2.2 Responsibilities of the roles.. 9.2.3 Relationshipofroles 9.2.4 General evaluation model 9.2.5 Evaluator verdicts.. 9.3 EVALUATION INPUT TASK.. 9.3.1 Objectives. 9.3.2 Applicationnotes. 9.3.3 Management of evaluation evidence sub-task. 10 9.4 EVALUATION SUB-ACTIVITIES. 10 9.5 EVALUATION OUTPUT TASK... 10 9.5.1 Objectives. 10 9.5.2 Managementofevaluationoutputs. 11 9.5.3 Application notes. 9.5.4 Write OR sub-task. 9.5.5 Write ETR sub-task 11 10 CLASSAPE:PROTECTION PROFILEEVALUATION 19 10.1 GENERAL. 19 10.2 RE-USING THE EVALUATION RESULTS OF CERTIFIED PPS .19 10.3 PP INTRODUCTION (APE_INT) ... .20 10.3.1 Evaluation of sub-activity (APE_INT.1) 20 10.4 CONFORMANCE CLAIMS (APE_CCL).. .21 10.4.1 Evaluation of sub-activity (APE_ CCL.1). 21 10.5 SECURITYPROBLEMDEFINITION(APE_SPD) 31 10.5.1 Evaluation of sub-activity (APE_SPD.1) 31 10.6SECURITY OBJECTIVES (APE_OB).. .32 10.6.1 Evaluationofsub-activity(APE_OBJ.1) 32 10.6.2 Evaluation of sub-activity (APE_OBJ.2) 33 10.7 EXTENDEDCOMPONENTSDEFINITION (APE_ECD) .36 10.7.1 Evaluation of sub-activity (APE_ECD.1) 36 @ IS0/IEC 2022 - All rights reserved iii IS0/IEC 18045:2022(E) 10.8 SECURITY REQUIREMENTS (APE_REQ) .40 10.8.1 Evaluation of sub-activity (APE_REQ.1) 40 10.8.2 Evaluation of sub-activity (APE_REQ.2)) 11 CLASSACE:PROTECTIONPROFILECONFIGURATIONEVALUATION 49 11.1 GENERAL.. .49 11.2 PP-MODULE INTRODUCTION (ACE_INT) .51 11.2.1 Evaluation of sub-activity (ACE_INT.1). 11.3 PP-MODULE CONFORMANCE CLAIMS (ACE_CCL) .53 11.3.1 Evaluation of sub-activity (ACE_CCL.1) .53 11.4 PP-MODULESECURITYPROBLEMDEFINITION(ACE_SPD) .58 11.4.1 Evaluation of sub-activity (ACE_SPD.1) .58 11.5 PP-MODULESECURITYOBJECTIVES(ACE_OBD) .59 11.5.1 Evaluation of sub-activity (ACE_OBJ.1). 59 11.5.2 Evaluation of sub-activity (ACE_OBJ.2) 11.6 PP-MODULEEXTENDED COMPONENTS DEFINITION (ACE_ECD) .63 11.6.1 Evaluation of sub-activity (ACE_ECD.1). 63 11.7 PP-MODULE SECURITY REQUIREMENTS (ACE_REQ) .67 11.7.1 Evaluation of sub-activity (ACE_REQ.1). ..67 11.7.2 Evaluationofsub-activity(ACE_REQ.2) 11.8 PP-MODULE CONSISTENCY(ACE_MCO). .76 11.8.1 Evaluationofsub-activity(ACE_MCO.1) .76 11.9 PP-CONFIGURATION CONSISTENCY (ACE_CCO) .79 11.9.1 Evaluation of sub-activity (ACE_CCO.1) 12 CLASSASE:SECURITYTARGETEVALUATION .87 12.1 GENERAL. .87 12.2 APPLICATIONNOTES .87 12.2.1 Re-using the evaluation results of certified PPs .87 12.3 STINTRODUCTION(ASE_INT).... 12.3.1 Evaluation of sub-activity (ASE_ INT.1) .88 12.4 CONFORMANCE CLAIMS (ASE_CCL) .9