ISO/IEC DIS 19896-1:2024(en)
ISO/IEC JTC 1/SC 27/WG 3
Secretariat: DIN
Date: 2024-08-05
Information security, cybersecurity and privacy protection ― Requirements for the competence of IT security conformance assessment body personnel ― Part 1: Overview and concepts
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents
5.3.2 Testers and evaluators 5
5.3.3 Validators and certifiers 5
6.3 Validators and certifiers 7
7 Measurement of elements of competence 7
7.3 Recording elements of competence 8
Annex A (informative) Framework for describing competence requirements 9
A.1 Framework of testers or evaluators 9
A.2 Framework of validators or certifiers 9
Annex B (informative) Example records of experience and competence 11
Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
ISO draws attention to the possibility that the implementation of this document may involve the use of (a) patent(s). ISO takes no position concerning the evidence, validity or applicability of any claimed patent rights in respect thereof. As of the date of publication of this document, ISO had not received notice of (a) patent(s) which may be required to implement this document. However, implementers are cautioned that this may not represent the latest information, which may be obtained from the patent database available at www.iso.org/patents. ISO shall not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT), see www.iso.org/iso/foreword.html.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 19896-1), which has been technically revised.
The main changes are as follows:
— the document has been restructured;
— delete subclauses subclauses related to experience, education and effectiveness
— technical changes have been introduced; and
— add competence concepts for the validators and the certifiers.
— rewrite knowledge and skill as the remaining part of the elements of competence; knowledge, skills, experience, education and effectiveness according to CASCO’s comments.
Any feedback or questions on this document should be directed to the user’s national standards body. A complete listing of these bodies can be found at www.iso.org/members.html.
Introduction
The objective of the ISO/IEC 19896 series is to provide the fundamental concepts related to the topic of the competence of the individuals responsible for performing IT product security evaluations and conformance testing as well as those individuals performing certification and validations. The ISO/IEC 19896 series provides the framework and the specialized requirements that specify the minimum competence of individuals performing IT product security evaluations and conformance testing, certification and validation using established standards.
In pursuit of this objective, the ISO/IEC 19896 series comprises the following:
a) the terms and definitions relating to the topic of competence in IT product security evaluators and testers;
b) the fundamental concepts relating to competence in IT product security evaluations and conformance testing;
c) the minimum competence requirements for IT product security evaluators and testers to conduct IT product testing/evaluation;
d) the terms and definitions relating to the topic of competence in IT product security certifiers and validators;
e) the fundamental concepts relating to competence in IT product security certifications and validation; and
f) the minimum competence requirements for IT product security certifiers and validators to conduct IT product validation/certification.
The ISO/IEC 19896 series is of interest to:
a) information security evaluation and conformance-testing specialists;
b) information security certification bodies for evaluation;
c) information security certification bodies for conformance-testing;
d) information security evaluation and conformance-testing laboratories;
e) vendors or technology providers whose IT products can be the subject of information security assurance evaluations or conformance-testing; and
f) organizations offering professional credentials or recognitions.
The ISO/IEC 19896 series is organized in parts to address the competence of evaluation and testing professionals as follows:
In this document, the introduction and concepts provide an overview of the definitions, fundamental concepts and a general description of the framework used to communicate the competence concepts for certain specialized areas. This material is aimed at providing the fundamental knowledge necessary to use the framework presented in the other parts of the ISO/IEC 19896 series appropriately.
ISO/IEC 19896-2 describes the minimum set of competence requirements at each competency level for conformance testers and validators working with ISO/IEC 19790, ISO/IEC 24759 and associated standards.
ISO/IEC 19896-3 describes the minimum set of competence requirements at each competency level for information security evaluators and certifiers working with ISO/IEC 15408 series, ISO/IEC 18045 and associated standards.
Information security, cybersecurity and privacy protection ― Requirements for the competence of IT security conformance assessment body personnel — Part 1: Overview and concepts
1.0 Scope
This document defines terms and establishes an organized set of concepts and relationships to understand the competency requirements for information security assurance conformance-testing and evaluation specialists, thereby establishing a basis for shared understanding of the concepts and principles central to the ISO/IEC 19896 series across its user communities. It provides fundamental information to users of the ISO/IEC 19896 series.
2.0 Normative references
The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 23532 (series:2021, Information security, cybersecurity and privacy protection — Requirements for the competence of IT security testing and evaluation laboratories
3.0 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 23532-1, ISO/IEC 23532-2 and the following apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
certifier
certification body personnel assigned to perform certification activities in accordance with a given evaluation standard and associated evaluation methodology
Note 1 to entry: An example of evaluation standards is ISO/IEC 15408 series with the associated evaluation methodology given in ISO/IEC 18045.
3.2
certification body
third-party conformity assessment body operating certification schemes
Note 1 to entry: Certification body is called a validation authority in ISO/IEC 19790 and ISO/IEC 24759 and evaluation authority in ISO/IEC 15408 and ISO/IEC 18045.
3.3
certification scheme
certification system related to specified products, to which the same specified requirements, specific rules and procedures apply
3.4
competence
ability to apply knowledge and skills to achieve intended results
[SOURCE: ISO/IEC 17024:2012, 3.6]
3.5
conformance-tester
tester
individual assigned to perform test activities in accordance with a given conformance testing standard and associated testing methodology
Note 1 to entry: An example of such a standard is ISO/IEC 19790 and the testing methodology specified in ISO/IEC 24759.
3.6
evaluator
individual assigned to perform evaluations in accordance with a given evaluation standard and associated evaluation methodology
Note 1 to entry: An example of evaluation standards is ISO/IEC 15408 series with the associated evaluation methodology given in ISO/IEC 18045.
3.7
knowledge
facts, information, truths, principles or understanding acquired through experience or education
Note 1 to entry: An example of knowledge is the ability to describe the various parts of an information assurance standard.
[SOURCE: ISO/IEC TS 17027:2014, 2.56, modified — Note 1 to entry has been added.]
3.8
testing laboratory or evaluation laboratory
laboratory
organization with a management system providing evaluation or testing work in accordance with a defined set of policies and procedures and utilizing a defined methodology for testing or evaluating the security functionality of IT products
Note 1 to entry: These organizations are often given alternative names by various certification bodies. For example, IT Security Evaluation Facility (ITSEF), Common Criteria Testing Laboratory (CCTL), Commercial Evaluation Facility (CLEF).
3.9
skill
ability to perform a task or activity with a specific intended outcome acquired through education, training, experience or other means
Note 1 to entry: An example of a skill is the ability to identify and classify the risks associated with a project.
[SOURCE: ISO/IEC 17027:2014, 2.74, modified — Note 1 to entry has been added.]
3.10
validator
individual assigned to perform validation activities in accordance with a given conformance testing standard and associated testing methodology
Note 1 to entry: An example of such a standard is ISO/IEC 19790 and the testing methodology specified in ISO/IEC 24759.
4.0 Concepts
In order to support conformity in the evaluation or conformance-testing of IT security products, one factor is the competence of the individuals performing the evaluation or conformance-testing work. Despite the provision of standardized conformance-testing or evaluation methods, a minimum competence in performing the necessary activities is needed to support achieving conformity and repeatability of the results. This, in turn, supports the mutual recognition of IT product security assurance certifications and validations.
ISO/IEC 23532 series address the requirements for the competence of IT security testing and evaluation laboratories which are related to competency for the personnel that need to be met by a laboratory. These related requirements include:
— ensuring the competence of all personnel that can influence the testing or evaluation laboratory’s activities;
— defining and documenting the competence requirements for each function involved in testing evaluation laboratory activities;
— ensuring laboratory personnel have the competence to execute the activities for which they are responsible and understand the significance of and response to deviations found with regard to the testing or evaluation laboratory activities;
— having a documented process for the ongoing monitoring of personnel involved in testing or evaluation laboratory activities; and
— maintaining records of competence such as education, training, technical knowledge, skills, experience, authorizations and monitoring for all personnel involved in testing or evaluation laboratory activities.
NOTE ISO/IEC 23532 series complement and supplement the procedures and general requirements found in ISO/IEC 17025 which is specified to cover a broad range of calibration and testing laboratories and are used in the field of IT product security assurance testing and evaluation.
The requirements for bodies certifying products, processes and services which are identified in the field of IT product security assurance validation and certification are related to competency for validators or certifiers. These related requirements include:
— ensuring the competence of all personnel that can influence the certification body’s activities;
— defining and documenting the competence requirements for each function involved in the certification body’s activities;
— ensuring the personnel have the competence to execute the activities for which they are responsible and understand the significance of and response to deviations found with regard to the certification body’s activities;
— having a documented process for the ongoing monitoring of personnel involved in the certification body’s activities; and
— maintaining records of competence such as education, training, technical knowledge, skills, experience, authorizations and monitoring for all personnel involved in the certification body’s activities.
5.0 Elements of competence
5.1 Competences
In order to competently provide consistent conformance-testing and evaluation results and to support the goal of conformity in the results provided by different individuals and laboratories, it is necessary for conformance-testers and evaluators to have gained the minimum necessary knowledge and skills relevant to the target IT product security assurance standard, and to be able to perform their duties with effectiveness.
This clause defines the minimum elements of competence that are to be used by the ISO/IEC 19896 series when considering the requirements for competence in conformance-testers, evaluators, validators and/or certifiers for specific IT product security assurance standards.
Training may be provided in order to increase some elements of competence in individuals. For example, training is often performed in order to acquire or enhance existing skills or increase knowledge.
Additional elements of competence such as aptitude, enthusiasm, initiative, leadership, teamwork and willingness can be specified by laboratories or accreditation bodies.
5.1.1 Knowledge
The possession of knowledge by validators, certifiers, testers and evaluators is one of the elements of competence. The following form the basis of providing an appropriate and testable body of knowledge relevant for that product security assurance standard:
a) the relevant IT product security assurance standard;
b) any associated testing or evaluation methods;
c) any associated validation or certification methods;
d) policies and procedures of relevant certification bodies, accreditation bodies and laboratories which validators, certifiers, testers and evaluators are active in;
e) IT product architecture and design in relevant technology areas; and
f) IT product life cycles (e.g., manufacture, testing, delivery, operation and end of life).
When considering IT products, a variety of technologies can be pertinent to the scope of work of a laboratory or a certification body, and knowledge of these technologies should be considered when defining minimum competency levels. For a particular technology area, the following are important relevant knowledge classes:
a) the technology used in the design, development and deployment of the products being tested, evaluated, certified or validated;
b) the way in which the products are used or intended to be used;
c) the typical vulnerabilities and weaknesses which may occur in that technology; and
d) the domain in which the products are used or intended to be used.
Examples of technology areas include cryptography, biometrics, integrated circuits, operating systems, network devices, databases, smartcards and embedded systems. Technology areas are sometimes defined by the certification body, amongst others.
5.1.2 Skills
5.1.3 General
Skills required of laboratory and certification body personnel depend on the technology area and competency level. 5.3.2 addresses testers and evaluators. 5.3.3 addresses validators and certifiers.
5.1.4 Testers and evaluators
Typical skills for laboratory personnel (testers and evaluators) include:
a) understanding the scope and basis of an evaluation or a conformance-testing project;
b) understanding the boundaries of the implementation under test or the target of evaluation;
c) being able to select or adapt an appropriate evaluation or testing method;
d) performing documentation analysis;
e) understanding the source code, schematics and base components used in specifying and implementing products;
f) developing and performing functional and non-functional testing;
g) determining if test conditions are within stated parameters to allow for repeatable testing;
h) calibrating and using testing tools;
i) Prioritizing the test items and procedures for more efficient, effective and faster results;
j) interpreting the test results;
k) defining test/evaluation approaches and gathering results with a focus on sufficiency for the intended test/evaluation statement;
l) being able to write understandable reports detailing the results of their work;
m) being able to repeat a test, or replay an archived test, and obtain the same results;
n) being able to build a testing environment to achieve a proper running condition for the implementation under test; and
o) vulnerability analysis.
NOTE Vulnerability analysis is applicable depending on scheme.
Integrity, availability and confidentiality of test evidence, test results, and test records, including interpretations and test reports are ensured, therefore the use of adequate storage is expected.
At higher competency levels, communication and project management skills can also be expected.
5.1.5 Validators and certifiers
Typical skills for certification body personnel (validators and certifiers) include:
a) understanding the scope and basis of a certification or a validation project;
b) understanding the boundaries of the implementation under test or the target of evaluation;
c) being able to select or adapt appropriate certification or validation method;
d) performing documentation analysis;
e) understanding the source code, schematics and base components used in specifying and implementing products;
f) understanding the test results;
g) scrutinizing test/evaluation approach and results with a focus on sufficiency for the intended test/evaluation statement;
h) being able to write understandable reports detailing the results of their work; and
i) being able to repeat a certification or validation, or replay an archived certification or validation, and obtain the same results.
Integrity, availability and confidentiality of test evidence, test results, and test records, including interpretations and test reports are ensured, therefore the use of adequate storage is expected.
At higher competency levels, communication and project management skills can also be expected.
6.0 Competency levels
6.1 General
Testers, evaluators, validators and certifiers may be assigned a competency level for each specific competence area given in the other parts of the ISO/IEC 19896 series. These are described in 6.1 to 6.2 by a level number and a typical descriptor.
Competency levels for testers and evaluators are described in 6.2.1 to 6.2.3. Competency levels for validators and certifiers are described in 6.3.1 to 6.3.3. Level definitions are described in 6.2 to 6.3 by a level number may be a subset of competence levels.
6.1.1 Testers and evaluators
6.1.2 Competency level 1
— provides support for activities required by the validation or certification methods; and
— can perform validation or certification work under supervision.
6.1.3 Competency level 2
— is competent to work unsupervised in some validation or certification areas but can require supervision in a few areas;
— is able to understand the significance of and response to deviations found with regard to the certification body’s activities; and
— is able to supervise and provide mentorship in regard to the testing or evaluation work of those at Competency Level 1.
6.1.4 Competency level 3
— is competent in reviewing or consulting on all aspects of the validation or certification according to the defined standards and methods for at least one technology area;
— is competent in communicating with stakeholders including laboratories and vendors and can provide project management for a validation or certification project;
— is competent to work unsupervised in all validation/certification methods specified for the project;
— is able to understand the significance of and response to deviations found with regard to the certification body’s activities;
— is able to supervise and provide mentorship in regard to the validation or certification work of those at Competency levels 1 and 2; and
— is able to supervise and provide mentorship in regard to the validation or certification work of those at Competency Level 1.
6.2 Validators and certifiers
6.2.1 Competency Level 1
— provides support for activities required by the validation or certification methods; and
— can perform validation or certification work under supervision.
6.2.2 Competency Level 2
— is competent to work unsupervised in some validation or certification areas but can require supervision in a few areas; and
— is able to understand the significance of and response to deviations found with regard to the certification body’s activities.
6.2.3 Competency Level 3
— is competent in reviewing or consulting on all aspects of the validation or certification according to the defined standards and methods for at least one technology area;
— is competent in communicating with stakeholders including laboratories and vendors and can provide project management for a validation or certification project;
— is competent to work unsupervised in all validation/certification methods specified for the project;
— is able to understand the significance of and response to deviations found with regard to the certification body’s activities; and
— is able to supervise and provide mentorship in regard to the validation or certification work of those at Competency Levels 1 and 2.
7.0 Measurement of elements of competence
7.1 Knowledge
The knowledge areas defined in the ISO/IEC 19896 series provide, for each IT product security assurance standard, a body of knowledge that is measurable. Such evidences of knowledge can include professional qualifications gained through third parties or through testing developed and performed by certification bodies or the laboratory itself.
7.1.1 Skills
Various skills are required for validators, certifiers, testers and evaluators of IT security products, which are presented in the subsequent parts of the ISO/IEC 19896 series. These skills should be measured.
Examples of methods for measurement of skills for testers and evaluators include:
— aspects of the laboratories proficiency-testing programme performed as part of the requirements for conformance to ISO/IEC 23532;
— the use of training records, maintained in accordance with ISO/IEC 23532, in the specification of measures of training effectiveness, which, in turn, can demonstrate the mastery of a skill; and
— feedback from other personnel already deemed competent in a skill.
Examples of methods for measurement of skills for validators and certifiers include:
— aspects of the bodies proficiency-certifying programme performed as part of the requirements for certification body;
— the use of training records, maintained in accordance with the requirements for certification body, in the specification of measures of training effectiveness, which, in turn, can demonstrate the mastery of a skill;
— professional certifications in regard to particular skills; and
— feedback from other personnel already deemed competent in a skill.
7.1.2 Recording elements of competence
ISO/IEC 23532 series require that records of competence for testers or evaluators are maintained by a laboratory. Records of competence for validators or certifiers are maintained by a certification body. Annexes A and B provide example frameworks for recording this information.
(informative)
Framework for describing competence requirements- Framework of testers or evaluators
Table A.1 describes a structure that can be used by laboratories to define specific competency requirements using the criteria of knowledge and skills for each competency level. The information in the tables captures the guideline defined in Clause 7 as well as any other requirements defined by 19896-2, 19896-3, the laboratory, or the certification scheme.
ISO/IEC 19896-2 and ISO/IEC 19896-3 provide the specific competence criteria for ISO/IEC 19790 testers and ISO/IEC 15408 series evaluators that can be used in completing the tables.
Table A.1 — Competence requirements record for testers or evaluators
Competency Level: | |
Knowledge area name | Skill name |
|
|
|
|
Knowledge area description | Skill description |
|
|
|
|
|
|
|
|
- Framework of validators or certifiers
Table A.2 describes a structure that can be used by certification body to define specific competency requirements using the criteria of knowledge and skills. The information in the tables captures the guideline defined in Clause 7 as well as any other requirements defined by 19896-2, 19896-3, the laboratory, or the certification scheme.
ISO/IEC 19896-2 and ISO/IEC 19896-3 provide the specific competence criteria for ISO/IEC 19790 validator and ISO/IEC 15408 series certifiers that can be used in completing the tables.
Table A.2 — Competence requirements record for validators or certifiers
Competency Level: | |
Knowledge area name | Skill name |
|
|
|
|
Knowledge area description | Skill description |
|
|
|
|
|
|
|
|
(informative)
Example records of experience and competence
Table B.1 provides an example structure for recording the experience gained by an ISO/IEC 15408 series certifier or evaluator or ISO/IEC 19790 validator or tester.
It is possible that subsequent parts of the ISO/IEC 19896 series identify more specific examples of records.
Laboratories or certification bodies should devise a method of indicating project complexity based on their project portfolio.
EXAMPLE “simple” and “complex” can refer to the evaluation assurance level for evaluations performed using ISO/IEC 18045, or the security level of a cryptographic module tested using ISO/IEC 24759.
Table B.1 — Example record of experience
Experience record | ||||||
|---|---|---|---|---|---|---|
Name of |
| |||||
Project ID | Project | Technical domain | Project complexity | Hours worked on project | Test/Evaluation methods performed | Supervised by /Comments (N/A is a valid answer) |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Table B.2 provides an example structure for recording the competence gained by an ISO/IEC 15408 series certifier or evaluator or ISO/IEC 19790 validator or tester.
It is possible that subsequent parts of the ISO/IEC 19896 series identify other examples of records.
Table B.2 — Example record of competence
Competence record | |||
Name of |
| ||
Project ID | Knowledge | Skills | Competency Level |
|
|
|
|
|
|
|
|
|
|
|
|
Bibliography
[1] ISO/IEC 15408 (series), Information security, cybersecurity and privacy protection — Evaluation criteria for IT security
[2] ISO/IEC 15443, Information technology — Security techniques — Security assurance framework
[3] ISO/IEC 17024, Conformity assessment — General requirements for bodies operating certification of persons
[4] ISO/IEC 17025, General requirements for the competence of testing and calibration laboratories
[5] ISO/IEC/TS 17027, Conformity assessment — Vocabulary related to competence of persons used for certification of persons
[6] ISO/IEC 18045, Information security, cybersecurity and privacy protection — Methodology for IT security evaluation
[7] ISO/IEC 19790, Information technology — Security techniques — Security requirements for cryptographic modules
[8] ISO/IEC 24759, Information technology — Security techniques — Test requirements for cryptographic modules
