What is ISO/IEC 18045?
ISO/IEC 18045 is an international standard in the field of information security, cybersecurity and privacy protection. It describes the methodology for IT security evaluation. It is intended to be used together with the ISO/IEC 15408 series, because it sets out the procedures an evaluator has to follow in order to perform an ISO/IEC 15408 series evaluation against the evaluation criteria defined within ISO/IEC 15408.
There is a direct structural correspondence between the two standards, shown in the diagram below: the assurance class, assurance component and evaluator action element of ISO/IEC 15408 map directly to the activity, sub-activity and action of ISO/IEC 18045, respectively.
How does the evaluation process work under ISO/IEC 18045?
The evaluation process under ISO/IEC 18045 consists of four evaluator tasks:
- Input task (the process of providing accurate evidence for the evaluation)
- Output task (describes the Observation Report and the Evaluation Technical Report)
- Evaluation sub-activities (these vary with the type of evaluation, i.e. PP, PP-Configuration or TOE)
- Demonstration of technical competence (achieved through the evaluation authority's analysis of the output task results; the associated verdict is not an evaluator verdict but an evaluation authority verdict)
The evaluation process identifies the roles and responsibilities of the groups and individuals involved in it. These are the sponsor, who is responsible for requesting and supporting an evaluation; the developer, who provides the evidence needed for the evaluation; the evaluator, who conducts the evaluation tasks required for the specific evaluation; and the evaluation authority, which monitors the evaluation process and issues the certification.
The evaluator performs the evaluation input task, the evaluation output task and the evaluation sub-activities. Verdicts are assigned by the evaluator according to the ISO/IEC 15408 requirements; they are not part of the ISO/IEC 18045 standard.