The Official BSI IST/33/-/3 Home Page

Overview

IST/33/-/3 is the technical panel that advises the British Standards Institution (BSI) on proposed standards for Information Technology - Security Techniques - Evaluation Criteria for IT Security.

It reports to IST/33, the BSI Standards Committee responsible for IT security techniques. IST/33 sets policy and advises BSI how to respond on behalf of the United Kingdom on ballots on proposed European or International Standards.

Are you looking for a brief overview of Security Evaluation standardisation and the work of Panel 3?  Try this presentation (pdf format, truncated form presented at the International Standardisation Forum, Beijing, May 2009).

IST/33/-/3 is now exclusively an electronic panel; documents to be considered by members are posted to this web page whenever possible.  There are no physical meetings.  Comments are distributed and collated by E-mail.  Membership of the panel is open to anyone resident in the UK with an interest in standardisation.  Contact the Panel Convenor to join.

Under BSI rules, a voluntary charge may be made to cover the costs of running the panel.  However, no charge has been made since the panel went electronic more than ten years ago, and there are currently no plans to levy a charge, now or in the future.

The formal way to obtain information on the work of the panel, including electronic notification of new documents, is to join BSI Committee IST/33.  This also gives you the right to vote as to whether technical contributions should be put forward, and whether the UK should approve or disapprove formal drafts of standards in this area. For more information, please see the BSI Standards Getting Involved page.  It can be pretty difficult to find information on the BSI Standards web pages.  If necessary, contact the IST/33 Committee Secretary.

If you are a UK resident and interested in standardisation, you may view or download any documents from this page free of charge and formalities.  Please observe copyright where applicable.  Most Working Group documents are available without conditions; some documents may not be republished without permission from the author or (more usually) the SC 27 Secretariat.  All such documents contain a clear copyright statement.  Sometimes documents cannot be placed on the web, even for standards development purposes.  In recent years, the number of such documents has been increasing, probably due to the standard copyright wording prepared by ISO.  These documents are marked in the indexes below as "only available from the Convenor".

A major change to the procedures used to prepare Information Technology standards will be implemented from January 2011.  All draft documents will be "open access" (no restrictions or passwords required) for the first time.  This means that substantially all of the documents currently marked as "only available from the Convenor" will become downloadable.  This will significantly ease the administrative burden associated with document distribution.

The Work of IST/33/-/3

IST/33/-/3 tracks the work of an International Standards Working Group - the International Organisation for Standardisation - International Electrotechnical Commission Joint Technical Committee 1 Subcommittee 27 Working Group 3: Security Evaluation Criteria. This is commonly called "SC 27 WG 3" for short. This WG is responsible for developing standards for IT security evaluation and certification. More information is available from the Subcommittee Secretariat.

SC 27 has an official web site.

The last meeting of SC 27 WG 3 was held in Redmond, USA between 2nd and 6th November 2009.  The official meeting report is available here.  The next meeting is in Melaka, Malaysia between 19th and 23rd April 2010.  A Draft Agenda for this meeting is available here.  The Convenor of SC 27 WG 3 is Miguel Bañón from Spain and the Secretary is Bertolt Krüger from Germany.

The main task of SC 27 WG 3 (and thus IST/33/-/3) has been to produce an ISO/IEC standard corresponding to the "Common Criteria" (CC), the large and rather complex IT security evaluation criteria originally developed by Government agencies in six North American and European Union countries as a replacement for their current national or EEA criteria. The WG3 version of the Common Criteria has now been adopted as an official International Standard, ISO/IEC 15408.  The 2005 published edition can be purchased in printed form from BSI, and is also available from ISO in Geneva.  It can also be downloaded free of charge as a pdf file from http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html.  This corresponds to Version 2.3 of the Common Criteria.  Parts 2 and 3 have been updated to match Version 3.1 Release 2 of the Common Criteria, and are available in printed and pdf form for purchase from BSI and ISO as ISO/IEC 15408-2:2008 and ISO/IEC 15408-3:2008.  They are not available for free download from ISO.

Of course, Parts 2 and 3 of the Common Criteria are now at Version 3.1 Release 3.  It has been a continual problem finding the best way to update ISO/IEC 15408 to match these minor changes to the Common Criteria.  WG 3 decided in Redmond to update the 2008 versions of ISO/IEC 15408 Parts 2 and 3 through the publication of Technical Corrigenda to these Parts.  The first step of this process, the preparation of a formal Defect Report, was completed during the meeting.  Draft Technical Corrigenda now need to be prepared, and then balloted;  an editor has been appointed for this process.

A new version of Part 1 of ISO/IEC 15408 has recently been developed to match the other parts of ISO/IEC 15408:2008.  It has just been published by ISO.  A list of final corrections is available here.  For copyright reasons, the balloted text is only available from the Panel Convenor.

There is also an Evaluation Methodology Standard, ISO/IEC 18045, to match the Common Evaluation Methodology (CEM).  The version corresponding to CEM Version 2.3 was published as ISO/IEC 18045:2005, and is available for purchase from BSI or ISO or free download from ISO.  It has been updated to match CEM Version 3.1 Release 2 and published as ISO/IEC 18045:2008.  This version is not available for free download from the ISO web site.

For many years, there has been a concern in WG 3 that the ISO/IEC 15408 criteria were inadequate to evaluate certain types of security requirements, in particular functional properties that must hold for the whole of a TOE, but cannot be mapped to individual interfaces of the TOE.  A simple example would be that certain sensitive information is not retained within a TOE at all.  It is conceptually possible to prove such requirements by examination of the security architecture of the TOE, and this has been done in some evaluations.  However, it represents a misuse of the existing architectural assurance criteria, which are neither intended nor designed to be used in this way.

WG 3 held a dedicated drafting meeting to look at this specific problem, with a view to developing and submitting detailed technical solutions to both ISO and the Common Criteria Development Board.  These solutions could be radically innovative.  This meeting was held in Madrid, Spain on 12th and 13th February 2008.  The report of the meeting is available here.  The work was subsequently carried forward, and later documents are available here and here and here.  A report of the latest discussion, held during the 2009 Beijing meeting, is available here.

Recent reprioritisations within the Common Criteria Project mean that this work is unlikely to be taken forward in the foreseeable future.  However, WG 3 has recently proposed a New Project to look into a different and urgent problem associated with practical use of ISO/IEC 15408 and the Common Criteria, namely the relationship between those development and evaluation processes dealing with the analysis of potential attacks and the CAPEC public catalogue of attack patterns being developed by MITRE in the US under sponsorship from the Department of Homeland Security.  If approved, this will be an extremely useful and practical Technical Report.  More details are available in its New Work Item Proposal.  Please note the submitted version is now available.

ISO and IEC sponsor a register of Protection Profiles, although this is currently inactive.  In October 2007 a proposal from Centro Criptológico Nacional of Spain, who host the Common Criteria Portal Register, to take over the ISO Register was endorsed.  This proposal has still not officially completed the ISO approval process, and it is likely that it will be withdrawn.  The International Standard that defines the operation of this register, ISO/IEC 15292, is currently being reviewed.  See here.

For many years, WG 3 concentrated almost exclusively on evaluation criteria.  However, there has been a significant change in recent years and a number of other standards have been prepared, dealing with, for example, the security assessment of operational systems, security requirements for cryptographic modules and a framework for security evaluation and testing of biometric technologies.

WG 3 has prepared a three-part Technical Report (an official document, but not a standard) describing Security Assurance.  This is ISO/IEC TR 15443, A Framework for IT Security Assurance.  It can be purchased from ISO or through BSI.  Early drafts can be downloaded from the "Documents for Download" section of this web page.  Part 3 is due for routine review - please see here.

ISO/IEC 19790, Security Requirements for Cryptographic Modules, is closely related to American Federal Standard FIPS 140-2, but with a number of ambiguities removed and approved algorithms specified in terms of ISO standards.  It can be purchased from BSI or ISO.  The FDIS text and a list of subsequent changes are available free of charge from the Panel Convenor.  A related standard is ISO/IEC 24759, Test Requirements for Cryptographic Modules.  This can also be purchased from BSI or ISO.  The FDIS text is again available from the Panel Convenor.

A missing test has been identified in ISO/IEC 19790.  This was resolved by a Technical Corrigendum issued in 2008, adding a new subclause 7.8.2.5.   The Draft Technical Corrigendum explaining this defect is available here.

ISO/IEC 19790 is currently being revised, following the technical content of proposed FIPS 140-3.  A first Working Draft for the revision is now available, but for copyright reasons only from the Panel Convenor.  Note that the WG 3 number for the document is inconsistent - it was allocated number N1004, but its delayed circulation means that it has been assigned a new-style number N37866.  It is based upon the November 2009 draft of FIPS 140-3, which is freely available from NIST and has been contributed to the development of ISO/IEC 19790 here.

ISO/IEC TR 19791, Security Assessment of Operational Systems, is a Technical Report expanding the scope of ISO/IEC 15408 to systems evaluation, published in 2006.  It can be purchased from BSI or ISO.  The final text was circulated to SC 27 but for copyright reasons cannot be accessed from this page.  It is available from the Panel Convenor for standards development purposes.

ISO/IEC TR 19791 has been updated to make it compatible with ISO/IEC 15408:2008 and CC Version 3.1, and is currently awaiting publication.  The DTR text of the updated version is available here.

Project 19792, Security Evaluation of Biometrics, progressed more slowly, but has now been published as an International Standard.  It can be purchased from BSI or ISO.  Alternatively, the FDIS text and a list of minor corrections are available free of charge from the Panel Convenor.  Biometrics is a difficult technical area, and the commenting process exposed significant technical problems in early drafts.

WG 3 is responsible for a very popular Technical Report, TR 15446, Guide to the Production of Protection Profiles and Security Targets.  There is a separate section concerning this report later on this page.  This has recently been updated to match ISO/IEC 15408:2008.

WG 3 is also responsible for ISO/IEC 21827, Systems Security Engineering - Capability Maturity Model.  This has recently been revised and republished and is available for purchase from BSI and ISO.  It should be available for free download from ISO at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, but at present this still offers the old (2002) version.  The revised version as approved through the ISO balloting process is ISO copyright, and therefore available for standards development purposes only from the Panel Convenor, although the (original) text prepared by the editor for the ballot is available for downloading.

Project 29128, Verification of Cryptographic Protocols, is a standard under development in a new area.  Standards already exist for the specification of cryptographic algorithms, and for the implementation and test of cryptographic devices and modules.  However, there is a gap between the algorithm and its implementation in communication between entities.  There are no standards or generally accepted processes for the assessment of the protocols used in such communication, and this Project fills the gap.  This project has reached Committee Draft stage.  The text of the second CD is now available, but only from the Panel Convenor, for copyright reasons.

Project 29147, Responsible Vulnerability Disclosure, is an attempt to develop a standard for managing controlled publication of information concerning suspected defects in software products.  At the moment, there is no generally agreed process that should be followed when researchers or users identify vulnerabilities in commercial software.  Likewise, there is no consensus on how software vendors or vulnerability identification tool developers should respond to such information.  A fourth Working Draft of this Project is available, but it is already ISO copyright, and therefore only available from the Panel Convenor.

Project 29193, Secure system engineering principles and techniques, is a recently approved new Technical Report.  A second Working Draft is available, but for copyright reasons only from the Panel Convenor.

WG 3 has also renewed its study period into Tamper protection requirements and evaluation.  The report on the initial study period is available here.  There is no report covering the latest period, as no contributions were received.  A further call for contributions and potential editors is expected shortly.

Finally, WG 3 is responsible for the maintenance of ISO/IEC 11889, a new standard covering Trusted Platform Modules.  This was developed by the Trusted Computing Group (TCG), a vendor-neutral industry group with interests in trusted computing building blocks, and approved as an ISO/IEC standard through the Publicly Available Specification transposition process.  WG 3 will be working with the Trusted Computing Group in handling defect reports and error corrections relating to this standard.

SC 27 requested that the published version of ISO/IEC 11889:2009 should be downloadable from the ISO web site free of charge.  However, this request was not approved by JTC 1 when it met in October 2009 due to an oversight at the meeting.  A JTC 1 letter ballot was held to confirm there were no objections.

The Convenor of IST/33/-/3 is Mike Nash.  He can always be contacted for any further information needed on any of these topics.

ISO/IEC 15408 (Common Criteria) - 2005 Revision - Download

The 2005 published versions of ISO/IEC 15408:2005 and ISO/IEC 18045 are available for free downloading from the ITTF area of the ISO web site.  Go to http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html, and scroll down until you come to the relevant entries.  The 2008 versions are not available.

Guide for the Production of Protection Profiles and Security Targets - Download

This very useful ISO/IEC Technical Report (usually referred to as the PPST Guide) on preparing Protection Profiles and Security Targets has been revised to bring it into line with modern methods of preparing for evaluation and the recent changes to the evaluation criteria, and can be purchased from ISO or National Bodies.  It contains guidance and advice that anyone faced with the task of producing a CC or ISO/IEC 15408 Protection Profile or Security Target for the first time will find useful.  The previous version, matching ISO/IEC 15408:1999 and Common Criteria Version 2.3, is available for free - and legal - downloading from the ITTF web site.  Look for entry TR 15446 at http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html.  Due to changes in the policy concerning no-cost availability of standards, it is very unlikely that the published version of TR 15446:2009 will ever be available for free downloading.  If you want to buy it, it is available from BSI at a list price of £180.00.  The ISBN is 978 0 580 56212 9.

You can download the final draft of the revised version here.  This is a complete document - despite the warnings on the cover sheet!  Only minor changes were made before final publication.  You can find a list of these here.

Other WG3 Projects - Download Availability

It is regretted that the official text for ISO/IEC TR 15443-1, A Framework for IT Security Assurance, Part 1 - Overview and Framework cannot be posted here as its copyright has been transferred to ISO/IEC.  Document SC27 N3987 contains the final Editor's Report and is available here.

It is regretted that the official text for ISO/IEC TR 15443-2, A Framework for IT Security Assurance, Part 2 - Assurance Methods cannot be posted here as its copyright has been transferred to ISO/IEC, and unfortunately no record of changes from the Draft Technical Report text is available.

It is regretted that the official text for ISO/IEC TR 15443-3, A Framework for IT Security Assurance, Part 3 - Analysis of Assurance Methods cannot be posted here as its copyright has been transferred to ISO/IEC, and unfortunately no record of changes from the PDTR text is available.

It is regretted that the final text submitted for publication for ISO/IEC 19790, Security Requirements for Cryptographic Modules, cannot be posted on this open-access web page due to ISO copyright restrictions.  The balloted text and a list of subsequent changes are available from the Panel Convenor.

The final draft version of ISO/IEC TR 19791, Security Assessment of Operational Systems is available for download here.

Other published and latest draft versions of WG3 Standards and Technical Reports cannot be posted on this open-access web page due to ISO copyright restrictions.

Documents Available for Download

Latest versions of documents that are available for immediate download are listed below.  All documents are in pdf format.

SC 27 WG 3 Working Group Documents - Download List

Most WG 3 documents other than actual drafts of standards can be downloaded for private use and those issued in the last two meeting cycles are listed below.  All documents are in pdf format.  Please do check with the author or SC 27 secretariat before using them for other purposes.  Older documents are available from the Panel Convenor.

Note that the use of consecutive Working Group numbers has now been abandoned.  Working Group numbers are likely to disappear completely as part of the changes to JTC 1 procedures proposed for April 2010.  Recent documents are referenced by their SC 27 number.

Other Information

The International CC Project has its own web site at http://www.commoncriteriaportal.org/.  This provides access to free copies of the current versions of the Common Criteria and Common Evaluation Methodology, an archive of older versions and interpretations, a discussion forum, and lots more.  You can download the latest version of the Common Criteria, CC Version 3.1, from here.


Web space kindly donated by Gamma Secure Systems Limited


BSI IST 33/-/3 pages maintained by webmaster@gammassl.co.uk

Last updated: 03 March 2010