
Information service

35.030 IT Security
New standards
ISO/IEC 18045:2026
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Requirements and methodology for IT security evaluation
Scope: This document specifies requirements and the minimum actions performed by an evaluator in order to conduct an evaluation using the criteria and evaluation evidence defined in the ISO/IEC 15408 series evaluation.
Base documents:
ISO/IEC 15408-4:2026
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
Scope: This document specifies requirements and a standardized framework for specifying objective, repeatable and reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation activities. These aspects are a matter for those originating the evaluation methods and evaluation activities in their particular area of interest.
Base documents:
ISO/IEC 15408-3:2026
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
Scope: This document specifies the security assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
Base documents:
ISO/IEC 15408-2:2026
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
Scope: This document specifies requirements for the required structure and content of security functional components for use during a security evaluation. It includes a catalogue of functional components that meet the common security functionality requirements of many IT products.
Base documents:
ISO/IEC 15408-1:2026
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
Scope: This document establishes the general concepts and principles of information technology (IT) security evaluation. It specifies the general model of evaluation given in this document, which in its entirety is intended to be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series, i.e. it:
— defines the terms and abbreviations used in all parts of the series;
— establishes the core concept of a Target of Evaluation (TOE);
— describes the evaluation context; and
— describes the audience to which the evaluation criteria are addressed.

Additionally, this document introduces the basic security concepts necessary for the evaluation of IT products.
Base documents:
ISO/IEC 25831-2:2026
Information technology — OpenID identity assurance 1.0 — Part 2: Schema definition
Scope: This document defines the schema of JSON objects used to describe identity assurance relating to a natural person. It consists of the definition of a new claim called verified_claims that will be registered with the IANA "JSON Web Token Claims Registry" established by [RFC 7519]. As part of the definition of the verified_claims claim there is also an element defined called verification that provides a flexible container for identity assurance metadata. It is anticipated that the verification element may be used by other spec authors and implementers where the verification metadata is needed independently of the end-user verified claims.
Base documents:
ISO/IEC 25831-1:2026
Information technology — OpenID identity assurance 1.0 — Part 1: General
Scope: This document is a definition of the technical mechanism to allow a relying party to request one or more verified claims about the end-user and to enable an OpenID provider to provide a relying party with a verified claim ("the tools").
Additional facets needed to deploy a complete solution for identity assurance, such as legal aspects (including liability), trust frameworks, or commercial agreements are out of scope. It is up to the particular deployment to complement the technical solution based on this document with the respective definitions ("the rules").
Note: Although such aspects are out of scope, the aim of the specification is to enable implementations of the technical mechanism to be flexible enough to fulfill different legal and commercial requirements in jurisdictions around the world. Consequently, such requirements will be discussed in this document as examples.
Base documents:
Replaced standards
ISO/IEC 15408-4:2022
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
Scope: This document provides a standardized framework for specifying objective, repeatable and reproducible evaluation methods and evaluation activities.
This document does not specify how to evaluate, adopt, or maintain evaluation methods and evaluation activities. These aspects are a matter for those originating the evaluation methods and evaluation activities in their particular area of interest.
Base documents:
ISO/IEC 15408-3:2022
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
Scope: This document defines the assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs).
Base documents:
ISO/IEC 15408-2:2022
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
Scope: This document defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalogue of functional components that meets the common security functionality requirements of many IT products.
Base documents:
ISO/IEC 15408-1:2022
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
Scope: This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context; and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
This document introduces:
— the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408‑2 and ISO/IEC 15408‑3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408‑4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408‑5;
— information in regard to the scope of evaluation schemes.
Base documents:
ISO/IEC 18045:2022
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Methodology for IT security evaluation
Scope: This document defines the minimum actions to be performed by an evaluator in order to conduct an ISO/IEC 15408 series evaluation, using the criteria and evaluation evidence defined in the ISO/IEC 15408 series.
Base documents:
Drafts
prEN ISO/IEC 24760-3
Information security, cybersecurity and privacy protection - A framework for identity management - Part 3: Practice (ISO/IEC 24760-3:2025)
Scope: This document:
— provides requirements and guidance for the management of identity information and for ensuring that an identity management system conforms to ISO/IEC 24760-1 and ISO/IEC 24760-2;
— is applicable to any information system where information relating to identity is processed or stored;
— is considered to be a horizontal document for the following reasons:
  — it applies concepts such as distinguishing the term “identity” from the term “identifier” on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  — it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.
Base documents: ISO/IEC 24760-3:2025; prEN ISO/IEC 24760-3
prEN ISO/IEC 24760-2
Information security, cybersecurity and privacy protection - A framework for identity management - Part 2: Reference architecture and requirements (ISO/IEC 24760-2:2025)
Scope: This document:
- provides guidelines for the implementation of systems for the management of identity information;
- specifies requirements for the implementation and operation of a framework for identity management;
- is applicable to any information system where information relating to identity is processed or stored;
- is considered to be a horizontal document for the following reasons:
  - it applies concepts such as distinguishing the term "identity" from the term "identifier" on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  - it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.
Base documents: ISO/IEC 24760-2:2025; prEN ISO/IEC 24760-2
prEN ISO/IEC 24760-1
Information security, cybersecurity and privacy protection - A framework for identity management - Part 1: Core concepts and terminology (ISO/IEC 24760-1:2025)
Scope: This document:
- defines terms for identity management and specifies core concepts of identity and identity management, and their relationships;
- is applicable to any information system where information relating to identity is processed or stored;
- is considered to be a horizontal document for the following reasons:
  - it applies concepts such as distinguishing the term “identity” from the term “identifier” on the implementation of systems for the management of identity information and on the requirements for the implementation and operation of a framework for identity management,
  - it provides an important contribution to assess identity management systems with regard to their privacy-friendliness and their ability to assure the relevant attributes of an identity, and consequently it provides a foundation and a common understanding for any other standard addressing identity, identity information, and identity management.
Base documents: ISO/IEC 24760-1:2025; prEN ISO/IEC 24760-1
prEN 40000-11
Essential cybersecurity requirements for products - Part 11: Hardware Devices with Security Boxes incorporating a hardware physical envelope and designed to provide security functions such as secure storage and cryptographic operations in an open environment
Scope: This document defines cyber security requirements for products with digital elements belonging to product category “Hardware Device with Security Boxes” (hereinafter called “Product” or “HWSB product”).
The technical description of “Hardware Devices with Security Boxes” can be found in Annex II of [CRA].
The Hardware Devices with Security Boxes in scope are designed for deployment in a range of environments where the threat landscape includes attackers with varying attack potential.
HWSB are hardware-based systems intended to provide secure storage, processing and use of sensitive data, including cryptographic assets, within a protected hardware boundary (envelope).
This document applies to the HWSB part of the product. The applicability of this document to specific products is determined based on their intended purpose, use case and risk assessment.
Base documents: prEN 40000-11