Home
ISO/IEC TR 22216:2022

ISO/IEC TR 22216:2022

Date published: 17/05/22

Information security, cybersecurity and privacy protection — New concepts and changes in ISO/IEC 15408:2022 and ISO/IEC 18045:2022

This document:

— introduces the break down between the former ISO/IEC 15408 series (ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008) and ISO/IEC 15408-3:2008) and ISO/IEC 18045:2008 and the new parts introduced in the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022;

— presents the concepts newly introduced as well as the rationale for their inclusion;

— proposes an evolution path and information on how to move from CC 3.1 and CEM 3.1 to the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively;

— maps the evolutions between the CC 3.1 and CEM 3.1 and the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022, respectively.

Get this standard	Prices exclude GST
PDF ( Single user document)	$322.61 NZD
HardCopy	$362.61 NZD
Networkable PDF	Price varies

view preview view preview

Foreword

Introduction

1 Scope

2 Normative references

3 Terms, definitions and abbreviated terms

3.1 Terms and definitions

3.2 Abbreviated terms

4 Overview

4.1 General

4.2 Structure of this document

4.3 Impacts of the revision on the structure and partition of the documents

4.4 Using this document for transitional information

4.5 Using the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022 for specific needs

5 Major new concepts introduced in the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022

5.1 Approaches to security evaluation

5.1.1 General

5.1.2 The attack-based approach

5.1.3 The specification-based approach

5.2 Modularity

5.2.1 General

5.2.2 Composition mechanisms

5.2.3 Packages

5.2.4 Modular Protection Profiles

5.2.5 Multi-assurance evaluations

5.2.6 Evaluation by composition and multi-assurance

6 Applying the ISO/IEC 15408:2022 series to specific needs

6.1 Refining and deriving requirements

6.1.1 General

6.1.2 Refinements

6.1.3 Application Notes

6.1.4 Extended requirements

6.2 Refining and deriving evaluation methods

6.2.1 General

6.2.2 Attack-based approach

6.2.3 Specification-based approach

6.3 Practical aspects of supporting documents

7 Evolutions in the ISO/IEC 15408:2022 series and ISO/IEC 18045:2022

7.1 Changes in ISO/IEC 15408-1:2022

7.2 Changes in ISO/IEC 15408-2:2022

7.3 Changes in ISO/IEC 15408-3:2022

7.4 Addition of ISO/IEC 15408-4:2022

7.5 Addition of ISO/IEC 15408-5:2022

7.6 Changes in ISO/IEC 18045:2022

Bibliography

List of Figures

Figure 1 — ISO/IEC 15408:2022 series and ISO/IEC 18045:2022 structure and mapping to former ISO/IEC 15408 series (ISO/IEC 15408-1:2009, ISO/IEC 15408-2:2008, ISO/IEC 15408-3:2008) and ISO/IEC 18045:2008

Figure 2 — Specification-based and attack-based approaches

Figure 3 — Smartphone with hardware key store

Figure 4 — IoT gateway with personal area network

Figure 5 — POI developer

Figure 6 — POI risk owner

Figure 7 — POI developer vs risk owner

Figure 8 — POI assurance requirements

Figure 9 — Multi-assurance TOE

Figure 10 — Multiple single evaluations

Figure 11 — Composite TOE

Figure 12 — Composite evaluation

Figure 13 — Multi-assurance evaluation of a composite TOE

Figure 14 — Multi-assurance composite evaluation

Figure 15 — Clause structure — ISO/IEC 15408-1:2022 vs. CC v3.1 revision 5 [14]

Figure 16 — Contents of a PP —ISO/IEC 15408-1:2022 vs. CC v3.1 revision 5 [14]

Figure 17 — Contents of an ST — ISO/IEC 15408-1:2022 vs. CC v3.1 revision 5 [14]

Figure 18 — Contents of a PP-Module — ISO/IEC 15408-1:2022 vs. CC v3.1 revision 5 [14]

Figure 19 — Contents of a PP-Configuration — ISO/IEC 15408-1:2022 vs. CC v3.1 revision 5 [14]

List of Tables

Table 1 — Overview of newly introduced concepts

Table 2 — Changes in ISO/IEC 15408-1:2022

Table 3 — Changes in ISO/IEC 15408-2:2022

Table 4 — Changes in ISO/IEC 15408-3:2022

Table 5 — Class APE — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 6 — Class ACE — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 7 — Class ASE — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 8 — Class ADV — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 9 — Class AGD — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 10 — Class ALC — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 11 — Class ATE — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 12 — Class AVA — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 13 — Class ACO — ISO/IEC 15408-3:2022 vs. CC v3.1 revision 5

Table 14 — ISO/IEC 15408-4:2022 — Summary

Table 15 — ISO/IEC 15408-5:2022 — Summary

Table 16 — Changes in ISO/IEC 18045:2022

Pages: 46

Keep me up-to-date
Sign up to receive updates when there are changes to this standard

Related Information

: 35.030 IT Security

Similar Standards

AS/NZS ISO/IEC 27001:2023
Information security, cybersecurity and privacy protection – Information security management systems – Requirements
AS/NZS ISO/IEC 27001:2023 A1
Information security, cybersecurity and privacy protection - Privacy enhancing data de-identification framework
AS/NZS ISO/IEC 27002:2022
Information security, cybersecurity and privacy protection — Information security controls
AS/NZS ISO/IEC 27011:2025
Information security, cybersecurity and privacy protection – Information security controls based on ISO/IEC 27002 for telecommunications organizations