EN 17640:2022

Fixed-time cybersecurity evaluation methodology for ICT products

EN 17640:2022

Name:EN 17640:2022   Standard name:Fixed-time cybersecurity evaluation methodology for ICT products
Standard number:EN 17640:2022   language:English language
Release Date:18-Oct-2022   technical committee:CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting committee:CEN/CLC/TC 13 - Cybersecurity and Data Protection   ICS number:35.030 - IT Security

SLOVENSKI STANDARD
01-januar-2023
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje
Fixed time cybersecurity evaluation methodology for ICT products
Cybersicherheitsevaluationsmethodologie für IKT-Produkte
Méthode d'évaluation de la cybersécurité pour produits TIC
Ta slovenski standard je istoveten z: EN 17640:2022
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD EN 17640
NORME EUROPÉENNE
EUROPÄISCHE NORM
October 2022
ICS 35.030
English version
Fixed-time cybersecurity evaluation methodology for ICT
products
Méthode d'évaluation de la cybersécurité pour Zeitlich festgelegte
produits TIC Cybersicherheitsevaluationsmethodologie für IKT-
Produkte
This European Standard was approved by CEN on 15 August 2022.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2022 CEN/CENELEC All rights of exploitation in any form and by any means
Ref. No. EN 17640:2022 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 4
Introduction . 5
1 Scope . 7
2 Normative references . 7
3 Terms and definitions . 7
4 Conformance . 9
5 General concepts . 11
5.1 Usage of this methodology . 11
5.2 Knowledge of the TOE . 12
5.3 Development process evaluation . 12
5.4 Attack Potential . 12
5.5 Knowledge building . 13
6 Evaluation tasks . 13
6.1 Completeness check . 13
6.1.1 Aim . 13
6.1.2 Evaluation method . 13
6.1.3 Evaluator competence . 13
6.1.4 Evaluator work units . 13
6.2 FIT Protection Profile Evaluation . 14
6.2.1 Aim . 14
6.2.2 Evaluation method . 14
6.2.3 Evaluator competence . 14
6.2.4 Evaluator work units . 14
6.3 Review of security functionalities . 15
6.3.1 Aim . 15
6.3.2 Evaluation method . 15
6.3.3 Evaluator competence . 15
6.3.4 Evaluator work units . 15
6.4 FIT Security Target Evaluation . 16
6.4.1 Aim . 16
6.4.2 Evaluation method . 16
6.4.3 Evaluator competence . 16
6.4.4 Evaluator work units . 16
6.5 Development documentation . 17
6.5.1 Aim . 17
6.5.2 Evaluation method . 17
6.5.3 Evaluator competence . 17
6.5.4 Work units . 17
6.6 Evaluation of TOE Installation . 17
6.6.1 Aim . 17
6.6.2 Evaluation method . 18
6.6.3 Evaluator competence . 18
6.6.4 Evaluator work units . 18
6.7 Conformance testing . 18
6.7.1 Aim . 18
6.7.2 Evaluation method . 18
6.7.3 Evaluator competence . 19
6.7.4 Evaluator work units . 19
6.8 Vulnerability review . 20
6.8.1 Aim . 20
6.8.2 Evaluation method . 20
6.8.3 Evaluator competence . 21
6.8.4 Evaluator work units . 21
6.9 Vulnerability testing . 21
6.9.1 Aim . 21
6.9.2 Evaluation method . 22
6.9.3 Evaluator competence . 22
6.9.4 Evaluator work units . 22
6.10 Penetration testing . 24
6.10.1 Aim . 24
6.10.2 Evaluation method . 24
6.10.3 Evaluator competence . 25
6.10.4 Evaluator work units . 25
6.11 Basic crypto analysis . 26
6.11.1 Aim . 26
6.11.2 Evaluation method . 26
6.11.3 Evaluator competence . 26
6.11.4 Evaluator work units . 26
6.12 Extended crypto analysis . 27
6.12.1 Aim . 27
6.12.2 Evaluation method . 27
6.12.3 Evaluator competence . 28
6.12.4 Evaluator work units . 28
Annex A (informative) Example for a structure of a FIT Security Target (FIT ST) . 30
Annex B (normative) The concept of a FIT Protection Profile (FIT PP) . 32
Annex C (informative) Acceptance Criteria . 33
Annex D (informative) Guidance for integrating the methodology into a scheme . 40
Annex E (informative) Parameters of the methodology and the evaluation tasks . 45
Annex F (normative) Calculating the Attack Potential . 47
Annex G (normative) Reporting the results of an evaluation . 52
Bibliography .
...

  • Relates Information
  • ISO 8130-9:1992

    ISO 8130-9:1992 - Coating powders
    09-28
  • EN 352-2:2020/FprA1

    EN 352-2:2021/oprA1:2023
    09-28
  • IEC TS 61158-4:1999

    IEC TS 61158-4:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 4: Data Link protocol specification Released:3/24/1999 Isbn:2831847656
    09-28
  • HD 566 S1:1990

    HD 566 S1:1998
    09-28
  • ISO 5131:1982/Amd 1:1992

    ISO 5131:1982/Amd 1:1992
    09-28
  • EN 60598-2-22:1990

    EN 60598-2-22:1996
    09-27
  • ISO 8504-2:1992

    ISO 8504-2:1992 - Preparation of steel substrates before application of paints and related products -- Surface preparation methods
    09-27
  • EN 12165:2024

    prEN 12165:2022
    09-27
  • IEC TS 61158-6:1999

    IEC TS 61158-6:1999 - Digital data communications for measurement and control - Fieldbus for use in industrial control systems - Part 6: Application Layer protocol specification Released:3/24/1999 Isbn:2831847613
    09-27
  • ISO 4252:1992

    ISO 4252:1992 - Agricultural tractors -- Operator's workplace, access and exit -- Dimensions
    09-27