O’z DSt ISO/IEC 18045:2013 PDF
Name in English:
O’z DSt ISO/IEC 18045:2013
Name in Russian:
O’z DSt ISO/IEC 18045:2013
Information technology. Security techniques. Methodology for information technology security evaluation
Full title and description
O’z DSt ISO/IEC 18045:2013 — Information technology. Security techniques. Methodology for Information Technology Security Evaluation. This is the national (O’z DSt) adoption in Uzbekistan of the ISO/IEC 18045 evaluation methodology for information technology security, aligning national practice with the international Common Criteria evaluation methodology.
Abstract
Provides a structured, repeatable methodology for independent evaluation of IT product and system security claims. The document defines evaluator actions, evidence and testing requirements, verdict criteria and reporting formats used when assessing conformance to the Common Criteria (ISO/IEC 15408). It is intended to ensure consistent, objective security evaluations by accredited laboratories and certification schemes.
General information
- Status: National adoption (O’z DSt) of the ISO/IEC 18045 methodology; published as an Uzbekistan state standard in 2013 (IDT adoption of the ISO text).
- Publication date: 2013 (date of O’z DSt national adoption).
- Publisher: O’zstandart / Agency for Standardization (national standards body of the Republic of Uzbekistan).
- ICS / categories: 35.030 — Information technology (Information security techniques / evaluation).
- Edition / version: O’z DSt 2013 (national edition), corresponding to ISO/IEC 18045 Edition 2 (2008) text as adopted nationally.
- Number of pages: The underlying ISO/IEC 18045:2008 edition comprises approximately 290 pages; national published pagination may follow the identical-text adoption.
Scope
Specifies minimum evaluator activities, work units and evidence requirements to perform security evaluations of IT products and systems under the Common Criteria framework (ISO/IEC 15408). It covers planning and conduct of evaluations, independent testing, vulnerability analysis, verdict criteria and preparation of evaluation technical reports to support scheme-level certification decisions. National adoption provides the same methodology for organizations and laboratories operating within Uzbekistan’s conformity assessment system.
Key topics and requirements
- Evaluator roles and required actions for assurance components and security assurance requirements (SARs).
- Types of evaluation evidence (design documentation, test records, developer and evaluator test evidence, vulnerability analysis reports).
- Independent testing activities and guidance for test coverage and test procedures.
- Vulnerability analysis and penetration testing approaches to discover and evaluate exploitable weaknesses.
- Verdict criteria and rules for pass/fail/inconclusive at component and overall evaluation levels.
- Structure and content requirements for the Evaluation Technical Report (ETR) used by certification bodies.
- Alignment with Common Criteria (ISO/IEC 15408) functional and assurance requirements; intended for accredited testing laboratories and scheme bodies.
Typical use and users
Used by Common Criteria evaluators, accredited testing laboratories, certification scheme managers, national scheme operators, security product vendors preparing Security Targets or Protection Profiles, and procurement authorities seeking objective assurance of IT product security. The standard guides day-to-day evaluation work, test planning and reporting in conformity assessment activities.
Related standards
Closely related to ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation) and to other IT security standards in the ISO/IEC 27000 family for information security management. Note: the ISO/IEC 18045 international text has been revised (new international edition published in 2022); national schemes may adopt revisions subsequently.
Keywords
Common Criteria, CEM, evaluation methodology, IT security evaluation, security assurance, evaluator, testing, vulnerability analysis, Evaluation Technical Report (ETR), O’z DSt, Uzbekistan, ISO/IEC 18045.
FAQ
Q: What is this standard?
A: It is the Uzbekistan national adoption (O’z DSt) of the ISO/IEC 18045 methodology, titled "Information technology — Security techniques — Methodology for Information Technology Security Evaluation", used to define how Common Criteria evaluations are performed.
Q: What does it cover?
A: It covers evaluator actions, evidence requirements, testing and vulnerability analysis, verdict criteria and reporting formats required to evaluate IT products and systems against Common Criteria security requirements.
Q: Who typically uses it?
A: Accredited evaluators and testing laboratories, certification bodies, product vendors preparing Security Targets/Protection Profiles, and organizations conducting or overseeing IT security conformity assessment.
Q: Is it current or superseded?
A: The O’z DSt adoption was published in 2013 and reflects the international text it adopted; internationally, ISO/IEC 18045 (2008 edition) was later revised and an updated ISO/IEC 18045 edition was published in 2022. Users should check whether a national revision or re-adoption has been published in Uzbekistan if they need the most recent alignment with the 2022 international edition.
Q: Is it part of a series?
A: Yes — it is the Common Evaluation Methodology companion to the Common Criteria series (ISO/IEC 15408) and is used together with functional and assurance component standards and other related ISO/IEC security and management standards.
Q: What are the main keywords?
A: Common Criteria, evaluation methodology (CEM), ISO/IEC 15408, evaluator actions, testing, vulnerability analysis, Evaluation Technical Report, information security evaluation, O’z DSt.