This document specifies an extension for the ISO/IEC 15408 series and ISO/IEC 18045 to specify patch management requirements.
The document focuses on the initial TOE. The security assurance requirements specified in this document do not include evaluation or test activities on the final TOE, but on the initial TOE and on the life cycle processes used by manufacturers. Additionally, this document gives guidance to facilitate the evaluation of the TOE including the patch and development processes which support the patch management.
This document lists options for evaluation authorities (or mutual recognition agreements) on how to utilize the additional assurance and additional evidence in their processes to enable the developer to consistently re-certify their updated or patched TOEs to the benefit of the users of these TOEs. The implementation of these options by an evaluation scheme is out of the scope of this document.
Status: Under development
Technical Committee: ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection