- Revision of ISO/IEC 15408-1:2022
Cybersecurity/Network and Information security
- Upgrading prEN 18037 to final stage
Cybersecurity/Network and Information security
A unified approach to developing cybersecurity certification schemes, together with the possibility of reusing evaluation results produced under different certification schemes, would be a dominant factor in decreasing the costs and workload needed for the certification of composite products or services. This could, at least partly, remove financial barriers for SMEs to enter the certification market.
The societal impact, measured by increasing confidence in certification as a powerful cybersecurity tool, would be real.
- Revision of ISO/IEC 15408:2022 (all parts) and ISO/IEC 18045:2022
Cybersecurity/Network and Information security
The resulting study, in the form of PWI 25543, is aimed at keeping the reference standards as state-of-the-art documents that cope with emerging and future technologies in cybersecurity certification. The goal set out in the plan is strongly supported by sound standards with an appropriate scope of application. In this way the assessments can be repeatable and comparable, thus creating the basis for wide recognition of results, which usually appear as certificates respected by all EU Member States.
- Improving presentation and quality of Terminology for EN-ISO/IEC 15408 series and EN-ISO/IEC 18045
Cybersecurity/Network and Information security
The objective of security assessment is to give customers confidence that they are using secure and safe ICT products. Given the technical complexity of cybersecurity evaluation, these processes should rely on robust and mature standards. Customers and risk owners do not need to know all the details of such an evaluation, but they should have solid grounds for trusting its results, which are usually expressed as certificates. The Common Criteria provide highly sophisticated tools for gaining confidence that security controls in ICT products are implemented correctly and sufficiently under the principles of “cybersecurity-by-design-and-default”, and for establishing the grounds of their resilience against cyberattacks that could happen in the future.
Value of Research
Title & Organisation Name: Project Leader, National Institute of Telecommunications
Country: Poland

