The ISO PPST Guide – Tool or Irrelevance?


The Guide to the Development of Protection Profiles and Security Targets, ISO/IEC TR 15446, was developed in ISO/IEC JTC 1/SC 27/WG 3 as a companion to ISO/IEC 15408, the ISO equivalent of the Common Criteria. At the time it was written in the late 1990s, it represented some of the best guidance available to developers and system integrators in preparing for evaluation, supported by some excellent worked examples. Unfortunately, its completion was delayed by the unavailability of the designated editor, and the current speaker was asked in 2003 to take over and complete the work. This was done as quickly as possible, but still took until August 2004 – the world of standards moves exceedingly slowly. Indeed, it only became available for free download from the ISO web site in April this year.

In the time since it was written, best practice in preparing Protection Profiles and Security Targets has changed, and the examples in particular show their age. The Guide also needs updating to reflect the proposed changes to the CC and ISO/IEC 15408 resulting from the current revision and consultation process for CC V3.0. Outside ISO, other sources of guidance have become available – indeed, a number of commercial books have been published on preparing for evaluation. Perhaps the Guide is now an irrelevance.

WG 3 has decided to start a revision of the Guide in November 2005, shortly after this Conference. This is not normal ISO practice – it would be customary to wait three years from the date of publication.

At the moment, WG 3 is looking for ideas on how to improve the Guide – its content and presentation, as well as technical accuracy. The speaker will put forward some ideas of his own to see if people like them. Of course, if you disagree, it's not too late to send your own ideas to ISO and the speaker will explain how to do this.