European Standardization in Support of Consistent Definition of Cybersecurity Certification Schemes (B22c)
The CSA (Cybersecurity Act) stipulates that the security and assurance requirements defined for ICT products, ICT processes and ICT services should reflect the risk associated with their intended use. That risk is typically identified at business-system level using an ISO/IEC 27005-compliant risk assessment, whereas the security and assurance requirements for an individual ICT product are typically specified using ISO/IEC 15408 (Common Criteria). A new European Standard proposes a link between the two standards, so that the outcome of the risk assessment can be transferred into the product requirements in a defined way. The standard introduces several normalised measures: "meta-risk classes" (MRC), which give a common approach to risk assessment; "common security levels" (CSL), which give a consistent approach to security controls; and "common assurance references" (CAR), which allow flexibility in comparing assurance-level implementations. Each common assurance reference (CAR) and common security level (CSL) corresponds to a particular meta-risk class (MRC).