GB/T 20274.1-2023 English PDF (GBT20274.1-2023)
GB/T 20274.1-2023: Information security technology -- Evaluation framework for information systems security assurance -- Part 1: Introduction and general model
GB/T 20274.1-2023
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.030
CCS L 80
Replacing GB/T 20274.1-2006
Information Security Technology - Evaluation Framework for Information Systems Security Assurance - Part 1: Introduction and General Model
ISSUED ON: MARCH 17, 2023
IMPLEMENTED ON: OCTOBER 1, 2023
Issued by: State Administration for Market Regulation; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview
5 Information System Security Assurance Model and Level
5.1 Concept of Assurance
5.2 Assurance Model
5.3 Assurance Capability Level
6 Information System Security Assurance Elements
6.1 Structure of Information System Security Assurance Elements
6.2 Generation of Information System Security Assurance Elements
7 Evaluation Framework for Information System Security Assurance
7.1 Concept and Relations of Evaluation of Information System Security Assurance
7.2 Evaluation Content of Information System Security Assurance
7.3 Judgment of Information System Security Assurance Evaluation
Bibliography
1 Scope
This document provides the basic concepts and model of information system security assurance and proposes an evaluation framework for information system security assurance.
This document is applicable as guidance for system builders, operators, service providers and evaluators carrying out information system security assurance work.
2 Normative References
The contents of the following documents constitute indispensable clauses of this document through the normative references in the text. For dated references, only the edition cited applies to this document. For undated references, the latest edition (including all amendments) applies to this document.
GB/T 18336.1-2015 Information Technology - Security Techniques - Evaluation Criteria for IT
Security - Part 1: Introduction and General Model
GB/T 25069-2022 Information Security Techniques - Terminology
3 Terms and Definitions
The terms and definitions given in GB/T 25069-2022 and GB/T 18336.1-2015, together with the following, apply to this document.
3.1 information system
An information system is a combination of applications, services, information technology assets or other information-processing components.
NOTE 1: An information system is usually composed of computers or other information terminals and related equipment, and carries out information processing or process control in accordance with defined application objectives and rules.
NOTE 2: Typical information systems include office automation systems, cloud computing platforms/systems, Internet of Things systems, industrial control systems and systems adopting mobile Internet technology.
[source: GB/T 29246-2017, 2.39, modified]
3.2 information system security assurance
Information system security assurance is a series of appropriate activities or processes that guarantee the security attributes, functions and effectiveness of an information system.
3.3 organizational security policies
Organizational security policies are the set of security rules, procedures, practices and guidelines established by an organization to guarantee its operation.
[source: GB/T 25069-2022, 3.817]
4 Overview
The parties involved in the evaluation of information system security assurance generally include information system builders, information system operators, service providers and evaluators.
Information system builders include planning, design and engineering implementation personnel. Builders use the common description language, method and structure of this document as a reference, and express their information system security assurance requirements in the fields of technology, management and engineering of information system security assurance. Adopting this document helps builders describe their information system security needs more precisely and prepare information system security assurance schemes and specifications that comply with the requirements of their operating environment. Through the evaluation of information system security assurance, builders can understand the current state of their information system security assurance and, based on the evaluation results, further improve their information system security assurance capabilities on a continuing basis.
Information system operators use the common description language, method and structure as a reference, and express their information system security assurance requirements in the fields of technology and management of information system security assurance. Operators can adopt this document to communicate more effectively with information system builders and other relevant personnel and to reach a shared understanding. Through the evaluation of information system security assurance, operators can understand the current state of their information system security assurance and, based on the evaluation results, further improve their information system security assurance capabilities on a continuing basis, so as to gain confidence in their information system security assurance.
Service providers use the common description language, method and structure as a reference, express the relevant information system security assurance requirements in the fields of technology, management and engineering of information system security assurance, and communicate effectively with system operators and builders in implementing projects.
assurance class, security management assurance class and security engineering assurance class.
Members of the classes are called subclasses.
A security assurance subclass is a combination of several sets of security assurance requirements that share the same security assurance purpose but differ in strength and rigor. The subclasses of the security technical assurance class, the security management assurance class and the security engineering assurance class are, respectively, security technical assurance subclasses, security management assurance subclasses and security engineering assurance subclasses.
Members of the subclasses are called security assurance components. Each security assurance subclass consists of one or more security assurance components that implement the subclass's security assurance purpose.
A security assurance component is a set of statements that describes an explicit security assurance requirement; it is the smallest selectable set of security assurance requirements in the structure defined in this document. A security assurance component is a concrete control measure for information security assurance that realizes the security assurance purpose of its security assurance subclass. According to the field to which the security assurance requirements belong, components are divided into security technical assurance components, security management assurance components and security engineering assurance components. A security assurance component consists of selectable security assurance elements.
The security assurance component is the ...