ISO/IEC TS 27115
ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview
(DRAFT)
Abstract
ISO/IEC TS 27115 "provides the foundations and concepts for the cybersecurity evaluation of complex systems.
Two frameworks are defined:
The first is used to specify the cybersecurity of a complex system, including system of systems.
The second is used to evaluate the corresponding cybersecurity solutions.
The frameworks use basic architecture concepts:
to enable description of reference or solution cybersecurity architectures;
to support model-based, comprehensive and scalable security solutions and their evaluation; and
to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles."
[Source: ISO.org info page]
Introduction
The standard attempts to explain how to (a) develop a security architecture (or design) for a complex system, and (b) evaluate a complex system against that architecture, using concepts and terms borrowed or adapted from the Common Criteria (ISO/IEC 15408), such as Target of Evaluation and security profile (the latter playing a role similar to a Common Criteria Protection Profile).
Scope
The formal definition of "complex system" as "a system or system of systems" is circular and unhelpful. The introduction refers somewhat obtusely to 'complex system' as:
The complexity of security and legislation for privacy, cybersecurity or AI (hinting, perhaps, at 'the complex system' being a computer system of some sort plus its associated security arrangements and compliance framework);
'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);
Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.
Structure
Main sections:
5 - Overview
6 - Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"
7 - Security architecture evaluation - evaluating systems against criteria declared in their security profiles
8 - Architecture-based security profiles
9 - Composed security profiles (compilation of security profiles from individual systems comprising system-of-systems)
Annex A - Architecture foundations
Annex B - Guidance for elaborating a security architecture
Annex C - Guidance for evaluating a security architecture
Annex D - Security example for a network infrastructure
Status
The standard development project commenced in 2023.
It is now at Working Draft stage.
It is due to be published in 2026 or 2027.
Commentary
This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the Working Draft has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.
