ISO/IEC TS 27115
ISO/IEC TS 27115 — Cybersecurity evaluation of complex systems — Introduction and framework overview
(DRAFT)
Abstract
ISO/IEC TS 27115 "provides the foundations and concepts for the cybersecurity evaluation of complex systems.
Two frameworks are defined:
The first is used to specify the cybersecurity of a complex system, including system of systems.
The second is used to evaluate the corresponding cybersecurity solutions.
The frameworks use basic architecture concepts:
to enable description of reference or solution cybersecurity architectures;
to support model-based, comprehensive and scalable security solutions and their evaluation; and
to allow for the definition of architecture-based cybersecurity profiles (ACP) and hierarchies of profiles."
[Source: ISO.org info page]
Introduction
Using concepts and terms borrowed from the Common Criteria, such as Target of Evaluation (TOE) and security profile (cf. the CC's Protection Profile), this Technical Specification intends to explain how to:
(a) develop a security architecture (or design) for a complex system; and
(b) evaluate a complex system against the architecture.
Scope
The Working Draft's formal definition of "complex system" as "a system or system of systems" is circular and unhelpful, especially with two of those "Error: Reference source not found" broken cross-references embedded in it.
The WD introduction refers somewhat obliquely to complex systems in three ways:
The complexity of security, and of legislation on privacy, cybersecurity or AI (hinting, perhaps, that 'the complex system' is a computer system of some sort plus its associated security arrangements ... and perhaps the associated compliance framework/s?);
'Scaling up towards' ecosystems, or socio-technical systems (your guess is as good as mine on that one!);
Systems of systems ... which apparently means subsystems or discrete systems that interact to provide services, within an environment.
"System" is defined in the WD as "arrangement of parts or elements that together exhibit a stated behaviour or meaning that the individual constituents do not
Note 1 to entry: A system (Error: Reference source not found) is sometimes considered as a product or as the services it provides.
Note 2 to entry: In practice, the interpretation of its meaning is frequently clarified by the use of an associative noun, e.g. aircraft system. Alternatively, the word “system” is substituted simply by a context-dependent synonym (e.g. aircraft), though this potentially obscures a system principles perspective.
Note 3 to entry: A complete system (Error: Reference source not found) includes all of the associated equipment, facilities, material, computer programs, firmware, technical documentation, services, and personnel required for operations and support to the degree necessary for self-sufficient use in its intended environment.
[SOURCE: Error: Reference source not found, 3.46]"
Structure
Main sections:
5 - Overview
6 - Security architecture description - "concepts and elements supporting the framework for constructing a security architecture description"
7 - Security architecture evaluation - evaluating systems against criteria declared in their security profiles
8 - Architecture-based security profiles
9 - Composed security profiles (composing the security profiles of the individual systems that make up a system-of-systems)
Annex A - Architecture foundations
Annex B - Guidance for elaborating a security architecture
Annex C - Guidance for evaluating a security architecture
Annex D - Security example for a network infrastructure
Status
The standard development project commenced in 2023.
I think it is now at Working Draft stage ... although the WD file name says CD, so maybe it is at the end of drafting.
It is due to be published in 2026, or more likely 2027.
Commentary
This is all Greek to me, patently not my area of expertise. It is theoretical or academic rather than pragmatic. It doesn't help that the Working Draft has hardly any usable references, most being replaced by "Error: Reference source not found", while what I presume are internal references within the text to particular figures (e.g. "Figure 11") or tables are completely missing (e.g. "The security process can be iterative, as shown on step H in ,"). So no clues there either.
