New Information Technology Standards

A new series of Information Technology standards on Security Techniques is being published, covering IT network security and the evaluation of IT security.

The ISO 18028 standards detail the specific operations and mechanisms needed to implement network security safeguards and controls in a wide range of network environments, providing a bridge between general IT security management issues and network security technical implementations. ISO 18028 comes in five parts:

ISO/FCD 18028-1:200x – Information Technology – Security Techniques – IT Network Security – Part 1: Network Security Management
Defines and describes the concepts associated with, and provides management guidance on, network security.

ISO 18028-2:2006 – Information Technology – Security Techniques – IT Network Security – Part 2: Network Security Architecture
Defines a standard security architecture, which describes a framework to support the planning, design, and implementation of network security.

ISO 18028-3:2005 – Information Technology – Security Techniques – IT Network Security – Part 3: Securing Communications Between Networks Using Security Gateways
Defines techniques for securing information flows between networks using security gateways.

ISO 18028-4:2005 – Information Technology – Security Techniques – IT Network Security – Part 4: Securing Remote Access
Provides guidance for accessing networks remotely – whether for email, file transfer, or simply working remotely.

ISO/FCD 18028-5:200x – Information Technology – Security Techniques – IT Network Security – Part 5: Securing Communications Across Networks Using Virtual Private Networks
Defines techniques for securing inter-network connections that are established using Virtual Private Networks (VPNs).

Information held by IT products or systems is a critical resource that enables organizations to succeed in their mission. Additionally, individuals have a reasonable expectation that their personal information contained in IT products or systems remains private, is available to them as needed, and is not subject to unauthorized modification. IT products or systems should perform their functions while exercising proper control of the information to ensure it is protected against hazards such as unwanted or unwarranted dissemination, alteration, or loss.

The term “IT security” is used to cover prevention and mitigation of these and similar hazards. Many consumers of IT lack the knowledge, expertise, or resources necessary to judge whether their confidence in the security of their IT products or systems is appropriate, and they may not wish to rely solely on the assertions of the developers. Consumers may therefore choose to increase their confidence in the security measures of an IT product or system by ordering an analysis of its security (i.e., a security evaluation).

ISO 15408 can be used to select the appropriate IT security measures and it contains criteria for evaluation of security requirements. It comes in three parts:

ISO 15408-1:2005 – Information Technology – Security Techniques – Evaluation Criteria for IT Security – Introduction and General Model
Allows the results of independent security evaluations to be compared. It does so by providing a common set of requirements for the security functions of IT products and systems and for the assurance measures applied to them during a security evaluation.

ISO 15408-2:2005 – Information Technology – Security Techniques – Evaluation Criteria for IT Security – Security Functional Requirements
Defines the required structure and content of security functional components for the purpose of security evaluation. It includes a catalog of functional components that will meet the common security functionality requirements of many IT products and systems.

ISO 15408-3:2005 – Information Technology – Security Techniques – Evaluation Criteria for IT Security – Security Assurance Requirements
Defines the security assurance requirements. It includes the evaluation assurance levels that define a scale for measuring assurance, the individual assurance components from which the assurance levels are composed, and the criteria for evaluation of Protection Profiles or Security Targets.

ISO 18045 is a companion document to the ISO 15408 family of standards:

ISO 18045:2005 – Information Technology – Security Techniques – Methodology for IT Security Evaluation
It describes the minimum actions to be performed by an evaluator in order to conduct an ISO 15408 evaluation, using the criteria and evaluation evidence defined in ISO 15408.

Copies of these IT Security standards can be acquired at the ANSI e-Standards Store.