@@ -1178,29 +1178,6 @@ This clause describes the methodology followed in the current text.
1. Develop security profiles from the use cases, which are collections of risk factor levels that can be used to fully describe the risk levels of all relevant threats. There may be one use case per security profile or multiple. There should be as many security profiles as are useful to manufacturers.
1. Using the risk factors in the security profiles and the risk formulas and mitigations for all threats, derive the completed list of required mitigations for each security profile.
For each risk untreated by the product itself, a corresponding mitigation has been created to explicitly permit the risk to be transferred to the user or operational environment. These are:
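Review bot: the sentence ending "These are:" at the bottom of this hunk only makes sense if the list it introduces still follows it. The header takes this region from 29 lines down to 6, so if the removed lines include that list, drop or reword the sentence rather than leave it dangling. In the first step, "There may be one use case per security profile or multiple" would read more clearly as "A security profile may cover one or more use cases", and "completed list" in the second step looks like it should be "complete list".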
@@ -1068,9 +1068,34 @@ The product shall protect data stored on the product from unauthorized access.
## 5.3 Risk mitigation sets
### 5.3.1 General
This clause lists all the mitigations necessary to meet requirements for each security profile. Security profiles are derived from the Use Cases in 4.7. See Annex C for more information.
### 5.3.1 Overview
This clause lists all the mitigations necessary to meet requirements for each security profile. Security profiles are derived from the Use Cases in 4.7. See Annex B for more information.
#### Mapping of risks to requirements
**Table 1: Mapping of risks to requirements**
_Editor's note: this table must be updated before the draft can be considered Final_
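Review bot: the 5.3.1 paragraph appears here with both "See Annex C" and "See Annex B", and the heading as both "General" and "Overview". Please confirm that the annex reference that remains points at the annex that actually covers security profiles, and that the heading name matches how the other clauses title their first subclause. The "#### Mapping of risks to requirements" heading is unnumbered under a numbered 5.3.1 and repeats the Table 1 caption word for word, so either number it or drop it and keep the caption. The editor's note says the table must be updated before the draft is Final. That should be tracked as an open item so the table is not published in its current state. "Use Cases" is capitalized here but lowercase in the methodology steps, so pick one form.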