Commit 79708335 authored by Santeri Toikka's avatar Santeri Toikka

Added intro to Clause 6

Closes #397
parent e36c2922
@@ -1125,6 +1125,22 @@ The assessment criteria clause shall be structured by requirement defined in cla

<mark>Editor’s Note: Elements of the assessment clause should map one-to-one to elements of the technical requirements clause, ensuring there is a direct correspondence both ways. This means there shall be no summary assessment criteria.</mark>

The assessment has the purpose to verify that the requirements of the present standard are met in consideration of the use case and the thereout resulting risks.
The requirements need to counter these risks with an appropriate level of security.
Consequently, those need to be fulfilled by product functions and mechanisms, and, where there is none, the related risk assessment needs to prove that non-product means, such as obligations for the operational environment and user information, even obligation, mitigate the risks left open by the product.

The assessment focuses on the product functions, mechanisms and its user documentation.
The latter assessment ensures that the user can apply and operate the product in concrete practical, secure and safe ways.
The assessment needs thereby to be functional complete and sufficient:

* Functional completeness:
  Verify that all claimed interfaces, functions and mechanisms meet the selected requirements of the present document according to the actual product use case.
  In this functional assessment, the assessor’s evidence aims to confirm not only the product’s functioning and completeness, but also the implementation correctness.
* Functional sufficiency:
  Verify that the product implementation is adequate to meet the desired purpose and the requirements of the present document in the according use case.
  The assessment needs to consider the appropriateness of the evaluation efforts.
  This is typically applied in relation with the architecture documentation, when concrete measurements and quantitative testing would break the principle of appropriateness.

## 6.1 Introduction to the assessment and compliance criteria

This clause provides objective and reproducible assessment criteria to determine whether a product complies with the technical security requirements of clause 5.
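Review bot: The added introductory paragraph (the run starting "The assessment has the purpose to verify ...") has several grammatical breaks that make the normative intent ambiguous and should be tidied before merge: "in consideration of the use case and the thereout resulting risks" reads better as "in consideration of the use case and the risks resulting from it"; in "non-product means, such as obligations for the operational environment and user information, even obligation, mitigate the risks left open by the product" the fragment "even obligation" is dangling and should be dropped or completed; and "The assessment needs thereby to be functional complete and sufficient" should read "functionally complete and sufficient". Two terms used in the bullets are also undefined at this point: "the selected requirements of the present document" (functional completeness) does not say where the selection is recorded, and "the principle of appropriateness" (functional sufficiency) is referenced as if already established; either define both here or point to the clause that does. Finally, since the preceding Editor's Note requires a one-to-one mapping between assessment elements and requirements with no summary criteria, consider stating explicitly that the completeness and sufficiency dimensions apply per requirement, so this intro is not read as introducing a summary-level assessment.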