1、BSI Standards Publication BS ISO/IEC 15026-3:2015 Systems and software engineering Systems and software assurance Part 3: System integrity levelsBS ISO/IEC 15026-3:2015 BRITISH STANDARD National foreword This British Standard is the UK implementation of ISO/IEC 15026-3:2015. It supersedes BS ISO/IEC
2、 15026-3:2011 which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/15, Software and systems engineering. A list of organizations represented on this committee can be obtained on request to its secretary. This publication does not purport to include all
3、 the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2015. Published by BSI Standards Limited 2015 ISBN 978 0 580 84227 6 ICS 35.080 Compliance with a British Standard cannot confer immunity from legal obligations. This British
4、 Standard was published under the authority of the Standards Policy and Strategy Committee on 30 November 2015. Amendments/corrigenda issued since publication Date T e x t a f f e c t e dBS ISO/IEC 15026-3:2015 Systems and software engineering Systems and software assurance Part 3: System integrity
5、levels Ingnierie du logiciel et des systmes Assurance du logiciel et des systmes Partie 3: Niveaux dintgrit du systme INTERNATIONAL STANDARD ISO/IEC 15026-3 Reference number ISO/IEC 15026-3:2015(E) Second edition 2015-12-01 ISO/IEC 2015 BS ISO/IEC 15026-3:2015ii ISO/IEC 2015 All rights reserved COPY
6、RIGHT PROTECTED DOCUMENT ISO/IEC 2015, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intrane
7、t, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org
8、www.iso.org ISO/IEC 15026-3:2015(E)BS ISO/IEC 15026-3:2015ISO/IEC 15026-3:2015(E)Foreword iv 1 Scope . 1 2 Normative references 1 3 T erms and definitions . 1 4 Defining int egrity le v els 5 4.1 Expected readers of this Clause 5 4.2 Appropriate area to define integrity levels. 6 4.3 Specifying cont
9、ext of integrity levels . 7 4.3.1 Specifying system-related information 7 4.3.2 Specifying risk-related information 7 4.4 Specifying integrity levels . 8 4.4.1 Specifying an integrity level claim 9 4.4.2 Specifying a set of integrity levels 10 4.5 Specifying integrity level requirements .11 4.5.1 Sp
10、ecifying a set of integrity level requirements 11 4.5.2 Specifying the justification between integrity levels and their integrity level requirements 11 4.6 Specifying integrity level determination process 11 5 Using integrity levels .12 5.1 Expected readers of this clause .12 5.2 Purpose for using i
11、ntegrity levels 13 5.3 Outcomes of using integrity levels 13 6 System integrity level determination 13 6.1 General 13 6.2 Purpose of the system integrity level determination process.13 6.3 Outcome of the system integrity level determination process .14 6.4 Activities of the system integrity level de
12、termination process 14 7 Assigning system element integrity levels .15 7.1 Purpose of the assigning system element integrity levels process .15 7.2 Outcome of the assigning system element integrity levels process .15 7.3 Activities of the assigning system element integrity levels process 15 8 Meetin
13、g integrity level requirements 16 8.1 General 16 8.2 Purpose of meeting integrity level requirements 16 8.3 Outcome of meeting integrity level requirements 16 8.4 Activities of meeting integrity level requirements .17 9 Agreement and approval authorities .18 Annex A (informative) An example of use o
14、f ISO/IEC 150263 .19 Bibliography .23 ISO/IEC 2015 All rights reserved iii Contents PageBS ISO/IEC 15026-3:2015ISO/IEC 15026-3:2015(E) Foreword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide s
15、tandardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in field
16、s of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. The procedures used to develop this do
17、cument and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the different types of document should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives,
18、 Part 2 (see www.iso.org/directives). Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the deve
19、lopment of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents). Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement. For an explanation on the meaning of IS
20、O specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information. The committee responsible for this document is ISO/IEC JTC 1, Inf
21、ormation Technology, Subcommittee SC 7, Software and systems engineering. This second edition cancels and replaces the first edition (ISO/IEC 15026-3:2011), which has been technically revised. ISO/IEC 15026 consists of the following parts, under the general title Systems and software engineering Sys
22、tems and software assurance: Part 1: Concepts and vocabulary Part 2: Assurance case Part 3: System integrity levels Part 4: Assurance in the life cycle The IEEE Computer Society collaborated with ISO/IEC JTC 1 in the development of the ISO/IEC 15026 series.iv ISO/IEC 2015 All rights reservedBS ISO/I
23、EC 15026-3:2015INTERNATIONAL ST ANDARD ISO/IEC 15026-3:2015(E) Systems and software engineering Systems and software assurance Part 3: System integrity levels 1 Scope This part of ISO/IEC 15026 specifies the concept of integrity levels with corresponding integrity level requirements that are require
24、d to be met in order to show the achievement of the integrity level. It places requirements on and recommends methods for defining and using integrity levels and their corresponding integrity level requirements. It covers systems, software products, and their elements, as well as relevant external d
25、ependences. This part of ISO/IEC 15026 is applicable to systems and software and is intended for use by the following: a) definers of integrity levels such as industry and professional organizations, standards organizations, and government agencies; b) users of integrity levels such as developers an
26、d maintainers, suppliers and acquirers, system or software users, assessors of systems or software and administrative and technical support staff of systems and/or software products. One important use of integrity levels is by suppliers and acquirers in agreements; for example, to aid in assuring sa
27、fety, financial, or security characteristics of a delivered system or product. This part of ISO/IEC 15026 does not prescribe a specific set of integrity levels or their integrity level requirements. In addition, it does not prescribe the way in which integrity level use is integrated with the overal
28、l system or software engineering life cycle processes. It does, however, provide an example of use of this part of ISO/IEC 15026 in Annex A. 2 Normative references The following documents, in whole or in part, are normatively referenced in this document and are indispensable for its application. For
29、 dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies. ISO/IEC/IEEE 12207, Systems and software engineering Software life cycle processes ISO/IEC/IEEE 15288, Systems and software engineering System
30、life cycle processes 3 T erms a nd definiti ons For the purposes of this document, the following terms and definitions apply. 3.1 adverse consequence consequence (3.3) that results in a specified level of loss Note 1 to entry: An adverse consequence results from the system-of-interest (3.23) being i
31、n a dangerous condition (3.4) combined with the environment of the system (3.21) being in its worst-case state (relative to the adverse consequence). ISO/IEC 2015 All rights reserved 1BS ISO/IEC 15026-3:2015ISO/IEC 15026-3:2015(E) Note 2 to entry: Harm in ISO Guide 51 is an instance of an adverse co
32、nsequence. The concept of adverse consequences is introduced in order to cover not only harm in the safety context but also other losses such as loss of assets in the security context. 3.2 claim proposition representing a requirement of the system-of-interest (3.23) that enables the system-of- inter
33、est to achieve tolerable risk (3.25) if it were met Note 1 to entry: A claim is consistent with claims in the other parts of ISO/IEC 15026 series but issues of claims here are restricted to achievement of a tolerable risk. Note 2 to entry: A safety goal required in ISO 26262 is an instance of a clai
34、m. 3.3 consequence outcome of an event affecting objectives SOURCE: ISO Guide 73:2009, 3.5.1.3 3.4 dangerous condition state of a system (3.21) which, in combination with some states of the environment, will result in adverse consequence (3.1) Note 1 to entry: A hazardous situation in ISO/IEC Guide
35、51 and IEC 615084 is an instance of a dangerous condition. A concept of dangerous conditions is introduced in order to cover not only hazardous situations in the safety context but also errors in the reliability, integrity, confidentiality, or dependability contexts and other states of a system whic
36、h can lead to adverse consequences. Note 2 to entry: Occurrences of failures in the context of reliability or as defined in IEC 615084 often, but not always, lead to dangerous conditions. Note 3 to entry: A dangerous condition therefore has attributes, at least, a) the associated adverse consequence
37、s, b) the trigger events that lead to the dangerous condition, and c) the trigger events that lead to the adverse consequences from the dangerous condition. 3.5 design authority person or organization that is responsible for the design of the product SOURCE: ISO/IEC 150261 3.6 initial risk estimated
38、 risk (3.16) before applying risk reduction measures (3.18) 3.7 integrity level required degree of confidence that the system-of-interest (3.23) meets the associated integrity level claim (3.10) Note 1 to entry: The words “integrity level” forms an indivisible label. This International Standard does
39、 not pronounce on, nor depend on, a concept of integrity by itself. Note 2 to entry: An integrity level is different from the likelihood (3.13) that the integrity level claim is met but they are closely related. Note 3 to entry: The word “confidence” implies that the definition of integrity levels c
40、an be a subjective concept. Note 4 to entry: In this part of ISO/IEC 15026, integrity levels are defined in terms of risk and hence, cover safety, security, financial and any other dimension of risk that is relevant to the system-of-interest.2 ISO/IEC 2015 All rights reservedBS ISO/IEC 15026-3:2015I
41、SO/IEC 15026-3:2015(E) 3.8 integrity level assurance authority independent person or organization responsible for certifying compliance with the integrity level requirements (3.11) SOURCE: ISO/IEC 150261 3.9 i n t e g r i t y l e v e l d e f i n i t i o n a u t h o r i t y person or organization res
42、ponsible for defining integrity levels (3.7) and integrity level requirements (3.11) 3.10 integrity level claim claim (3.2) representing a requirement for a risk reduction measure (3.18) identified in the risk treatment (3.20) process of the system-of-interest (3.23) Note 1 to entry: In general, it
43、is described in terms of requirements that, when met, would avoid, control or mitigate the consequences (3.3) of dangerous conditions (3.4) and provide tolerable risk (3.25). Note 2 to entry: The claim that can be regarded as an integrity level claim in IEC 61508 is that an E/E/PE safety- related sy
44、stem satisfactorily performs the specified safety functions under all the stated conditions. 3.11 integrity level requirement set of requirements that, when met, will provide a level of confidence in the associated integrity level claim (3.10) commensurate with the associated integrity level (3.7) 3
45、.12 level of risk magnitude of a risk (3.16) or combination of risks, expressed in terms of the combination of consequences (3.3) and their likelihood (3.13) SOURCE: ISO Guide 73:2009, 3.6.1.8 3.13 likelihood probability of something happening 3.14 property-of-interest any property that, if lost, is
46、 considered a negative effect Note 1 to entry: The concept of property-of-interest is introduced in order to characterize negative effects of consequences (3.3). Note 2 to entry: In the safety context, human lives and health are instances of properties-of-interest. Note 3 to entry: Assets in the sec
47、urity context, e.g. defined in ISO/IEC 15408-1, are instances of properties-of- interest. 3.15 residual risk risk (3.16) remaining after risk treatment (3.20) SOURCE: ISO Guide 73:2009, 3.8.1.6 ISO/IEC 2015 All rights reserved 3BS ISO/IEC 15026-3:2015ISO/IEC 15026-3:2015(E) 3.16 risk effect of uncer
48、tainty on objectives SOURCE: ISO Guide 73:2009, 1.1 Note 1 to entry: An effect is a deviation from the expected: positive and/or negative. In this International Standard, the focus is on negative deviations leading to adverse consequences (3.1). Note 2 to entry: Risk is often characterized by refere
49、nce to potential events and consequences (3.3), or a combination of them. Note 3 to entry: Risk is often expressed in terms of a combination of the consequences of an event (including changes in circumstances) and the associated likelihood (3.13) of occurrence. In this International Standard, risk is characterized as the combination of the severity of the adverse consequence and the likelihood of an adverse consequence occurring. Note 4 to entry: Objectives can have diff
