ISO/IEC 15026-3:2015
Systems and software engineering — Systems and software assurance — Part 3: System integrity levels
ISO/IEC 15026-3:2015 specifies the concept of integrity levels with corresponding integrity level requirements that are required to be met in order to show the achievement of the integrity level. It places requirements on and recommends methods for defining and using integrity levels and their corresponding integrity level requirements. It covers systems, software products, and their elements, as well as relevant external dependences.

This part of ISO/IEC 15026 is applicable to systems and software and is intended for use by the following:

a) definers of integrity levels such as industry and professional organizations, standards organizations, and government agencies;

b) users of integrity levels such as developers and maintainers, suppliers and acquirers, system or software users, assessors of systems or software and administrative and technical support staff of systems and/or software products.

One important use of integrity levels is by suppliers and acquirers in agreements; for example, to aid in assuring safety, financial, or security characteristics of a delivered system or product.

ISO/IEC 15026-3:2015 does not prescribe a specific set of integrity levels or their integrity level requirements. In addition, it does not prescribe the way in which integrity level use is integrated with the overall system or software engineering life cycle processes. It does, however, provide an example of use of this part of ISO/IEC 15026 in Annex A.
Ingénierie du logiciel et des systèmes — Assurance du logiciel et des systèmes — Partie 3: Niveaux d'intégrité du système
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 15026-3
Second edition
2015-12-01
Systems and software engineering — Systems and software assurance —
Part 3: System integrity levels
Ingénierie du logiciel et des systèmes — Assurance du logiciel et des systèmes —
Partie 3: Niveaux d'intégrité du système
© ISO/IEC 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org
ii © ISO/IEC 2015 – All rights reserved
Contents (page)
Foreword ..... iv
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Defining integrity levels ..... 5
4.1 Expected readers of this Clause ..... 5
4.2 Appropriate area to define integrity levels ..... 6
4.3 Specifying context of integrity levels ..... 7
4.3.1 Specifying system-related information ..... 7
4.3.2 Specifying risk-related information ..... 7
4.4 Specifying integrity levels ..... 8
4.4.1 Specifying an integrity level claim ..... 9
4.4.2 Specifying a set of integrity levels ..... 10
4.5 Specifying integrity level requirements ..... 11
4.5.1 Specifying a set of integrity level requirements ..... 11
4.5.2 Specifying the justification between integrity levels and their integrity level requirements ..... 11
4.6 Specifying integrity level determination process ..... 11
5 Using integrity levels ..... 12
5.1 Expected readers of this clause ..... 12
5.2 Purpose for using integrity levels ..... 13
5.3 Outcomes of using integrity levels ..... 13
6 System integrity level determination ..... 13
6.1 General ..... 13
6.2 Purpose of the system integrity level determination process ..... 13
6.3 Outcome of the system integrity level determination process ..... 14
6.4 Activities of the system integrity level determination process ..... 14
7 Assigning system element integrity levels ..... 15
7.1 Purpose of the assigning system element integrity levels process ..... 15
7.2 Outcome of the assigning system element integrity levels process ..... 15
7.3 Activities of the assigning system element integrity levels process ..... 15
8 Meeting integrity level requirements ..... 16
8.1 General ..... 16
8.2 Purpose of meeting integrity level requirements ..... 16
8.3 Outcome of meeting integrity level requirements ..... 16
8.4 Activities of meeting integrity level requirements ..... 17
9 Agreement and approval authorities ..... 18
Annex A (informative) An example of use of ISO/IEC 15026-3 ..... 19
Bibliography ..... 23
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work. In the field of information technology, ISO and IEC have established a joint technical committee,
ISO/IEC JTC 1.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for
the different types of document should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT) see the following URL: Foreword - Supplementary information.
The committee responsible for this document is ISO/IEC JTC 1, Information Technology, Subcommittee
SC 7, Software and systems engineering.
This second edition cancels and replaces the first edition (ISO/IEC 15026-3:2011), which has been
technically revised.
ISO/IEC 15026 consists of the following parts, under the general title Systems and software engineering —
Systems and software assurance:
— Part 1: Concepts and vocabulary
— Part 2: Assurance case
— Part 3: System integrity levels
— Part 4: Assurance in the life cycle
The IEEE Computer Society collaborated with ISO/IEC JTC 1 in the development of the ISO/IEC 15026
series.
INTERNATIONAL STANDARD ISO/IEC 15026-3:2015(E)
Systems and software engineering — Systems and software assurance —
Part 3: System integrity levels
1 Scope
This part of ISO/IEC 15026 specifies the concept of integrity levels with corresponding integrity level
requirements that are required to be met in order to show the achievement of the integrity level. It
places requirements on and recommends methods for defining and using integrity levels and their
corresponding integrity level requirements. It covers systems, software products, and their elements,
as well as relevant external dependences.
This part of ISO/IEC 15026 is applicable to systems and software and is intended for use by the following:
a) definers of integrity levels such as industry and professional organizations, standards
organizations, and government agencies;
b) users of integrity levels such as developers and maintainers, suppliers and acquirers, system or
software users, assessors of systems or software and administrative and technical support staff of
systems and/or software products.
One important use of integrity levels is by suppliers and acquirers in agreements; for example, to aid in
assuring safety, financial, or security characteristics of a delivered system or product.
This part of ISO/IEC 15026 does not prescribe a specific set of integrity levels or their integrity level
requirements. In addition, it does not prescribe the way in which integrity level use is integrated with
the overall system or software engineering life cycle processes. It does, however, provide an example of
use of this part of ISO/IEC 15026 in Annex A.
2 Normative references
The following documents, in whole or in part, are normatively referenced in this document and are
indispensable for its application. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC/IEEE 12207, Systems and software engineering — Software life cycle processes
ISO/IEC/IEEE 15288, Systems and software engineering — System life cycle processes
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
adverse consequence
consequence (3.3) that results in a specified level of loss
Note 1 to entry: An adverse consequence results from the system-of-interest (3.23) being in a dangerous condition
(3.4) combined with the environment of the system (3.21) being in its worst-case state (relative to the adverse
consequence).
Note 2 to entry: Harm in ISO Guide 51 is an instance of an adverse consequence. The concept of adverse
consequences is introduced in order to cover not only harm in the safety context but also other losses such as loss
of assets in the security context.
3.2
claim
proposition representing a requirement of the system-of-interest (3.23) that enables the system-of-interest to achieve tolerable risk (3.25) if it were met
Note 1 to entry: A claim is consistent with claims in the other parts of the ISO/IEC 15026 series, but issues of claims here are restricted to achievement of a tolerable risk.
Note 2 to entry: A safety goal required in ISO 26262 is an instance of a claim.
3.3
consequence
outcome of an event affecting objectives
[SOURCE: ISO Guide 73:2009, 3.5.1.3]
3.4
dangerous condition
state of a system (3.21) which, in combination with some states of the environment, will result in adverse
consequence (3.1)
Note 1 to entry: A hazardous situation in ISO/IEC Guide 51 and IEC 61508–4 is an instance of a dangerous
condition. A concept of dangerous conditions is introduced in order to cover not only hazardous situations in
the safety context but also errors in the reliability, integrity, confidentiality, or dependability contexts and other
states of a system which can lead to adverse consequences.
Note 2 to entry: Occurrences of failures in the context of reliability or as defined in IEC 61508–4 often, but not
always, lead to dangerous conditions.
Note 3 to entry: A dangerous condition therefore has attributes, at least, a) the associated adverse consequences,
b) the trigger events that lead to the dangerous condition, and
...