SIST EN 17640:2023/oprA1:2025
(Amendment)Fixed-time cybersecurity evaluation methodology for ICT products
Fixed-time cybersecurity evaluation methodology for ICT products
The scope of EN 17640 remains unchanged, adding the content of composition within:
This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload
resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and
high).
The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation
requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to 3rd party evaluation
and self-assessment.
Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT‑Produkte
Méthode d’évaluation de la cybersécurité à temps fixe pour les produits TIC
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje - Dopolnilo A1
General Information
- Status
- Not Published
- Public Enquiry End Date
- 21-Dec-2025
- Technical Committee
- ITC - Information technology
- Current Stage
- 4020 - Public enquire (PE) (Adopted Project)
- Start Date
- 16-Oct-2025
- Due Date
- 05-Mar-2026
- Completion Date
- 22-Dec-2025
Relations
- Effective Date
- 08-Apr-2024
Overview
SIST EN 17640:2023/oprA1:2025 is a draft European standard developed by the Slovenian Institute for Standardization (SIST) detailing a fixed-time cybersecurity evaluation methodology for ICT products. This methodology is designed for deployment with pre-defined time and resource constraints and supports all three assurance levels as defined in the Cybersecurity Act (CSA): basic, substantial, and high. The standard introduces refined guidance on evaluating composite ICT products, including clear processes and documentation requirements for the assessment of products built from multiple evaluated components.
By incorporating amendments from EN ISO/IEC 15408-1:2023, this standard enhances clarity around composite evaluation and the reuse of previously certified components, streamlining assurance processes for both independent and integrated ICT products.
Key Topics
- Cybersecurity Evaluation Methodology: Defines a structured approach to assess security functionality of ICT products, ensuring alignment with CSA assurance levels.
- Composite Product Evaluation: Describes processes for evaluating products made up of multiple components, some of which may have already been assessed or certified.
- Assurance Reuse: Enables reuse of prior evaluation results for base components, reducing duplication of testing and enhancing evaluation efficiency.
- Required Documentation: Specifies necessary developer documentation and evaluation reports for composition-based evaluation tasks, allowing effective integration and assessment of components.
- Evaluator Qualifications: Outlines knowledge and skills required by evaluators, including expertise in composition methods and familiarity with involved technologies.
- Testing and Verification: Details the necessity for test coverage of both individual component security features and their interactions when integrated.
- Conformance and Certification Conditions: Guides scheme developers on specifying requirements and conditions for using previously issued certificates in composite evaluations.
Applications
- Third-party and Self-assessment: The methodology supports both independent evaluations by external assessors and internal self-assessments by organizations developing ICT products.
- Efficient Security Assurance: The approach enhances efficiency in cybersecurity evaluation by leveraging approved components and minimizing duplication across the ICT supply chain.
- Modular and Composite ICT Products: Particularly beneficial for vendors producing modular systems, integrated solutions, or products composed of certified third-party elements.
- Certification Support: Provides a clear framework for national and European cybersecurity certification schemes looking to adopt uniform, fixed-time approaches.
- Risk-based Assurance: Ensures appropriate scaling of evaluation effort to the defined assurance level, supporting regulatory compliance and product market entry across Europe.
- Cross-industry Use: Applies to a wide array of ICT products, from embedded devices to enterprise IT solutions, supporting secure digital infrastructure.
Related Standards
- EN ISO/IEC 15408-1:2023 – Provides foundational terminology, concepts, and models for IT security evaluations, including principles of component composition.
- CSA (Cybersecurity Act) – Outlines assurance levels for cybersecurity certification within the European Union, forming the basis for the levels addressed in EN 17640.
- Relevant CEN/CENELEC Standards: Other information security and IT evaluation standards under ICS 35.030 addressing IT security requirements and evaluation processes.
- Common Criteria (ISO/IEC 15408 series): Offers a globally recognized framework for security evaluation of IT products, on which many principles of EN 17640 are based.
By implementing the methodologies and requirements outlined in SIST EN 17640:2023/oprA1:2025, ICT product vendors and certification authorities can strengthen the security posture of the digital supply chain, increase trust in certified solutions, and streamline certification processes through a harmonized, resource-effective evaluation standard.
Get Certified
Connect with accredited certification bodies for this standard
BSI Group
BSI (British Standards Institution) is the business standards company that helps organizations make excellence a habit.
Bureau Veritas
Bureau Veritas is a world leader in laboratory testing, inspection and certification services.
DNV
DNV is an independent assurance and risk management provider.
Sponsored listings
Frequently Asked Questions
SIST EN 17640:2023/oprA1:2025 is a draft published by the Slovenian Institute for Standardization (SIST). Its full title is "Fixed-time cybersecurity evaluation methodology for ICT products". This standard covers: The scope of EN 17640 remains unchanged, adding the content of composition within: This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and high). The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to 3rd party evaluation and self-assessment.
The scope of EN 17640 remains unchanged, adding the content of composition within: This document describes a cybersecurity evaluation methodology that can be implemented using pre-defined time and workload resources, for ICT products. It is intended to be applicable for all three assurance levels defined in the CSA (i.e. basic, substantial and high). The methodology is comprised of different evaluation blocks including assessment activities that comply with the evaluation requirements of the CSA for the mentioned three assurance levels. Where appropriate, it can be applied both to 3rd party evaluation and self-assessment.
SIST EN 17640:2023/oprA1:2025 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
SIST EN 17640:2023/oprA1:2025 has the following relationships with other standards: It is inter standard links to SIST EN 17640:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
SIST EN 17640:2023/oprA1:2025 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.
Standards Content (Sample)
SLOVENSKI STANDARD
01-december-2025
Metodologija ocenjevanja kibernetske varnosti za izdelke IKT za določeno obdobje
- Dopolnilo A1
Fixed-time cybersecurity evaluation methodology for ICT products
Zeitlich festgelegte Cybersicherheitsevaluationsmethodologie für IKT‑Produkte
Méthode d’évaluation de la cybersécurité à temps fixe pour les produits TIC
Ta slovenski standard je istoveten z: EN 17640:2022/prA1
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.
EUROPEAN STANDARD DRAFT
EN 17640:2022
NORME EUROPÉENNE
EUROPÄISCHE NORM
prA1
October 2025
ICS 35.030
English version
Fixed-time cybersecurity evaluation methodology for ICT
products
Méthode d'évaluation de la cybersécurité à temps fixe Zeitlich festgelegte
pour les produits TIC Cybersicherheitsevaluationsmethodologie für IKT-
Produkte
This draft amendment is submitted to CEN members for enquiry. It has been drawn up by the Technical Committee CEN/CLC/JTC
13.
This draft amendment A1, if approved, will modify the European Standard EN 17640:2022. If this draft becomes an amendment,
CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
inclusion of this amendment into the relevant national standard without any alteration.
This draft amendment was established by CEN and CENELEC in three official versions (English, French, German). A version in any
other language made by translation under the responsibility of a CEN and CENELEC member into its own language and notified
to the CEN-CENELEC Management Centre has the same status as the official versions.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of which they are
aware and to provide supporting documentation.Recipients of this draft are invited to submit, with their comments, notification
of any relevant patent rights of which they are aware and to provide supporting documentation.
Warning : This document is not a European Standard. It is distributed for review and comments. It is subject to change without
notice and shall not be referred to as a European Standard.
Contents Page
European foreword . 3
1 Modification to Clause 3, “Terms and definitions” . 4
2 Modification to Clause 4, “Conformance” . 5
3 Modification to Clause 5, “General concepts” . 5
4 Modification to Clause 6, “Evaluation tasks” . 6
5 Modification to Annex A (informative), “Example for a structure of a FIT Security
Target (FIT ST)” . 9
6 Modification to Annex E (informative), “Parameters of the methodology and the
evaluation tasks” . 10
7 Addition of a new Annex H (informative), “Clarification of ‘composition of assurance’
developed in EN ISO/IEC 15408-1:2023 in support of ‘composition’ introduced in
EN 17640/A1” . 10
European foreword
This document (EN 17640:2022/prA1:2025) has been prepared by Technical Committee CEN/TC 121
“Welding and allied processes”, the secretariat of which is held by AFNOR.
This document is currently submitted to the CEN Enquiry.
1 Modification to Clause 3, “Terms and definitions”
Add the following definitions:
“
3.19
component
entity (3.20) which provides resources and services in a product
[SOURCE: EN ISO/IEC 15408-1:2023, 3.18 modified, is omitted]
3.20
entity
identifiable item that is described by a set or collection of properties
Note 1 to entry: Entities include subjects, users (including external IT products), objects, information, sessions
and/or resources
[SOURCE: EN ISO/IEC 15408-1:2023, 3.36]
3.21
composite product
product comprised of two or more components (3.19) which one already evaluated component (3.19)
and another component (3.19)
Note 1 to entry: The component (3.19) which has already been evaluated provides resources and services to
another component(s) (3.19), and these components (3.19) are called ‘base component’ and ‘dependant
component’, respectively.
Note 2 to entry: Already evaluated base component is called ‘base TOE’.
Note 4 to entry: A dependant component can rely on one or more base components.
Note 3 to entry: A dependent component potentially consists of one or more dependent sub-components. For
simplification, they are considered as ‘one dependent component’.
[SOURCE: EN ISO/IEC 15408-1:2023, 3.24 with references to layer removed and Notes to entries
added.]
3.22
composite target of evaluation
composite TOE
part of a composite product (3.21) being subject to composite TOE evaluation
Note 1 to entry: A composite TOE can contain parts that are independent from the base component or base TOE
respectively. For simplification, such parts are considered as belonging to the dependent component.
Note 2 to entry: The composite TOE evaluation can be applied as many times as necessary to a multi-component
product, in an incremental approach.
3.23
evaluation technical report for composite TOE evaluation
ETR for composite TOE evaluation
documentation intended to be used within the composite TOE (3.22) evaluation and derived by the base
component evaluator from the full evaluation technical report (ETR) (3.13) for the evaluated
component
Note 1 to entry: The ETR for composite TOE evaluation is used for the evaluation of a composite product with
such base component when using the composite evaluation approach.
Note 2 to entry: The ETR for composite TOE evaluation related to a base component is set up to provide sufficient
information for a composite evaluation of a composite product that integrates such already evaluated component.
It enables the composite product evaluator and the respective composite product evaluation authority to
understand the attack paths and the tests that have been considered and performed for the base component and
the effectiveness of the countermeasures implemented by the base component.
[SOURCE: EN ISO/IEC 15408-1:2023, 3.44, adapted.]
”
2 Modification to Clause 4, “Conformance”
Add the following paragraph:
“The concept of composite evaluation is not explicitly contained in the CSA and hence not explicitly
mentioned in any assurance level. Moreover, composite evaluation is not applicable in every TOE. If
scheme developers intend to implement composite TOE evaluation, they need to specify conditions and
requirements on the certificates concerning base components that can be used as evidence in the
composite TOE evaluation.”
3 Modification to Clause 5, “General concepts”
Add the following Clause 5.6:
“
5.6 Composition
Often a product consists of several components, developed by different parties. Sometimes some of
these components are evaluated or certified independently of the entire TOE they will be integrated in.
In this specific case the evaluation of the certified component can be replaced by certain evaluation
tasks listed in Clause 6.13.
rd
NOTE Other means of gaining assurance in 3 party components are not considered composition in this
document.
To enable efficient evaluations and avoid double evaluation work, composition typically requires
certain inputs to be provided. These inputs are divided into two groups. The names and further
requirements on theses inputs are scheme dependent. The inputs includes the following:
• Developer guidelines with
— sufficient requirements for integration and use, ensuring that all the related claimed security
features are indeed active;
— a description with which other type of component(s) the component is expected to be
composed;
— assumptions regarding the environment the composite TOE operates in;
— which actions are required to be performed during composition to maintain the TOE resistance
to the specified attack potential;
— how to securely use the component interfaces;
— what are the security dependencies to other components;
• Evaluation report for composition with
— assurance level of the evaluation / certification;
— what tests have been performed, with which intention, means, depth and observations;
— when applicable, what need to be tested at a composite level and why it was not tested at the
individual component level;
— relevant evaluation results for composite TOE evaluation.
In case a component is supposed to be used later in a composition, then these documents should be
provided alongside the component.”
4 Modification to Clause 6, “Evaluation tasks”
Add the following Clause 6.13:
“
6.13 Composition TOE Evaluation
6.13.1 Aim
This evaluation tasks aims at verifying that all relevant components fulfil the requirements for
integration into the TOE, identifying the extend the evaluation results of these components can be
reused in the evaluation of the TOE, and performing tests that confirm the security features that are
depending on the integrated components work as specified.
6.13.2 Evaluation method
This evaluation task contains a documentation review and testing of the relevant security functionality
of the composite TOE. An access to specific composition documents is required. Depending on the TOE,
access to publicly available specifications or other documents distributed with or referenced by the TOE
might be necessary. Access to the TOE (and possibly background systems provided by the vendor) is
required.
6.13.3 Evaluator qualification
The evaluators need to have knowledge of composition. They need to be able to review the information
provided by the developer. The evaluator shall be able to analyse the evaluation report for composition.
The evaluator shall have knowledge of the technology the base components support and technology
used in the integrated components.
6.13.4 Evaluator work units
6.13.4.1 Work unit 1
The evaluator shall check first that the following documents are provided:
• the developer guidelines of each evaluated component which is subject to integration;
• the evaluation report for composition of each evaluated component which is subject to integration;
• the composition rationale provided by the composite TOE.
NOTE The names and further requirements on these documents can be defined by the scheme. This includes
possible further subdivision of the content.
6.13.4.2 Work unit 2
Th
...