ISO IEC 20243-2-2023 PDF
Name in English: St ISO IEC 20243-2-2023
Name in Russian: Ст ISO IEC 20243-2-2023
Full title and description
ISO/IEC 20243-2:2023 — Information technology — Open Trusted Technology Provider™ Standard (O-TTPS) — Part 2: Assessment procedures for the O-TTPS. This publication (Edition 2, 2023) defines the procedures an assessor should follow when performing conformity assessments against the mandatory requirements of the O-TTPS, with the intent of ensuring repeatability, reproducibility and objectivity of assessments.
Abstract
Part 2 provides the assessment procedures used by independent assessors and certification bodies to evaluate an ICT provider’s conformance with the O-TTPS mandatory requirements. It covers assessment planning, evidence collection, sampling and testing approaches, assessor competence, reporting and follow-up actions. While primarily intended for assessors, organizations preparing for assessment and supply-chain security teams will find the procedures useful for readiness and internal audit activities.
General information
- Status: Published.
- Publication date: 24 November 2023.
- Publisher: ISO/IEC (ISO/IEC JTC 1 Information technology).
- ICS / categories: 35.030 (IT security) / 13.310 (Protection against crime / supply-chain security).
- Edition / version: Edition 2.0 (2023).
- Number of pages: 50 pages.
Scope
This standard specifies the assessment procedures to be used when conducting a conformity assessment against the O-TTPS mandatory requirements. It establishes consistent processes for planning and performing assessments, gathering and retaining objective evidence, applying sampling and testing where appropriate, judging conformity, documenting findings, and managing nonconformities and follow-up. The procedures are applicable to assessments of commercial off-the-shelf (COTS) ICT products and their providers across the product life cycle (design, sourcing, build, fulfillment, distribution, sustainment and disposal).
Key topics and requirements
- Assessment planning and scope definition (objectives, resources, timelines).
- Assessor qualifications, impartiality and competency requirements.
- Evidence collection methods, documentation and retention.
- Sampling, inspection and testing approaches for COTS ICT components.
- Evaluation criteria and decision rules for conformity versus mandatory O-TTPS requirements.
- Reporting templates, findings classification, and corrective action tracking.
- Confidentiality, chain-of-custody and handling of sensitive information during assessments.
- Conflict-of-interest controls and assessor independence safeguards.
- Follow-up assessment, surveillance and re-assessment procedures.
- Recordkeeping, traceability and audit trail requirements for assessment evidence.
Typical use and users
Primary users are independent assessors, certification bodies and conformity assessment organizations performing O-TTPS assessments. Secondary users include ICT product and component providers preparing for assessment, internal audit and compliance teams, procurement and supply-chain security managers, systems integrators, and government or regulated-entity evaluators seeking to verify supplier integrity and resilience against tainted or counterfeit products.
Related standards
ISO/IEC 20243-1:2023 — Part 1 (Requirements and recommendations for mitigating maliciously tainted and counterfeit products) is the companion document that defines the mandatory requirements and recommended practices that Part 2 assessment procedures evaluate. Earlier editions (ISO/IEC 20243-2:2018 and ISO/IEC 20243-1:2018) have been withdrawn and superseded by the 2023 two-part release.
Keywords
O-TTPS, Open Trusted Technology Provider, supply chain security, tainted product, counterfeit product, conformity assessment, assessor procedures, ICT product integrity, COTS, audit, certification.
FAQ
Q: What is this standard?
A: ISO/IEC 20243-2:2023 is the assessment-procedures part of the Open Trusted Technology Provider Standard (O-TTPS). It prescribes how assessors should conduct conformity assessments to determine whether a provider meets the O-TTPS mandatory requirements.
Q: What does it cover?
A: It covers assessment planning, assessor competence, evidence collection and handling, sampling and testing approaches, evaluation rules, reporting, corrective actions and follow-up — all to ensure assessments are repeatable, reproducible and objective.
Q: Who typically uses it?
A: Independent assessors and certification bodies performing O-TTPS assessments are the primary users. ICT vendors, supply-chain security and procurement teams, internal auditors and government evaluators use it for preparedness, internal assessment and supplier evaluation.
Q: Is it current or superseded?
A: This is the current (published) second edition of Part 2, released in November 2023. It supersedes the 2018 edition, which has been withdrawn and replaced by the 2023 edition.
Q: Is it part of a series?
A: Yes — it is Part 2 of the ISO/IEC 20243 series. Part 1 (ISO/IEC 20243-1:2023) defines the requirements and recommendations; Part 2 defines the assessment procedures used to verify conformance to Part 1.
Q: What are the key keywords?
A: Key keywords include O-TTPS, supply-chain security, assessment procedures, conformity assessment, ICT integrity, counterfeit mitigation, assessor competence, COTS.