ISO IEC TS 19249-2017 PDF
Name in English:
St ISO IEC TS 19249-2017
Name in Russian:
Ст ISO IEC TS 19249-2017
Original standard ISO IEC TS 19249-2017, full version in PDF. Additional information and a preview are available on request.
Full title and description
Information technology — Security techniques — Catalogue of architectural and design principles for secure products, systems and applications.
This Technical Specification provides a structured catalogue of architectural and design principles intended to support the development and assessment of secure products, systems and applications by describing each principle, its security contribution, usage guidance, inter‑dependencies and illustrative examples.
Abstract
ISO/IEC TS 19249:2017 gives a catalogue of architectural and design principles that can be used when developing secure products, systems and applications, together with guidance on how to apply those principles effectively. It aims to support more effective security assessments by clarifying the security properties the principles address. The Technical Specification does not impose requirements on evaluation or assessment processes or implementation details.
General information
- Status: Published (Technical Specification).
- Publication date: 27 October 2017.
- Publisher: ISO/IEC (published under ISO/IEC JTC 1/SC 27: Information security, cybersecurity and privacy protection).
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1.0 (2017).
- Number of pages: 26 pages.
Scope
This Technical Specification catalogues architectural and design principles relevant to securing IT products, systems and applications. It provides structured descriptions of principles, guidance on how to apply them, examples of implementation approaches and notes on how principles support security properties (for example confidentiality, integrity and availability). The document is advisory: it offers guidance to designers, implementers and assessors but does not define mandatory evaluation or certification requirements.
Key topics and requirements
- Catalogue of architectural principles (e.g., least privilege, separation of duties, defense in depth) and how they map to security properties and threats.
- Catalogue of design principles for secure implementation (e.g., secure defaults, fail‑safe behavior, input validation, cryptographic use guidance).
- Guidance on using principles effectively during development and design reviews, including examples and implementation considerations (usability, performance trade‑offs).
- Advice on evaluation activities to assess whether architectural principles are realized and how they contribute to claimed security properties (assessment pointers rather than prescriptive test procedures).
- Notes on inter‑dependencies among principles and considerations for integrating multiple principles in a coherent architecture.
Typical use and users
Intended users include security architects, system and software designers, product managers, security assessors and auditors, integrators and standards writers. Common uses are informing secure architecture and design decisions, creating security checklists and design-review checklists, supporting threat/requirements analysis and aiding assessors in mapping implementation evidence to architectural principles.
Related standards
ISO/IEC TS 19249:2017 is part of the information security techniques family and is complementary to evaluation and assurance standards such as ISO/IEC 15408 (Common Criteria) and ISO/IEC 18045 (evaluation methodology), and to information security management guidance such as ISO/IEC 27001/27002. National/adoption publications (for example PD/INCITS adoptions) reproduce the Technical Specification content for local use.
Keywords
security architecture, design principles, secure-by-design, information security, cybersecurity, product security, IT security, catalogue of principles, assessment guidance, smart city (keyword used by publisher).
FAQ
Q: What is this standard?
A: ISO/IEC TS 19249:2017 is a Technical Specification that provides a catalogue of architectural and design principles, with guidance on applying them, to help develop and assess secure products, systems and applications. It is advisory rather than a mandatory requirements standard.
Q: What does it cover?
A: It covers structured descriptions of architectural and design principles, examples of how to apply them, considerations for implementation (including usability and performance trade‑offs) and guidance for evaluation activities that help determine whether the principles are realized in a product or system.
Q: Who typically uses it?
A: Security architects, system and software designers, product teams, integrators, security assessors and auditors use the document to inform secure design, create security checklists, map implementation evidence to design principles and support security assessments.
Q: Is it current or superseded?
A: Published on 27 October 2017, the document is a current Technical Specification; the ISO record shows it as published and subject to periodic review (ISO standards are reviewed on a regular cycle). Users should check the national standards body or ISO catalogue for any later revisions or confirmations.
Q: Is it part of a series?
A: It sits within the ISO/IEC JTC 1/SC 27 portfolio of information security, cybersecurity and privacy protection work and is complementary to other security‑techniques and evaluation standards (for example the Common Criteria family ISO/IEC 15408 and related evaluation methodology ISO/IEC 18045).
Q: What are the keywords?
A: The keywords are security architecture, design principles, secure products, systems, applications, IT security, cybersecurity, product security and smart city (as used by the publisher).