Relevant ISO & ETSI Standards for Software Security: A Practical Overview

While the Cyber Resilience Act (CRA) does not yet have a single harmonized standard for cybersecurity risk assessment, expert guidance from bodies like ENISA points to two key documents as the most relevant and practical choices for software developers today.

ISO/IEC 27005:2022 - The "What to Do" Framework

Think of ISO 27005 as your high-level framework for managing information security risks. It outlines the entire risk management process, from establishing context and assessing risk to treating it and monitoring the results. The presentation maps this exact process to the requirements of the CRA, such as Article 13. It provides the structure for your risk management system but does not prescribe a specific methodology for the analysis itself.

ETSI TS 102 165-1 - The "How to Do It" Methodology

This technical specification from the European Telecommunications Standards Institute (ETSI) offers a specific, hands-on methodology for product-focused security analysis called Threat, Vulnerability, Risk Analysis (TVRA). It is a practical guide for performing the core risk identification and analysis steps required by the CRA and ISO 27005. It helps you answer the questions "what could go wrong?" and "how bad could it be?" for your specific software product.

The Winning Combination

For practical CRA compliance, using these two standards together is the recommended approach:

  1. ISO 27005: Use it to structure your overall risk management process and ensure all CRA requirements are met.
  2. ETSI TS 102 165-1: Use its TVRA method to perform the detailed, product-specific risk assessment within your ISO 27005 framework.

Key Takeaway

For a robust and compliant risk assessment process, use ISO 27005 to define your overall management framework and the ETSI TS 102 165-1 (TVRA) standard to execute the detailed product-level threat and vulnerability analysis.