What is this standard about?
It provides a specification for improving the trustworthiness of systems, software and services. It’s intended to be a widely applicable approach that can be customized for any organization and software.
Who is this standard for?
This standard is applicable to any organization aiming to adopt system trustworthiness practices. It can be used by all three major segments of the IT industry, namely:
- Specifiers (procurement/acquisition)
- Realizers (developers and system integrators)
- Software end users
Why should you use this standard?
Its requirements define the overall principles for effective trustworthiness, and include technical, physical, cultural and behavioural measures alongside effective leadership and governance.
The standard identifies the necessary tools, techniques and processes, and covers the five facets of trustworthiness: safety, reliability, availability, resilience and security.
It includes a comprehensive Trustworthiness System Framework (TSFr), which provides a domain- and implementation-agnostic way to reference the large existing body of knowledge, including functional safety, information security, and systems and software engineering and collate good practice for software trustworthiness.
It can be deployed as a stand-alone document for organizations with no current approach to software trustworthiness. Conversely, where organizations already address system trustworthiness through one or more of the five facets, this specification provides a companion and complement to other relevant standards.
Use of this standard will help an organization improve its:
- Controls
- Operational effectiveness and efficiency
- Organizational learning
- Stakeholder confidence and trust
- Risk management
- Business reputation
- Likelihood of achieving objectives
By helping improve software trustworthiness, this specification could result in significant savings for the economy and reduce the risk major disruptions to a range of sectors.
NOTE: This document does not specify how any technique should be applied to a specific application. This information is available in other standards, such as ISO/IEC 15408‑1 and ISO/IEC 27001 for information security, and IEC 61508 for functional safety.