GOST ISO/IEC TS 19249-2021 PDF

Name in English:
GOST ISO/IEC TS 19249-2021

Name in Russian:
ГОСТ ISO/IEC TS 19249-2021

Description in English:

Information technology. Security techniques. Catalogue of architectural and design principles for secure products, systems and applications

Description in Russian:
Информационные технологии. Методы и средства обеспечения безопасности. Каталог принципов построения архитектуры и проектирования безопасных продуктов, систем и приложений

Document status:
Active

Format:
Electronic (PDF)

Page count:
32

Delivery time (for English version):
6 business days

Delivery time (for Russian version):
1 business day

SKU:
GOST44962

Full title and description

GOST ISO/IEC TS 19249-2021 — Information technology. Security techniques. Catalogue of architectural and design principles for secure products, systems and applications. This is the Russian (GOST) adoption of the ISO/IEC technical specification that provides a catalogue of architectural and design principles intended to support secure-by-design development of IT products, systems and applications.

Abstract

This technical specification presents a structured catalogue of architectural and design principles (for example: domain separation, layering, encapsulation, redundancy, virtualization and related principles) together with guidance on applying those principles to develop and assess the security properties of products, systems and applications. The document is informative (guidance) rather than normative for evaluation procedures and does not itself set formal assessment requirements.

General information

  • Status: Active (adopted as a national/interstate GOST standard and in force in Russia and EAEU jurisdictions as of publication).
  • Publication date: 30 November 2021.
  • Publisher: Adopted and published under the Russian national/regional standards system (introduced into force by Rosstandart / interstate standards procedure).
  • ICS / categories: Information technology — security techniques (ICS 35.030).
  • Edition / version: 1st GOST adoption (based on ISO/IEC TS 19249 technical specification originally published in 2017).
  • Number of pages: 32 (GOST published text).

Scope

The standard provides a catalogue of architectural and conceptual design principles that can be applied during design and development to improve security of products, systems and applications. It covers high-level principles (domain separation, layering, encapsulation, redundancy, virtualization, minimization of trusted computing base, secure boot/initialization concepts, least privilege, etc.), examples of application, and considerations useful for design and evaluation activities. It is intended for use as guidance; it does not prescribe evaluation or certification procedures.

Key topics and requirements

  • Catalogue of architectural principles: domain separation, layering, encapsulation, redundancy, virtualization and related concepts.
  • Guidance on defining domain structures and inter-domain communication, including policies for information flows and trust boundaries.
  • Principles for defining interfaces and interactions between layers and components to reduce attack surface.
  • Considerations for consistency, redundancy management and secure configuration of virtualized environments.
  • Advice on applying principles to support security properties such as confidentiality, integrity and availability and on how these principles relate to evaluation considerations (informative guidance, not normative assessment criteria).

Typical use and users

Engineers and architects designing secure IT products and systems; system integrators; software developers applying security-by-design practices; security assessors and auditors who need to understand common architectural controls; product managers and compliance teams aligning product design with recognized security principles.

Related standards

Related international and national standards include ISO/IEC TS 19249 (base TS), ISO/IEC 27000-series (information security management and terminology), ISO/IEC 27001 (ISMS requirements) and other ISO/IEC guidance documents on secure development and application security. The GOST adoption aligns the TS with Russian national/regional standards practice.

Keywords

secure architecture, security-by-design, architectural principles, domain separation, layering, encapsulation, redundancy, virtualization, information security, secure product design, GOST, ISO/IEC TS 19249.

FAQ

Q: What is this standard?

A: GOST ISO/IEC TS 19249-2021 is the Russian/interstate adoption of ISO/IEC TS 19249 — a technical specification cataloguing architectural and design principles for secure products, systems and applications.

Q: What does it cover?

A: It provides a catalogue of architectural and conceptual security principles (such as domain separation, layering, encapsulation, redundancy, virtualization and others), examples of their application and guidance for using these principles to design and assess security properties. It is guidance (informative), not a prescriptive assessment standard.

Q: Who typically uses it?

A: Software and system architects, security engineers, integrators, product teams, and evaluators who need a reference of established architectural principles to guide secure design choices and to support security reviews.

Q: Is it current or superseded?

A: The GOST adoption was published and put into force on 30 November 2021 and is listed as active. The original ISO/IEC TS was published in 2017; users should check for any later revisions or related ISO/IEC publications when planning compliance or procurement.

Q: Is it part of a series?

A: This TS is part of the broader family of ISO/IEC information security/cybersecurity guidance originating from JTC 1/SC 27 and is complementary to the ISO/IEC 27000-series and other application- and product-level security guidance documents.

Q: What are the key keywords?

A: Secure architecture, domain separation, layering, encapsulation, redundancy, virtualization, security principles, security-by-design, information security.