Preface

This is the first edition of CSA/ANSI T200, Evaluation of software development and cybersecurity programs.

This Standard was prepared by the Subcommittee on Cybersecurity Verification, under the jurisdiction of the Technical Committee on Operational Security and the Strategic Steering Committee on Information and Communication Technology, and has been formally approved by the Technical Committee.

This Standard has been developed in compliance with Standards Council of Canada requirements for National Standards of Canada. It has been published as a National Standard of Canada by CSA Group.

This Standard has been approved by the American National Standards Institute (ANSI) as an American National Standard.

Scope

1.1 This Standard describes a methodology for assessing the product software and cybersecurity control maturity of an organization. This Standard provides the evaluators and vendors a method to determine the control maturity of the organization and products/solutions being developed regardless of solution vertical. It covers the entire product system life cycle from conception to full commissioning and until the end of life. It supports effective executive business decisions that establish a comprehensive maturity model approach to cybersecurity.

1.2 This Standard is applicable to all IoT and related products/solutions.

1.3 In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the Standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the Standard.

Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.

Notes to tables and figures are considered part of the table or figure and may be written as requirements.
Annexes are designated normative (mandatory) or informative (non-mandatory) to define their intended application.