ISO/IEC 15408 PDF (May 2026)

ISO/IEC 15408, popularly known as the Common Criteria (CC), is often described as the "Constitution" of IT security. Instead of just listing "best practices," it provides a rigorous, internationally recognized framework that allows products to be evaluated against specific security claims by independent labs.

ISO/IEC 15408, widely known as the Common Criteria (CC), is the international standard for evaluating the security of Information Technology (IT) products. It provides a standardized framework in which users can specify security requirements, vendors can implement them, and independent labs can evaluate products to confirm that they meet the claimed security attributes.

Structure of ISO/IEC 15408

The latest version, ISO/IEC 15408:2022, is divided into five parts that form the foundation of any evaluation:

  • Part 1: Introduction and General Model: Defines basic concepts, terminology, and the overall evaluation model.
  • Part 2: Security Functional Components: Catalogs a comprehensive set of standardized security behaviors, such as access control, cryptography, and user authentication.
  • Part 3: Security Assurance Components: Outlines the criteria for establishing confidence that a product's security functions are correctly implemented and effective.
  • Part 4: Framework for Methods and Activities: Specifies the framework for developing the evaluation methods used by assessors.
  • Part 5: Pre-defined Packages: Provides bundles of requirements, including the well-known Evaluation Assurance Levels (EAL).

Key Concepts for Certification

To understand how products are certified, three core concepts are essential:

  • Target of Evaluation (TOE): The specific software, firmware, or hardware being evaluated.
  • Protection Profile (PP): An implementation-independent statement of security needs for a specific category of products (e.g., firewalls or mobile devices).
  • Security Target (ST): A vendor-specific document that defines how a particular product meets the security requirements of a PP, or states its own unique security claims.

Evaluation Assurance Levels (EAL)

The standard uses EALs to measure the rigor of the evaluation process, ranging from EAL1 to EAL7:

  • EAL1 (Functionally Tested): Basic assessment, suitable where threats are not substantial.
  • EAL4 (Methodically Designed, Tested, and Reviewed): The most common level for commercial products, requiring detailed design analysis.
  • EAL7 (Formally Verified Design and Tested): The most rigorous level, typically reserved for high-risk national security applications.

Importance in Business and Government

Certification is often a prerequisite for procurement in government and regulated industries like defense, healthcare, and finance. It allows organizations to verify vendor claims through independent third-party validation, reducing supply-chain risk and ensuring global interoperability through the Common Criteria Recognition Arrangement (CCRA).

For further detailed research, you can access the standard through official repositories like the ISO Online Browsing Platform or the Common Criteria Portal for the latest PDF documentation.


Structure of ISO/IEC 15408 (2022 Edition)

The most recent major update, published in August 2022, expanded the standard from three parts to five to improve modularity and flexibility. As of the 2022 revision, the ISO/IEC 15408 series is therefore organized into the five primary parts described above.


The Evaluation Process

The certification process follows a strict lifecycle managed by a national certification scheme (e.g., NIAP in the USA, CESG in the UK, BSI in Germany).

  1. Requirements Definition: The developer creates a Security Target (ST), often based on an existing Protection Profile (PP).
  2. Preparation: The developer provides the product, documentation, and test evidence to an accredited laboratory.
  3. Evaluation: An independent laboratory performs the evaluation according to the chosen EAL. This includes:
    • Examining design documents.
    • Testing the product to verify claimed functionality.
    • Vulnerability analysis (penetration testing).
  4. Certification: If the laboratory determines the product meets the requirements, the Certification Body issues a Common Criteria certificate. This is recognized internationally via the CCRA (Common Criteria Recognition Arrangement).

Breaking Down the PDF Structure (What’s Inside)

If you finally open an ISO/IEC 15408 PDF, the table of contents can be intimidating. Here is a plain-English breakdown of the critical sections you should bookmark.

Scope

  • Applies to a broad range of IT products and systems, including operating systems, firewalls, smart cards, applications, hardware devices, and embedded systems.
  • Focuses on the security functionality and assurance measures associated with those products.

Structure of the Standard

The standard has traditionally been divided into three distinct parts, each serving a specific function in the evaluation process (the 2022 edition adds Parts 4 and 5, described above):

  • Part 1: Introduction and General Model. This part outlines the general concepts and principles of the standard. It introduces the key terminology, such as the Target of Evaluation (TOE), and describes the roles of the participants in the evaluation process.
  • Part 2: Security Functional Components. This section acts as a catalog of standardized security functions. It details specific requirements ranging from cryptographic support and user data protection to identification and authentication mechanisms. Developers select components from this catalog to define what their product does.
  • Part 3: Security Assurance Components. This part focuses on the rigor of the development process. It establishes assurance requirements, such as the depth of testing, vulnerability analysis, and configuration management. This is often measured through Evaluation Assurance Levels (EAL), which rate the depth of security verification from EAL1 (functionally tested) to EAL7 (formally verified).