ISO/IEC 15408 PDF

ISO/IEC 15408, universally known as the Common Criteria (CC), is the international standard for evaluating the security properties of IT products and systems. It provides a consistent framework for vendors to implement security features and for independent laboratories to test and certify them.

Core Structure of ISO/IEC 15408

The standard is divided into several parts that work together to define the evaluation process:

Part 1: Introduction and General Model – Defines the terminology and the overall model of evaluation.

Part 2: Security Functional Components – Catalogs a set of standardized security functions (e.g., access control, audit, and cryptographic support) that a product can claim.

Part 3: Security Assurance Components – Defines requirements for the evaluation process itself to ensure that security claims are verified effectively.

Parts 4 and 5 (2022 edition) – The ISO/IEC 15408:2022 edition adds a framework for specifying evaluation methods and activities (Part 4) and pre-defined packages of security requirements, including the Evaluation Assurance Levels (Part 5).

Key Concepts in the PDF

ISO/IEC 15408, often called the Common Criteria (CC), is the global benchmark for evaluating the security of IT products. It provides a structured framework for vendors to implement security and for consumers to verify it.

🛡️ Core Functionality

Product Evaluation: Specifically targets the security of IT products (software, hardware, or firmware) rather than organizational processes.

Security Functional Requirements (SFRs): Defines the specific security capabilities a product must demonstrate, such as encryption or access control.

Security Assurance Requirements (SARs): Measures the level of confidence that those security features are correctly implemented.

Global Mutual Recognition: Under the Common Criteria Recognition Arrangement (CCRA), a certificate issued by one member scheme is recognized by the others, reducing the need for duplicate testing. The caveat a vendor should know: CCRA recognition covers certificates based on collaborative Protection Profiles (cPPs) or assurance up to EAL2 (optionally augmented with ALC_FLR); higher assurance levels are recognized only within narrower regional agreements such as SOG-IS.

📂 Key Structural Parts

The standard is divided into multiple components to guide the evaluation process:

Part 1: Introduction and general model; defines the core concepts and principles.

Part 2: Security functional components; lists the technical capabilities required.

Part 3: Security assurance components; details the criteria for the evaluation process itself.

📊 ISO/IEC 15408 vs. ISO/IEC 27001

While both deal with information security, their focuses differ significantly:

                 ISO/IEC 15408 (Common Criteria)      ISO/IEC 27001
Focus            IT product or system                 Organizational management
Orientation      Product-oriented                     Process-oriented
Goal             Verify specific security features    Build an Information Security Management System (ISMS)

🔍 Key Terminology

Target of Evaluation (TOE): The specific product or system being tested.

Protection Profile (PP): A template of security requirements for a specific category of products (e.g., firewalls).

Security Target (ST): A document created by the vendor describing how their specific product meets the security goals.

Official copies of the standard in PDF format are sold through the ISO Store; the Common Criteria portal publishes the corresponding Common Criteria (CC) and Common Evaluation Methodology (CEM) documents free of charge.

The ISO/IEC 15408 standard, widely known as the Common Criteria (CC), is the international benchmark for evaluating and certifying the security of information technology products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can rigorously verify those claims.

Understanding ISO/IEC 15408 (Common Criteria)

The primary goal of ISO/IEC 15408 is to provide confidence to consumers that a product's security features, whether implemented in hardware, software, or firmware, meet specific, documented requirements. Unlike ISO/IEC 27001, which focuses on an organization's overall management processes, ISO/IEC 15408 is strictly product-oriented.

The Five Parts of ISO/IEC 15408:2022

The latest major revision, published in August 2022, expanded the standard from three parts to five to better address modern cybersecurity needs.

ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security of IT products. Writing documentation for it involves following a rigid framework to ensure that security claims are testable and consistent across global markets.

1. Understand the Core Structure

The standard is divided into five parts that guide the evaluation process:

Part 1: Introduction and General Model – Defines the terminology and the general concepts used throughout the standard.

Part 2: Security Functional Components – A catalog of standard security functions (e.g., identification, authentication, audit) that a product can perform.

Part 3: Security Assurance Components – Focuses on the "trust" aspect, defining the rigor of the evaluation process.

Part 4: Framework for the Specification of Evaluation Methods and Activities – Guidance for evaluators on how to conduct tests.

Part 5: Pre-defined Packages of Security Requirements – Standardized sets of requirements for common product types.

2. Define Your Writing Goals

When writing a guide or technical document for ISO/IEC 15408, you typically focus on one of two documents:

Protection Profile (PP): A document created by a user or community that identifies security requirements for a specific class of products (e.g., "Firewalls" or "Smart Cards").

Security Target (ST): A document created by a vendor that describes the specific security features and assurance level of their particular product.

3. Key Components to Include

A professional ISO/IEC 15408 guide should help authors address these critical sections:

Target of Evaluation (TOE): Clearly define what exactly is being evaluated (hardware, software, or both).

Security Problem Definition (SPD): Outline the specific threats, organizational security policies (OSPs), and assumptions about the operational environment that the product is designed to address.

Security Objectives: State what the TOE itself will do to counter the identified threats and uphold the policies (objectives for the TOE), and what its operational environment is expected to provide (objectives for the operational environment). Assumptions can only be upheld by objectives for the environment, never by the TOE.

Security Functional Requirements (SFRs): Select the specific functions from Part 2 of the standard that satisfy the objectives.

Evaluation Assurance Level (EAL): Choose a level (from EAL1 to EAL7) that represents the depth and rigor of the evaluation, or claim the assurance package mandated by the Protection Profile the ST conforms to.

4. Drafting Best Practices

Use Precise Language: Avoid vague terms. Stick to the definitions provided in Part 1 of the standard so that evaluators and certification bodies in different schemes read the claims the same way.

Ensure Traceability: Every SFR must trace to at least one security objective for the TOE, every objective must address at least one threat, policy, or assumption from the SPD, and every threat and policy must be countered by at least one objective. Evaluators check these rationale tables in both directions, so an orphaned requirement or an uncovered threat is a finding.

Focus on the Product: Unlike ISO 27001, which focuses on organizational management, your guide must focus strictly on the technical and process security of the IT product itself.
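The traceability rule is mechanical enough to check automatically before the ST goes to a lab. The following Python script is an added example, not code from the page or from any evaluation scheme: it models the rationale tables of a Security Target as sets and maps and reports the gaps an evaluator would flag (uncovered threats or assumptions, objectives that address nothing, an assumption wrongly "upheld" by a TOE objective, SFRs with no objective behind them, and TOE objectives that no SFR supports). The sample ST content is constructed for illustration; the threat, objective, and assumption labels are hypothetical, while the SFR identifiers are real Part 2 component names.

```python
"""Traceability check for the rationale sections of a Common Criteria Security Target (ST)."""
from dataclasses import dataclass


@dataclass
class SecurityTarget:
    # Security Problem Definition (SPD)
    threats: set[str]
    osps: set[str]            # organisational security policies
    assumptions: set[str]
    # Security objectives, split as CC Part 1 requires
    toe_objectives: set[str]
    env_objectives: set[str]  # objectives for the operational environment
    # objective -> SPD elements (threats, OSPs, assumptions) it addresses
    objective_rationale: dict[str, set[str]]
    # SFR component (Part 2 name) -> TOE objectives it helps satisfy
    sfr_rationale: dict[str, set[str]]


def check_traceability(st: SecurityTarget) -> dict[str, set[str]]:
    """Return the rationale gaps an evaluator would flag, keyed by kind.

    Rules applied (CC Part 1 objectives and requirements rationale):
      - every threat, OSP and assumption is addressed by at least one objective
      - an assumption is upheld only by objectives for the environment, never by a TOE objective
      - every objective addresses at least one SPD element
      - every SFR traces to at least one TOE objective (SFRs never trace to environment objectives)
      - every TOE objective is met by at least one SFR
    """
    gaps: dict[str, set[str]] = {
        "uncovered_spd": set(),
        "orphan_objectives": set(),
        "assumption_met_by_toe": set(),
        "orphan_sfrs": set(),
        "unsupported_toe_objectives": set(),
        "unknown_references": set(),
    }
    spd = st.threats | st.osps | st.assumptions
    objectives = st.toe_objectives | st.env_objectives
    covered_spd: set[str] = set()

    for obj in objectives:
        targets = st.objective_rationale.get(obj, set())
        if not targets:
            gaps["orphan_objectives"].add(obj)
        for t in targets:
            if t not in spd:
                gaps["unknown_references"].add(t)   # rationale cites something not in the SPD
                continue
            covered_spd.add(t)
            if t in st.assumptions and obj in st.toe_objectives:
                gaps["assumption_met_by_toe"].add(obj)
    for obj in st.objective_rationale:
        if obj not in objectives:
            gaps["unknown_references"].add(obj)     # rationale row for an undeclared objective
    gaps["uncovered_spd"] = spd - covered_spd

    supported: set[str] = set()
    for sfr, objs in st.sfr_rationale.items():
        if not objs:
            gaps["orphan_sfrs"].add(sfr)
        for o in objs:
            if o not in st.toe_objectives:
                gaps["unknown_references"].add(o)   # SFRs may only trace to TOE objectives
            else:
                supported.add(o)
    gaps["unsupported_toe_objectives"] = st.toe_objectives - supported
    return gaps


# Constructed sample: a small firewall-style TOE. Threat/objective/assumption labels are
# hypothetical; the SFR identifiers are real Part 2 component names.
SAMPLE_ST = SecurityTarget(
    threats={"T.UNAUTH_ACCESS", "T.AUDIT_LOSS", "T.EAVESDROP"},
    osps={"P.ACCOUNTABILITY"},
    assumptions={"A.PHYSICAL", "A.TRUSTED_ADMIN"},
    toe_objectives={"O.AUTH", "O.AUDIT", "O.CRYPTO", "O.SELF_TEST"},
    env_objectives={"OE.PHYSICAL", "OE.TRUSTED_ADMIN"},
    objective_rationale={
        "O.AUTH": {"T.UNAUTH_ACCESS"},
        "O.AUDIT": {"T.AUDIT_LOSS", "P.ACCOUNTABILITY"},
        "O.CRYPTO": {"T.EAVESDROP", "A.PHYSICAL"},   # defect: TOE objective "upholds" an assumption
        "O.SELF_TEST": set(),                         # defect: objective addresses nothing
        "OE.PHYSICAL": {"A.PHYSICAL"},
        # OE.TRUSTED_ADMIN has no rationale row, so A.TRUSTED_ADMIN stays uncovered
    },
    sfr_rationale={
        "FIA_UAU.2": {"O.AUTH"},
        "FIA_UID.2": {"O.AUTH"},
        "FAU_GEN.1": {"O.AUDIT"},
        "FAU_STG.1": {"O.AUDIT"},
        "FCS_COP.1": {"O.CRYPTO"},
        "FMT_SMR.1": set(),                           # defect: SFR with no objective behind it
        # nothing traces to O.SELF_TEST, so it is an unsupported TOE objective
    },
)


def sample_gaps() -> dict[str, set[str]]:
    """Run the check over the constructed sample ST."""
    return check_traceability(SAMPLE_ST)


if __name__ == "__main__":
    for kind, items in sample_gaps().items():
        print(f"{kind:28s} {sorted(items)}")
```

Running the script against the sample prints one line per gap kind; an empty list means that rationale table is complete in that direction. In practice the sets are loaded from the ST's own tables (a spreadsheet export or the XML of an authoring tool), and the check is rerun every time a threat, objective, or SFR is added or removed.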

For more detailed technical specifications, you can find official documentation and resources through the Common Criteria Portal or the ISO Website.

INTERNAL REPORT: ISO/IEC 15408 (Common Criteria)

Date: October 26, 2023
Subject: Overview and Analysis of ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation)


Part 3: Decoding the Core Concepts of the PDF

Once you have the PDF open, you will encounter dense, technical language. Let us translate the most critical concepts.

Part 5: Why the ISO/IEC 15408 PDF Still Matters in 2025

With agile development and DevSecOps, some argue that Common Criteria is too slow. However, its relevance is unshaken for three reasons:

Benefits

Part 4: How to Use the PDF – A Practical Roadmap to Certification

You have the ISO/IEC 15408 PDF on your desk. Now, how do you use it to certify your product? Follow this 6-step process.