ISO/IEC 15408 PDF

ISO/IEC 15408 PDF Jun 2026

Introduced in more recent iterations, this part outlines the methodologies used by evaluation authorities to establish equivalence and rigor across different testing labs, ensuring that an evaluation conducted in one country holds the same weight globally.

Part 5: Pre-defined Packages of Security Requirements

Many forum-shared PDFs are missing Annexes (e.g., Annex A – Cross-referencing tables). These annexes are critical for mapping functional components. Without them, the standard is nearly unusable.

In an era of sophisticated cyber threats, organizations must verify that their IT security products actually perform as advertised. This is where ISO/IEC 15408, internationally known as the Common Criteria (CC), comes into play. It serves as the global blueprint for evaluating and certifying the security attributes of information technology products.

The documents can be purchased directly from the ISO Store or the IEC Webstore.

The manufacturer’s claim of what their specific product actually does to meet those needs.

Evaluation Assurance Level (EAL):

Defines the security requirements for IT products (e.g., encryption, access control).

A numerical rating (from EAL1 to EAL7) representing the depth and rigor of the evaluation process.

The Structure of the ISO/IEC 15408 Standard

The Common Criteria is an international standard (ISO/IEC 15408:2022) that provides a framework for evaluating the security properties of IT products. It allows manufacturers to claim security features and requires independent testing laboratories to verify these claims.

The official ISO/IEC 15408 documents (Common Criteria parts 1–3) are available from national standards bodies and authorized distributors; some national certification bodies and the Common Criteria portal also publish copies or guidance documents. (Search your national standards organization or the Common Criteria portal for the latest PDF versions.)


This part acts as a catalog of predefined security functional requirements (SFRs). These are the specific security behaviors expected from a product, such as user identification and authentication, cryptographic support, data protection and access control, and security audit logging.

Part 3: Security Assurance Components

This section contains pre-defined packages of security requirements that are commonly used across industries. It simplifies the creation of Security Targets and Protection Profiles by offering proven blueprints.

Key Concepts Within the Standard