For those building Security Targets or Protection Profiles, it's important to consider the free supporting documents available. For example, the provides detailed guidance on how to conduct an evaluation. Additionally, guidance documents like ISO/IEC TS 19608 offer free, practical advice on selecting and specifying security functional requirements for protecting Personally Identifiable Information (PII) using ISO/IEC 15408.
Protection Profile (PP): A document that identifies security requirements for a specific class of devices (e.g., "Firewalls" or "Smart Cards").
Measures taken during design and production to assure that the product's security holds up.
Evaluation Assurance Level
It provides a trusted, independent verification of a product’s security claims.
Uses semi-formal methods to design and test the product. Usually applied to high-security systems such as military hardware or banking microchips.
One of the most talked-about aspects of the ISO/IEC 15408 PDF is the Evaluation Assurance Levels (EALs). EALs do not measure how secure a product is; rather, they measure how thoroughly the product was tested.
You can find official documentation and parts of the standard on the Common Criteria Portal, or purchase the full PDF via the .
TCSEC: Developed by the United States Department of Defense.
ITSEC: The European alternative used in the early 1990s.
CTCPEC: The Canadian standard.
Part 1: Defines basic concepts, terminology, and the overall evaluation model.
You may wonder if you should invest time in 15408 or shift to newer frameworks.
ISO/IEC 15408 defines a framework for evaluating the security properties of IT products and systems. It allows creators of IT products to claim security attributes and enables users to verify that these products meet their specific security needs.
Verification of developer testing and basic configuration controls.
Helps organizations mitigate risk by ensuring IT products are evaluated against common threats.
ISO/IEC 15408 vs. ISO/IEC 27001
It is crucial to distinguish between these two standards:
Before ISO/IEC 15408, the cybersecurity landscape was fractured by regional validation standards:
The impact of ISO/IEC 15408 is truly global, thanks to the Common Criteria Recognition Arrangement (CCRA). Under this arrangement, a product certified in one member country is recognized by all other signatories, reducing the need for redundant testing and streamlining global trade. This mutual recognition is the primary reason the Common Criteria is considered the gold standard for IT security certification worldwide. The certification process involves several stages: planning, document review, on-site visits, testing, and ultimately, a certification decision.
Part 2: Security Functional Components
This section establishes a catalog of standardized security functional components. These are the specific security behaviors expected from a product (e.g., user identification, data encryption, audit logging, and access control). Vendors select components from this catalog to describe what their product does to protect data.
Part 3: Security Assurance Components
The EALs represent the level of rigor in the evaluation process. A higher EAL indicates a more comprehensive evaluation: not necessarily better security, but higher confidence in the security functions.
EAL1: Functionally Tested
EAL2: Structurally Tested
EAL3: Methodically Tested and Checked
EAL4: Methodically Designed, Tested, and Reviewed
EAL5: Semi-formally Designed and Tested
EAL6: Semi-formally Verified Design and Tested
EAL7: Formally Verified Design and Tested
Where to Find the ISO/IEC 15408 PDF
How the system knows who a user is.