📌 What is ISO/IEC 15408?
ISO/IEC 15408, commonly known as the Common Criteria (CC), is an international standard for evaluating the security of IT products and systems. It provides a framework for specifying security requirements and assurance levels.
🔍 Why does it matter?
Governments, defense agencies, and regulated industries require Common Criteria certification to ensure products (e.g., firewalls, smart cards, operating systems) meet rigorous security standards.
📘 Key components of the standard:
Part 1: Introduction and general model; Part 2: Security functional components; Part 3: Security assurance components. The 2022 edition adds Part 4 (Framework for the specification of evaluation methods and activities) and Part 5 (Pre-defined packages of security requirements, including the EALs).
✅ Where to get the official PDF:
Purchase from the ISO or IEC webstores, or download the technically equivalent Common Criteria documents free of charge from the Common Criteria Portal (commoncriteriaportal.org).
⚠️ Important note:
Be cautious of free PDFs found online — many are outdated, incomplete, or unauthorized copies. Always refer to the official version for compliance work.
💡 Final tip:
If you're studying Common Criteria, check the official Common Criteria Portal for supplementary documents (e.g., Supporting Documents, CEM — Common Evaluation Methodology).
ISO/IEC 15408, universally known as the Common Criteria (CC), is the premier international standard for evaluating the security of IT products. It provides a rigorous framework where vendors can claim specific security properties for their products (software, hardware, or firmware) and have those claims independently verified by accredited laboratories.
Core Structure of the Standard
The standard is divided into multiple parts, typically found as a series of PDF documents. The most recent major revision is ISO/IEC 15408:2022.
Part 1: Introduction and General Model – Defines the terminology and the overall philosophy of the evaluation process.
Part 2: Security Functional Components – Catalogs the "What": a library of security functions like access control, audit, and cryptography.
Part 3: Security Assurance Components – Defines the "How well": the rigor of the development and testing process.
Part 4: Framework for the Specification of Evaluation Methods and Activities – Provides a structure for deriving specific evaluation activities.
Part 5: Pre-defined Packages of Security Requirements – Contains the well-known Evaluation Assurance Levels (EALs).
Key Concepts
Target of Evaluation (TOE): The specific product or system being evaluated.
Protection Profile (PP): A document created by users or industries (e.g., government) that defines the security requirements for a class of products (like firewalls or mobile devices).
Security Target (ST): A document created by the vendor that specifies how their product meets the requirements.
EAL Levels: Ranging from EAL1 (functionally tested) to EAL7 (formally verified design and tested). Most commercial products aim for EAL2 to EAL4.
Why It Matters
Achieving ISO/IEC 15408 (Common Criteria) certification involves a rigorous, multi-stage process: defining the Target of Evaluation (TOE), selecting any Protection Profile the product will claim conformance to, and drafting a Security Target for evaluator scrutiny. Organizations typically aim for a specific Evaluation Assurance Level (EAL) and demonstrate it through documentation review, independent and penetration testing by the evaluators, and verification of the secure development process.
The ISO/IEC 15408 standard, widely known as the Common Criteria (CC), is the international benchmark for evaluating and certifying the security of information technology products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can rigorously verify those claims.
Understanding ISO/IEC 15408 (Common Criteria)
The primary goal of ISO/IEC 15408 is to provide confidence to consumers that a product's security features—whether implemented in hardware, software, or firmware—meet specific, documented requirements. Unlike ISO/IEC 27001, which focuses on an organization's overall management processes, ISO/IEC 15408 is strictly product-oriented.
The Five Parts of ISO/IEC 15408:2022
The latest major revision, published in August 2022, expanded the standard from three parts to five to better address modern cybersecurity needs. The five parts are listed in the next section.
ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security properties of IT products and systems. It provides a rigorous, standardized framework for vendors to demonstrate that their products meet specific security requirements through independent, third-party assessment.
Core Structure of ISO/IEC 15408
The standard was updated in August 2022 (the fourth edition) and now consists of five primary parts:
Part 1: Introduction and General Model – Defines terms, abbreviations, and basic security concepts like the Target of Evaluation (TOE).
Part 2: Security Functional Components – Catalogs requirements for security behavior, such as access control, cryptography, and audit capabilities.
Part 3: Security Assurance Components – Outlines measures to ensure security functions are implemented correctly, including development and testing procedures.
Part 4: Framework for the Specification of Evaluation Methods and Activities – Sets the ground rules for developing evaluation activities that extend the Common Evaluation Methodology (CEM, ISO/IEC 18045).
Part 5: Pre-defined Packages of Security Requirements – Includes standard security assurance packages and the Evaluation Assurance Levels (EALs).
Key Concepts in Evaluation
Evaluation Assurance Level (EAL): A scale from EAL1 (functionally tested) to EAL7 (formally verified) that indicates the depth and rigor of the evaluation. Most commercial products target EAL2 to EAL4.
Protection Profile (PP): A document defining implementation-independent security requirements for a specific category of products (e.g., firewalls or mobile devices).
Security Target (ST): A document specifying the exact security requirements a particular product meets, often described as the "contract" between the developer and the evaluator.
ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security of IT products. Writing documentation for it involves following a rigid framework to ensure that security claims are testable and consistent across global markets.
1. Understand the Core Structure
The standard is divided into five parts that guide the evaluation process:
Part 1: Introduction and General Model – Defines the terminology and the general concepts used throughout the standard.
Part 2: Security Functional Components – A catalog of standard security functions (e.g., identification, authentication, audit) that a product can perform.
Part 3: Security Assurance Components – Focuses on the "trust" aspect, defining the rigor of the evaluation process.
Part 4: Framework for the Specification of Evaluation Methods and Activities – Guidance for evaluators on how to conduct tests.
Part 5: Pre-defined Packages of Security Requirements – Standardized sets of requirements for common product types.
2. Define Your Writing Goals
When writing a guide or technical document for ISO/IEC 15408, you typically focus on one of two documents:
Protection Profile (PP): A document created by a user or community that identifies security requirements for a specific class of products (e.g., "Firewalls" or "Smart Cards").
Security Target (ST): A document created by a vendor that describes the specific security features and the claimed assurance level of their particular product.
3. Key Components to Include
A professional ISO/IEC 15408 guide should help authors address these critical sections:
Target of Evaluation (TOE): Clearly define what exactly is being evaluated (hardware, software, or both).
Security Problem Definition: Outline the specific threats, organizational policies, and assumptions the product is designed to address.
Security Objectives: Explain how the product (and its environment) will counter the identified threats.
Security Functional Requirements (SFRs): Select the specific functions from Part 2 of the standard that satisfy the objectives.
Evaluation Assurance Level (EAL): Choose a level (from EAL1 to EAL7) that represents the depth and rigor of the evaluation.
4. Drafting Best Practices
Use Precise Language: Avoid vague terms. Stick to the definitions provided in Part 1 of the standard to ensure global mutual recognition.
Ensure Traceability: Every SFR must trace to at least one security objective, and every objective to at least one threat, organizational policy, or assumption from the Security Problem Definition. Evaluators check these rationale tables, and an SFR whose Part 2 dependencies are neither claimed nor explicitly justified is a standard finding.
Focus on the Product: Unlike ISO 27001, which focuses on organizational management, your guide must focus strictly on the technical and process security of the IT product itself.
For more detailed technical specifications, you can find official documentation and resources through the Common Criteria Portal or the ISO website.
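As an added example (not text from ISO/IEC 15408, from any evaluation scheme, or from the original page), the following Python script models the rationale tables an ST author writes for sections 3 and 4 above and checks them the way an evaluator does under ASE_OBJ and ASE_REQ: every threat countered by an objective, every TOE objective met by an SFR, and every SFR's Part 2 dependencies either claimed or justified. The SecurityTarget model, the DRAFT_ST and FIXED_ST data and the PART2_DEPS table are constructed for illustration; the dependency entries are assumed to follow the CC 3.1 Part 2 catalogue and should be re-checked against the edition your ST claims. The identifier check also illustrates the component naming (class_family.component, e.g. FDP_ACC.1) that the internal report below relies on.

```python
"""Traceability check for a Common Criteria Security Target (ST).

Added example for this page, not text from ISO/IEC 15408 or from any real ST.
It models the rationale an ST author supplies (threat -> objective -> SFR) and
reports the gaps an evaluator would raise. PART2_DEPS is a hand-picked subset;
assumption: entries follow the CC 3.1 Part 2 catalogue, so re-check them
against the edition your ST claims.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SFR_ID = re.compile(r"^F[A-Z]{2}_[A-Z]{3}\.\d+$")  # class_family.component, e.g. FDP_ACC.1

# Dependencies per component; a tuple means "any one of these" ([A or B] in Part 2).
PART2_DEPS: dict[str, list] = {
    "FAU_GEN.1": ["FPT_STM.1"],
    "FAU_STG.1": ["FAU_GEN.1"],
    "FDP_ACC.1": ["FDP_ACF.1"],
    "FDP_ACF.1": ["FDP_ACC.1", "FMT_MSA.3"],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), "FMT_SMR.1", "FMT_SMF.1"],
    "FMT_MSA.3": ["FMT_MSA.1", "FMT_SMR.1"],
    "FMT_SMF.1": [],
    "FMT_SMR.1": ["FIA_UID.1"],
    "FIA_UID.1": [],
    "FIA_UAU.1": ["FIA_UID.1"],
    "FPT_STM.1": [],
}


@dataclass
class SecurityTarget:
    """Only the rationale-relevant parts of an ST (constructed model)."""
    threats: dict[str, str]            # T.NAME -> one-line description
    objectives: dict[str, list[str]]   # O.NAME / OE.NAME -> threats it counters
    sfrs: dict[str, list[str]]         # component id -> objectives it satisfies
    dep_rationale: set[str] = field(default_factory=set)  # deps the ST argues away


def check_traceability(st: SecurityTarget) -> list[str]:
    """Return findings; an empty list means the rationale tables are closed."""
    findings: list[str] = []
    # Every threat is countered by an objective; objectives cite only declared threats.
    countered = {t for ts in st.objectives.values() for t in ts}
    findings += [f"threat {t} is not countered by any objective" for t in st.threats if t not in countered]
    findings += [f"objective {o} cites undefined threat {t}"
                 for o, ts in st.objectives.items() for t in ts if t not in st.threats]
    # Every TOE objective (O.*) is met by an SFR; OE.* objectives are met by the environment.
    satisfied = {o for objs in st.sfrs.values() for o in objs}
    findings += [f"objective {o} is not satisfied by any SFR"
                 for o in st.objectives if o.startswith("O.") and o not in satisfied]
    # Each SFR is a known component, traces to declared objectives, and has its
    # dependencies either claimed or explicitly justified in the ST.
    for sfr, objs in st.sfrs.items():
        if not SFR_ID.match(sfr):
            findings.append(f"{sfr} is not a valid component identifier")
            continue
        if sfr not in PART2_DEPS:
            findings.append(f"{sfr} is not in the (subset) Part 2 catalogue")
            continue
        if not objs:
            findings.append(f"{sfr} traces to no objective")
        findings += [f"{sfr} cites undefined objective {o}" for o in objs if o not in st.objectives]
        for dep in PART2_DEPS[sfr]:
            alts = dep if isinstance(dep, tuple) else (dep,)
            if not any(a in st.sfrs or a in st.dep_rationale for a in alts):
                findings.append(f"{sfr} depends on {' or '.join(alts)}, which is neither claimed nor justified")
    return findings


# Constructed draft ST for a small file server; three gaps are deliberate.
DRAFT_ST = SecurityTarget(
    threats={"T.UNAUTH_ACCESS": "user data read without authorisation",
             "T.UNDETECTED": "security-relevant actions go unnoticed",
             "T.TAMPER_LOG": "the audit trail is altered"},
    objectives={"O.ACCESS": ["T.UNAUTH_ACCESS"], "O.IDENT": ["T.UNAUTH_ACCESS"],
                "O.AUDIT": ["T.UNDETECTED"], "OE.TIME": []},  # OE.TIME: environment supplies time
    sfrs={"FDP_ACC.1": ["O.ACCESS"], "FDP_ACF.1": ["O.ACCESS"], "FIA_UID.1": ["O.IDENT"],
          "FIA_UAU.1": ["O.IDENT"], "FAU_GEN.1": ["O.AUDIT"]},
)

# The same ST after the author closes the gaps: an objective and SFR for the audit
# trail, the FMT chain that FDP_ACF.1 pulls in, and a rationale that FPT_STM.1 is
# met by OE.TIME rather than by the TOE.
FIXED_ST = SecurityTarget(
    threats=dict(DRAFT_ST.threats),
    objectives={**DRAFT_ST.objectives, "O.AUDIT_PROTECT": ["T.TAMPER_LOG"]},
    sfrs={**DRAFT_ST.sfrs, "FAU_STG.1": ["O.AUDIT_PROTECT"], "FMT_MSA.3": ["O.ACCESS"],
          "FMT_MSA.1": ["O.ACCESS"], "FMT_SMR.1": ["O.ACCESS"], "FMT_SMF.1": ["O.ACCESS"]},
    dep_rationale={"FPT_STM.1"},
)

if __name__ == "__main__":
    for name, st in (("draft", DRAFT_ST), ("fixed", FIXED_ST)):
        print(name, check_traceability(st) or "no findings")
```

Running it reports three findings for the draft (an uncountered threat, FMT_MSA.3 missing for FDP_ACF.1, FPT_STM.1 missing for FAU_GEN.1) and none for the fixed ST. The dep_rationale set is the important design choice: the standard allows an unsatisfied dependency only with a written justification, so the check treats "claimed" and "justified" as equally acceptable and flags everything else.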
INTERNAL REPORT: ISO/IEC 15408 (Common Criteria)
Date: October 26, 2023 Subject: Overview and Analysis of ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation)
Instead of guessing what "secure" means, download Part 2 of the PDF. Use the listed components as your product's requirement sheet. If your product enforces FDP_ACC.1 (Subset access control), you can state that claim in your Security Target using the standard's own language, and once the evaluation is complete you can cite the certificate rather than a self-assessment.
Searching for an "iso iec 15408 pdf" is the beginning of a serious commitment to product security. Whether you are a CISO planning a procurement mandate or a product manager preparing for a government contract, this standard is your authoritative guide.
Your action plan: the standard is dense, but mastery of ISO/IEC 15408 separates market leaders from also-rans in high-stakes cybersecurity. Get the PDF. Read Part 1. Write your Security Target. And secure your product with the world's most respected evaluation framework.
Disclaimer: This article is for informational purposes. Always consult the official ISO or Common Criteria portal for the latest legal texts and certification requirements.
ISO/IEC 15408, often called the Common Criteria (CC), is the global benchmark for evaluating the security of IT products. It provides a structured framework for vendors to implement security and for consumers to verify it.
🛡️ Core Functionality
Product Evaluation: Specifically targets the security of IT products (software, hardware, or firmware) rather than organizational processes.
Security Functional Requirements (SFRs): Defines the specific security capabilities a product must demonstrate, such as encryption or access control.
Security Assurance Requirements (SARs): Measures the level of confidence that those security features are correctly implemented.
Global Mutual Recognition: Certification in one member country is often recognized by others, reducing the need for duplicate testing.
📂 Key Structural Parts
The standard is divided into multiple components to guide the evaluation process:
Part 1: Introduction and general model; defines the core concepts and principles.
Part 2: Security functional components; lists the technical capabilities required.
Part 3: Security assurance components; details the criteria for the evaluation process itself.
📊 ISO/IEC 15408 vs. ISO/IEC 27001
While both deal with information security, their focuses differ significantly:

              ISO/IEC 15408 (Common Criteria)      ISO/IEC 27001
Focus         IT product or system                 Organizational management
Orientation   Product-oriented                     Process-oriented
Goal          Verify specific security features    Build an Information Security Management System (ISMS)

🔍 Key Terminology
Target of Evaluation (TOE): The specific product or system being tested.
Protection Profile (PP): A template of security requirements for a specific category of products (e.g., firewalls).
Security Target (ST): A document created by the vendor describing how their specific product meets the security goals.
To find official copies of the standard in PDF format, you can visit the ISO Store or the Common Criteria portal.
Understanding ISO/IEC 15408: The Standard for IT Security Evaluation
In the world of information technology, trust is everything. Whether you are a government agency handling classified data or a private enterprise protecting intellectual property, you need to know that your security software and hardware do exactly what they claim to do. This is where ISO/IEC 15408, commonly known as the Common Criteria (CC), comes into play.
If you are searching for an ISO/IEC 15408 PDF, you are likely looking for the technical specifications that govern how IT products are evaluated. This article breaks down what the standard covers, why it matters, and how to navigate its complex structure.
What is ISO/IEC 15408?
ISO/IEC 15408 is an international standard for IT security evaluation. It provides a structured framework where: Users can specify their security requirements.
Vendors can implement security features and make claims about them.
Evaluators (independent labs) can test those claims to see if the product actually meets the requirements.
Essentially, it moves security from "take our word for it" to "here is the verified proof."
The Components of the ISO/IEC 15408 PDF
The standard is traditionally divided into several parts. When you download the full ISO/IEC 15408 documentation, you will typically find three core sections (the 2022 edition adds Parts 4 and 5):
Part 1: Introduction and General Model
This part defines the terminology and the conceptual framework. It explains how to define a Target of Evaluation (TOE)—the specific product or system being tested—and introduces the core concepts of Security Targets (ST) and Protection Profiles (PP).
Part 2: Security Functional Components
This is the "menu" of security features. It lists hundreds of individual functional requirements, grouped into classes such as:
Audit (FAU): How the system logs events.
Cryptographic Support (FCS): How data is encrypted.
User Data Protection (FDP): How access controls are enforced.
Identification and Authentication (FIA): How the system knows who a user is.
Part 3: Security Assurance Components
While Part 2 focuses on what the product does, Part 3 focuses on how well it was built. This section defines the assurance components from which the Evaluation Assurance Levels (EALs) are built, ranging from EAL1 (functionally tested) to EAL7 (formally verified design and tested); in the 2022 edition the pre-defined EAL packages themselves are published in Part 5.
Key Terms You’ll Encounter
To understand an ISO/IEC 15408 PDF, you need to speak the language of Common Criteria:
Protection Profile (PP): A document that identifies security requirements for a specific class of devices (e.g., "Firewalls" or "Smart Cards").
Security Target (ST): A document provided by the vendor that explains how their specific product meets the requirements of a Protection Profile.
Evaluation Assurance Level (EAL): A numerical rating (1-7) reflecting the depth and rigor of the evaluation. A higher EAL does not necessarily mean a "better" product, but rather a more "thoroughly tested" one.
Why Search for the PDF?
Professionals typically seek the ISO/IEC 15408 PDF for three reasons:
Compliance: Government agencies (especially within the SOG-IS or CCRA nations) often mandate that any IT product used in sensitive infrastructure must be CC-certified.
Product Development: Developers use the functional components in Part 2 as a roadmap to build "secure by design" products that meet international expectations.
Procurement: IT managers use the standard to compare different products objectively. If Product A is certified to EAL4 and Product B has no certification, Product A offers a verifiable level of trust that Product B lacks. Read the Security Target before relying on a certificate, though: the certification covers only the evaluated configuration and the security functions described in the ST, not every feature of the product.
How to Obtain ISO/IEC 15408
The ISO/IEC 15408 standard is maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
While the official ISO versions often require a purchase fee, the Common Criteria Recognition Arrangement (CCRA) provides the equivalent technical documentation for free on the official Common Criteria portal. If you are looking for the PDF to understand the technical requirements rather than for formal legal compliance, the version available at commoncriteriaportal.org is generally the industry standard.
The ISO/IEC 15408 PDF is the blueprint for global IT security. By providing a common language for buyers, sellers, and testers, it ensures that the "secure" label on a product actually means something. Whether you are a developer aiming for EAL certification or a security officer vetting new vendors, mastering this standard is essential for high-assurance environments.
You cannot self-certify. You must engage an evaluation laboratory licensed by a national scheme that participates in the CCRA (e.g., in the US: Leidos, Booz Allen; in Europe: TÜV, SGS). The lab plans and conducts the evaluation using the Common Evaluation Methodology, ISO/IEC 18045 (the CEM PDF), and the scheme's certification body issues the certificate on the basis of the lab's evaluation report.