ISO/IEC 15408 establishes a uniform framework for specifying, designing, and testing the security attributes of computer hardware, software, and networks. Rather than trusting a vendor's marketing claims, organizations use this standard to verify security claims through independent, third-party laboratories.
Part 1 establishes the foundational concepts and general principles of IT security evaluation. It provides an overview of the entire series, defines core terminology, and introduces the concept of a Target of Evaluation (TOE): the specific IT product or system being assessed. It also describes the key roles (developers, consumers, and evaluators) and the general evaluation context.
Part 2 catalogs requirements for security behavior, such as access control, cryptography, and audit capabilities.
Part 3 defines the seven increasingly strict levels of assurance. This is perhaps the most recognizable aspect of the standard for procurement.
Understanding Evaluation Assurance Levels (EAL)
An EAL is a numerical rating from EAL1 to EAL7 that reflects the depth and rigor of the evaluation. Higher numbers mean the product underwent stricter analysis, not necessarily that it is "more secure."
Key Terms
Protection Profile (PP): A document that identifies the security needs for a specific category of products (e.g., firewalls or smart cards) independent of any specific vendor implementation.
Security Target (ST): A document that outlines the specific security requirements for a particular TOE, often created by the vendor.
The current (2022) edition introduces better support for composite evaluations—where you certify a software application running on a certified operating system, running on certified hardware. This reduces cost and improves reusability of evaluation results.
A single evaluation unlocks sales opportunities across all CCRA member nations, including lucrative government, defense, and financial sectors.
Obtaining the Standard
This is the most critical section for the majority of readers. The PDF versions of the standard are not free; they are paid publications. Be wary of free third-party websites promising "free downloads" of active standards—these are almost universally unlicensed and illegal.
If you're studying Common Criteria, check the official Common Criteria Portal for supplementary documents (e.g., Supporting Documents and the CEM, the Common Evaluation Methodology).
ISO/IEC 15408 is the cornerstone of IT product security certification. By understanding the standard, organizations can ensure that their products meet strict, internationally recognized security requirements, fostering trust and security in an interconnected world. Whether you are a developer preparing for certification or a buyer looking to secure your infrastructure, the Common Criteria framework is an indispensable tool.