Iso Iec | 15408 Pdf

The ISO/IEC 15408 standard, widely known as the Common Criteria (CC), is the international benchmark for evaluating and certifying the security of information technology products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can rigorously verify those claims. Understanding ISO/IEC 15408 (Common Criteria)

The primary goal of ISO/IEC 15408 is to provide confidence to consumers that a product's security features—whether implemented in hardware, software, or firmware—meet specific, documented requirements. Unlike ISO/IEC 27001, which focuses on an organization's overall management processes, ISO/IEC 15408 is strictly product-oriented. The Five Parts of ISO/IEC 15408:2022 iso iec 15408 pdf

The latest major revision, published in August 2022, expanded the standard from three parts to five to better address modern cybersecurity needs: ISO/IEC 15408-1:2009(en), Information technology The ISO/IEC 15408 standard, widely known as the

Report: ISO/IEC 15408 (Common Criteria) ISO/IEC 15408, internationally known as the Common Criteria (CC), is the global standard for evaluating the security functionality and assurance of IT products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can verify those claims in a consistent manner. 1. Framework Structure Key Concepts

As of the 2022 revision, the ISO/IEC 15408 series is organized into five primary parts: ISO/IEC 15408-1:2022 - iTeh Standards

Key Concepts

• Target of Evaluation (TOE): the product or system being evaluated.
• Security Target (ST): a document created by the vendor that describes the TOE, its security environment, the security requirements, and the TOE’s security functions.
• Protection Profile (PP): a reusable, implementation-independent set of security requirements and objectives for a category of products (e.g., firewalls, smart cards). PPs can be used by consumers or procurers.
• Evaluation Assurance Levels (EALs): a scale (EAL1–EAL7) that indicates the depth and rigor of evaluation. Higher EALs require more extensive development and testing evidence.
  • EAL1: Functionally tested
  • EAL2: Structurally tested
  • EAL3: Methodically tested and checked
  • EAL4: Methodically designed, tested and reviewed (commonly targeted)
  • EAL5–EAL7: Increasingly rigorous evidence of engineering and formal methods

1. Regulatory Mandates

• US Government: Federal agencies must use CC-certified products for sensitive systems (FISMA and FedRAMP often point to 15408).
• EU : The Cybersecurity Act allows vendors to use CC as the basis for EU-wide cybersecurity certifications.
• Banking & Finance : Payment card security (PCI-DSS) often mandates certified hardware security modules.

Benefits

• Independent, repeatable evaluation that improves trust in product security.
• Facilitates international acceptance and procurement through standardized measures.
• Encourages vendors to follow sound security engineering practices.