Iso Iec 15408 Pdf Official

ISO/IEC 15408, popularly known as the Common Criteria (CC) , is often described as the "Constitution" of IT security. Instead of just listing "best practices," it provides a rigorous, internationally recognized framework that allows products to be evaluated against specific security claims by independent labs. Why It Is the "Ultimate Decoder Ring" for Security Common Criteria | ISO/IEC 15408 - TÜV AUSTRIA Belgium %

INTERNAL REPORT: ISO/IEC 15408 (Common Criteria)

Date: October 26, 2023 Subject: Overview and Analysis of ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation) iso iec 15408 pdf

The Ultimate Guide to ISO/IEC 15408: How to Access the PDF, Understand the Standard, and Achieve Common Criteria Certification

Understanding ISO/IEC 15408: The Common Criteria

ISO/IEC 15408, universally recognized as the Common Criteria (CC), is the international standard for computer security certification. It provides a framework for evaluating the security properties of Information Technology (IT) products and systems. By establishing a common language and a rigorous methodology for security evaluation, ISO/IEC 15408 ensures that the security claims made by vendors are independently verified and consistent across the global market.

3. Key Concepts and Terminology

To understand the standard, one must grasp the fundamental terminology: ISO/IEC 15408, popularly known as the Common Criteria

• TOE (Target of Evaluation): The product or system that is the subject of the evaluation.
• PP (Protection Profile): An implementation-independent set of security requirements for a category of products (e.g., "Firewalls" or "Smart Cards"). This allows consumers to standardize their requirements.
• ST (Security Target): The security requirements and specifications for a specific TOE. It acts as the basis for the evaluation agreement between the developer and the evaluator.
• SFRs (Security Functional Requirements): Specific security functions that the TOE must provide (defined in Part 2).
• SARs (Security Assurance Requirements): Measures taken during development and evaluation to ensure the TOE meets the SFRs (defined in Part 3).

The Three Pillars of the Standard

The ISO/IEC 15408 family is split into three distinct parts. When you search for an "ISO IEC 15408 PDF," you are actually looking for three separate documents:

1. ISO/IEC 15408-1: Introduction and General Model – This part defines the core concepts: Targets of Evaluation (TOE), Security Targets (ST), Protection Profiles (PP), and the overall evaluation methodology.
2. ISO/IEC 15408-2: Security Functional Components – A massive catalog of security functions you can assemble, such as "User authentication," "Audit log generation," or "Cryptographic key management."
3. ISO/IEC 15408-3: Security Assurance Components – This defines the assurance levels (EAL1 through EAL7) and the rigor of testing required. It covers how the product was developed, how it is delivered, and how it operates.

Crucial Distinction: ISO/IEC 15408 is often confused with ISO/IEC 18045 (the Common Evaluation Methodology, or CEM). While 15408 defines what to evaluate, 18045 defines how to evaluate it. You will need both for full compliance. The Ultimate Guide to ISO/IEC 15408: How to

2. Standard Structure

The standard is divided into three distinct parts. When searching for the "PDF" of this standard, one must typically acquire three separate documents:

• ISO/IEC 15408-1: Introduction and General Model

  • Defines the general concepts and principles of IT security evaluation.
  • Presents the general model of evaluation.
  • Outlines the constructs used for expressing security targets and protection profiles.

• ISO/IEC 15408-2: Security Functional Components

  • Establishes a set of functional components as a standard way of expressing the functional requirements for Target of Evaluations (TOEs).
  • Contains a catalog of functional components, families, and classes (e.g., Cryptographic Support, User Data Protection, Identification and Authentication).

• ISO/IEC 15408-3: Security Assurance Components

  • Establishes a set of assurance components as a standard way of expressing the assurance requirements for TOEs.
  • Defines the criteria for evaluating Protection Profiles (PP) and Security Targets (ST).
  • Defines the Evaluation Assurance Levels (EAL).