ISO/IEC 15408 PDF, May 2026
You cannot self-certify. You must hire a lab accredited under the CCRA (e.g., in the US: Leidos, Booz Allen; in Europe: TÜV, SGS). The lab will use ISO/IEC 18045 (the methodology PDF) to plan the evaluation.
If you have opened the document, do not try to read it cover-to-cover. Follow this strategy instead:
Use the Annexes: The back of Part 2 and Part 3 contain cross-reference tables. If you have a requirement from a customer (e.g., "We need FDP_ACC.2"), the annex tells you which page number to flip to.
Ignore the "Notes": The official PDF includes editorial notes for standards bodies. You can ignore 90% of them; they are not part of the requirement.
The ISO/IEC 15408 PDF is not a document you read on a beach. It is a dense, technical toolkit designed to remove ambiguity from security claims. Whether you purchase the official copy from ISO or download the free Common Criteria version from NIST, owning this PDF is the first step toward credible IT security evaluation.
Actionable Next Steps:
By mastering this standard, you stop relying on vague promises of "security" and start speaking the global language of IT trust.
Disclaimer: This article is for informational purposes. Standard documents are subject to copyright laws. Always verify you are downloading the latest revision (currently version 3.1 revision 5 or newer) from official sources.
ISO/IEC 15408, widely known as the Common Criteria (CC), is the international standard for evaluating the security of Information Technology (IT) products. It provides a standardized framework where users can specify security requirements, vendors can implement them, and independent labs can evaluate products to ensure they meet claimed security attributes.
Structure of ISO/IEC 15408
The latest version, ISO/IEC 15408:2022, is divided into five parts that form the foundation of any evaluation:
Part 1: Introduction and General Model: Defines basic concepts, terminology, and the overall evaluation model.
Part 2: Security Functional Components: Catalogs a comprehensive set of standardized security behaviors, such as access control, cryptography, and user authentication.
Part 3: Security Assurance Components: Outlines the criteria for establishing confidence that a product's security functions are correctly implemented and effective.
Part 4: Framework for Methods & Activities: Specifies the framework for developing evaluation methods used by assessors.
Part 5: Pre-defined Packages: Provides bundles of requirements, including the well-known Evaluation Assurance Levels (EAL).
Key Concepts for Certification
To understand how products are certified, three core concepts are essential:
Target of Evaluation (TOE): The specific software, firmware, or hardware being evaluated.
Protection Profile (PP): An implementation-independent statement of security needs for a specific category of products (e.g., firewalls or mobile devices).
Security Target (ST): A vendor-specific document that defines how their particular product meets the security requirements of a PP or its own unique security claims.
Evaluation Assurance Levels (EAL)
The standard uses EALs to measure the rigor of the evaluation process, ranging from 1 to 7:
EAL1 (Functionally Tested): Basic assessment suitable where threats are not substantial.
EAL4 (Methodically Designed, Tested, and Reviewed): The most common level for commercial products, requiring detailed design analysis.
EAL7 (Formally Verified Design and Tested): The most rigorous level, typically reserved for high-risk national security applications.
Importance in Business and Government
Certification is often a prerequisite for procurement in government and regulated industries like defense, healthcare, and finance. It allows organizations to verify vendor claims through independent third-party validation, reducing supply-chain risk and ensuring global interoperability through the Common Criteria Recognition Arrangement (CCRA).
For further detailed research, you can access the standard through official repositories like the ISO Online Browsing Platform or the Common Criteria Portal for the latest PDF documentation.
ISO 15408: What it means and how it impacts businesses (2026)
The standard ISO/IEC 15408, better known as the Common Criteria (CC), is the "gold standard" for evaluating the security of IT products. Its "story" is one of unification, born from a need to create a single international language for digital trust.
The Origin Story
Before the 1990s, different countries had their own separate rulebooks for testing computer security. This was a nightmare for global tech companies, who had to get their products re-tested every time they crossed a border. The United States had the "Orange Book" (TCSEC), Europe used ITSEC, and Canada used CTCPEC.
In the mid-90s, these regions decided to merge their rules into one. The result was ISO/IEC 15408, a framework that allowed a product evaluated in one country to be recognized as secure in another.
How the Standard "Works" (The Framework)
The standard doesn't just give a "pass" or "fail." It uses a specific vocabulary to tell the story of a product's security:
Target of Evaluation (TOE): The specific product being tested.
Protection Profile (PP): A "wish list" of security features that a certain type of product (like a firewall or a smart card) should have.
Security Target (ST): The manufacturer's claim of what their specific product actually does to meet those needs.
Evaluation Assurance Level (EAL): A rating from 1 to 7. EAL1 is a basic check, while EAL7 is a rigorous, mathematical verification.
Why It Matters
Today, governments and critical infrastructure (like power plants or banks) often require Common Criteria certification before they will buy a product. While other standards look at how a company manages its overall security processes, ISO/IEC 15408 looks directly at the "guts" of the product itself to ensure it can withstand an attack.
You can find official documentation and parts of the standard on the Common Criteria Portal or purchase the full PDF from ISO.
Common Criteria | Secure Development - Oracle
The Common Criteria (CC) is an international standard (ISO/IEC 15408) for the security evaluation of IT products.
Common Criteria Certification (ISO/IEC 15408) Security Evaluations
The primary objective of ISO/IEC 15408 is to bridge the gap between the security needs of consumers and the security implementations provided by developers. Before the adoption of the Common Criteria, security evaluations were often fragmented, with different standards applying in different countries. ISO/IEC 15408 harmonized these requirements, allowing a product certified in one participating country to be recognized in others. This mutual recognition saves time, reduces costs, and increases confidence in IT security products globally.
The National Institute of Standards and Technology (NIST) hosts the "Common Criteria v3.1" documents. These are the technical equivalents of ISO/IEC 15408. Search for "CC Portal – Final Specifications." You can download the PDFs for free (Part 1, Part 2, Part 3, and evaluation methodology).
Searching for an "iso iec 15408 pdf" is the beginning of a serious commitment to product security. Whether you are a CISO planning a procurement mandate or a product manager preparing for a government contract, this standard is your authoritative guide.
Your action plan:
The standard is dense, but mastery of ISO/IEC 15408 separates market leaders from also-rans in high-stakes cybersecurity. Get the PDF. Read Part 1. Write your Security Target. And secure your product with the world’s most respected evaluation framework.
Disclaimer: This article is for informational purposes. Always consult the official ISO or Common Criteria portal for the latest legal texts and certification requirements.
