The most recent major update in expanded the standard from three parts to five to improve modularity and flexibility.

ISO/IEC 15408-1:2022 - Evaluation criteria for IT security
ISO/IEC 15408 is the cornerstone of IT product security certification worldwide. It provides a rigorous, objective, and internationally recognized framework for evaluating security properties. However, navigating the standard's PDF ecosystem requires diligence: understand the distinction between the obsolete free editions and the mandatory DRM-protected 2022 documents.
The documents can be purchased directly from the ISO Store or the IEC Webstore.
Part 3 details the . Instead of defining what the product must do, SARs define how the product must be built, tested, and maintained to ensure it meets its claims. This section guides evaluators on assessing development lifecycle security, configuration management, vulnerability analysis, and flaw remediation.
This is the most critical section for the majority of readers. The PDF versions of the standard are . Be wary of free third-party websites promising "free downloads" of active standards—these are almost universally unlicensed and illegal.
A higher assurance level (EAL7 versus EAL4, for example) does not mean the product is "more secure" against attackers. It means the development and evaluation process was more rigorous. A poorly configured EAL5 product is less secure than a well-administered EAL2 product.
A vendor-written document mapping out exactly how their specific TOE meets the necessary security requirements.

Security Functional Requirement
What the product does to ensure security.

The vendor hires an accredited, independent Common Criteria Testing Laboratory (CCTL). The lab inspects the source code, examines development pipelines, runs penetration tests, and performs vulnerability assessments to confirm that the ST claims are accurate.

3. Certification and Oversight

Software architects use the standard as a blueprint to design robust, self-defending software from the ground up, ensuring they do not overlook vital components such as cryptographic support or identity management.

How to Access and Download the Official PDF

While Part 2 focuses on what the product does, Part 3 focuses on how well it was built. This section defines the , ranging from EAL1 (functionally tested) to EAL7 (formally verified design and tested).

Key Terms You'll Encounter
As of 2025, Common Criteria national schemes within the European Union are only applicable for national security purposes. For commercial use, these have been replaced by the EUCC cybersecurity certification scheme.
If you are looking to purchase the official, up-to-date , I highly recommend visiting the official ISO Website or checking the Common Criteria Portal for the latest available versions.
: A basic level where an evaluator tests the product to confirm that it appears to work as documented. It is used when threats are not serious and where confidence in security is not a critical concern.