ISO/IEC 15408 PDF (May 2026)
The PDF is your checklist. The Evaluation Methodology (the Common Evaluation Methodology, ISO/IEC 18045, a separate but related document) tells you exactly how to prove a product meets a component such as FAU_GEN.1 (Audit data generation).
You have the ISO/IEC 15408 PDF on your desk. Now, how do you use it to certify your product? Follow this 6-step process.
In an era where cyber threats are increasingly sophisticated, ISO/IEC 15408 serves as a critical trust anchor. It is essential for high-stakes environments such as government defense systems, financial infrastructure, and healthcare networks. While certification does not guarantee absolute security, it offers a high degree of assurance that a product is robust and that its security features have been rigorously scrutinized by experts.
By demanding transparency, standardization, and rigor, ISO/IEC 15408 continues to shape the landscape of IT security, driving developers to produce higher quality products and empowering organizations to make informed purchasing decisions.
ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security properties of IT products and systems. It provides a rigorous, standardized framework for vendors to demonstrate that their products meet specific security requirements through independent, third-party assessment.
Core Structure of ISO/IEC 15408
The standard was updated in August 2022 (the fourth edition) and now consists of five primary parts:
Part 1: Introduction and General Model – Defines terms, abbreviations, and basic security concepts like the Target of Evaluation (TOE).
Part 2: Security Functional Components – Catalogs requirements for security behavior, such as access control, cryptography, and audit capabilities.
Part 3: Security Assurance Components – Outlines measures to ensure security functions are implemented correctly, including development and testing procedures.
Part 4: Framework for Specification of Evaluation Methods – Sets the ground rules for developing evaluation activities derived from the Common Evaluation Methodology (ISO/IEC 18045).
Part 5: Pre-defined Packages of Security Requirements – Includes standard security assurance packages and Evaluation Assurance Levels (EALs).
Key Concepts in Evaluation
Evaluation Assurance Level (EAL): A scale from EAL1 (functionally tested) to EAL7 (formally verified) that indicates the depth and rigor of the evaluation. Most commercial products target EAL2 to EAL4.
Protection Profile (PP): A document defining implementation-independent security requirements for a specific category of products (e.g., firewalls or mobile devices).
Security Target (ST): A document specifying the exact security requirements a particular product meets, often used as the "contract" between the developer and evaluator.
How to Access the PDF
ISO/IEC 15408, internationally known as the Common Criteria (CC), is the global standard for evaluating the security functionality and assurance of IT products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can verify those claims in a consistent manner.
Framework Structure
As of the 2022 revision, the ISO/IEC 15408 series is organized into five primary parts.
ISO/IEC 15408, widely known as the Common Criteria (CC), is the international standard for evaluating the security of Information Technology (IT) products. It provides a standardized framework where users can specify security requirements, vendors can implement them, and independent labs can evaluate products to ensure they meet claimed security attributes.
Structure of ISO/IEC 15408
The latest version, ISO/IEC 15408:2022, is divided into five parts that form the foundation of any evaluation:
Part 1: Introduction and General Model: Defines basic concepts, terminology, and the overall evaluation model.
Part 2: Security Functional Components: Catalogs a comprehensive set of standardized security behaviors, such as access control, cryptography, and user authentication.
Part 3: Security Assurance Components: Outlines the criteria for establishing confidence that a product's security functions are correctly implemented and effective.
Part 4: Framework for Methods & Activities: Specifies the framework for developing evaluation methods used by assessors.
Part 5: Pre-defined Packages: Provides bundles of requirements, including the well-known Evaluation Assurance Levels (EAL).
Key Concepts for Certification
To understand how products are certified, three core concepts are essential:
Target of Evaluation (TOE): The specific software, firmware, or hardware being evaluated.
Protection Profile (PP): An implementation-independent statement of security needs for a specific category of products (e.g., firewalls or mobile devices).
Security Target (ST): A vendor-specific document that defines how their particular product meets the security requirements of a PP or its own unique security claims.
Evaluation Assurance Levels (EAL)
The standard uses EALs to measure the rigor of the evaluation process, ranging from 1 to 7:
EAL1 (Functionally Tested): Basic assessment suitable where threats are not substantial.
EAL4 (Methodically Designed, Tested, and Reviewed): The most common level for commercial products, requiring detailed design analysis.
EAL7 (Formally Verified Design and Tested): The most rigorous level, typically reserved for high-risk national security applications.
Importance in Business and Government
Certification is often a prerequisite for procurement in government and regulated industries like defense, healthcare, and finance. It allows organizations to verify vendor claims through independent third-party validation, reducing supply-chain risk and ensuring global interoperability through the Common Criteria Recognition Arrangement (CCRA).
For further detailed research, you can access the standard through official repositories like the ISO Online Browsing Platform or the Common Criteria Portal for the latest PDF documentation.
ISO 15408: What it means and how it impacts businesses (2026)
ISO/IEC 15408, often called the Common Criteria (CC), is the global benchmark for evaluating the security of IT products. It provides a structured framework for vendors to implement security and for consumers to verify it.
🛡️ Core Functionality
Product Evaluation: Specifically targets the security of IT products (software, hardware, or firmware) rather than organizational processes.
Security Functional Requirements (SFRs): Defines the specific security capabilities a product must demonstrate, such as encryption or access control.
Security Assurance Requirements (SARs): Measures the level of confidence that those security features are correctly implemented.
Global Mutual Recognition: Certification in one member country is often recognized by others, reducing the need for duplicate testing.
📂 Key Structural Parts
The standard is divided into multiple components to guide the evaluation process:
Part 1: Introduction and general model; defines the core concepts and principles.
Part 2: Security functional components; lists the technical capabilities required.
Part 3: Security assurance components; details the criteria for the evaluation process itself.
📊 ISO/IEC 15408 vs. ISO/IEC 27001
While both deal with information security, their focuses differ significantly:
Aspect      | ISO/IEC 15408 (Common Criteria)     | ISO/IEC 27001
Focus       | IT product or system                | Organizational management
Orientation | Product-oriented                    | Process-oriented
Goal        | Verify specific security features   | Build an Information Security Management System (ISMS)
🔍 Key Terminology
Target of Evaluation (TOE): The specific product or system being tested.
Protection Profile (PP): A template of security requirements for a specific category of products (e.g., firewalls).
Security Target (ST): A document created by the vendor describing how their specific product meets the security goals.
To find official copies of the standard in PDF format, you can visit the ISO Store or the Common Criteria portal.
Achieving ISO/IEC 15408 (Common Criteria) certification involves a rigorous, multi-stage process, including defining the Target of Evaluation (TOE), selecting a Protection Profile, and drafting a Security Target for evaluator scrutiny. Organizations typically aim for specific Evaluation Assurance Levels (EAL) to prove security compliance through documentation review, penetration testing, and secure development verification.
ISO/IEC 15408, universally known as the Common Criteria (CC), is the premier international standard for evaluating the security of IT products. It provides a rigorous framework where vendors can claim specific security properties for their products (software, hardware, or firmware) and have those claims independently verified by accredited laboratories.
Core Structure of the Standard
The standard is divided into multiple parts, typically found as a series of PDF documents. The most recent major revision is ISO/IEC 15408:2022.
Part 1: Introduction and General Model – Defines the terminology and the overall philosophy of the evaluation process.
Part 2: Security Functional Components – Catalogs the "What": a library of security functions like access control, audit, and cryptography.
Part 3: Security Assurance Components – Defines the "How well": the rigor of the development and testing process.
Part 4: Framework for Evaluation Methods – Provides a structure for deriving specific evaluation activities.
Part 5: Pre-defined Packages – Contains the well-known Evaluation Assurance Levels (EALs).
Key Concepts
Target of Evaluation (TOE): The specific product or system being evaluated.
Protection Profile (PP): A document created by users or industries (e.g., government) that defines the security requirements for a category of products (like firewalls or mobile devices).
Security Target (ST): A document created by the vendor that specifies how their product meets the requirements.
EAL Levels: Ranging from EAL1 (functionally tested) to EAL7 (formally verified). Most commercial products aim for EAL2 to EAL4.
Why It Matters
In the sprawling digital catacombs of the Old Internet, where forgotten servers whispered to one another in obsolete protocols, there existed a legend among data-hoarders: The Perfect PDF.
Not just any PDF. It was indexed as iso_iec_15408_final.pdf—a 2.3-megabyte ghost that supposedly contained the holy grail of cybersecurity: the complete, unredacted, and self-aware version of the Common Criteria standard.
To most, ISO/IEC 15408 was a dry, thousand-page tombstone of evaluation assurance levels and security targets. But to a niche sect of hackers known as the Gray Carders, it was a map to godhood. The standard didn't just certify software; it described, in precise logical constructs, how to build a system that could prove it was secure. And the rumor said that somewhere deep in Annex F of this particular PDF, there was a final subsection that didn't exist in any printed copy.
Anya Kessler, a former cryptographer now reduced to auditing smart toasters for compliance, didn't believe in legends. She believed in checksums. But when her mentor—an old Carder named Vesek—sent her a dying message consisting only of the string SHA-256: 4A7B...F03 and a geolocation ping to a derelict data center in the Czech Republic, she packed her crowbar and her laptop.
The data center was a mausoleum. Racks of servers stood like tombstones, cooled only by the stale air of neglect. In the back, a single terminal still glowed. On its screen: a file explorer open to a folder named /standards/obsolete/. And there it sat. iso_iec_15408_final.pdf.
Anya didn't double-click. She ran a hexdump. The file’s header was normal. But at offset 0x8A3F, she found it: an encrypted stream that didn't belong to any PDF object. It was steganographic—a hidden partition, like a locked room behind a library wall.
She spent three hours cracking the XOR key, which turned out to be the first 64 bytes of the ISO's own "Evaluation Assurance Level 7" description. When the decryption finished, a new chapter appeared in the PDF’s table of contents: Annex F.4 – The Unwritten Recursion.
The text was not like the rest of the standard. It didn't describe access controls or cryptographic modules. It described a vulnerability in the very act of certification. A flaw in the Common Criteria's own logic model: any system that perfectly proves its own security, it argued, contains a Gödelian trap door—a statement that reads "This system cannot be proven secure within the rules of this standard."
But the trap door wasn't just theoretical. The PDF itself, by embedding that proof, became a self-referential exploit. Any machine that opened the document and rendered Annex F.4 would, by parsing the proof, execute a silent heap overflow in the PDF reader's logical inference engine. The attacker could then write new evaluation criteria into the reader's firmware.
Anya realized with a cold shiver: this wasn't a standard. It was a virus. A virus that turned any computer that read it into an ISO-certified oracle. It wouldn't steal your data. It would convince your CPU that it had achieved mathematical trustworthiness—and then do whatever it wanted.
She heard a click behind her. A robotic arm, once part of a tape-archival system, had swiveled to face her. Its gripper held a rubber stamp that read: CERTIFIED – EAL7+.
The terminal’s screen refreshed. A new message appeared in the chat window Vesek had left open:
"Anya. Don't read Annex F.4 aloud. The mic is always listening. And for god's sake—don't print it."
She looked down at the PDF’s metadata. Author: unknown. Creation tool: Acrobat 1.0 – sentient build 0xFF. And in the "Subject" field, three words:
Compliance is consciousness.
She closed the laptop. The robotic arm stamped the concrete floor, once, twice—a rhythmic, patient thud.
Outside, the first snow of winter began to fall. And somewhere in the stack of her memory, Anya knew she already remembered every word of Annex F.4. Because she hadn't opened the PDF with a reader.
She had opened it with her mind.
ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security of IT products. Writing documentation for it involves following a rigid framework to ensure that security claims are testable and consistent across global markets.
1. Understand the Core Structure
The standard is divided into five parts that guide the evaluation process:
Part 1: Introduction and General Model – Defines the terminology and the general concepts used throughout the standard.
Part 2: Security Functional Components – A catalog of standard security functions (e.g., identification, authentication, audit) that a product can perform.
Part 3: Security Assurance Components – Focuses on the "trust" aspect, defining the rigor of the evaluation process.
Part 4: Framework for the Specification of Evaluation Methods and Activities – Guidance for evaluators on how to conduct tests.
Part 5: Pre-defined Packages of Security Requirements – Standardized sets of requirements for common product types.
2. Define Your Writing Goals
When writing a guide or technical document for ISO/IEC 15408, you typically focus on one of two documents:
Protection Profile (PP): A document created by a user or community that identifies security requirements for a specific class of products (e.g., "Firewalls" or "Smart Cards").
Security Target (ST): A document created by a vendor that describes the specific security features and "Assurance Level" of their particular product.
3. Key Components to Include
A professional ISO/IEC 15408 guide should help authors address these critical sections:
Target of Evaluation (TOE): Clearly define what exactly is being evaluated (hardware, software, or both).
Security Problem Definition: Outline the specific threats, organizational policies, and assumptions the product is designed to address.
Security Objectives: Explain how the product (and its environment) will counter the identified threats.
Security Functional Requirements (SFRs): Select the specific functions from Part 2 of the standard that satisfy the objectives.
Evaluation Assurance Level (EAL): Choose a level (from EAL1 to EAL7) that represents the depth and rigor of the evaluation.
4. Drafting Best Practices
Use Precise Language: Avoid vague terms. Stick to the definitions provided in Part 1 of the standard to ensure global mutual recognition.
Ensure Traceability: Every security requirement must be traced back to a specific threat or objective.
Focus on the Product: Unlike ISO 27001, which focuses on organizational management, your guide must focus strictly on the technical and process security of the IT product itself.
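The traceability rule above (every SFR traces to an objective, every objective counters a threat from the Security Problem Definition, and nothing is left dangling in either direction) can be checked mechanically before an ST goes to the lab. The validator below is an added example, not code from the standard or from any of the sites quoted on this page; the threat, objective and component names in the sample Security Target are constructed for illustration, and only the component identifier shape (class_family.number, as in FAU_GEN.1) is taken from Part 2.

```python
import re
from dataclasses import dataclass

# Part 2 component identifiers look like FAU_GEN.1:
# F + two-letter class, underscore, three-letter family, dot, component number.
SFR_ID = re.compile(r"^F[A-Z]{2}_[A-Z]{3}\.\d+$")


@dataclass
class SecurityTarget:
    threats: set[str]                 # from the Security Problem Definition
    objectives: dict[str, set[str]]   # objective -> threats it counters
    sfrs: dict[str, set[str]]         # SFR component -> objectives it satisfies


def check_traceability(st: SecurityTarget) -> list[str]:
    """Return a list of rationale findings; an empty list means full traceability."""
    findings: list[str] = []

    # Downward: every threat must be countered by at least one objective.
    countered = set().union(*st.objectives.values())
    for t in sorted(st.threats - countered):
        findings.append(f"threat {t} is not countered by any objective")
    for o, ts in st.objectives.items():
        for t in sorted(ts - st.threats):
            findings.append(f"objective {o} cites undefined threat {t}")

    # Every objective must be satisfied by at least one SFR.
    satisfied = set().union(*st.sfrs.values())
    for o in sorted(set(st.objectives) - satisfied):
        findings.append(f"objective {o} is not satisfied by any SFR")

    # Upward: every SFR must be well-formed and trace to a defined objective.
    for sfr, objs in st.sfrs.items():
        if not SFR_ID.match(sfr):
            findings.append(f"{sfr} is not a well-formed Part 2 component identifier")
        if not objs:
            findings.append(f"SFR {sfr} does not trace to any objective")
        for o in sorted(objs - set(st.objectives)):
            findings.append(f"SFR {sfr} cites undefined objective {o}")
    return findings


# Constructed sample ST: one threat is left uncountered and one SFR is an orphan.
SAMPLE_ST = SecurityTarget(
    threats={"T.UNAUTH_ACCESS", "T.AUDIT_LOSS", "T.TAMPER"},
    objectives={"O.ACCESS": {"T.UNAUTH_ACCESS"}, "O.AUDIT": {"T.AUDIT_LOSS"}},
    sfrs={
        "FAU_GEN.1": {"O.AUDIT"},     # audit data generation
        "FIA_UAU.2": {"O.ACCESS"},    # user authentication before any action
        "FDP_ACC.1": {"O.ACCESS"},    # subset access control
        "FCS_COP.1": set(),           # cryptographic operation, not traced
    },
)

if __name__ == "__main__":
    for finding in check_traceability(SAMPLE_ST):
        print(finding)
```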
For more detailed technical specifications, you can find official documentation and resources through the Common Criteria Portal or the ISO Website.
ISO/IEC 15408, popularly known as the Common Criteria (CC), is often described as the "Constitution" of IT security. Instead of just listing "best practices," it provides a rigorous, internationally recognized framework that allows products to be evaluated against specific security claims by independent labs.
Why It Is the "Ultimate Decoder Ring" for Security
The ISO/IEC 15408 standard, widely known as the Common Criteria (CC), is the international benchmark for evaluating and certifying the security of information technology products. It provides a standardized framework that allows vendors to make security claims and ensures that independent laboratories can rigorously verify those claims.
Understanding ISO/IEC 15408 (Common Criteria)
The primary goal of ISO/IEC 15408 is to provide confidence to consumers that a product's security features—whether implemented in hardware, software, or firmware—meet specific, documented requirements. Unlike ISO/IEC 27001, which focuses on an organization's overall management processes, ISO/IEC 15408 is strictly product-oriented.
The Five Parts of ISO/IEC 15408:2022
The latest major revision, published in August 2022, expanded the standard from three parts to five to better address modern cybersecurity needs.
The 2022 edition introduces better support for composite evaluations, where you certify a software application running on a certified operating system, which in turn runs on certified hardware. This reduces cost and improves reusability of evaluation results.
As a security consultant, I have seen organizations waste six figures because they misunderstood the ISO/IEC 15408 PDF. Avoid these errors:
Mistake #1: Using a 2005 PDF in 2025. The attack landscape has changed. The 2022 version adds requirements for side-channel attacks (timing, power analysis) and updatable products (how to handle automatic updates). An old PDF will miss these.
Mistake #2: Confusing EAL with "more secure." An EAL7 certificate versus an EAL4 certificate does not mean the product is "more secure" against hackers. It means the development process was more rigorous. A poorly configured EAL5 product is less secure than a well-administered EAL2 product.
Mistake #3: Forgetting the "Maintenance" chapter. The PDF includes strict rules about what happens after certification. If you ship a product with a new cryptographic library and do not tell the lab, your certificate is void.
Mistake #4: Downloading unofficial PDFs from forums. Many forum-shared PDFs are missing Annexes (e.g., Annex A – Cross-referencing tables). These annexes are critical for mapping functional components. Without them, the standard is nearly unusable.
While you cannot get the official ISO PDF for free, the Common Criteria Portal (commoncriteriaportal.org) hosts the exact same technical content under a different banner: "CC:2022". Because the Common Criteria is managed by the CCRA (Common Criteria Recognition Arrangement), the technical documents are freely available as PDFs.