ISO/IEC 15408, popularly known as the Common Criteria (CC), is an international standard that provides a framework for evaluating the security properties of Information Technology (IT) products and systems.
Definition and purpose
The main aim of ISO/IEC 15408 or Common Criteria is to provide a standard set of requirements for the security functionality of IT products and for assurance measures applied to these products during a security evaluation. It allows vendors to have their products independently evaluated and certified against recognized security standards, and it provides purchasers with a metric to determine the security properties of IT products.
The standard is jointly developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
ISO/IEC 15408 was last updated in 2022; the current edition of Part 1 is published as ISO/IEC 15408-1:2022.
ISO/IEC 15408 applies to the IT industry and to any other sector that relies on IT products and wants to ensure that those products meet specific security criteria. This includes, but is not limited to, sectors such as government, defense, healthcare, finance, and telecommunications.
Controls and requirements
The Common Criteria framework consists of three main parts:
- Introduction and General Model - This encompasses the general concepts and principles of IT security evaluation and lays the foundation for the other parts.
- Security Functional Components - Defines a set of security functional requirements, which are used as the criteria for evaluating a product's security capabilities.
- Security Assurance Components - Describes the detailed criteria for the assurance measures applied to products during a security evaluation.
To achieve certification, a product must meet specific Protection Profiles (PP) that define a standard set of security requirements for a particular type of product or system.
Please refer to the official ISO/IEC 15408-1:2022 documentation for a detailed list of controls and requirements.
Audit type, frequency, and duration
Evaluations against the Common Criteria are conducted in licensed evaluation facilities, leading to the granting of a security certification by the certifying body of a participating country. The frequency of evaluations is often driven by changes to the product, the need to achieve a higher Evaluation Assurance Level (EAL), or the expiration of an existing certification.
The time taken for an evaluation depends on the depth and scope of the assessment and the Evaluation Assurance Level (EAL) being pursued, with EAL1 being the most basic and EAL7 the most rigorous.