Definition and purpose

The main aim of ISO/IEC 15408 or Common Criteria is to provide a standard set of requirements for the security functionality of IT products and for assurance measures applied to these products during a security evaluation. It allows vendors to have their products independently evaluated and certified against recognized security standards, and it provides purchasers with a metric to determine the security properties of IT products.

Governing Body

The standard is jointly developed and published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

Last updated

ISO/IEC 15288 was last updated in 2022, known as ISO/IEC15288-1:2022.

Applies to

ISO/IEC 15408 applies to IT industries and any other sector that relies on IT products and wants to ensure that those products meet specific security criteria. This includes, but isn't limited to, sectors such as government, defense, healthcare, finance, and telecommunications.

Controls and requirements

The Common Criteria framework consists of three main parts:

• Introduction and General Model - This encompasses the general concepts and principles of IT security evaluation and lays the foundation for the other parts.
• Security Functional Components - Defines a set of security functional requirements, which are used as the criteria for evaluating a product's security capabilities.
• Security Assurance Components - Describes the detailed criteria for the assurance measures applied to products during a security evaluation.

To achieve certification, a product must meet specific Protection Profiles (PP) that define a standard set of security requirements for a particular type of product or system.

Please refer to the official ISO/IEC15288-1:2022 documentation for a detailed list of controls and requirements.

Audit type, frequency, and duration

Evaluations against the Common Criteria are conducted in licensed evaluation facilities, leading to the granting of a security certification by the certifying body of a participating country. The frequency of evaluations will often be driven by changes to the product, the need to achieve a higher Evaluation Assurance Level (EAL), or the expiration of an existing certification.

The time taken for an evaluation depends on the depth and scope of the assessment and the Evaluation Assurance Level (EAL) being pursued, with EAL1 being the most basic and EAL7 the most rigorous.