ISO/IEC 15408-1:2022 – Evaluation Criteria for IT Security

Key Definitions in ISO 15408

1. Target of Evaluation (TOE): The IT product or system being evaluated for security
2. Security Target (ST): A document that identifies the security properties and objectives of the TOE
3. Protection Profile (PP): A reusable set of security requirements for a category of products or systems
4. Evaluation Assurance Level (EAL): A predefined set of assurance components that indicate the depth and rigor of an evaluation
5. Security Functional Requirements (SFRs): Requirements related to specific security capabilities of the TOE (e.g., access control, encryption)
6. Security Assurance Requirements (SARs): Requirements related to how confidence in the TOE’s security is established (design, testing, vulnerability assessment)

Clause-wise Structure of ISO 15408

This structure sets the foundation for the more technical criteria in ISO/IEC 15408-2 (functional requirements) and ISO/IEC 15408-3 (assurance requirements).

What are the requirements of ISO 15408?

1. Define a clear Security Target (ST) for the product, specifying its intended security behavior and evaluation context
2. Determine the appropriate Evaluation Assurance Level (EAL) based on security needs and stakeholder expectations
3. Develop a Protection Profile (PP) if your product category is widely used or regulated (firewalls, smart cards etc)
4. Document all security functions of the product (e.g., authentication, audit logging, cryptographic controls)
5. Collaborate with evaluation laboratories or accredited certification bodies during assessment phases
6. Ensure alignment with ISO/IEC 15408-2 and ISO/IEC 15408-3 for selecting SFRs and SARs
7. Maintain detailed design documentation, test plans, and vulnerability analysis for evaluator review
8. Consider how the TOE is delivered, maintained, and operated over its lifecycle

Looking to map your cybersecurity controls to ISO requirements? Contact support@pacificcert.com.

Documentation Required

To align with ISO/IEC 15408-1 and prepare for evaluation, organizations should maintain:

1. Security Target (ST) with detailed objectives, environment assumptions, and threats
2. Protection Profile (if applicable) and its justification
3. TOE architecture, specifications, and component diagrams
4. SFR and SAR mappings based on product functionality and assurance level
5. Vulnerability assessment reports and mitigations
6. TOE lifecycle documentation: installation, delivery, configuration, and maintenance procedures
7. Test plans, execution results, and developer evidence
8. Evaluation agreement or certification scope with authorized labs

What are the benefits of ISO 15408-1?

ISO/IEC 15408 remains the most widely accepted international framework for IT security product evaluation. In the era of zero-trust architectures and embedded AI systems, stakeholders are demanding independently evaluated security assurances before procurement or integration. Below are the benefits of implementing:

• Enables formal security assurance of IT products through standardized, repeatable evaluation
• Facilitates market access and procurement approval in regulated sectors (e.g., defense, finance, healthcare)
• Supports international recognition via CCRA (Common Criteria Recognition Arrangement)
• Builds stakeholder trust by validating that the product meets defined security expectations
• Allows customization of evaluation depth based on risk and usage (EAL1 to EAL7)
• Promotes transparency and clarity in security feature documentation and implementation
• Strengthens product development practices through secure design and documentation discipline
• Aligns with broader cybersecurity standards such as ISO/IEC 27001, ISO/IEC 27034, and ISO/IEC 15443
• Reduces procurement risks by verifying functional and assurance compliance before deployment
• Supports continuous improvement of cybersecurity products through evaluation feedback

Governments, financial institutions, and multinational corporations are increasingly requiring Common Criteria evaluations for devices like firewalls, VPNs, smart cards, cryptographic modules, medical devices, and IoT endpoints. ISO/IEC 15408-1 plays a foundational role by defining the common language and high-level framework to scope, plan, and manage security evaluations across jurisdictions.

With cybersecurity product liability and AI governance regulations emerging globally, It is also evolving to support evaluation of autonomous systems, privacy-enhancing technologies, and cross-border compliance.

How can Pacific Certifications help?

Pacific Certifications provides audit and certification services aligned with ISO/IEC 27001, ISO 9001, and other management system standards that intersect with ISO/IEC 15408 implementation.

For ISO/IEC 15408-1 our role includes:

• Supporting organizations preparing for Common Criteria evaluations under ISO frameworks
• Auditing security assurance integration into ISO/IEC 27001 or ISO/IEC 42001 ISMS/AIMS systems
• Reviewing alignment of documentation, testing, and design practices with ISO security standards
• Conducting gap assessments and verification of security process documentation
• Providing third-party certification for systems managing evaluated IT products

To align your cybersecurity strategy with ISO assurance requirements, contact support@pacificcert.com.