What is ISO 15408?
ISO/IEC 15408-1:2022 is part of the internationally recognized Common Criteria (CC) framework for evaluating the security of IT products and systems. This standard provides the foundational introduction and general model for the series, offering a conceptual structure for defining, assessing, and verifying IT security properties.
Common Criteria (CC), standardized as the ISO/IEC 15408 series, gives developers, evaluators and consumers a common vocabulary for security assurance. Part 1 introduces the key concepts: the Target of Evaluation (TOE), Security Targets (STs), Protection Profiles (PPs), security functional and assurance requirements, and assurance packages such as the Evaluation Assurance Levels (EALs), which the 2022 edition defines in detail in ISO/IEC 15408-5.
Whether you are developing secure software, embedded systems or smart cards, ISO/IEC 15408-1 provides the model for verifiable, comparable and repeatable IT security evaluations. Note that cryptographic modules as such are validated against ISO/IEC 19790 (the basis of FIPS 140-3); a CC evaluation may cover a product that contains one, but it does not replace that validation.
Looking to align your cybersecurity products with ISO evaluations? Contact support@pacificcert.com.
Scope and Applicability
ISO/IEC 15408-1:2022 provides the structural framework and foundational terminology for evaluating the security properties of IT systems, products, and components using a standardized approach. It applies to:
- Developers of secure software, hardware or embedded devices
- Government agencies and defense contractors requiring trusted IT systems
- Certification bodies and evaluation labs conducting IT security assessments
- Cybersecurity product vendors preparing for procurement or international validation
- IT auditors and assurance professionals needing a standardized security evaluation model
The standard supports evaluations at varying degrees of rigor (through EALs and other assurance packages) and enables mutual recognition of certificates across countries through the Common Criteria Recognition Arrangement (CCRA). Note that CCRA recognition is limited to evaluations against collaborative Protection Profiles (cPPs) and, otherwise, to EAL2 (optionally augmented with flaw remediation); certificates at higher EALs are recognized only under regional arrangements such as the European SOG-IS MRA.
Key Definitions in ISO 15408
- Target of Evaluation (TOE): The IT product or system, in a specific version and configuration, that is evaluated; its boundary is defined in the Security Target
- Security Target (ST): The document that defines a specific TOE: the security problem (threats, organizational security policies and assumptions), the security objectives, the SFRs and SARs claimed, and a TOE summary specification of how they are met. The ST is itself evaluated (assurance class ASE)
- Protection Profile (PP): An implementation-independent set of security requirements for a category of products (e.g., firewalls, smart cards), normally written by a user community, a national scheme or the CC technical communities that produce collaborative PPs (cPPs); an ST claims conformance to a PP
- Evaluation Assurance Level (EAL): A pre-defined package of assurance components (EAL1 to EAL7) that sets the depth and rigor of the evaluation; it measures how much confidence the evaluation provides, not how much security functionality the product has
- Security Functional Requirements (SFRs): Requirements on the security behaviour of the TOE, drawn from the classes in ISO/IEC 15408-2 (e.g., FAU security audit, FCS cryptographic support, FDP user data protection, FIA identification and authentication)
- Security Assurance Requirements (SARs): Requirements on how confidence in the TOE's security is established, drawn from ISO/IEC 15408-3 (e.g., ADV development, AGD guidance documents, ALC life-cycle support, ATE tests, AVA vulnerability assessment)
Clause-wise Structure of ISO 15408
| Clause | Title | Key Content |
|---|---|---|
| Clause 1 | Scope | Defines applicability to IT product/system evaluation |
| Clause 2 | Normative References | Identifies ISO/IEC 15408-2 and 15408-3 as core parts of the Common Criteria set |
| Clause 3 | Terms and Definitions | Introduces CC-specific terminology and references ISO/IEC 18045 |
| Clause 4 | Abbreviated Terms | Definitions of CC-related acronyms (e.g., TOE, ST, PP, EAL) |
| Clause 5 | General Concepts | Explains key CC concepts and the rationale for security evaluation |
| Clause 6 | The Evaluation Model | Introduces the relationship between PPs, STs, assurance, and evaluation roles |
| Clause 7 | Evaluation Context and Stakeholders | Identifies the roles of developers, evaluators, consumers, and certifiers |
| Clause 8 | TOE Lifecycle Considerations | Discusses TOE development, maintenance, and operational use |
This structure sets the foundation for the component catalogues in ISO/IEC 15408-2 (security functional components) and ISO/IEC 15408-3 (security assurance components). The 2022 edition adds ISO/IEC 15408-4 (framework for specifying evaluation methods and activities) and ISO/IEC 15408-5 (pre-defined packages of security requirements, including the EALs); the evaluation methodology that evaluators apply is ISO/IEC 18045.
What are the requirements of ISO 15408?
- Define a clear Security Target (ST) for the product, specifying the TOE boundary, its security problem definition, its security objectives and the SFRs and SARs it claims
- Determine the appropriate Evaluation Assurance Level (EAL) or other assurance package based on security needs, stakeholder expectations and the recognition limits of your target markets (CCRA recognizes cPP-based and EAL2-level evaluations)
- Claim conformance to an existing Protection Profile (PP) or cPP where one exists for your product category (firewalls, smart cards etc.); many procurement bodies require PP conformance rather than a bare EAL, and PPs are normally authored by user communities or schemes, not by the vendor
- Document all security functions of the product (e.g., authentication, audit logging, cryptographic controls) in the TOE summary specification of the ST
- Engage a licensed evaluation laboratory under a national CC scheme early; the scheme's certification body issues the certificate on the basis of the lab's evaluation technical report
- Select SFRs from ISO/IEC 15408-2 and SARs from ISO/IEC 15408-3 (or an assurance package from ISO/IEC 15408-5), stating any operations such as assignments and refinements explicitly
- Maintain design documentation (ADV), guidance (AGD), life-cycle and configuration-management evidence (ALC), test plans and results (ATE) and a vulnerability analysis (AVA) at the depth the chosen EAL requires
- Consider how the TOE is delivered, installed, maintained and operated over its lifecycle, since the evaluated configuration must be reproducible by the end user
Looking to map your cybersecurity controls to ISO requirements? Contact support@pacificcert.com.
Documentation Required
To align with ISO/IEC 15408-1 and prepare for evaluation, organizations should maintain:
- Security Target (ST) with the security problem definition (threats, organizational security policies, assumptions), security objectives with rationale, SFRs, SARs and TOE summary specification
- Conformance claim to a Protection Profile (if applicable) and the rationale showing how the ST meets it
- TOE architecture, functional specification, design and component diagrams (ADV class)
- SFR and SAR selections mapped to product functionality and to the chosen assurance package
- Vulnerability analysis, including a search for publicly known vulnerabilities in the TOE and its components, and the mitigations applied (AVA class)
- TOE lifecycle documentation: secure delivery, configuration management, installation and operational guidance, and flaw remediation procedures (ALC and AGD classes)
- Test plans, coverage and depth analyses, execution results and developer evidence (ATE class)
- Evaluation agreement or certification scope with a licensed laboratory and the relevant national scheme
What are the benefits of ISO 15408-1?
ISO/IEC 15408 remains the most widely used international framework for IT security product evaluation. Buyers in regulated sectors, including those deploying zero-trust architectures and embedded AI systems, increasingly require independently evaluated security assurances before procurement or integration. The benefits of an evaluation include:
- Enables formal security assurance of IT products through standardized, repeatable evaluation
- Facilitates market access and procurement approval in regulated sectors (e.g., defense, finance, healthcare)
- Supports international recognition via CCRA (Common Criteria Recognition Arrangement)
- Builds stakeholder trust by validating that the product meets defined security expectations
- Allows customization of evaluation depth based on risk and usage (EAL1 to EAL7)
- Promotes transparency and clarity in security feature documentation and implementation
- Strengthens product development practices through secure design and documentation discipline
- Aligns with broader cybersecurity standards such as ISO/IEC 27001, ISO/IEC 27034, and ISO/IEC 15443
- Reduces procurement risks by verifying functional and assurance compliance before deployment
- Supports continuous improvement of cybersecurity products through evaluation feedback
Governments, financial institutions, and multinational corporations are increasingly requiring Common Criteria evaluations for devices like firewalls, VPNs, smart cards, cryptographic modules, medical devices, and IoT endpoints. ISO/IEC 15408-1 plays a foundational role by defining the common language and high-level framework to scope, plan, and manage security evaluations across jurisdictions.
With cybersecurity product liability and AI governance regulations emerging globally, the 2022 edition also modernizes the framework: the series was restructured into five parts, and exact conformance, PP-Modules and PP-Configurations were formalized so that requirements for modular and composed products can be specified precisely and compared across jurisdictions.
How can Pacific Certifications help?
Pacific Certifications provides audit and certification services aligned with ISO/IEC 27001, ISO 9001, and other management system standards that intersect with ISO/IEC 15408 implementation.
For ISO/IEC 15408-1 our role includes:
- Supporting organizations preparing for Common Criteria evaluations under ISO frameworks
- Auditing how security assurance activities are integrated into an ISO/IEC 27001 ISMS or an ISO/IEC 42001 AIMS
- Reviewing alignment of documentation, testing, and design practices with ISO security standards
- Conducting gap assessments and verification of security process documentation
- Providing third-party certification for systems managing evaluated IT products
To align your cybersecurity strategy with ISO assurance requirements, contact support@pacificcert.com.
FAQ on ISO 15408
Is ISO 15408-1 certifiable?
No. ISO/IEC 15408-1 is the introduction and general model of the Common Criteria and contains no requirements an organization could be certified against. Common Criteria certificates are issued by a national scheme's certification body for a specific version of a product (the TOE) evaluated against its Security Target, not to the organization that makes it.
What is the difference between a Protection Profile and a Security Target?
A Protection Profile is an implementation-independent, reusable statement of requirements for a category of products, usually written by a user community or scheme. A Security Target is written by the developer for the specific product being evaluated and may claim conformance to one or more PPs.
What is an EAL?
Evaluation Assurance Levels (EAL1 to EAL7) are pre-defined assurance packages that set the depth and rigor of the evaluation; higher EALs require more design evidence, more extensive testing and a deeper vulnerability analysis. An EAL states how thoroughly the claimed functionality was examined, not how much security functionality the product provides, so the EALs of two products are only comparable when their Security Targets claim similar requirements.
How does ISO 15408 align with ISO/IEC 27001?
The two standards evaluate different things: ISO/IEC 27001 certifies an organization's information security management system, while ISO/IEC 15408 evaluates a product. An ISMS can reference ISO/IEC 15408 in its controls for secure development and procurement, for example by requiring CC-evaluated products or CC-style evidence from suppliers.
Can Pacific Certifications certify ISO/IEC 15408?
We certify management systems that support ISO/IEC 15408 alignment but do not certify IT products directly. Evaluation labs handle product-level CC certification.
Ready to prepare for a Common Criteria evaluation?
Contact Pacific Certifications to discuss how management system certification can support your evaluation readiness.