
ISO/IEC 15408-1:2022 – Evaluation Criteria for IT Security

What is ISO 15408?

ISO/IEC 15408-1:2022 is part of the internationally recognized Common Criteria (CC) framework for evaluating the security of IT products and systems. This standard provides the foundational introduction and general model for the series, offering a conceptual structure for defining, assessing, and verifying IT security properties.


Common Criteria (CC), formalized through the ISO/IEC 15408 series, enables product developers to speak a common language for cybersecurity assurance. Part 1 introduces key concepts like security targets (STs), protection profiles (PPs), evaluation assurance levels (EALs) and functional and assurance requirements.

Whether you’re developing secure software, embedded systems or cryptographic modules, ISO/IEC 15408-1 provides the essential model for achieving verifiable, comparable, and repeatable IT security evaluations.

Looking to align your cybersecurity products with ISO evaluations? Contact support@pacificcert.com.

Scope and Applicability

ISO/IEC 15408-1:2022 provides the structural framework and foundational terminology for evaluating the security properties of IT systems, products, and components using a standardized approach. It applies to:

  • Developers of secure software, hardware or embedded devices
  • Government agencies and defense contractors requiring trusted IT systems
  • Certification bodies and evaluation labs conducting IT security assessments
  • Cybersecurity product vendors preparing for procurement or international validation
  • IT auditors and assurance professionals needing a standardized security evaluation model

The standard supports evaluations at varying degrees of rigor (through EALs) and enables cross-recognition of certifications across countries through schemes like the Common Criteria Recognition Arrangement (CCRA).

Key Definitions in ISO 15408

  1. Target of Evaluation (TOE): The IT product or system being evaluated for security
  2. Security Target (ST): A document that identifies the security properties and objectives of the TOE
  3. Protection Profile (PP): A reusable set of security requirements for a category of products or systems
  4. Evaluation Assurance Level (EAL): A predefined set of assurance components that indicate the depth and rigor of an evaluation
  5. Security Functional Requirements (SFRs): Requirements related to specific security capabilities of the TOE (e.g., access control, encryption)
  6. Security Assurance Requirements (SARs): Requirements related to how confidence in the TOE’s security is established (design, testing, vulnerability assessment)

Clause-wise Structure of ISO 15408

Clause     Title                                 Key Content
Clause 1   Scope                                 Defines applicability to IT product/system evaluation
Clause 2   Normative References                  Identifies ISO/IEC 15408-2 and 15408-3 as core parts of the Common Criteria set
Clause 3   Terms and Definitions                 Introduces CC-specific terminology and references ISO/IEC 18045
Clause 4   Abbreviated Terms                     Definitions of CC-related acronyms (e.g., TOE, ST, PP, EAL)
Clause 5   General Concepts                      Explains key CC concepts and rationale for security evaluation
Clause 6   The Evaluation Model                  Introduces the relationship between PPs, STs, assurance, and evaluation roles
Clause 7   Evaluation Context and Stakeholders   Identifies roles of developers, evaluators, consumers, and certifiers
Clause 8   TOE Lifecycle Considerations          Discusses TOE development, maintenance, and operational use

This structure sets the foundation for the more technical criteria in ISO/IEC 15408-2 (functional requirements) and ISO/IEC 15408-3 (assurance requirements).

What are the requirements of ISO 15408?

  1. Define a clear Security Target (ST) for the product, specifying its intended security behavior and evaluation context
  2. Determine the appropriate Evaluation Assurance Level (EAL) based on security needs and stakeholder expectations
  3. Develop a Protection Profile (PP) if your product category is widely used or regulated (e.g., firewalls, smart cards)
  4. Document all security functions of the product (e.g., authentication, audit logging, cryptographic controls)
  5. Collaborate with evaluation laboratories or accredited certification bodies during assessment phases
  6. Ensure alignment with ISO/IEC 15408-2 and ISO/IEC 15408-3 for selecting SFRs and SARs
  7. Maintain detailed design documentation, test plans, and vulnerability analysis for evaluator review
  8. Consider how the TOE is delivered, maintained, and operated over its lifecycle


Looking to map your cybersecurity controls to ISO requirements? Contact support@pacificcert.com.

Documentation Required

To align with ISO/IEC 15408-1 and prepare for evaluation, organizations should maintain:

  1. Security Target (ST) with detailed objectives, environment assumptions, and threats
  2. Protection Profile (if applicable) and its justification
  3. TOE architecture, specifications, and component diagrams
  4. SFR and SAR mappings based on product functionality and assurance level
  5. Vulnerability assessment reports and mitigations
  6. TOE lifecycle documentation: installation, delivery, configuration, and maintenance procedures
  7. Test plans, execution results, and developer evidence
  8. Evaluation agreement or certification scope with authorized labs

What are the benefits of ISO 15408-1?

ISO/IEC 15408 remains the most widely accepted international framework for IT security product evaluation. In the era of zero-trust architectures and embedded AI systems, stakeholders are demanding independently evaluated security assurances before procurement or integration. Below are the benefits of implementing it:


  • Enables formal security assurance of IT products through standardized, repeatable evaluation
  • Facilitates market access and procurement approval in regulated sectors (e.g., defense, finance, healthcare)
  • Supports international recognition via CCRA (Common Criteria Recognition Arrangement)
  • Builds stakeholder trust by validating that the product meets defined security expectations
  • Allows customization of evaluation depth based on risk and usage (EAL1 to EAL7)
  • Promotes transparency and clarity in security feature documentation and implementation
  • Strengthens product development practices through secure design and documentation discipline
  • Aligns with broader cybersecurity standards such as ISO/IEC 27001, ISO/IEC 27034, and ISO/IEC 15443
  • Reduces procurement risks by verifying functional and assurance compliance before deployment
  • Supports continuous improvement of cybersecurity products through evaluation feedback

Governments, financial institutions, and multinational corporations are increasingly requiring Common Criteria evaluations for devices like firewalls, VPNs, smart cards, cryptographic modules, medical devices, and IoT endpoints. ISO/IEC 15408-1 plays a foundational role by defining the common language and high-level framework to scope, plan, and manage security evaluations across jurisdictions.

With cybersecurity product liability and AI governance regulations emerging globally, the ISO/IEC 15408 series is also evolving to support the evaluation of autonomous systems, privacy-enhancing technologies, and cross-border compliance.

How can Pacific Certifications help?

Pacific Certifications provides audit and certification services aligned with ISO/IEC 27001, ISO 9001, and other management system standards that intersect with ISO/IEC 15408 implementation.

For ISO/IEC 15408-1 our role includes:

  • Supporting organizations preparing for Common Criteria evaluations under ISO frameworks
  • Auditing security assurance integration into ISO/IEC 27001 or ISO/IEC 42001 ISMS/AIMS systems
  • Reviewing alignment of documentation, testing, and design practices with ISO security standards
  • Conducting gap assessments and verification of security process documentation
  • Providing third-party certification for systems managing evaluated IT products

To align your cybersecurity strategy with ISO assurance requirements, contact support@pacificcert.com.

FAQ on ISO 15408

It is part of a framework for product evaluation and provides the foundational model. Certification applies to the product, not the organization.

A Protection Profile is a reusable template for a category of products. A Security Target is specific to the product being evaluated.

Evaluation Assurance Levels (EAL1–EAL7) define the depth and rigor of the evaluation process. Higher EALs require more evidence and testing.

ISO/IEC 27001 can include ISO/IEC 15408-aligned processes for secure system development and procurement within its risk and control framework.

We certify management systems that support ISO/IEC 15408 alignment but do not certify IT products directly. Evaluation labs handle product-level CC certification.

Ready to get ISO 15408 certified?

Contact Pacific Certifications to begin your certification journey today!

Suggested Certifications –

  1. ISO 9001:2015
  2. ISO 14001:2015
  3. ISO 45001:2018
  4. ISO 22000:2018
  5. ISO 27001:2022
  6. ISO 13485:2016
  7. ISO 50001:2018
