ISO/IEC 15408-1:2022: Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model
Acronyms, Abbreviations, and Initialisms
|Short Form||Full Form|
|EAL||Evaluation Assurance Level|
|IEC||International Electrotechnical Commission|
|ISO||International Organization for Standardization|
|TOE||Target of Evaluation|
ISO/IEC 15408-1, also known as the Common Criteria for Information Technology Security Evaluation (referred to more simply as Common Criteria or CC), establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
ISO/IEC 15408-1 is designed for evaluating the security properties of IT products, not administrative or business processes. Furthermore, misconfiguration or improper management of a product does not guarantee a certain level of security.
Target of Evaluation (TOE)
The Target of Evaluation (TOE) is the set of software, firmware and/or hardware possibly accompanied by guidance, which is the subject of an evaluation.
Protection Profiles (PPs)
A Protection Profile (PP) is an implementation-independent statement of security needs for a TOE.
A PP allows security requirements to be expressed using a template in an implementation-independent way, and is thus reusable. This provides benefits when implementing a family of related products or a product line.
Security Targets (STs)
A Security Target (ST) is an implementation-dependent statement of security requirements for a TOE.
An ST contains a set of security requirements that can be stated explicitly. An ST includes detailed product-specific information. It can be viewed as a refinement of the PP, and forms the agreed-upon basis for evaluation.
Evaluation Assurance Levels (EALs)
Evaluation Assurance Levels (EALs) define how thoroughly the product is tested. There are seven EALs. The higher the level, the more confidence you can have that the security functional requirements have been met.
|EAL3||Methodically tested and checked|
|EAL4||Methodically designed, tested, and reviewed|
|EAL5||Semiformally designed and tested|
|EAL6||Semiformally verified design and tested|
|EAL7||Formally verified design and tested|
The higher the level of evaluation, the more security assurance tests the product would have undergone; however, this does not guarantee that the product is more secure.
- ISO/IEC 15408-1 is also known as the Common Criteria for Information Technology Security Evaluation (referred to more simply as Common Criteria or CC).
- ISO/IEC 15408-1 introduces the concept of Protection Profiles (PPs), Security Targets (STs), and Evaluation Assurance Levels (EALs).
- There are 7 EALs with varying levels of security assurance requirements.