# ISO/IEC 15408-1:2022: Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
CC Common Criteria
EAL Evaluation Assurance Level
IEC International Electrotechnical Commission
ISO International Organization for Standardization
IT Information Technology
PP Protection Profile
ST Security Target
TOE Target of Evaluation

# Overview

ISO/IEC 15408-1, also known as the Common Criteria for Information Technology Security Evaluation (referred to more simply as Common Criteria or CC), establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.

# Target of Evaluation (TOE)

The Target of Evaluation (TOE) is the set of software, firmware and/or hardware possibly accompanied by guidance, which is the subject of an evaluation.

# Protection Profiles (PPs)

A Protection Profile (PP) is an implementation-independent statement of security needs for a TOE.

A PP allows security requirements to be expressed using a template in an implementation-independent way, and is thus reusable. This provides benefits when implementing a family of related products or a product line.

# Security Targets (STs)

A Security Target (ST) is an implementation-dependent statement of security requirements for a TOE.

An ST contains a set of security requirements that can be stated explicitly. An ST includes detailed product-specific information. It can be viewed as a refinement of the PP, and forms the agreed-upon basis for evaluation.

# Evaluation Assurance Levels (EALs)

Evaluation Assurance Levels (EALs) define how thoroughly the product is tested. There are seven EALs. The higher the level, the more confidence you can have that the security functional requirements have been met.

EAL Description
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested and checked
EAL4 Methodically designed, tested, and reviewed
EAL5 Semiformally designed and tested
EAL6 Semiformally verified design and tested
EAL7 Formally verified design and tested

# Noteworthy

  • ISO/IEC 15408-1 is also known as the Common Criteria for Information Technology Security Evaluation (referred to more simply as Common Criteria or CC).
  • ISO/IEC 15408-1 introduces the concept of Protection Profiles (PPs), Security Targets (STs), and Evaluation Assurance Levels (EALs).
  • There are 7 EALs with varying levels of security assurance requirements.

# Sources