# ISO/IEC 15408:2009*

Information technology - Security techniques - Evaluation criteria for IT security

# Acronyms, Abbreviations, and Initialisms

Short Form Full Form
CC Common Criteria
EAL Evaluation Assurance Level
IEC International Electrotechnical Commission
IDS Intrusion Detection System
IPS Intrusion Prevention System
ISO International Organization for Standardization
ST Security Target
TCSEC Trusted Computer System Evaluation Criteria
UTM Unified Threat Management

# Overview

ISO/IEC 15408:2009 is an international set of guidelines and specifications developed for evaluating information security products, with the view to ensuring they meet an agreed-upon security standard for government entities and agencies.

The guidelines look at certifying a product only and does not include administrative or business processes.

# Components

# Protection Profiles

Protection profiles define a standard set of security requirements for a specific type of product, such as a firewall, IPS/IDS, or UTM.

# Evaluation Assurance Levels (EALs)

EALs define how thoroughly the product is tested. EALs are rated using a sliding scale from 1-7, with 1 being the lowest-level evaluation and 7 being the highest.

The higher the level of evaluation, the more QA tests the product would have undergone; however, undergoing more tests does not necessarily mean the product is more secure.

EAL Description
EAL1 Functionally tested
EAL2 Structurally tested
EAL3 Methodically tested and checked
EAL4 Methodically designed, tested, and reviewed
EAL5 Semiformally designed and tested
EAL6 Semiformally verified design and tested
EAL7 Formally verified design and tested

# Process

There are three steps to successfully submit a product for evaluation according to the Common Criteria:

  1. The vendor must detail the security features of a product using what is called a Security Target (ST).
  2. The product, along with the ST, goes to a certified laboratory for testing according to evaluate how well it meets the specifications defined in the protection profile.
  3. A successful evaluation leads to an official certification of the product.