A Technical Deep Dive into ISO/IEC 15408-3: Security Assurance Components and EALs

Scope and Role of ISO/IEC 15408-3

ISO/IEC 15408, the Common Criteria (CC) for Information Technology Security Evaluation, is the globally recognized standard for certifying the security of IT products. The standard is structured into three main parts. ISO/IEC 15408-3:2008 (Security Assurance Components) defines the assurance requirements that stakeholders (developers, evaluators, and consumers) use to establish a degree of confidence in the security functions of a Target of Evaluation (TOE). While Part 2 defines the security functional requirements (SFRs), Part 3 exclusively defines the security assurance requirements (SARs).

The core of Part 3 is the definition of the Evaluation Assurance Level (EAL) system, a seven-tier progressive scale (EAL1 through EAL7) that provides a globally recognized measure for the depth and rigor of an evaluation.

Assurance Families and Requirements

ISO/IEC 15408-3 organizes assurance requirements into seven distinct classes. Each class contains several families, and each family comprises individual assurance components. These components are the building blocks for requesting a specific EAL or an augmented assurance package.

The Seven Assurance Classes

• APE (Protection Profile Evaluation): Defines the evaluation criteria for Protection Profiles (PPs) to ensure they are complete, consistent, and technically sound.
• ASE (Security Target Evaluation): Outlines the criteria for evaluating Security Targets (STs), ensuring the security problem, objectives, and requirements are properly defined for the TOE.
• ADV (Development): Specifies requirements for the refinement of the TOE design, from the functional specification down to the implementation representation.
• AGD (Guidance Documents): Covers the requirements for operational user guidance and preparatory
  © 2026 tnlab.org — This article is for educational and technical reference purposes.