The ISO/IEC 15408 standard, more commonly known as the Common Criteria (CC), is the principal international framework for evaluating the security properties of Information Technology (IT) products and systems. It provides a comprehensive taxonomy of Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that enable a structured, repeatable evaluation process whose results are mutually recognized across international borders. Part 1 of the standard (ISO/IEC 15408-1) establishes the general model, concepts, and architectural principles that underpin the entire CC ecosystem. It defines the foundational terminology that all subsequent evaluations rely upon, from the Target of Evaluation (TOE) and its Operational Environment to the introduction of the Evaluation Assurance Level (EAL) scale.
The primary objective of the series is to provide a reliable, standardized methodology for specifying, implementing, and evaluating security features in products such as firewalls, operating systems, smart cards, and cryptographic modules. By establishing a common language for security claims and their rigorous assessment, ISO/IEC 15408 helps eliminate the fragmentation caused by proprietary or purely national security evaluation schemes, significantly reducing costs for vendors and complexity for consumers.
The technical core of ISO/IEC 15408 is its hierarchical structure of security requirements. Security Functional Requirements (SFRs), detailed in Part 2, outline the desired security behaviors of the TOE (e.g., audit, cryptographic support, user data protection). Security Assurance Requirements (SARs), detailed in Part 3, define the measures of confidence in the correctness and effectiveness of those SFRs. These SARs are grouped into the Evaluation