
Iso Iec 15408 Pdf [verified] Jun 2026

This section contains pre-defined packages of security requirements that are commonly used across industries. It simplifies the creation of Security Targets and Protection Profiles by offering proven blueprints.

Key Concepts Within the Standard

Whether you choose to purchase the official standard, explore a preview, or utilize free guidance documents, the knowledge you gain from ISO/IEC 15408 is an investment in security and credibility for any IT product.

A PP is an implementation-independent set of security requirements for a specific category of products (e.g., a PP for Firewalls).

3. Security Target (ST)

As a security consultant, I have seen organizations waste six figures because they misunderstood the ISO IEC 15408 PDF. Avoid these errors:

The standard is divided into five parts that guide the evaluation process:

Thanks to the CCRA, a certificate issued in Japan is recognized in 28+ countries, including the USA, UK, Germany, France, and Canada. No other security standard offers this level of global trade facilitation.

Part 2 is a massive catalog of standard security behaviors expected from IT products. These are called Security Functional Requirements (SFRs). They define what the product does to enforce security. SFRs are organized into classes, including:

This part establishes the foundational concepts and general principles of IT security evaluation. It provides an overview of the entire series, defines core terminology, and introduces the concept of a Target of Evaluation (TOE), the specific IT product or system being assessed. It also describes the key roles (developers, consumers, and evaluators) and the general evaluation context.

A numerical rating (EAL1 to EAL7) that describes the depth and rigor of the evaluation. Higher numbers indicate more rigorous testing.

How to Obtain the ISO/IEC 15408 PDF

EAL2: Builds on EAL1 by adding a review of the high-level design and a cursory vulnerability analysis.

Before the Common Criteria existed, different countries operated under their own disparate security evaluation systems, such as the U.S. Department of Defense's TCSEC (famously known as the "Orange Book"), Canada's CTCPEC, and Europe's ITSEC. In 1999, the CC was officially adopted as an international standard, effectively harmonizing these various frameworks into one globally accepted system.

A document created by a vendor that describes the specific security features and "Assurance Level" of their particular product.

3. Key Components to Include
