Iso Iec 15408 Pdf May 2026
ISO/IEC 15408 is an international standard (developed jointly by the International Organization for Standardization and the International Electrotechnical Commission) that establishes the Common Criteria for Information Technology Security Evaluation.
In simple terms, it allows vendors to have their products tested by an accredited lab. If the product passes, it receives a certificate at an Evaluation Assurance Level (EAL1 through EAL7) attesting that it meets the specific security claims made for it.
The standard is famously dense. The full ISO/IEC 15408 PDF runs hundreds of pages, divided into three main parts:
Do not download a file labeled "ISO/IEC 15408:2005" or "ISO/IEC 15408:2009." These are over a decade old. The current version is ISO/IEC 15408:2022 (or CC:2022). Using an old version will result in failed certifications, as labs no longer evaluate against outdated criteria.
The certification process follows a strict lifecycle managed by a licensing scheme (e.g., NIAP in the USA, CESG in the UK, BSI in Germany).
As a security consultant, I have seen organizations waste six figures because they misunderstood the ISO IEC 15408 PDF. Avoid these errors:
Mistake #1: Using a 2005 PDF in 2025. The attack landscape has changed. The 2022 version adds requirements for side-channel attacks (timing, power analysis) and updatable products (how to handle automatic updates). An old PDF will miss these.
Mistake #2: Confusing EAL with "more secure." EAL7 vs. EAL4 does not mean the product is "more secure" against hackers. It means the development process was more rigorous. A poorly configured EAL5 product is less secure than a well-administered EAL2 product.
Mistake #3: Forgetting the "Maintenance" chapter. The PDF includes strict rules about what happens after certification. If you ship a product with a new cryptographic library and do not tell the lab, your certificate is void.
Mistake #4: Downloading unofficial PDFs from forums. Many forum-shared PDFs are missing Annexes (e.g., Annex A – Cross-referencing tables). These annexes are critical for mapping functional components. Without them, the standard is nearly unusable.
The International Organization for Standardization (ISO) sells the official PDF. As of 2025, a single part of the standard costs approximately 138 to 198 CHF (Swiss Francs). The entire set (Parts 1, 2, and 3) will cost over 500 CHF.
The Target of Evaluation (TOE) is the product or system being evaluated. It could be a USB token, a database management system, or a VPN gateway. The ISO/IEC 15408 PDF dictates that you must define the TOE's boundaries clearly: what is inside the scope of evaluation and what is excluded (e.g., the physical server it runs on).
If you are a CISO purchasing a new firewall, request the vendor's "Security Target" (ST) PDF. Do not just ask for the EAL level. Using the ISO/IEC 15408 framework, you can compare two firewalls side-by-side by seeing which Security Functional Requirements (SFRs, taken from Part 2 of the PDF) each one actually claimed and had evaluated.
The PDF is your checklist. The "Evaluation Methodology" (a separate but related document) tells you exactly how to prove a product meets FAU_GEN.1 (Audit data generation).
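To make the side-by-side SFR comparison concrete, here is an added example (not from this page and not any scheme's tooling) that parses Part 2 component identifiers such as FAU_GEN.1 and reports, per functional class, which components two Security Targets claim. The two ST claim lists are constructed, and the handling of "_EXT" extended components and "/label" iteration suffixes is an assumption about how the STs write their identifiers.

```python
"""Compare the SFR claims of two Security Targets (ISO/IEC 15408 Part 2 components)."""
import re
from collections import defaultdict

# Part 2 identifier: CLASS_FAMILY.component, e.g. FAU_GEN.1 or FCS_COP.1.
# Assumed extras: an "_EXT" family suffix for extended components (FPT_TUD_EXT.1),
# an optional ".n" element number (FAU_GEN.1.2) and a "/label" iteration (FCS_COP.1/AES).
SFR_RE = re.compile(r"^(F[A-Z]{2})_([A-Z]{3}(?:_EXT)?)\.(\d+)(?:\.(\d+))?(?:/([A-Za-z0-9_-]+))?$")


def parse_sfr(identifier: str) -> dict:
    """Split one identifier into class, family, component, element and iteration."""
    m = SFR_RE.match(identifier.strip())
    if not m:
        raise ValueError(f"not a Part 2 SFR identifier: {identifier!r}")
    cls, fam, comp, elem, iteration = m.groups()
    return {"class": cls, "family": fam, "component": f"{cls}_{fam}.{comp}",
            "element": elem, "iteration": iteration}


def components(st_claims) -> set:
    """Collapse element numbers and iterations down to the components an ST claims."""
    return {parse_sfr(c)["component"] for c in st_claims}


def compare_sts(st_a, st_b) -> dict:
    """Per functional class, list components claimed by both STs or by only one."""
    a, b = components(st_a), components(st_b)
    report = defaultdict(lambda: {"both": [], "only_a": [], "only_b": []})
    for comp in sorted(a | b):
        bucket = "both" if comp in a and comp in b else ("only_a" if comp in a else "only_b")
        report[comp[:3]][bucket].append(comp)
    return dict(report)


# Constructed claim lists for two hypothetical firewall STs (not real products).
ST_FIREWALL_A = ["FAU_GEN.1", "FAU_GEN.1.2", "FCS_COP.1/AES", "FDP_IFC.1", "FMT_SMR.1"]
ST_FIREWALL_B = ["FAU_GEN.1", "FAU_STG.1", "FCS_COP.1/RSA", "FDP_IFC.1", "FPT_TUD_EXT.1"]

if __name__ == "__main__":
    for cls, buckets in compare_sts(ST_FIREWALL_A, ST_FIREWALL_B).items():
        print(cls, buckets)
```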