products:ict:security:iso_iec_15408

ISO/IEC 15408, also known as the Common Criteria for Information Technology Security Evaluation, is an international standard that defines a framework for specifying, evaluating and certifying the security properties of IT products and systems. The product under evaluation is called the Target of Evaluation (TOE). The standard provides a common language for stating security requirements and a common yardstick for how thoroughly a product has been examined, so that an evaluation performed in one country can be understood, and under the mutual-recognition arrangement accepted, in another.

The Common Criteria (CC) text is developed by the national certification schemes that sponsor it under the Common Criteria Recognition Arrangement (CCRA) and is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 15408. Part 1 gives the general model, Part 2 the catalogue of security functional components and Part 3 the catalogue of security assurance components; the companion evaluation methodology (the CEM) is published as ISO/IEC 18045. The aim is a common set of criteria and evaluation methods so that evaluations of IT products are consistent and repeatable across laboratories and schemes.

The Common Criteria framework consists of several key components:

1. Protection Profiles (PP): A Protection Profile is an implementation-independent statement of the security requirements for a type of IT product, for example firewalls, operating systems or smart cards. It describes the threats and security objectives for that product type, the security functions the product must provide and the assurance package expected, without referring to any particular vendor's implementation. PPs are typically written by government schemes, industry groups or, for collaborative PPs (cPPs), by international technical communities.

2. Security Targets (ST): A Security Target is the implementation-specific counterpart for one identified product version (the TOE). It states the security properties and requirements of that product and the evaluated configuration in which they hold. An ST may claim conformance to one or more Protection Profiles, in which case it must contain at least all of the PP's requirements and must explain how the product meets them; an ST may also be written without any PP, in which case the vendor chooses the requirements.

3. Evaluation Assurance Levels (EALs): The Evaluation Assurance Level defines the depth and rigour of the evaluation. There are seven EALs, from EAL1 (functionally tested, the lowest) to EAL7 (formally verified design and tested, the highest). Each EAL is a predefined package of assurance components from Part 3, and every level includes all the components of the levels below it. A package may be augmented with additional assurance components, written with a plus sign (for example EAL4+ with ALC_FLR.2, flaw remediation). An EAL measures how much evidence was examined and how deeply, not how strong the product's security functions are: an EAL4 product is not "more secure" than an EAL2 product unless its SFRs are also stronger. Note also that since 2014 the CCRA only guarantees mutual recognition of certificates based on collaborative PPs or of components up to EAL2 (augmented with ALC_FLR); higher EALs are recognised only within regional arrangements such as SOG-IS.

4. Security Functional Requirements (SFRs): Security Functional Requirements define the specific security functions the product must provide. They are selected from the catalogue in Part 2, which groups components into classes such as FAU (security audit), FCS (cryptographic support), FDP (user data protection), FIA (identification and authentication) and FMT (security management). Components are identified by class, family and number (FIA_UAU.2, for instance), and some are hierarchical to others, meaning the higher component satisfies any requirement for the lower one. Their counterparts are the Security Assurance Requirements (SARs) of Part 3, which state what evidence the developer must supply and what the evaluator must do; the EALs are built from SARs.
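The relationship between a Protection Profile and a Security Target can be made concrete with a small conformance check. The script below is an added example for this page, not an official Common Criteria tool: it checks whether an ST contains every SFR a PP requires (or a hierarchically higher component) and at least the PP's assurance package. FAU_GEN.1, FIA_UAU.1, FIA_UAU.2, FCS_COP.1, FTP_ITC.1 and ALC_FLR.2 are real Part 2 / Part 3 component names and the FIA_UAU.2 over FIA_UAU.1 hierarchy is from Part 2, but the hierarchy table is a deliberately partial excerpt, the PP and the two STs are constructed sample data, and the string form "EAL4+ALC_FLR.2" is this script's own shorthand for "EAL4 augmented with ALC_FLR.2".

```python
"""Check a Security Target's conformance claim against a Protection Profile.

Added worked example, not an official CC tool. The PP, the STs and the
hierarchy excerpt below are constructed sample data; the component names
are real CC Part 2 / Part 3 identifiers.
"""
import re
from dataclasses import dataclass

# Partial excerpt of CC Part 2 hierarchies: component -> components it is
# hierarchical to. An ST containing the higher component satisfies a PP
# that requires the lower one (the ST is at least as restrictive).
HIERARCHICAL_TO = {
    "FIA_UAU.2": frozenset({"FIA_UAU.1"}),  # auth before any action > timing of auth
}

# Shorthand "EAL<n>[+<class>_<family>.<n>]*" used by this script only.
_CLAIM_RE = re.compile(r"EAL([1-7])((?:\+[A-Z]{3}_[A-Z]{3}\.\d+)*)")


@dataclass(frozen=True)
class AssuranceClaim:
    """An EAL package plus any augmenting assurance components."""
    eal: int
    augmentations: frozenset

    @classmethod
    def parse(cls, text: str) -> "AssuranceClaim":
        m = _CLAIM_RE.fullmatch(text.strip())
        if m is None:
            raise ValueError(f"unrecognised assurance claim: {text!r}")
        return cls(int(m.group(1)), frozenset(a for a in m.group(2).split("+") if a))

    def covers(self, required: "AssuranceClaim") -> bool:
        # Each EAL contains every component of the lower EALs, so levels compare
        # numerically. Augmentations are compared conservatively: a component the
        # PP asks for must be listed explicitly, even if a higher EAL includes it.
        return self.eal >= required.eal and required.augmentations <= self.augmentations

    def __str__(self) -> str:
        return f"EAL{self.eal}" + "".join("+" + a for a in sorted(self.augmentations))


@dataclass(frozen=True)
class ProtectionProfile:
    name: str
    sfrs: frozenset           # functional components every conformant ST must contain
    assurance: AssuranceClaim  # minimum assurance package


@dataclass(frozen=True)
class SecurityTarget:
    toe: str                   # the specific product version being evaluated
    sfrs: frozenset            # functional components the ST claims
    assurance: AssuranceClaim  # assurance package the ST claims


def sfr_satisfied(required: str, claimed: frozenset) -> bool:
    """A required SFR is met by the same component or one hierarchical to it."""
    if required in claimed:
        return True
    return any(required in HIERARCHICAL_TO.get(c, frozenset()) for c in claimed)


def check_conformance(st: SecurityTarget, pp: ProtectionProfile) -> list:
    """Return findings; an empty list means the ST may claim conformance.

    Strict conformance: every PP SFR must be present (or a hierarchically
    higher one) and the assurance must reach the PP's package. The ST is
    free to add SFRs of its own beyond those of the PP.
    """
    findings = []
    for sfr in sorted(pp.sfrs):
        if not sfr_satisfied(sfr, st.sfrs):
            findings.append(f"missing SFR {sfr}: no equal or hierarchically higher component in ST")
    if not st.assurance.covers(pp.assurance):
        findings.append(f"assurance {st.assurance} is below the PP minimum {pp.assurance}")
    return findings


# Constructed sample data (not a real PP or product).
SAMPLE_PP = ProtectionProfile(
    name="Sample Network Device PP",
    sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.1", "FCS_COP.1"}),
    assurance=AssuranceClaim.parse("EAL2+ALC_FLR.2"),
)
GOOD_ST = SecurityTarget(                        # stronger auth component, extra SFR, higher EAL
    toe="ExampleRouter OS 4.2",
    sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.2", "FCS_COP.1", "FTP_ITC.1"}),
    assurance=AssuranceClaim.parse("EAL4+ALC_FLR.2"),
)
BAD_ST = SecurityTarget(                         # no crypto SFR, no flaw-remediation augmentation
    toe="ExampleRouter OS 3.0",
    sfrs=frozenset({"FAU_GEN.1", "FIA_UAU.2"}),
    assurance=AssuranceClaim.parse("EAL2"),
)

if __name__ == "__main__":
    for st in (GOOD_ST, BAD_ST):
        findings = check_conformance(st, SAMPLE_PP)
        print(f"{st.toe}: {'conformant' if not findings else 'NOT conformant'}")
        for f in findings:
            print("  -", f)
```

Running the script reports the first ST as conformant (FIA_UAU.2 satisfies the PP's FIA_UAU.1, the extra FTP_ITC.1 is allowed, EAL4 exceeds EAL2) and lists two findings for the second: the missing FCS_COP.1 and an assurance claim of plain EAL2 that lacks the ALC_FLR.2 augmentation the PP demands. Real evaluators apply the same logic, but also check that each SFR's operations (assignments, selections, refinements) are completed consistently with the PP, which this example does not model.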

The Common Criteria certification process involves several stages. The developer writes the Security Target and assembles the evidence the chosen assurance package calls for (design and guidance documentation, configuration management and delivery records, test results). An evaluation laboratory licensed by a national certification scheme then examines the TOE and that evidence against the SARs, following the CEM; at the higher levels this includes independent testing and a vulnerability analysis with penetration testing at the attack potential appropriate to the EAL. The scheme's certification body oversees the evaluation, reviews the laboratory's Evaluation Technical Report, and, if satisfied, issues the certificate together with a public certification report that summarises the evaluated configuration and any limitations.

Common Criteria certification is widely recognised and accepted by governments, organisations and industries around the world, and it is a procurement requirement for many government and defence buyers. It provides a means to assess and compare the security capabilities of different IT products, enabling informed purchasing decisions for critical environments. The certificate should be read precisely, however: it attests that a specific version of the product, in the evaluated configuration described in its ST and certification report, was found to meet the SFRs claimed in that ST to the stated assurance level on the date of evaluation. It does not cover other versions or configurations, features outside the TOE boundary, or vulnerabilities discovered later, so the ST and certification report, not the EAL alone, are what a practitioner should check when relying on a certificate.

products/ict/security/iso_iec_15408.txt · Last modified: 2023/06/20 01:44 by wikiadmin