ISO/IEC 15408, commonly known as Common Criteria (CC), is the international standard for evaluating the security properties of IT products and systems. It provides a rigorous, internationally recognised framework for assessing whether a product’s security functions meet defined requirements.
Common Criteria is used to evaluate products, not organisations. Successful evaluations result in certification of the product against defined security requirements and assurance levels.
What is ISO/IEC 15408?
ISO/IEC 15408 is jointly published by the International Organization for Standardization and the International Electrotechnical Commission.
The standard defines a common language, structure, and methodology for specifying security requirements and assurance measures, enabling governments, enterprises, and buyers to compare the security of evaluated IT products.
What does Common Criteria cover?
ISO/IEC 15408 focuses on the evaluation of IT security functionality and assurance, including:
- Identification of security objectives and threats
- Definition of security functional requirements (SFRs)
- Definition of security assurance requirements (SARs)
- Evaluation methods and evidence requirements
- Independent testing and analysis by accredited laboratories
It applies to products such as operating systems, databases, firewalls, smart cards, hardware security modules (HSMs), network devices, and embedded systems.
The Common Criteria structure explained
Common Criteria is organised into three complementary parts:
Part 1 – Introduction and general model
Explains core concepts, terminology, and the overall evaluation framework.
Part 2 – Security functional requirements
Defines a catalogue of security functions (for example, access control, identification and authentication, cryptographic support).
Part 3 – Security assurance requirements
Defines assurance measures that determine how much confidence can be placed in the product’s security (design review, testing depth, lifecycle controls).
Together, these parts enable consistent and comparable evaluations.
Protection Profiles (PPs) and Security Targets (STs)
Protection Profiles (PPs)
Reusable sets of security requirements for a category of products (for example, firewalls or smart cards). PPs are often mandated by regulators or procurement frameworks.
Security Targets (STs)
Product-specific documents that state the security claims being evaluated. The ST defines what the product is expected to do and the assurance level sought.
Evaluations are performed against the Security Target and, where applicable, against a Protection Profile the Security Target claims conformance to.
Evaluation Assurance Levels (EALs)
Common Criteria defines Evaluation Assurance Levels (EAL1–EAL7), which indicate the depth and rigour of the evaluation:
- EAL1–EAL2: Basic to structured testing
- EAL3–EAL4: Methodical design review and testing (EAL4 is common for commercial products)
- EAL5–EAL7: Semi-formal to formal verification (used for high-assurance or national security contexts)
Higher EALs require more evidence, analysis, and cost, but provide greater assurance.
Who is ISO/IEC 15408 for?
Common Criteria is relevant to:
- IT product vendors seeking security certification
- Government and defence procurement bodies
- Regulated industries requiring evaluated products
- Buyers comparing security assurances across vendors
- Security labs and certification schemes
It is widely referenced in public-sector procurement and cross-border security recognition schemes.
Certification vs organisational standards
| Common Criteria (ISO/IEC 15408) | Organisational ISO standards |
|---|---|
| Product evaluation | Management system certification |
| Certifies products | Certifies organisations |
| Assurance-focused | Process and governance-focused |
| Independent lab testing | System audits |
Common Criteria does not certify organisations. It certifies specific product versions and configurations.
How a Common Criteria evaluation works
A typical evaluation involves:
- Defining the product scope and Security Target
- Selecting applicable Protection Profiles (if required)
- Independent evaluation by an accredited laboratory
- Technical analysis, testing, and vulnerability assessment
- Review by a national certification body
- Issuance of a Common Criteria certificate (if successful)
Evaluations are time- and resource-intensive, reflecting the depth of assurance provided.
Is ISO/IEC 15408 certification mandatory?
No. Common Criteria certification is voluntary, but it is often required by regulation or procurement in government, defence, and critical infrastructure sectors.
Where required, only evaluated product versions and configurations are acceptable.
Benefits of Common Criteria certification
Vendors and buyers benefit from:
- Internationally recognised security assurance
- Increased trust and credibility in security claims
- Access to regulated or government markets
- Clear, comparable security specifications
- Independent verification of security functionality
The strongest value lies in objective, third-party assurance.
Common misunderstandings about Common Criteria
- “It certifies companies” – it certifies products
- “Higher EAL is always better” – assurance must be proportionate
- “It guarantees no vulnerabilities” – it provides confidence, not guarantees
- “It replaces secure development” – it complements it
Understanding scope and limits is essential when using CC results.
How Common Criteria fits with other ISO standards
Common Criteria is often used alongside:
- ISO/IEC 27001 (information security management)
- ISO/IEC 27002 (security controls)
- ISO/IEC 12207 (software lifecycle processes)
- ISO/IEC 15288 (system lifecycle processes)
Together, these standards link secure development and governance with independent product assurance.
Next steps
If you are considering Common Criteria:
- Determine whether certification is required by customers or regulators
- Identify applicable Protection Profiles
- Define a realistic Security Target and EAL
- Plan time, cost, and evidence requirements early
ISOcertified.net provides guidance on Common Criteria, including evaluation scope, assurance levels, costs, and how ISO/IEC 15408 fits alongside information security and lifecycle management standards.