ISO/IEC 15408 Common Criteria for IT security explained

Common Criteria (ISO/IEC 15408) is the international standard for IT security. Discover the core concepts, evaluation procedures, and certification processes.

This standard provides a structured and recognized framework for assessing the security properties of IT products and systems. Its relevance is highlighted by its integration into the EU Cybersecurity Certification Scheme on Common Criteria (EUCC) within the EU Cybersecurity Act, underlining the role the Common Criteria play in harmonizing and strengthening cybersecurity across Europe.

This article offers a comprehensive look at the Common Criteria, their structure and practical application. We examine recent changes, shed light on the relationship with the EU Cybersecurity Act and explain central concepts such as protection profiles, security targets and evaluation assurance levels. In addition, we take a detailed look at the evaluation process and the important role of testing laboratories and certification bodies.

The relationship between ISO/IEC and Common Criteria

The relationship between ISO/IEC 15408 and the Common Criteria (CC) is an example of the successful integration of a specialized standard into the international standardization system. Originally developed as an independent standard for the evaluation and certification of information technology security, the Common Criteria were adopted into the ISO/IEC family in 1999 and published as ISO/IEC 15408. This made the CC an internationally recognized standard and increased their worldwide acceptance and applicability. Since then, the standard has been referred to both as "Common Criteria" and as "ISO/IEC 15408"; both names refer to the same content and are commonly used interchangeably.

The management and further development of the CC takes place in a unique collaboration between the international Common Criteria community and the ISO/IEC JTC 1/SC 27 (IT Security Techniques). Changes and updates are coordinated across both communities, leading to continuous improvement of the standard. New versions are published both as CC documents and as ISO/IEC standards, with the ISO/IEC versions typically being paid while CC documents are often freely available. In addition, the Common Evaluation Methodology (CEM) was standardized as ISO/IEC 18045, creating a consistent framework for evaluation and certification.

The current version of the Common Criteria can be downloaded free of charge from the official Common Criteria Portal. There you will find all relevant documents, including the main parts of the CC and associated methodologies. The corresponding ISO/IEC standards can be obtained at the ISO publicly available standards page.

Structure of the Common Criteria

The five parts of ISO/IEC 15408 together with ISO/IEC 18045 (CEM) form a comprehensive framework for the specification, development and evaluation of IT security products. While parts 1 to 5 of ISO/IEC 15408 define requirements and structures, the CEM provides the necessary methodology for the practical execution of evaluations.

ISO/IEC 15408-1: introduction and general model

This part gives an overview of the CC and defines basic concepts, principles and terminology. It explains the evaluation process and the evaluation results as well as the relationships between the various parts of the CC.

ISO/IEC 15408-2: functional security requirements

This part contains a detailed catalogue of standardized functional security requirements. It is used for the precise specification of security functions in protection profiles (PP) and security targets (ST). The requirements are organized into classes, families and components, allowing customization and extension for specific products or systems.

ISO/IEC 15408-3: assurance requirements

This part contains a comprehensive catalogue of assurance requirements. It defines measures for assessing the correct implementation of security functions and specifies requirements for development, testing and delivery processes.

ISO/IEC 15408-4: framework for the specification of evaluation methods

This part lays the foundations for the development of consistent and reproducible evaluation methods. It defines their structure and content and enables the development of specific methods for different technology areas.

ISO/IEC 15408-5: predefined packages of security requirements

This part contains predefined collections of security requirements. It also defines the evaluation levels (EAL1 to EAL7), which represent different degrees of evaluation depth. These packages and EALs simplify the creation of protection profiles and security targets by providing frequently needed combinations of requirements and standardized assurance levels.

Relationship between the Common Criteria and the Common Evaluation Methodology

ISO/IEC 18045, also known as the Common Evaluation Methodology (CEM), complements the five parts of the Common Criteria by describing how evaluations are carried out in practice. The relationship in detail:

  • The CEM builds directly on the concepts and principles defined in part 1 and concretizes them for practical application.
  • For the functional and assurance requirements specified in parts 2 and 3, the CEM provides detailed test procedures and techniques. It guides evaluators on how to verify these requirements in practice.
  • The CEM implements the framework for evaluation methods defined in part 4 by providing a standardized methodology for CC evaluations.
  • When evaluating products that use the predefined packages in part 5, the CEM offers specific guidance for efficient test execution.

Overall, the CEM forms the bridge between the theoretical specification of security requirements in the Common Criteria and their practical verification. It ensures evaluations under the CC are consistent, reproducible and comparable.

Changes in the 2022 edition

The 2022 update of the Common Criteria (ISO/IEC 15408) and ISO/IEC 18045 (CEM) introduced several significant changes. The key novelties compared to the previous version include:

  • The structure of the standard was fundamentally revised. Instead of the previous three parts, ISO/IEC 15408 now consists of five parts. The new part 4 introduces a framework for the specification of evaluation methods, while part 5 contains predefined packages of security requirements. This expansion aims to improve the applicability and flexibility of the standard.
  • A central focus of the revision was the modernization and alignment with current technologies and threat scenarios. This is reflected in updated and new functional security requirements that better consider modern IT environments.
  • The assurance requirements were also revised to make the evaluation process more efficient and better meet the needs of different stakeholders. This includes simplifying some requirements and introducing new concepts to better assess the security of complex systems.
  • The update increased the practical orientation of the standard. The new versions place greater emphasis on practical applicability and evaluation efficiency. This is evident, among other things, in the introduction of predefined packages of security requirements in part 5, which simplify the creation of protection profiles and security targets.
  • The evaluation methodology described in ISO/IEC 18045 (CEM) was adjusted accordingly to keep pace with the changes in ISO/IEC 15408. This ensures consistent application of the new requirements and concepts during the evaluation process.
  • In addition, compatibility with other relevant standards and regulations was improved to enable better integration into existing certification frameworks such as the EUCC scheme.

Overall, the changes aim to make the standard more flexible, efficient and relevant for modern IT security challenges while preserving the core principles of the Common Criteria. The revision reflects the effort to keep up with rapid developments in the cybersecurity landscape and to maintain the standard as a valuable tool for the evaluation and certification of IT security products.

Common Criteria and the EUCC scheme under the EU Cybersecurity Act

The EUCC scheme (European Cybersecurity Certification Scheme) was developed under the EU Cybersecurity Act. It is based on the Common Criteria and aims to enable a harmonized certification of IT products, services and processes across the EU.

Main aspects of the connection:

  • Harmonization: the EUCC scheme uses the CC as a foundation to establish an EU-wide uniform certification.
  • Adaptation: it adapts the CC to the specific requirements and goals of the EU.
  • Simplification: the scheme seeks to simplify the certification process to make it more accessible and efficient.
  • Mutual recognition: it promotes mutual recognition of certifications within the EU.
  • Assurance levels: the EUCC scheme defines assurance levels (Basic, Substantial, High) that correspond to the CC evaluation levels.

Through this connection, the Common Criteria are integrated into the EU's legal and regulatory framework to strengthen and standardize cybersecurity in Europe.

Common Criteria building blocks: protection profile, security target and target of evaluation

At the heart of the Common Criteria evaluation process are three essential concepts: the Target of Evaluation (TOE), the Protection Profile (PP) and the Security Target (ST). These building blocks form the basis for a structured and comparable security assessment of IT products and systems.

Target of evaluation

The Target of Evaluation (TOE) denotes the IT product or system to be evaluated. This can be software, hardware or a combination of both. The TOE embodies the concrete security functions that are assessed in the evaluation.

Protection profile

A Protection Profile (PP) is an implementation-independent collection of security requirements for a particular category of TOE. It defines general security objectives and requirements for a product type without referring to a specific product. PPs are often created by user groups or authorities to set standardized security expectations for certain product classes. They serve as a reference for developers and evaluators and promote comparability of security evaluations.

Security target

The Security Target (ST) is an implementation-specific description of the security properties of a concrete TOE. It contains detailed security objectives, functional and assurance requirements and a description of the TOE's security functions. An ST may reference one or more PPs and must demonstrate how the TOE satisfies the requirements defined in the PP.

Interaction of the building blocks

These three building blocks are closely linked: an ST can be based on one or more PPs and refines their general requirements for the specific TOE. During the evaluation, it is checked whether the TOE meets the security requirements defined in the ST. If the ST is based on a PP, compliance with the PP is also verified.

Using these building blocks promotes the standardization and reusability of security requirements. PPs enable customers to specify standardized requirements for IT products, while manufacturers can develop their TOEs accordingly and document this in their STs. This structured approach supports the evaluation process and simplifies the comparison and selection of IT security products on the market.

Security analysis and specification in the Common Criteria

The Common Criteria provide a structured approach for the security analysis and specification of IT products and systems. This process follows a logical chain from problem definition to concrete implementation and verification. The main elements of this chain are the Security Problem Definition (SPD), the Security Objectives, the Security Functional Requirements (SFRs) and the Security Assurance Requirements (SARs).

Relationship between the definition of the security problem, the security objectives and the security requirements

Definition of the security problem

The starting point is the Security Problem Definition (SPD). It describes the security problem to be solved by identifying potential threats, relevant organizational security policies and assumptions about the operational environment. Based on this SPD, the Security Objectives are formulated, describing how the identified security problem should be addressed. These objectives are defined both for the TOE itself and for its operational environment.

Security functional requirements

The Security Functional Requirements (SFRs) concretize the Security Objectives through specific functional requirements for the TOE. They describe exactly what the product must do in terms of security. SFRs cover areas such as access control, authentication, auditing and cryptography. In the Security Target (ST), these requirements are specified in detail, often taken from a Protection Profile (PP) or adapted to the specific needs of the TOE.

Security assurance requirements

In addition, the Security Assurance Requirements (SARs) specify the depth and rigor with which the implementation of security functions is to be verified during the evaluation. They define the scope and extent of testing and include requirements for development documentation, testing, vulnerability analysis and lifecycle support. SARs therefore determine the degree of confidence in the correct implementation of the SFRs.

Evaluation assurance levels

To simplify the selection and application of SARs, Evaluation Assurance Levels (EALs) were introduced. EALs are predefined packages of SARs that represent different assurance levels. They range from EAL1 (functionally tested) to EAL7 (formally verified and tested). Higher EALs require more extensive and rigorous evaluations, but also involve higher costs and effort. EAL packages provide consistent requirement sets for different assurance levels and thus facilitate the comparability of evaluations.

Interrelationships of the elements

The components are closely linked: SFRs and SARs are specified in the ST and form the basis for the TOE evaluation. The choice of EAL influences the scope and depth of the SFR verification. During the evaluation, it is checked whether the TOE satisfies the SFRs and whether this has been demonstrated in accordance with the SARs.

This structured approach enables the Common Criteria to offer a flexible yet standardized procedure for evaluating IT security. SFRs define the required functionality, SARs set the verification depth and EALs provide standardized assurance levels. Together they enable a comprehensive and comparable assessment of the security of IT products and systems.
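As an added illustration (not from the article and not Secuvi's tooling), the following Python script models the tracing an ST author documents between the Security Problem Definition, the security objectives and the SFRs, and checks it for the gaps an evaluator's rationale review would flag: SPD elements no objective addresses, objectives that address nothing, TOE objectives no SFR meets, and SFRs that are listed but never justified. The T./A./P./O./OE. names are constructed (following the prefix convention commonly used in PPs and STs); the SFR identifiers are CC Part 2 component names used only as labels; the rule that an assumption may be upheld only by an operational-environment objective follows the CC Part 1 model. The `SecurityTarget` class and `check_rationale` function are this example's own.

```python
"""Consistency check of the SPD -> objectives -> SFR rationale chain of a Security Target.

Added example, not part of the article. The data model and all T./A./P./O./OE.
names are constructed; the SFR identifiers are CC Part 2 component names used
as illustrative labels.
"""
from dataclasses import dataclass


@dataclass
class SecurityTarget:
    # Security Problem Definition (SPD): threats, assumptions, organizational policies
    threats: set[str]
    assumptions: set[str]
    policies: set[str]
    # Security objectives, split into TOE objectives and operational-environment objectives
    toe_objectives: set[str]
    env_objectives: set[str]
    # Objective rationale: objective -> SPD elements it counters, upholds or enforces
    objective_rationale: dict[str, set[str]]
    # SFRs and their rationale: SFR -> TOE objectives it helps to meet
    sfrs: set[str]
    sfr_rationale: dict[str, set[str]]


def check_rationale(st: SecurityTarget) -> list[str]:
    """Return a sorted list of findings; an empty list means the chain is complete."""
    findings: list[str] = []
    spd = st.threats | st.assumptions | st.policies
    objectives = st.toe_objectives | st.env_objectives

    # 1. Every SPD element must be addressed by at least one security objective.
    addressed = set().union(*st.objective_rationale.values())
    for item in spd - addressed:
        findings.append(f"SPD element {item} is not addressed by any security objective")

    # 2. Every objective must trace to known SPD elements. Assumptions are upheld by
    #    the operational environment only (CC Part 1 model), never by the TOE.
    for obj in objectives:
        items = st.objective_rationale.get(obj, set())
        if not items:
            findings.append(f"objective {obj} addresses no SPD element")
        for item in items - spd:
            findings.append(f"objective {obj} references unknown SPD element {item}")
        if obj in st.toe_objectives:
            for item in items & st.assumptions:
                findings.append(f"TOE objective {obj} claims to uphold assumption {item}")

    # 3. Every TOE objective must be met by at least one SFR (environment objectives are not).
    covered = set().union(*st.sfr_rationale.values())
    for obj in st.toe_objectives - covered:
        findings.append(f"TOE objective {obj} is not met by any SFR")

    # 4. Every SFR must be justified by at least one TOE objective.
    for sfr in st.sfrs:
        objs = st.sfr_rationale.get(sfr, set())
        if not objs:
            findings.append(f"SFR {sfr} is not traced to any TOE objective")
        for obj in objs - st.toe_objectives:
            findings.append(f"SFR {sfr} traces to {obj}, which is not a TOE objective")

    return sorted(findings)


# Constructed sample ST with three deliberate rationale gaps.
EXAMPLE_ST = SecurityTarget(
    threats={"T.UNAUTHORIZED_ACCESS", "T.UNDETECTED_ACTIONS", "T.DATA_DISCLOSURE"},
    assumptions={"A.TRUSTED_ADMIN"},
    policies={"P.AUDIT_REVIEW"},
    toe_objectives={"O.AUTHENTICATE", "O.ACCESS_CONTROL", "O.AUDIT", "O.ENCRYPT"},
    env_objectives={"OE.TRUSTED_ADMIN", "OE.AUDIT_REVIEW"},
    objective_rationale={
        "O.AUTHENTICATE": {"T.UNAUTHORIZED_ACCESS"},
        "O.ACCESS_CONTROL": {"T.UNAUTHORIZED_ACCESS"},
        "O.AUDIT": {"T.UNDETECTED_ACTIONS", "P.AUDIT_REVIEW"},
        "O.ENCRYPT": set(),  # gap: never traced to T.DATA_DISCLOSURE
        "OE.TRUSTED_ADMIN": {"A.TRUSTED_ADMIN"},
        "OE.AUDIT_REVIEW": {"P.AUDIT_REVIEW"},
    },
    sfrs={"FIA_UAU.2", "FDP_ACC.1", "FAU_GEN.1", "FCS_COP.1", "FMT_SMR.1"},
    sfr_rationale={
        "FIA_UAU.2": {"O.AUTHENTICATE"},
        "FDP_ACC.1": {"O.ACCESS_CONTROL"},
        "FAU_GEN.1": {"O.AUDIT"},
        "FCS_COP.1": {"O.ENCRYPT"},
        # gap: FMT_SMR.1 is claimed but never justified
    },
)

if __name__ == "__main__":
    for line in check_rationale(EXAMPLE_ST) or ["rationale chain is complete"]:
        print(line)
```

Run as-is, the script reports the three planted gaps: the threat T.DATA_DISCLOSURE is countered by no objective, O.ENCRYPT justifies nothing, and FMT_SMR.1 is listed without a rationale. Closing the gaps (tracing O.ENCRYPT to T.DATA_DISCLOSURE and FMT_SMR.1 to a TOE objective) yields an empty finding list, which is the state an ST has to reach before an evaluator accepts its rationale.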

The evaluation process in the Common Criteria

The classic evaluation process begins with the manufacturer preparing a Security Target (ST) for the product to be evaluated (Target of Evaluation, TOE). The ST defines the security objectives and functions of the TOE. Optionally, the ST can be based on one or more Protection Profiles (PPs) that set out general security requirements for a product class. PPs are not mandatory but can promote comparability and standardization.

The evaluator first reviews the ST for completeness and consistency. The TOE is then evaluated against the requirements defined in the ST. This includes reviewing documentation, testing security functions and assessing development and delivery processes. The evaluator produces an evaluation report, which is reviewed by a certification body.

In a composite evaluation, a complex product composed of several components is evaluated, some of which may already have been certified separately. The process is similar to the classic procedure, but additionally takes into account the interactions between components and uses results from earlier evaluations. This reduces effort and avoids duplication.

In both cases, the ST serves as the reference for the evaluation, while PPs, if used, form the basis for the ST and ensure conformity with the interests of the PP authors. The evaluation ultimately verifies whether the TOE meets the security requirements defined in the ST (and indirectly in the referenced PPs).

Evaluation laboratories and certification bodies: key actors in the Common Criteria

Testing laboratories and certification bodies play a central role in the Common Criteria (CC) process and are essential for conducting and validating security evaluations. Their cooperation ensures independent, thorough and standardized evaluations of IT products and systems.

Testing laboratories are responsible for the actual evaluation of the TOE. They review the ST and the manufacturer's documentation, test the TOE's security functions and produce the evaluation report. They work closely with the manufacturer to clarify questions and obtain additional information. To ensure independence and competence, laboratories must be accredited.

Examples of such testing laboratories include:

  • atsec information security (Germany, USA)
  • TÜV Informationstechnik GmbH (Germany)
  • Secuvera GmbH (Germany)
  • SGS Brightsight (Netherlands)
  • Gossamer Security Solutions (USA)

Certification bodies oversee and ensure quality in the CC process. They monitor the evaluation, review the work of the testing laboratories and issue the final certificate. They also ensure compliance with national and international standards and represent their country in the Common Criteria Recognition Arrangement (CCRA). In some cases, they are responsible for accrediting testing laboratories.

Well-known certification bodies include:

  • Federal Office for Information Security (BSI) (Germany)
  • National Information Assurance Partnership (NIAP) (USA)
  • Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI) (France)
  • Canadian Centre for Cyber Security (CCCS) (Canada)

The interplay between testing laboratories and certification bodies is crucial to the CC process. While the labs carry out the technical work, the certification bodies supervise the process and ensure quality.

A typical workflow is as follows: a manufacturer commissions an accredited testing laboratory to evaluate its product. The lab conducts the evaluation and submits the report to the certification body. The certification body reviews the report, may ask questions or request additional tests, and issues the CC certificate upon successful verification.

This system ensures an independent, thorough and standardized assessment of IT products and systems and helps build trust in evaluated products while enabling international recognition of certifications under the CCRA.

Support for implementation and certification

The Common Criteria (ISO/IEC 15408) provide an internationally recognized framework for assessing the security of IT products - especially where formal certification is required or strategically advisable. The path to certification can be resource-intensive: from defining security objectives to the successful evaluation by a testing laboratory.

Secuvi supports manufacturers in implementing the Common Criteria - from selecting suitable protection profiles and preparing the required documentation to coordinating the evaluation process. We focus on solutions that meet regulatory requirements while integrating with internal development processes.

If you are considering a CC certification or preparing for one, we offer expert and methodological support.