ISO/IEC 15408 PDF Review

INTERNAL REPORT: ISO/IEC 15408 (Common Criteria)

Date: October 26, 2023
Subject: Overview and Analysis of ISO/IEC 15408 (Common Criteria for Information Technology Security Evaluation)


The Architecture of Trust: Meditations on ISO/IEC 15408

Open the PDF. It is not a document; it is a cathedral of paranoia. Millions of words, structured like a medieval summa, attempt to do something that feels almost arrogant: to freeze the concept of trust into a mathematical skeleton.

We scroll past the title page. ISO/IEC 15408: Information technology — Security techniques — Evaluation criteria for IT security. The language is passive, sterile. But beneath the bureaucratic veneer is a quiet scream: How do you know the machine is not lying to you?

Part 1: The Grammar of Fear

The first section introduces the Target of Evaluation (TOE). Not "the software." Not "the firewall." The TOE. A term so clinical it could describe a specimen under a microscope. This is the first deep truth of 15408: you cannot secure everything. You must draw a circle in the sand. Inside the circle is order; outside is chaos, the Operational Environment. The document implicitly admits its own failure—it only judges the artifact, never the human holding it.

Then come the Security Functional Requirements (SFRs). A library of verbs for an imagined apocalypse. FAU_GEN.1 (Security audit data generation). FDP_ACC.1 (Subset access control). Each alphanumeric code is a tiny legal contract between silicon and spirit. They read like spells. If you recite FIA_UAU.1 (Timing of authentication) correctly, you might ward off the demon of credential replay.

Part 2: The Assurance Labyrinth

Part 2 is where the PDF grows teeth. Evaluation Assurance Levels (EALs) from 1 to 7. A ladder of ontological commitment.

  • EAL 1: "Functionally tested." (We glanced at it.)
  • EAL 4: "Methodically designed, tested, and reviewed." (Most commercial products live here. The sweet spot of plausible rigor.)
  • EAL 7: "Formally verified design and tested." (The realm of nuclear launch codes and air-gapped nightmares. Here, code is not written; it is derived from predicate calculus. Here, a compiler is a suspect.)

To read the EAL7 requirements is to stare into an abyss. They demand that the system's design be proven correct in a mathematical logic system. This is not engineering. This is metaphysics. The PDF asks: Can truth be compiled?

Part 3: The Protection Profiles

Part 3 gives the document its soul. Protection Profiles (PPs) are user-side manifestos. Instead of vendors saying "look at my cool firewall," a government says: "We need a Collaborative Protection Profile for Network Devices." They define the problem before the solution exists.

This inverts capitalism. Normally, you build, then sell. Here, you define the cage, then ask who can grow inside it. A PP for a Smart Card is a different universe than a PP for a Database Management System. The PDF becomes a library of species of paranoia—each suited to a different predator.

The Hidden Tragedy: The Gap Between the PDF and Reality

But the deepest cut of ISO/IEC 15408 is what it cannot capture. It evaluates the product, not the process. You can have an EAL5+ certified operating system, installed by an intern who leaves the root password on a sticky note. The PDF has no clause for exhaustion, for laziness, for the moment a developer pushes a hotfix at 2 AM without re-evaluating the security target.

Furthermore, the document is a fossil. By the time a product is evaluated (a process taking 12–24 months), the threat landscape has evolved. The PDF describes a world of static, enumerable threats. But we live in a world of zero-days, of side-channels, of AI-generated exploits that do not fit into the Class FIA (Identification and Authentication) taxonomy.

Conclusion: The Beautiful Failure

Why keep this massive, expensive, glacial PDF alive? Because it represents the only honest attempt at structured distrust. The Common Criteria does not believe you. It does not trust the developer, the integrator, or the user. It demands that you show your work, in a language as close to math as English can get.

When you download iso_iec_15408-2022.pdf (roughly 15 MB of compressed suspicion), you are not downloading a standard. You are downloading a confession: that absolute security is impossible, but accountability is not. The document is a monument to the idea that before you can trust a machine, you must first prove, in the dry, unforgiving syntax of a standard, that you have thought of every way it could betray you.

And even then, the PDF quietly admits: You probably missed one.



ISO/IEC 15408, commonly known as the Common Criteria (CC), is the international standard for evaluating the security properties of IT products and systems. It provides a rigorous, standardized framework for vendors to demonstrate that their products meet specific security requirements through independent, third-party assessment.

Core Structure of ISO/IEC 15408

The standard was updated in August 2022 (the fourth edition) and now consists of five primary parts:

Part 1: Introduction and General Model – Defines terms, abbreviations, and basic security concepts like the Target of Evaluation (TOE).

Part 2: Security Functional Components – Catalogs requirements for security behavior, such as access control, cryptography, and audit capabilities.

Part 3: Security Assurance Components – Outlines measures to ensure security functions are implemented correctly, including development and testing procedures.

Part 4: Framework for Specification of Evaluation Methods – Sets the ground rules for developing evaluation activities derived from the Common Evaluation Methodology (ISO/IEC 18045).

Part 5: Pre-defined Packages of Security Requirements – Includes standard security assurance packages and Evaluation Assurance Levels (EALs).

Key Concepts in Evaluation

Evaluation Assurance Level (EAL): A scale from EAL1 (functionally tested) to EAL7 (formally verified) that indicates the depth and rigor of the evaluation. Most commercial products target EAL2 to EAL4.

Protection Profile (PP): A document defining implementation-independent security requirements for a specific category of products (e.g., firewalls or mobile devices).

Security Target (ST): A document specifying the exact security requirements a particular product meets, often used as the "contract" between the developer and evaluator.

How to Access the PDF


Note on obtaining the PDF: ISO/IEC 15408 is a copyrighted standard published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

  • Official Purchase: The official PDFs can be purchased from the ISO Store or national standards bodies (e.g., ANSI, BSI, AFNOR).
  • Publicly Available Versions: For research purposes, previous versions of the Common Criteria documentation are often hosted publicly by the Common Criteria community, though the official ISO PDFs are commercial products.

International Mutual Recognition

Thanks to the CCRA (Common Criteria Recognition Arrangement), a certificate issued in Japan is recognized in 28+ countries, including the USA, UK, Germany, France, and Canada. No other security standard offers this level of global trade facilitation.

Evaluation Assurance Levels (EAL)

The assurance components of Part 3 define the seven increasingly strict levels of assurance (in the 2022 edition the EAL packages themselves are collected in Part 5). This is perhaps the most recognizable aspect of the standard for procurement.

  • EAL1 – Functionally Tested: Applies where some confidence in correct operation is required, but the threats to security are not viewed as serious. (Least rigorous).
  • EAL2 – Structurally Tested: Requires developer testing, vulnerability analysis, and a basic configuration management system.
  • EAL3 – Methodically Tested and Checked: Suitable where moderate independent assurance is required.
  • EAL4 – Methodically Designed, Tested, and Reviewed: The highest level that is economically feasible for existing product lines. It is the standard level for commercial products.
  • EAL5 – Semiformally Designed and Tested: Allows a developer to gain maximum assurance from rigorous security engineering without incurring unreasonable costs.
  • EAL6 – Semiformally Verified Design and Tested: Applicable to high-value assets where the risk of attack is high.
  • EAL7 – Formally Verified Design and Tested: Applicable to extremely high-risk situations. (Most rigorous).

Warning: Avoid Obsolete Versions

Do not download a file labeled "ISO/IEC 15408:2005" or "ISO/IEC 15408:2009." These are over a decade old. The current version is ISO/IEC 15408:2022 (or CC:2022). Using an old version will result in failed certifications, as labs no longer evaluate against outdated criteria.
