Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model

This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products. This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context and describes the audience to which the evaluation criteria is addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.

This document introduces:
— the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408-4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408-5;
— information in regard to the scope of evaluation schemes.

Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Partie 1: Introduction et modèle général

General Information

Status: Published
Publication Date: 08-Aug-2022
Current Stage: 9092 - International Standard to be revised
Start Date: 27-Oct-2023
Completion Date: 30-Oct-2025
Relations

Standard: ISO/IEC 15408-1:2022 - Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model (Released: 9.08.2022)
English language, 142 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO/IEC 15408-1
Fourth edition
2022-08
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
Sécurité de l'information, cybersécurité et protection de la vie privée — Critères d'évaluation pour la sécurité des technologies de l'information — Partie 1: Introduction et modèle général
© ISO/IEC 2022
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2022 – All rights reserved

Contents

Foreword .... vi
Introduction .... viii
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 2
4 Abbreviated terms .... 13
5 Overview .... 15
  5.1 General .... 15
  5.2 ISO/IEC 15408 series description .... 15
    5.2.1 General .... 15
    5.2.2 Audience .... 16
  5.3 Target of evaluation (TOE) .... 19
    5.3.1 General .... 19
    5.3.2 TOE boundaries .... 19
    5.3.3 Different representations of the TOE .... 20
    5.3.4 Different configurations of the TOE .... 20
    5.3.5 Operational environment of the TOE .... 20
  5.4 Presentation of material in this document .... 21
6 General model .... 21
  6.1 Background .... 21
  6.2 Assets and security controls .... 21
  6.3 Core constructs of the paradigm of the ISO/IEC 15408 series .... 24
    6.3.1 General .... 24
    6.3.2 Conformance types .... 24
    6.3.3 Communicating security requirements .... 24
    6.3.4 Meeting the needs of consumers (risk owners) .... 27
7 Specifying security requirements .... 29
  7.1 Security problem definition (SPD) .... 29
    7.1.1 General .... 29
    7.1.2 Threats .... 29
    7.1.3 Organizational security policies (OSPs) .... 30
    7.1.4 Assumptions .... 30
  7.2 Security objectives .... 31
    7.2.1 General .... 31
    7.2.2 Security objectives for the TOE .... 31
    7.2.3 Security objectives for the operational environment .... 31
    7.2.4 Relation between security objectives and the SPD .... 32
    7.2.5 Tracing between security objectives and the SPD .... 32
    7.2.6 Providing a justification for the tracing .... 33
    7.2.7 On countering threats .... 33
    7.2.8 Security objectives: conclusion .... 33
  7.3 Security requirements .... 33
    7.3.1 General .... 33
    7.3.2 Security Functional Requirements (SFRs) .... 34
    7.3.3 Security assurance requirements (SARs) .... 36
    7.3.4 Security requirements: conclusion .... 37
8 Security components .... 38
  8.1 Hierarchical structure of security components .... 38
    8.1.1 General .... 38
    8.1.2 Class .... 38
    8.1.3 Family .... 39
    8.1.4 Component .... 39
    8.1.5 Element .... 39
  8.2 Operations .... 39
    8.2.1 General .... 39
    8.2.2 Iteration .... 40
    8.2.3 Assignment .... 40
    8.2.4 Selection .... 41
    8.2.5 Refinement .... 43
  8.3 Dependencies between components .... 44
  8.4 Extended components .... 44
    8.4.1 General .... 44
    8.4.2 Defining extended components .... 45
9 Packages .... 45
  9.1 General .... 45
  9.2 Package types .... 46
    9.2.1 General .... 46
    9.2.2 Assurance packages .... 46
    9.2.3 Functional packages .... 47
  9.3 Package dependencies .... 47
  9.4 Evaluation method(s) and activities .... 47
10 Protection Profiles (PPs) .... 48
  10.1 General .... 48
  10.2 PP introduction .... 48
  10.3 Conformance claims and conformance statements .... 48
  10.4 Security assurance requirements (SARs) .... 51
  10.5 Additional requirements common to strict and demonstrable conformance .... 51
    10.5.1 Conformance claims and conformance statements .... 51
    10.5.2 Security problem definition (SPD) .... 51
    10.5.3 Security objectives .... 52
  10.6 Additional requirements specific to strict conformance .... 52
    10.6.1 Requirements for the security problem definition (SPD) .... 52
    10.6.2 Requirements for the security objectives .... 52
    10.6.3 Requirements for the security requirements .... 52
  10.7 Additional requirements specific to demonstrable conformance .... 53
  10.8 Additional requirements specific to exact conformance .... 53
    10.8.1 General .... 53
    10.8.2 Conformance claims and statements .... 53
  10.9 Using PPs .... 54
  10.10 Conformance statements and claims in the case of multiple PPs .... 54
    10.10.1 General .... 54
    10.10.2 Where strict or demonstrable conformance is specified .... 54
    10.10.3 Where exact conformance is specified .... 54
11 Modular requirements construction .... 54
  11.1 General .... 54
  11.2 PP-Modules .... 55
    11.2.1 General .... 55
    11.2.2 PP-Module Base .... 55
    11.2.3 Requirements for PP-Modules .... 55
  11.3 PP-Configurations .... 59
    11.3.1 General .... 59
    11.3.2 Requirements for PP-Configurations .... 59
    11.3.3 Usage of PP-Configurations .... 65
12 Security Targets (STs) .... 68
  12.1 General .... 68
  12.2 Conformance claims and statements .... 68
  12.3 Assurance requirements .... 71
  12.4 Additional requirements in the exact conformance case .... 71
    12.4.1 Additional requirements for the conformance claim .... 71
    12.4.2 Additional requirements for the SPD .... 71
    12.4.3 Additional requirements for the security objectives .... 72
    12.4.4 Additional requirements for the security requirements .... 72
  12.5 Additional requirements in the multi-assurance case .... 72
13 Evaluation and evaluation results .... 74
  13.1 General .... 74
  13.2 Evaluation context .... 76
  13.3 Evaluation of PPs and PP-Configurations .... 77
  13.4 Evaluation of STs .... 77
  13.5 Evaluation of TOEs .... 77
  13.6 Evaluation methods and evaluation activities .... 78
  13.7 Evaluation results .... 78
    13.7.1 Results of a PP evaluation .... 78
    13.7.2 Results of a PP-Configuration evaluation .... 78
    13.7.3 Results of a ST/TOE evaluation .... 78
  13.8 Multi-assurance evaluation .... 79
14 Composition of assurance .... 80
  14.1 General .... 80
  14.2 Composition models .... 81
    14.2.1 Layered composition model .... 81
    14.2.2 Network or bi-directional composition model .... 82
    14.2.3 Embedded composition model .... 82
  14.3 Evaluation techniques for providing assurance in composition models .... 83
    14.3.1 General .... 83
    14.3.2 ACO class for composed TOEs .... 83
    14.3.3 Composite evaluation for composite products .... 84
  14.4 Requirements for evaluations using composition techniques .... 95
    14.4.1 Re-use of evaluation results .... 95
    14.4.2 Composition evaluation issues .... 96
  14.5 Evaluation by composition and multi-assurance .... 97
Annex A (normative) Specification of packages .... 98
Annex B (normative) Specification of Protection Profiles (PPs) .... 102
Annex C (normative) Specification of PP-Modules and PP-Configurations .... 112
Annex D (normative) Specification of Security Targets (STs) and Direct Rationale STs .... 125
Annex E (normative) PP/PP-Configuration conformance .... 136
Bibliography .... 141

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This fourth edition cancels and replaces the third edition (ISO/IEC 15408-1:2009), which has been
technically revised.
The main changes are as follows:
— the document has been restructured;
— technical changes have been introduced:
  — the terminology has been reviewed and updated;
  — the exact conformance type has been introduced;
  — low assurance protection profiles (PPs) have been removed and direct rationale PPs have been introduced;
  — PP-Modules and PP-Configurations for modular evaluations have been introduced;
  — multi-assurance evaluation has been introduced.
A list of all parts in the ISO/IEC 15408 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.

Legal notice
The governmental organizations listed below contributed to the development of this version of the
Common Criteria for Information Technology Security Evaluations. As the joint holders of the copyright
in the Common Criteria for Information Technology Security Evaluations (called CC), they hereby
grant non-exclusive license to ISO/IEC to use CC in the continued development/maintenance of the
ISO/IEC 15408 series of standards. However, these governmental organizations retain the right to use,
copy, distribute, translate or modify CC as they see fit.
Australia: The Australian Signals Directorate
Canada: Communications Security Establishment
France: Agence Nationale de la Sécurité des Systèmes d'Information
Germany: Bundesamt für Sicherheit in der Informationstechnik
Japan: Information-technology Promotion Agency
Netherlands: Netherlands National Communications Security Agency
New Zealand: Government Communications Security Bureau
Republic of Korea: National Security Research Institute
Spain: Ministerio de Asuntos Económicos y Transformación Digital
Sweden: FMV, Swedish Defence Materiel Administration
United Kingdom: National Cyber Security Centre
United States: The National Security Agency

Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security
evaluations by providing a common set of requirements for the security functionality of IT products and
for assurance measures applied to these IT products during a security evaluation. These IT products
may be implemented in hardware, firmware, or software.
The evaluation process establishes a level of confidence that the security functionality of these IT
products and the assurance measures applied to these IT products meet these requirements. The
evaluation results may help consumers to determine whether these IT products fulfil their security
needs.
The ISO/IEC 15408 series is useful as a guide for the development, evaluation and/or procurement of IT
products with security functionality.
The ISO/IEC 15408 series is intentionally flexible, enabling a range of evaluation approaches to be
applied to a range of security properties of a range of IT products. Therefore, users of the standard are
cautioned to exercise care that this flexibility is not misused. For example, using the ISO/IEC 15408
series in conjunction with unsuitable evaluation methods/activities, irrelevant security properties, or
inappropriate IT products, can result in meaningless evaluation results.
Consequently, the fact that an IT product has been evaluated has meaning only in the context of the
security properties that were evaluated and the evaluation methods that were used. Evaluation
authorities are advised to carefully check the products, properties, and methods to determine that an
evaluation provides meaningful results. Additionally, purchasers of evaluated products are advised to
carefully consider this context to determine whether the evaluated product is useful and applicable to
their specific situation and needs.
The ISO/IEC 15408 series addresses the protection of assets from unauthorized disclosure, modification,
or loss of use. The categories of protection relating to these three types of failure of security are
commonly called confidentiality, integrity, and availability, respectively. The ISO/IEC 15408 series may
also be applicable to aspects of IT security outside of these three categories. The ISO/IEC 15408 series
is applicable to risks arising from human activities (malicious or otherwise) and to risks arising from
non-human activities. The ISO/IEC 15408 series may be applied in other areas of IT but makes no claim
of applicability in these areas.
Certain topics, because they involve specialized techniques or because they are somewhat peripheral
to IT security, are considered to be outside the scope of the ISO/IEC 15408 series. Some of these are
identified below:
a) the ISO/IEC 15408 series does not contain security evaluation criteria pertaining to administrative
security measures not related directly to the IT security functionality. However, it is recognized
that significant security can often be achieved through or supported by administrative measures
such as organizational, personnel, physical, and procedural controls;
b) the ISO/IEC 15408 series does not address the evaluation methodology under which the criteria
should be applied;
NOTE 1 The baseline methodology is defined in ISO/IEC 18045. ISO/IEC 15408-4 can be used to further
derive evaluation activities and methods from ISO/IEC 18045.
c) the ISO/IEC 15408 series does not address the administrative and legal framework under which the
criteria may be applied by evaluation authorities. However, it is expected that the ISO/IEC 15408
series is intended to be used for evaluation purposes in the context of such a framework;
d) the procedures for use of evaluation results in accreditation are outside the scope of the
ISO/IEC 15408 series. Accreditation is the administrative process whereby authority is granted for
the operation of an IT product (or collection thereof) in its full operational environment including
all of its non-IT parts. The results of the evaluation process are an input to the accreditation process.
However, as other techniques are more appropriate for the assessments of non-IT related properties
and their relationship to the IT security parts, accreditors must make separate provisions for those
aspects;
e) the subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is
not covered in the ISO/IEC 15408 series. In the case that independent assessment of mathematical
properties of cryptography is required, the evaluation scheme under which the ISO/IEC 15408
series is applied shall make provision for such assessments.
NOTE 2 This document uses bold and italic type in some cases to distinguish terms from the rest of the text.
The relationship between components within a family is highlighted using a bolding convention. This convention
calls for the use of bold type for all new requirements. For hierarchical components, requirements are presented
in bold type when they are enhanced or modified beyond the requirements of the previous component. In
addition, any new or enhanced permitted operations beyond the previous component are also highlighted using
bold type.
The use of italics indicates text that has a precise meaning. For security assurance requirements the convention
is for special verbs relating to evaluation.

INTERNATIONAL STANDARD ISO/IEC 15408-1:2022(E)
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
1 Scope
This document establishes the general concepts and principles of IT security evaluation and specifies
the general model of evaluation given by various parts of the standard which in its entirety is meant to
be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various
parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the
standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context
and describes the audience to which the evaluation criteria is addressed. An introduction to the basic
security concepts necessary for evaluation of IT products is given.
This document introduces:
— the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security
Targets (ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408-2
and ISO/IEC 15408-3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408-4 in order to develop evaluation methods (EM) and
evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in
ISO/IEC 15408-5;
— information in regard to the scope of evaluation schemes.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 15408-2:2022, Information security, cybersecurity and privacy protection — Evaluation criteria
for IT security — Part 2: Security functional components
ISO/IEC 15408-3:2022, Information security, cybersecurity and privacy protection — Evaluation criteria
for IT security — Part 3: Security assurance components
ISO/IEC 18045, IT security techniques — Methodology for IT security evaluation
ISO/IEC/IEEE 24765, Systems and software engineering — Vocabulary

3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 15408-2, ISO/IEC 15408-3,
ISO/IEC 18045 and ISO/IEC/IEEE 24765 apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
action
documented activity of the evaluator (3.45) or developer (3.33)
Note 1 to entry: Evaluator actions and developer actions are required by ISO/IEC 15408-3.
3.2
administrator
entity (3.36) that has a level of trust with respect to all policies implemented by the TOE security
functionality (TSF) (3.92)
Note 1 to entry: Not all protection profiles (PPs) (3.68) or security targets (STs) assume the same level of trust for
administrators. Typically, administrators are assumed to adhere at all times to the policies in the ST of the target
of evaluation (TOE) (3.90). Some of these policies can be related to the functionality of the TOE, while others can
be related to the operational environment (3.63).
3.3
adverse action
action (3.1) performed by a threat agent (3.91) on an asset (3.4)
3.4
asset
entity (3.36) that the owner of the target of evaluation (TOE) (3.90) presumably places value on
3.5
assignment
specification of an identified parameter in a functional or assurance component
3.6
assurance
grounds for confidence that a target of evaluation (TOE) (3.90) meets the security functional requirements
(SFRs) (3.78)
3.7
assurance package
named set of security assurance requirements (3.76)
EXAMPLE “EAL 3”.
3.8
attack potential
measure of the effort needed to exploit a vulnerability in a target of evaluation (TOE) (3.90)
Note 1 to entry: The effort is expressed as a function of properties related to the attacker (e.g. expertise,
resources, and motivation) and properties related to the vulnerability itself (e.g. window of opportunity, time to
exposure).

3.9
attack surface
set of logical or physical interfaces to a target, consisting of points through which access to the target
and its functions may be attempted
EXAMPLE 1 The casing of a payment terminal is part of the physical attack surface for that device.
EXAMPLE 2 The communications protocols available for connection to a network device are part of the logical
attack surface for that network device.
3.10
augmentation
addition of one or more requirements to a package
Note 1 to entry: In case of a functional package (3.51), such an augmentation is considered only in the context
of one package and is not considered in the context with other packages or protection profiles (PPs) (3.68) or
security targets (STs) (3.82).
Note 2 to entry: In case of an assurance package (3.7), augmentation refers to one or more security assurance
requirements (SARs) (3.76).
3.11
authorized user
entity (3.36) who may, in accordance with the security functional requirements (SFRs) (3.78), perform an
operation on the target of evaluation (TOE) (3.90)
3.12
base component
independent entity (3.36) in a multi-component product that provides services and resources to one or
more dependent component(s) (3.31)
Note 1 to entry: This applies in particular to ‘composed TOEs’ (3.21) and ‘composite products / composite TOEs’
(3.25).
3.13
base Protection Profile
base PP
Protection Profile (3.68) specified in a PP-Module (3.71), as part of that PP-Module’s PP-Module Base
(3.72), used as a basis to build a PP-Configuration (3.69)
3.14
base PP-Module
PP-Module (3.71) specified in a different PP-Module, as part of that PP-Module’s PP-Module Base (3.72),
used as a basis to build a PP-Configuration (3.69)
Note 1 to entry: Specifying a base PP-Module in a PP-Module implicitly includes the base PP-Module’s PP-Module
Base.
3.15
base target of evaluation
base TOE
base component (3.12) which is itself the subject of an evaluation
Note 1 to entry: This applies in particular to 'composed TOEs' (3.21) and 'composite products/composite TOEs'
(3.25).
3.16
class
〈taxonomy〉 set of families that share a common focus
Note 1 to entry: Class is further defined in ISO/IEC 15408-2, which defines security functional classes and
ISO/IEC 15408-3, which defines security assurance classes.

3.17
component
〈taxonomy〉 smallest selectable set of elements on which requirements may be based
3.18
component
entity (3.36) which provides resources and services in a product
3.19
component target of evaluation
component TOE
(evaluated) target of evaluation (TOE) (3.90) that is a component of another composed TOE (3.21)
3.20
composed assurance packa
...
