May 2026: New IT Security and IoT System Evaluation Standards Released

The month of May 2026 marks a significant milestone in the evolution of information technology security and IoT system assessment. This release includes five pivotal international standards, each addressing critical aspects of IT security assurance, evaluation methodologies, and the benchmarking of IoT systems. These updates come at a time when organizations are increasingly challenged by evolving cyber threats and regulatory demands, necessitating improved guidance for product evaluations and system deployments across industries.
With coordinated updates to the seminal ISO/IEC 15408 series (Common Criteria) and the introduction of a robust evaluation indicator framework for the Internet of Things, professionals in IT security, compliance, system development, and procurement are better equipped than ever to address contemporary challenges and future-proof their operations.
Overview / Introduction
The Foundation of Security and Trust in Information Technology
In the current digital era, Information Technology and Office Equipment standards serve as the backbone for secure product development, effective system deployment, and robust risk management. International standards streamline interoperability, drive industry best practices, and help organizations demonstrate compliance with regulatory requirements.
This article reviews five newly published standards under the ISO/IEC banner, released in May 2026. They cover:
- Security functional components and assurance for IT products
- Structuring and conducting security evaluations
- Objective frameworks for repeatable testing
- Systematic evaluation indicators for IoT systems
Readers will gain insights into the intent, requirements, and industry implications of these standards—critical knowledge for professionals involved in security assurance, product certification, or IoT solution deployments.
Detailed Standards Coverage
ISO/IEC 15408-2:2026 – Security Functional Components
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 2: Security functional components
This standard defines the detailed structure, content, and catalogue of security functional components essential for evaluating IT products against internationally recognized criteria. It is an integral part of the well-established Common Criteria (CC) suite, enabling organizations to specify and assess the security functions that products must deliver.
Key areas include:
- The functional requirements paradigm
- Structure and taxonomy of security functions
- Component catalogues for authentication, audit, access control, and more
Who should comply:
- Product developers and vendors targeting global markets
- Security evaluators and testing laboratories
- Procurement and compliance officers specifying security in IT acquisitions
Practical implications:
- Streamlined specification and assessment of required security features
- Greater assurance that products meet standardized security functionality
- Easier mapping of compliance with regulatory mandates and procurement criteria
Notable changes:
- Extended catalogue of component functions
- Updated auditing and identity association definitions
- Enhanced focus on distributed environments and evolving threats
Key highlights:
- Comprehensive taxonomy for security functions
- Guidance for tailoring component use to specific product types
- Clarifications for audit and anomaly detection in modern IT systems
Access the full standard: View ISO/IEC 15408-2:2026 on iTeh Standards
ISO/IEC 15408-3:2026 – Security Assurance Components
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
ISO/IEC 15408-3:2026 details the assurance requirements for IT products in the context of security evaluations. Unlike functional requirements, these specify how confidence in the claimed security functionality is established and maintained.
Key areas include:
- The assurance paradigm and evaluation assurance scale
- Classes, families, and components of assurance requirements
- Frameworks for Protection Profiles, Security Targets, and module evaluation
Who should comply:
- Security evaluation laboratories
- Organizations developing products for high-assurance environments (e.g., finance, government, telecom)
- Procurement teams requiring verifiable security assurances
Practical implications:
- Structured methods for demonstrating product trustworthiness
- Support for tailored profiles that align with specific organizational risks
- Rigorous process for security target evaluation and validation
Notable changes:
- Refined taxonomy for security assurance components
- Enhanced support for modular evaluations (e.g., PP-Modules)
- More granular methods for determining conformance and coverage
Key highlights:
- Standardized criteria for Security Target and Protection Profile evaluation
- Component-based structure for scalable assurance levels
- Alignment with international certification schemes
Access the full standard: View ISO/IEC 15408-3:2026 on iTeh Standards
ISO/IEC 15408-4:2026 – Framework for Evaluation Methods and Activities
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 4: Framework for the specification of evaluation methods and activities
Part 4 introduces a standardized framework for defining and documenting evaluation methods and activities. Its primary focus is to ensure that security evaluations are:
- Objective
- Repeatable
- Reproducible
It offers a blueprint for:
- Mapping between assurance requirements and testing activities
- Describing evaluation methods for Protection Profiles, PP-Modules, and Security Targets
- Documenting evaluation pass/fail criteria and reporting requirements
Who should comply:
- Evaluation authorities and third-party certifiers
- Developers requiring clarity on testable security criteria
- Those creating Protection Profiles or custom evaluation packages
Practical implications:
- Facilitates consistency in how IT security evaluations are specified and conducted
- Supports international recognition of evaluation results
- Reduces ambiguity by providing structure for evaluation documentation
Notable changes:
- Clarifies relationships between methods, activities, and work units
- Expands support for technology-specific evaluation customizations
Key highlights:
- Framework for aligning evaluation activities to security requirements
- Tools for tailoring evaluation methods to technology context
- Basis for comparability across different evaluation authorities
Access the full standard: View ISO/IEC 15408-4:2026 on iTeh Standards
ISO/IEC 18045:2026 – Requirements and Methodology for IT Security Evaluation
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Requirements and methodology for IT security evaluation
This updated edition offers a comprehensive methodology for conducting IT security evaluations according to the criteria spelled out in the ISO/IEC 15408 series. It sets out the evaluator’s core responsibilities, minimum actions, and best practices for assessment, reporting, and management of evaluation evidence.
Key contents:
- End-to-end process for IT security evaluation, from planning and scoping to verdict and reporting
- Guidance on evaluating Protection Profiles, Security Targets, and associated components
- Techniques for tailored and modular evaluation in line with organizational and regulatory requirements
Who should comply:
- Accredited evaluation laboratories
- Product vendors submitting solutions to security assessment
- Procurement specialists seeking evidence of robust evaluation
Practical implications:
- Consistency in evaluator approaches across different assessment contexts
- Clarity of expectations for both developers and assessors
- Support for reuse of evaluation results and modular extension of existing profiles
Notable changes:
- Updated guidance for evaluating new types of products and systems
- Expanded support for evidence management and reporting
Key highlights:
- Minimum evaluator actions clearly defined
- Stronger links between evidence and assurance verdicts
- Contemporary examples for practical application
Access the full standard: View ISO/IEC 18045:2026 on iTeh Standards
ISO/IEC 30187:2026 – Evaluation Indicators for IoT Systems
Internet of Things (IoT) — Evaluation indicators for IoT systems
This new standard delivers a systematic framework for compiling, selecting, and applying performance and quality indicators to IoT systems across diverse industries. As IoT implementations surge in complexity and scale, organizations need objective, industry-neutral benchmarks for selection, implementation, and oversight.
Key structure:
- System architecture indicators (e.g., management, interoperability)
- Functional indicators (e.g., sensing, service support, user system capability)
- Quality indicators (e.g., trustworthiness, security, privacy, resilience)
Who should comply:
- IoT platform developers, integrators, and solution architects
- Vertical industry operators (e.g., energy, healthcare, manufacturing)
- Procurement teams establishing requirements for IoT solution RFPs
Practical implications:
- Provides measurable, comparable benchmarks for evaluating IoT systems
- Supports lifecycle assessments: planning, monitoring, and post-deployment evaluation
- Enables customization of indicator profiles to match industry/domain needs
Notable features:
- Indicator scheme and categorization for flexible, repeatable evaluation
- Guidance for incorporating system-specific and sector-specific indicators
- Alignment with broader IT quality and risk frameworks
Key highlights:
- Categorized indicator reference framework (architecture, function, quality)
- Templates for evaluation processes and use-case-based assessments
- Emphasis on scalability, interoperability, and security in IoT environments
Access the full standard: View ISO/IEC 30187:2026 on iTeh Standards
Industry Impact & Compliance
The May 2026 standards release delivers profound impacts for businesses and organizations operating in the Information Technology and Office Equipment sector and beyond. The expanded Common Criteria suite (ISO/IEC 15408 and ISO/IEC 18045) solidifies the global foundation for IT security certification and regulatory alignment, while the new IoT evaluation indicators standard recognizes the growing convergence of security, functionality, and quality in connected environments.
Key compliance implications:
- New and updated standards may affect procurement specifications, internal audit frameworks, and regulatory reporting
- Organizations seeking product certification must ensure their solutions—and the evaluation methods used—align with the new editions
- The modular, component-based evaluation and assurance approach simplifies compliance for complex systems and integrations
- For IoT, a standardized evaluation baseline supports transparent, objective selection and ongoing monitoring
Adoption timeline: Organizations are encouraged to migrate to these new standards as part of their next product development, procurement, or evaluation cycle. Early adoption can ease regulatory audits and enhance market acceptance.
Benefits of adoption:
- Stronger risk management and reduced likelihood of security breaches
- Enhanced trust from customers, partners, and regulators
- Efficient, repeatable, and internationally recognized security evaluation processes
Risks of non-compliance:
- Increased exposure to regulatory penalties or certification delays
- Potential for gaps in security coverage and failure to meet customer requirements
Technical Insights
Across these standards, common technical requirements and frameworks emerge, designed to foster clarity, repeatability, and interoperability:
- Component-Based Structure: Both functional and assurance requirements are modular—allowing tailored use according to technology and organizational risk.
- Objective Evaluation Methods: ISO/IEC 15408-4 and 18045 emphasize standardized documentation of analysis, pass/fail criteria, and evidence management.
- Lifecycle Alignment: IoT indicators in ISO/IEC 30187 support evaluation from design through monitoring and maintenance.
- Emphasis on Audit, Anomaly Detection, and Resilience: Modern IT and IoT systems face dynamic threats, necessitating deeper focus on auditing, identity management, event selection, and consistency of evaluation.
Implementation best practices:
- Map internal requirements to the new component and indicator catalogues
- Engage certified evaluation labs familiar with the updated methodologies
- Customize evaluation indicators for IoT systems based on sector and use-case
- Leverage structured reporting and evidence gathering to support certification audits
Testing and certification:
- Organizations should ensure evaluators use the latest edition standards
- Early planning around functional and assurance requirements can streamline certification
- Integrate evaluation indicator frameworks (like in ISO/IEC 30187) into vendor selection and performance monitoring
Conclusion / Next Steps
The May 2026 standards update delivers essential tools for securing modern information systems and IoT deployments. Each new or revised specification brings clarity, objectivity, and scalability to the processes of security evaluation, assurance demonstration, and quality benchmarking.
Key takeaways:
- Five influential standards now shape the landscape for IT security and IoT system assessment
- Organizations must update their internal processes, procurement criteria, and evaluation documentation
- Early adoption positions companies for regulatory compliance, market advantage, and resilient digital operations
Recommendations for organizations:
- Review and align procurement and development processes with new standards
- Train relevant teams on updated evaluation methods and indicator schemes
- Engage with certified labs and expert consultants for certification and implementation
Stay informed and gain full access: Explore all new Information Technology standards on iTeh Standards
Stay ahead of emerging requirements and secure your operations by embracing the latest international best practices for IT and IoT system evaluation.