iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
CEN

EN ISO/IEC 15408-1:2020

(Main)

Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2009)

Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2009)

ISO/IEC 15408-1:2009 establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of ISO/IEC 15408 which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
It provides an overview of all parts of ISO/IEC 15408. It describes the various parts of ISO/IEC 15408; defines the terms and abbreviations to be used in all parts ISO/IEC 15408; establishes the core concept of a Target of Evaluation (TOE); the evaluation context; and describes the audience to which the evaluation criteria are addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
It defines the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and ISO/IEC 15408-3 may be tailored through the use of permitted operations.
The key concepts of protection profiles (PP), packages of security requirements and the topic of conformance are specified and the consequences of evaluation and evaluation results are described.
ISO/IEC 15408-1:2009 gives guidelines for the specification of Security Targets (ST) and provides a description of the organization of components throughout the model.
General information about the evaluation methodology is given in ISO/IEC 18045 and the scope of evaluation schemes is provided.

Informationstechnik - IT-Sicherheitsverfahren - Evaluationskriterien für IT-Sicherheit - Teil 1: Einführung und allgemeines Modell (ISO/IEC 15408-1:2009)

Technologies de l'information - Techniques de sécurité - Critères d'évaluation pour la sécurité TI - Partie 1: Introduction et modèle général (ISO/IEC 15408-1:2009)

La présente partie de l'ISO/IEC 15408 établit les concepts et principes généraux de l'évaluation de la sécurité des technologies de l'information (TI). Elle spécifie le modèle général d'évaluation donné par les différentes parties de la norme qui, dans son intégralité, est destinée à servir de base à l'évaluation des propriétés de sécurité des produits TI.
La Partie 1 fournit une vue d'ensemble de toutes les parties de la norme ISO/IEC 15408. Elle décrit les différentes parties de la norme, définit les termes et abréviations à utiliser dans toutes les parties de la norme, établit le concept fondamental d'une cible d'évaluation (TOE, de l'anglais Target of Evaluation), spécifie le contexte d'une évaluation et décrit le public à qui s'adressent les critères d'évaluation. Elle fournit en outre une introduction aux concepts de sécurité de base nécessaires pour l'évaluation de produits TI.
Elle définit les diverses opérations dans le cadre desquelles les composants fonctionnels et d'assurance décrits dans l'ISO/IEC 15408‑2 et dans l'ISO/IEC 15408‑3 peuvent être adaptés par l'utilisation d'opérations autorisées.
Elle spécifie les concepts clés de profils de protection (PP), les ensembles d'exigences de sécurité et le sujet de la conformité, et décrit les conséquences d'une évaluation ainsi que les résultats d'une évaluation. La présente partie de l'ISO/IEC 15408 donne des lignes directrices pour la spécification de cibles de sécurité (ST, de l'anglais Security Targets) et fournit une description de l'organisation des composants sur l'ensemble du modèle. Des informations générales sur la méthodologie d'évaluation sont données dans l'ISO/IEC 18045 et le domaine d'application des plans d'évaluation est fourni.

Informacijska tehnologija - Varnostne tehnike - Merila za vrednotenje varnosti IT - 1. del: Uvod in splošni model (ISO/IEC 15408-1:2009)

General Information

Status
Withdrawn
Publication Date
17-Mar-2020
Withdrawal Date
13-Apr-2025
ICS
35.030 - IT Security
Technical Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Drafting Committee
CEN/CLC/TC 13 - Cybersecurity and Data Protection
Current Stage
9960 - Withdrawal effective - Withdrawal
Start Date
06-Dec-2023
Completion Date
14-Apr-2025
Ref Project
SIST EN ISO/IEC 15408-1:2020 - Information technology - Security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2009)

Relations

Replaced By
EN ISO/IEC 15408-1:2023 - Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC 15408-1:2022)
Effective Date
19-Jan-2023

Buy Standard

EN ISO/IEC 15408-1:2020EN ISO/IEC 15408-1:2020
PreviousNext
Standard
EN ISO/IEC 15408-1:2020
English language
74 pages
sale 10% off
Preview
sale 10% off
Preview
e-Library read for
1 day

Standards Content (Sample)


SLOVENSKI STANDARD
01-maj-2020
Informacijska tehnologija - Varnostne tehnike - Merila za vrednotenje varnosti IT -
1. del: Uvod in splošni model (ISO/IEC 15408-1:2009)
Information technology - Security techniques - Evaluation criteria for IT security - Part 1:
Introduction and general model (ISO/IEC 15408-1:2009)
Informationstechnik - IT-Sicherheitsverfahren - Evaluationskriterien für IT-Sicherheit -
Teil 1: Einführung und allgemeines Modell (ISO/IEC 15408-1:2009)
Technologies de l'information - Techniques de sécurité - Critères d'évaluation pour la
sécurité TI - Partie 1: Introduction et modèle général (ISO/IEC 15408-1:2009)
Ta slovenski standard je istoveten z: EN ISO/IEC 15408-1:2020
ICS:
35.030 Informacijska varnost IT Security
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

EUROPEAN STANDARD
EN ISO/IEC 15408-1
NORME EUROPÉENNE
EUROPÄISCHE NORM
March 2020
ICS 35.030
English version
Information technology - Security techniques - Evaluation
criteria for IT security - Part 1: Introduction and general
model (ISO/IEC 15408-1:2009)
Technologies de l'information - Techniques de sécurité Informationstechnik - IT-Sicherheitsverfahren -
- Critères d'évaluation pour la sécurité TI - Partie 1: Evaluationskriterien für IT-Sicherheit - Teil 1:
Introduction et modèle général (ISO/IEC 15408- Einführung und allgemeines Modell (ISO/IEC 15408-
1:2009) 1:2009)
This European Standard was approved by CEN on 2 March 2020.

CEN and CENELEC members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for
giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical
references concerning such national standards may be obtained on application to the CEN-CENELEC Management Centre or to
any CEN and CENELEC member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by
translation under the responsibility of a CEN and CENELEC member into its own language and notified to the CEN-CENELEC
Management Centre has the same status as the official versions.

CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2020 CEN/CENELEC All rights of exploitation in any form and by any means Ref. No. EN ISO/IEC 15408-1:2020 E
reserved worldwide for CEN national Members and for
CENELEC Members.
Contents Page
European foreword . 3

European foreword
The text of ISO/IEC 15408-1:2009 has been prepared by Technical Committee ISO/IEC JTC 1
"Information technology” of the International Organization for Standardization (ISO) and has been
taken over as EN ISO/IEC 15408-1:2020 by Technical Committee CEN/CLC/JTC 13 “Cybersecurity and
Data Protection” the secretariat of which is held by DIN.
This European Standard shall be given the status of a national standard, either by publication of an
identical text or by endorsement, at the latest by September 2020, and conflicting national standards
shall be withdrawn at the latest by September 2020.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
According to the CEN-CENELEC Internal Regulations, the national standards organizations of the
following countries are bound to implement this European Standard: Austria, Belgium, Bulgaria,
Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland,
Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of
North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Turkey and the
United Kingdom.
Endorsement notice
The text of ISO/IEC 15408-1:2009 has been approved by CEN as EN ISO/IEC 15408-1:2020 without any
modification.
INTERNATIONAL ISO/IEC
STANDARD 15408-1
Third edition
2009-12-15
Corrected version
2014-01-15
Information technology — Security
techniques — Evaluation criteria for IT
security —
Part 1:
Introduction and general model
Technologies de l'information — Techniques de sécurité — Critères
d'évaluation pour la sécurité TI — Partie 1: Introduction et modèle
général
Reference number
ISO/IEC 15408-1:2009(E)
©
ISO/IEC 2009
ISO/IEC 15408-1:2009(E)
©  ISO/IEC 2009
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO/IEC 2009 – All rights reserved

ISO/IEC 15408-1:2009(E)
Contents Page
Foreword . v
Introduction . vi
2 Normative references . 1
3 Terms and definitions . 1
3.1 Terms and definitions common in ISO/IEC 15408 . 2
3.2 Terms and definitions related to the ADV class . 9
3.3 Terms and definitions related to the AGD class . 13
3.4 Terms and definitions related to the ALC class . 13
3.5 Terms and definitions related to the AVA class . 17
3.6 Terms and definitions related to the ACO class . 17
4 Abbreviated terms . 18
5 Overview. 19
5.1 General . 19
5.2 The TOE . 19
5.3 Target audience of ISO/IEC 15408 . 20
5.4 The different parts of ISO/IEC 15408 . 21
5.5 Evaluation context . 22
6 General model . 22
6.1 Introduction to the general model . 22
6.2 Assets and countermeasures . 23
6.3 Evaluation . 27
7 Tailoring Security Requirements . 27
7.1 Operations . 27
7.2 Dependencies between components . 30
7.3 Extended components . 30
8 Protection Profiles and Packages . 31
8.1 Introduction . 31
8.2 Packages . 31
8.3 Protection Profiles. 31
8.4 Using PPs and packages . 34
8.5 Using Multiple Protection Profiles . 34
9 Evaluation results . 34
9.1 Introduction . 34
9.2 Results of a PP evaluation . 35
9.3 Results of an ST/TOE evaluation . 35
9.4 Conformance claim . 35
© ISO/IEC 2009 – All rights reserved iii

ISO/IEC 15408-1:2009(E)
9.5 Use of ST/TOE evaluation results . 36
Annex A (informative) Specification of Security Targets . 38
Annex B (informative) Specification of Protection Profiles . 54
Annex C (informative) Guidance for Operations . 59
Annex D (informative) PP conformance . 62
Bibliography . 64

iv © ISO/IEC 2009 – All rights reserved

ISO/IEC 15408-1:2009(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are members of
ISO or IEC participate in the development of International Standards through technical committees
established by the respective organization to deal with particular fields of technical activity. ISO and IEC
technical committees collaborate in fields of mutual interest. Other international organizations, governmental
and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information
technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of the joint technical committee is to prepare International Standards. Draft International
Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as
an International Standard requires approval by at least 75 % of the national bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 15408-1 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, IT Security techniques. The identical text of ISO/IEC 15408 is published by the
Common Criteria Project Sponsoring Organisations as Common Criteria for Information Technology Security
Evaluation. The common XML source for both publications can be found at
http://www.co
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

CEN
EN 18037:2025(Main)
Guidelines on a sectoral cybersecurity assessment
SIST EN 18037:2025

This document contains guidelines to be used in the process of drafting requirements of cybersecurity certification schemes for sectoral ICT services and systems. It includes all steps necessary to define, implement and maintain such requirements.

  • Draft
    64 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27555:2025(Main)
Information security, cybersecurity and privacy protection - Guidelines on personally identifiable information deletion (ISO/IEC 27555:2021)
SIST EN ISO/IEC 27555:2025

The standard contains guidelines for developing and establishing policies and procedures for deletion
of PII in organizations by specifying:
—   a harmonized terminology for PII deletion;
—   an approach for defining deletion rules in an efficient way;
—   a description of required documentation; and
—   a broad definition of roles, responsibilities and processes.
This document is intended to be used by organizations where PII are stored or processed.
This document does not address:
—   specific legal provision, as given by national law or specified in contracts;
—   specific deletion rules for particular clusters of PII as are to be defined by PII controllers for
—   processing PII;
—   deletion mechanisms;
—   reliability, security and suitability of deletion mechanisms;
—   specific techniques for de-identification of data.

  • Standard
    34 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/CLC ISO/IEC/TS 23532-1:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 1: Evaluation for ISO/IEC 15408 (ISO/IEC/TS 23532-1:2021)
SIST-TS CEN/CLC ISO/IEC/TS 23532-1:2025

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing evaluations based on the ISO/IEC 15408 series and ISO/IEC 18045.

  • Technical specification
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Technical specification
    29 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/CLC ISO/IEC/TS 23532-2:2024(Main)
Information security, cybersecurity and privacy protection - Requirements for the competence of IT security testing and evaluation laboratories - Part 2: Testing for ISO/IEC 19790 (ISO/IEC/TS 23532-2:2021)
SIST-TS CEN/CLC ISO/IEC/TS 23532-2:2025

This document complements and supplements the procedures and general requirements found in ISO/IEC 17025:2017 for laboratories performing testing based on ISO/IEC 19790 and ISO/IEC 24759.

  • Technical specification
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Technical specification
    35 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27001:2023/A1:2024(Amendment)
Information security, cybersecurity and privacy protection - Information security management systems - Requirements - Amendment 1: Climate action changes (ISO/IEC 27001:2022/Amd 1:2024)
SIST EN ISO/IEC 27001:2023/A1:2025
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Amendment
    7 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18031-3:2024(Main)
Common security requirements for radio equipment - Part 3: Internet connected radio equipment processing virtual money or monetary value
SIST EN 18031-3:2024

Common security requirements for internet connected radio equipment that equipment enables the holder or user to transfer money, monetary value or virtual currency. This document provides technical specifications for radio equipment processing virtual money or monetary value, which apply to electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

  • Standard
    185 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18031-2:2024(Main)
Common security requirements for radio equipment - Part 2: radio equipment processing data, namely Internet connected radio equipment, childcare radio equipment, toys radio equipment and wearable radio equipment
SIST EN 18031-2:2024

Common security requirements for radio equipment processing personal data or traffic data or location data being either internet connected radio equipment, radio equipment designed or intended exclusively for childcare; toys and wearable radio equipment. The standard provides technical specifications for radio equipment processing personal data, traffic data or location data, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment, childcare, toys or wearable radio equipment.
The scope does not apply to 5G network equipment used by providers of public electronic communications networks and publicly available electronic communications services within the meaning of in Directive (EU) 2018/1972 of the European Parliament and of the Council as defined in that Regulation.

  • Standard
    220 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN 18031-1:2024(Main)
Common security requirements for radio equipment - Part 1: Internet connected radio equipment
SIST EN 18031-1:2024

This document specifies common security requirements for internet-connected radio equipment. This document provides technical specifications for radio equipment, which concerns electrical or electronic products that are capable to communicate over the internet, regardless of whether these products communicate directly or via any other equipment.

  • Standard
    180 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
EN ISO/IEC 27005:2024(Main)
Information security, cybersecurity and privacy protection - Guidance on managing information security risks (ISO/IEC 27005:2022)
SIST EN ISO/IEC 27005:2024

This document provides guidance to assist organizations to:
—    fulfil the requirements of ISO/IEC 27001 concerning actions to address information security risks;
—    perform information security risk management activities, specifically information security risk assessment and treatment.
This document is applicable to all organizations, regardless of type, size or sector.

  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
  • Standard
    71 pages
    English language
    sale 10% off
    e-Library read for
    1 day
CEN
CEN/TS 18026:2024(Main)
Three-level approach for a set of cybersecurity requirements for cloud services
SIST-TS CEN/CLC/TS 18026:2024

This Technical Specification (TS) provides a set of cybersecurity requirements for cloud services.
This TS is applicable to organizations providing cloud services and their subservice organizations

  • Technical specification
    180 pages
    English language
    sale 10% off
    e-Library read for
    1 day