Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC FDIS 15408-1:2025)

This document establishes the general concepts and principles of IT security evaluation and specifies the general model of evaluation given by various parts of the standard which in its entirety is meant to be used as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard; establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context and describes the audience to which the evaluation criteria is addressed. An introduction to the basic security concepts necessary for evaluation of IT products is given.
This document introduces:
— the key concepts of Protection Profiles (PP), PP-Modules, PP-Configurations, packages, Security Targets (ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408‑2 and ISO/IEC 15408‑3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408‑4 in order to develop evaluation methods (EM) and evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in ISO/IEC 15408‑5;
— information in regard to the scope of evaluation schemes.

Title of the Slovenian adoption: Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC DIS 15408-1:2024)

General Information

Status
Not Published
Publication Date
12-May-2026
Current Stage
5020 - Submission to Vote - Formal Approval
Start Date
18-Dec-2025
Completion Date
18-Dec-2025

Overview

The FprEN ISO/IEC 15408-1 standard, titled Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC FDIS 15408-1:2025), is a pivotal document developed by CEN that sets out the fundamental concepts and principles for evaluating IT security. This standard serves as the foundational part of the comprehensive ISO/IEC 15408 series, which is widely recognized in the field of cybersecurity and IT product evaluation. It establishes a general model to assess the security properties of IT products, promoting consistent and reliable evaluation practices on an international scale.

The document provides an introductory framework for understanding the security evaluation process. It defines essential terminology such as the Target of Evaluation (TOE), Protection Profiles (PPs), Security Targets (STs), and conformance types, which are key for structuring security evaluations. Moreover, it outlines the evaluation context and specifies the intended audience, including security professionals, evaluators, developers, and organizations looking to adopt rigorous IT security evaluation frameworks.

Key Topics

  • Target of Evaluation (TOE): Clarifies the concept of TOE, defining the boundaries, configurations, operational environments, and different representations of an IT product or system under evaluation.

  • Protection Profiles (PPs) and Security Targets (STs): Introduces the structuring of security requirements into reusable PPs, modules, configurations, and individual STs that detail the specific security needs for different IT environments.

  • Security Requirements: Covers how to specify security problems, including threats, organizational security policies, and assumptions. It also discusses setting measurable security objectives and requirements appropriate to functional and assurance needs.

  • Security Components and Packages: Describes the hierarchical structure of security components (from classes and families down to components and elements) and how they are tailored using operations such as iteration, assignment, and refinement. It explains the assurance and functional packages that are crucial for tailoring evaluations.

  • Evaluation Methods and Assurance Levels: Provides an overview of evaluation methods per ISO/IEC 18045 and references predefined Evaluation Assurance Levels (EALs) from ISO/IEC 15408-5, guiding consistent evaluation rigor.

  • Conformance and Compliance: Defines conformance types and claims, enabling clear communication regarding the security evaluation status of IT products and facilitating market acceptance and regulatory adherence.

Applications

  • IT Product Security Evaluation: Organizations developing or procuring IT systems can leverage this standard to systematically evaluate product security, identifying vulnerabilities and verifying compliance with security requirements.

  • Cybersecurity Certification: Bodies issuing certifications or security approvals for IT products use this model to perform standardized assessments that support industry and government mandates.

  • Risk Management: By defining threats and security objectives clearly, enterprises can better align their risk management practices with internationally recognized evaluation criteria.

  • Privacy Protection: Incorporating privacy protection within cybersecurity evaluation, the standard assists in conforming to data protection laws and standards.

  • Security Architecture Design: Security architects and developers can use the general model to design IT solutions that meet specified assurance and functional security requirements.

Related Standards

  • ISO/IEC 15408-2 & ISO/IEC 15408-3: These parts detail specific functional and assurance security components introduced and structured in Part 1.

  • ISO/IEC 15408-4: Guides the development of evaluation methods and activities, complementing the evaluation principles of Part 1.

  • ISO/IEC 15408-5: Defines Evaluation Assurance Levels (EALs), specifying predefined assurance gradations.

  • ISO/IEC 18045: Provides the evaluation methodology employed within the ISO/IEC 15408 series, referenced for consistent assessment processes.

  • Other Cybersecurity Standards: This standard aligns with broader information security and privacy regulations, supporting compliance with frameworks such as ISO/IEC 27001, GDPR, and national cybersecurity regulations.


By adopting the FprEN ISO/IEC 15408-1 standard, organizations and security practitioners benefit from a proven, internationally accepted framework that enhances the reliability, consistency, and effectiveness of IT security evaluations, ultimately strengthening cybersecurity and privacy protection across IT products globally.

Draft
prEN ISO/IEC 15408-1:2024 - BARVE
English language
150 pages

Frequently Asked Questions

FprEN ISO/IEC 15408-1 is a draft published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 1: Introduction and general model (ISO/IEC FDIS 15408-1:2025)".

FprEN ISO/IEC 15408-1 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

FprEN ISO/IEC 15408-1 has the following relationship with other standards: it has inter-standard links to EN ISO/IEC 15408-1:2023. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase FprEN ISO/IEC 15408-1 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of CEN standards.

Standards Content (Sample)


SLOVENIAN STANDARD
1 November 2024
Information security, cybersecurity and privacy protection - Evaluation criteria for IT
security - Part 1: Introduction and general model (ISO/IEC DIS 15408-1:2024)
This Slovenian standard is identical to: prEN ISO/IEC 15408-1
ICS:
35.030 IT Security
© 2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

DRAFT International Standard
ISO/IEC DIS 15408-1
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-08-19
Voting terminates on: 2024-11-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 1: Introduction and general model
ICS: 35.030
ISO/CEN PARALLEL PROCESSING
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
This document is circulated as received from the committee secretariat.
Reference number: ISO/IEC DIS 15408-1:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
Contents (with page numbers)
Foreword ... vi
Introduction ... viii
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
4 Abbreviated terms ... 13
5 Overview ... 15
5.1 General ... 15
5.2 ISO/IEC 15408 series description ... 15
5.2.1 General ... 15
5.2.2 Audience ... 15
5.3 Target of evaluation (TOE) ... 18
5.3.1 General ... 18
5.3.2 TOE boundaries ... 19
5.3.3 Different representations of the TOE ... 19
5.3.4 Different configurations of the TOE ... 19
5.3.5 Operational environment of the TOE ... 20
5.4 Presentation of material in this document ... 20
6 General model ... 20
6.1 Background ... 20
6.2 Assets and security controls ... 21
6.3 Core constructs of the paradigm of the ISO/IEC 15408 series ... 23
6.3.1 General ... 23
6.3.2 Conformance types ... 24
6.3.3 Communicating security requirements ... 24
6.3.4 Meeting the needs of consumers (risk owners) ... 27
7 Specifying security requirements ... 28
7.1 Security problem definition (SPD) ... 28
7.1.1 General ... 28
7.1.2 Threats ... 28
7.1.3 Organizational security policies (OSPs) ... 29
7.1.4 Assumptions ... 29
7.2 Security objectives ... 30
7.2.1 General ... 30
7.2.2 Security objectives for the TOE ... 30
7.2.3 Security objectives for the operational environment ... 31
7.2.4 Relation between security objectives and the SPD ... 31
7.2.5 Tracing between security objectives and the SPD ... 31
7.2.6 Providing a justification for the tracing ... 32
7.2.7 On countering threats ... 32
7.2.8 Security objectives: conclusion ... 33
7.3 Security requirements ... 33
7.3.1 General ... 33
7.3.2 Security Functional Requirements (SFRs) ... 33
7.3.3 Security assurance requirements (SARs) ... 36
7.3.4 Security requirements: conclusion ... 36
8 Security components ... 38
8.1 Hierarchical structure of security components ... 38
8.1.1 General ... 38
8.1.2 Class ... 38
8.1.3 Family ... 38
8.1.4 Component ... 38
8.1.5 Element ... 38
8.2 Operations ... 39
8.2.1 General ... 39
8.2.2 Iteration ... 39
8.2.3 Assignment ... 40
8.2.4 Selection ... 41
8.2.5 Refinement ... 42
8.3 Dependencies between components ... 43
8.4 Extended components ... 44
8.4.1 General ... 44
8.4.2 Defining extended components ... 44
9 Packages ... 45
9.1 General ... 45
9.2 Package types ... 45
9.2.1 General ... 45
9.2.2 Assurance packages ... 46
9.2.3 Functional packages ... 46
9.3 Package dependencies ... 46
9.4 Evaluation method(s) and activities ... 47
10 Protection Profiles (PPs) ... 47
10.1 General ... 47
10.2 PP introduction ... 47
10.3 Conformance claims and conformance statements ... 47
10.4 Security assurance requirements (SARs) ... 50
10.5 Additional requirements common to strict and demonstrable conformance ... 50
10.5.1 Conformance claims and conformance statements ... 50
10.5.2 Security problem definition (SPD) ... 50
10.5.3 Security objectives ... 51
10.6 Additional requirements specific to strict conformance ... 51
10.6.1 Requirements for the security problem definition (SPD) ... 51
10.6.2 Requirements for the security objectives ... 51
10.6.3 Requirements for the security requirements ... 51
10.7 Additional requirements specific to demonstrable conformance ... 52
10.8 Additional requirements specific to exact conformance ... 52
10.8.1 General ... 52
10.8.2 Conformance claims and conformance statements ... 52
10.9 Using PPs ... 53
10.10 Conformance statements and claims in the case of multiple PPs ... 53
10.10.1 General ... 53
10.10.2 Where strict or demonstrable conformance is specified ... 53
10.10.3 Where exact conformance is specified ... 53
11 Modular requirements construction ... 53
11.1 General ... 53
11.2 PP-Modules ... 54
11.2.1 General ... 54
11.2.2 PP-Module Base ... 54
11.2.3 Requirements for PP-Modules ... 54
11.3 PP-Configurations ... 58
11.3.1 General ... 58
11.3.2 Requirements for PP-Configurations ... 58
11.3.3 Usage of PP-Configurations ... 63
12 Security Targets (STs) ... 66
12.1 General ... 66
12.2 Conformance claims and conformance statements ... 67
12.3 Assurance requirements ... 69
12.4 Additional requirements in the exact conformance case ... 70
12.4.1 Additional requirements for the conformance claim ... 70
12.4.2 Additional requirements for the SPD ... 70
12.4.3 Additional requirements for the security objectives ... 70
12.4.4 Additional requirements for the security requirements ... 70
12.5 Additional requirements in the multi-assurance case ... 71
13 Evaluation and evaluation results ... 73
13.1 General ... 73
13.2 Evaluation context ... 74
13.3 Evaluation of PPs and PP-Configurations ... 75
13.4 Evaluation of STs ... 75
13.5 Evaluation of TOEs ... 75
13.6 Evaluation methods and evaluation activities ... 76
13.7 Evaluation results ... 76
13.7.1 Results of a PP evaluation ... 76
13.7.2 Results of a PP-Configuration evaluation ... 76
13.7.3 Results of an ST/TOE evaluation ... 76
13.8 Multi-assurance evaluation ... 77
14 Composition of assurance ... 78
14.1 General ... 78
14.2 Composition models ... 79
14.2.1 Layered composition model ... 79
14.2.2 Network or bi-directional composition model ... 79
14.2.3 Embedded composition model ... 80
14.3 Evaluation techniques for providing assurance in composition models ... 81
14.3.1 General ... 81
14.3.2 ACO class for composed TOEs ... 81
14.3.3 Composite evaluation for composite products ... 82
14.4 Requirements for evaluations using composition techniques ... 93
14.4.1 Re-use of evaluation results ... 93
14.4.2 Composition evaluation issues ... 94
14.5 Evaluation by composition and multi-assurance ... 95
Annex A (normative) Specification of packages ... 96
Annex B (normative) Specification of Protection Profiles (PPs) ... 100
Annex C (normative) Specification of PP-Modules and PP-Configurations ... 110
Annex D (normative) Specification of Security Targets (STs) and Direct Rationale STs ... 124
Annex E (normative) PP/PP-Configuration conformance ... 135
Bibliography ... 140

Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations,
governmental and non-governmental, in liaison with ISO and IEC, also take part in the work.
The procedures used to develop this document and those intended for its further maintenance are described
in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types
of document should be noted. This document was drafted in accordance with the editorial rules of the
ISO/IEC Directives, Part 2 (see www.iso.org/directives or www.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details of any
patent rights identified during the development of the document will be in the Introduction and/or on the
ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent declarations
received (see https://patents.iec.ch).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and expressions
related to conformity assessment, as well as information about ISO's adherence to the World Trade
Organization (WTO) principles in the Technical Barriers to Trade (TBT) see www.iso.org/iso/foreword.html.
In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee
SC 27, Information security, cybersecurity and privacy protection.
This fifth edition cancels and replaces the fourth edition (ISO/IEC 15408-1:2022), which has been technically
revised.
The changes are as follows:
— the terminology has been reviewed and updated: the definitions of multi-assurance security target and
multi-assurance PP-Configuration have been added, the definition of multi-assurance evaluation has been
improved for accuracy, and the term sub-TOE security functionality has been removed;
— the package conformance claim for security targets, protection profiles and PP-Modules, respectively,
has been reviewed and aligned with ISO/IEC 18045;
— the specification of multiple PP-Modules Bases has been improved for accuracy;
— several errors, mistakes and typos have been corrected, including references to clauses of the standard.
A list of all parts in the ISO/IEC 15408 series can be found on the ISO and IEC websites.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Legal notice
The governmental organizations listed below contributed to the development of this version of the Common
Criteria for Information Technology Security Evaluations. As the joint holders of the copyright in the Common
Criteria for Information Technology Security Evaluations (called CC), they hereby grant non-exclusive license
to ISO/IEC to use CC in the continued development/maintenance of the ISO/IEC 15408 series of standards.
However, these governmental organizations retain the right to use, copy, distribute, translate or modify CC
as they see fit.
Australia: The Australian Signals Directorate
Canada: Communications Security Establishment
France: Agence Nationale de la Sécurité des Systèmes d'Information
Germany: Bundesamt für Sicherheit in der Informationstechnik
Japan: Information-technology Promotion Agency
Netherlands: Netherlands National Communications Security Agency
New Zealand: Government Communications Security Bureau
Republic of Korea: National Security Research Institute
Spain: Centro Criptológico Nacional
Sweden: FMV, Swedish Defence Materiel Administration
United Kingdom: National Cyber Security Centre
United States: The National Security Agency and the National Institute of Standards and Technology
Introduction
The ISO/IEC 15408 series permits comparability between the results of independent security evaluations
by providing a common set of requirements for the security functionality of IT products and for assurance
measures applied to these IT products during a security evaluation. These IT products may be implemented
in hardware, firmware, or software.
The evaluation process establishes a level of confidence that the security functionality of these IT products
and the assurance measures applied to these IT products meet these requirements. The evaluation results
may help consumers to determine whether these IT products fulfil their security needs.
The ISO/IEC 15408 series is useful as a guide for the development, evaluation and/or procurement of IT
products with security functionality.
The ISO/IEC 15408 series is intentionally flexible, enabling a range of evaluation approaches to be applied
to a range of security properties of a range of IT products. Therefore, users of the standard are cautioned to
exercise care that this flexibility is not misused. For example, using the ISO/IEC 15408 series in conjunction
with unsuitable evaluation methods/activities, irrelevant security properties, or inappropriate IT products,
can result in meaningless evaluation results.
Consequently, the fact that an IT product has been evaluated has meaning only in the context of the security
properties that were evaluated and the evaluation methods that were used. Evaluation authorities are advised
to carefully check the products, properties, and methods to determine that an evaluation provides meaningful
results. Additionally, purchasers of evaluated products are advised to carefully consider this context to
determine whether the evaluated product is useful and applicable to their specific situation and needs.
The ISO/IEC 15408 series addresses the protection of assets from unauthorized disclosure, modification,
or loss of use. The categories of protection relating to these three types of failure of security are commonly
called confidentiality, integrity, and availability, respectively. The ISO/IEC 15408 series may also be
applicable to aspects of IT security outside of these three categories. The ISO/IEC 15408 series is applicable
to risks arising from human activities (malicious or otherwise) and to risks arising from non-human
activities. The ISO/IEC 15408 series may be applied in other areas of IT but makes no claim of applicability
in these areas.
Certain topics, because they involve specialized techniques or because they are somewhat peripheral to IT
security, are considered to be outside the scope of the ISO/IEC 15408 series. Some of these are identified below:
a) the ISO/IEC 15408 series does not contain security evaluation criteria pertaining to administrative
security measures not related directly to the IT security functionality. However, it is recognized that
significant security can often be achieved through or supported by administrative measures such as
organizational, personnel, physical, and procedural controls;
b) the ISO/IEC 15408 series does not address the evaluation methodology under which the criteria should
be applied;
NOTE 1 The baseline methodology is defined in ISO/IEC 18045. ISO/IEC 15408-4 can be used to further derive
evaluation activities and methods from ISO/IEC 18045.
c) the ISO/IEC 15408 series does not address the administrative and legal framework under which the
criteria may be applied by evaluation authorities. However, it is expected that the ISO/IEC 15408 series
is intended to be used for evaluation purposes in the context of such a framework;
d) the procedures for use of evaluation results in accreditation are outside the scope of the ISO/IEC 15408
series. Accreditation is the administrative process whereby authority is granted for the operation of an
IT product (or collection thereof) in its full operational environment including all of its non-IT parts. The
results of the evaluation process are an input to the accreditation process. However, as other techniques
are more appropriate for the assessments of non-IT related properties and their relationship to the IT
security parts, accreditors must make separate provisions for those aspects;
e) the subject of criteria for the assessment of the inherent qualities of cryptographic algorithms is
not covered in the ISO/IEC 15408 series. In the case that independent assessment of mathematical
properties of cryptography is required, the evaluation scheme under which the ISO/IEC 15408 series is
applied shall make provision for such assessments.
The following notes appear in other parts of the ISO/IEC 15408 series and in ISO/IEC 18045 to describe the
use of bold and italic type in those documents. This document does not use those conventions, but the notes
have been retained for alignment with the rest of the series.
NOTE 1 This document uses bold type to highlight hierarchical relationships between requirements. This
convention calls for the use of bold type for all new requirements.
NOTE 2 For security functional requirements, the use of italics denotes assignment and selection items.
NOTE 3 For security assurance requirements, special verbs relating to mandatory evaluation activities are
presented in bold italic type face.
Information security, cybersecurity and privacy protection —
Evaluation criteria for IT security —
Part 1:
Introduction and general model
1 Scope
This document establishes the general concepts and principles of IT security evaluation and specifies the
general model of evaluation given by various parts of the standard which in its entirety is meant to be used
as the basis for evaluation of security properties of IT products.
This document provides an overview of all parts of the ISO/IEC 15408 series. It describes the various parts
of the ISO/IEC 15408 series; defines the terms and abbreviations to be used in all parts of the standard;
establishes the core concept of a Target of Evaluation (TOE); describes the evaluation context and describes
the audience to which the evaluation criteria is addressed. An introduction to the basic security concepts
necessary for evaluation of IT products is given.
This document introduces:
— the key concepts of protection profiles (PP), PP-Modules, PP-Configurations, packages, security targets
(ST), and conformance types;
— a description of the organization of security components throughout the model;
— the various operations by which the functional and assurance components given in ISO/IEC 15408-2 and
ISO/IEC 15408-3 can be tailored through the use of permitted operations;
— general information about the evaluation methods given in ISO/IEC 18045;
— guidance for the application of ISO/IEC 15408-4 in order to develop evaluation methods (EM) and
evaluation activities (EA) derived from ISO/IEC 18045;
— general information about the pre-defined Evaluation Assurance Levels (EALs) defined in
ISO/IEC 15408-5;
— information in regard to the scope of evaluation schemes.
2 Normativ
...
