An Introduction to ISO 15408

Tamara Wilhite is a technical writer, industrial engineer, mother of two, and published sci-fi and horror author.

ISO standard 15408 outlines the Common Criteria for Information Technology Security Evaluation; in short, it sets out how the security of an IT product is compared against industry standards. How many parts are there to ISO 15408? What does ISO 15408 say?

While biometric security isn't required per ISO 15408, dual factor authentication often is.

ISO Standard 15408

ISO 15408-1 sets the general model used for evaluating IT security. What are the objectives of an IT security system? What are the requirements of an IT security system? What specifications should be used?

ISO 15408-2 outlines the security functional requirements for the individual components of an information technology system. It also gives guidance on how to write security requirements when no suitable functional requirement already exists in the standard.

ISO 15408-3 sets the standard for security assurance requirements. It describes how to evaluate Protection Profiles (PPs for short) and Security Targets (STs). ISO 15408-3 also defines the Evaluation Assurance Levels (EALs), the Common Criteria scale used to rate targets of evaluation.

Terminology Used in ISO 15408

A protection profile covers a generic type of security device; examples include authentication tokens and firewalls. A security target covers a specific type of security device, such as an RSA-brand authentication token or a wired router with a firewall. The TOE (Target of Evaluation) is the specified model of the product, or the specified configuration, that must be security tested.

Product developers must prove that a specific device they created, the Target of Evaluation, meets the security requirements for the protection profile for their class of device. TOE security requirements are broken down into functional requirements and security assurance requirements.

A router with a built in firewall has a higher EAL rating than one without.

Evaluation Assurance Levels

What is EAL? Evaluation Assurance Levels or EALs are defined in ISO 15408-3.

Evaluation Assurance Levels range from one to seven, with one being the lowest and seven being the highest in terms of the information security protection level offered.

Evaluation Assurance Level 1 means that the product has been functionally tested. EAL 2 products have been structurally tested. EAL 3 items have had their security tested and been found to meet ISO 15408 security levels with minimal changes.

Evaluation Assurance Level 4 items have had significant independent security testing. The product may have been re-engineered to meet ISO information security standards or the developer is willing to make changes to the product to meet ISO security standards.

Evaluation Assurance Level 5 means that the item must meet a very high security standard and has been independently tested from the development stage onward. This level is called semi-formally designed and tested.

Evaluation Assurance Level 6 (EAL 6) means that the product is designed for high security risk applications and has had additional information security protections built in. This level of EAL generally increases the cost of the product. Evaluation Assurance Level 7 or EAL 7 is called “formally verified design and tested”. The product was evaluated both in the design phase and the development stage to offer very high levels of protection.

ISO 24759 gives the test requirements set by the ISO for cryptographic modules. ISO 18043 gives the standards for the selection, installation and operations of intrusion detection systems, also called IDS.

ISO 27004 outlines the process of creating measures to assess how effective an information security management system and its controls are.

ISO standard 31000 is the general set of standards for risk management. ISO 27005 is the standard specifically intended for information security risk management. ISO Guide 73 gives the definitions of vocabulary terms used in all risk management standards by the ISO.