Wikipedia: Common Criteria is a framework in which
- computer system users can specify their security functional and assurance requirements,
- vendors can then implement and/or make claims about the security attributes of their products, and
- testing laboratories can evaluate the products to determine if they actually meet the claims.
- Documents are available from the main site.
- To search for certified products, one can start here.
- List of laboratories is here.
- Tools used for testing.
- ISO Standards
- ISO/IEC 15408-1:2009 Evaluation criteria for IT security — Part 1: Introduction and general model
- ISO/IEC 15408-2:2008 Evaluation criteria for IT security — Part 2: Security functional components
- ISO/IEC 15408-3:2008 Evaluation criteria for IT security — Part 3: Security assurance components
Important concept is Evaluation Assurance Level (EAL):
- EAL1: Functionally Tested
- EAL2: Structurally Tested
- EAL3: Methodically Tested and Checked
- EAL4: Methodically Designed, Tested, and Reviewed
- EAL5: Semiformally Designed and Tested
- EAL6: Semiformally Verified Design and Tested
- EAL7: Formally Verified Design and Tested
Implementation Cost and effort
The following figure related to costs is taken from wikipedia