Common Criteria, main links

Wikipedia: Common Criteria is a framework in which

  • computer system users can specify their security functional and assurance requirements,
  • vendors can then implement and/or make claims about the security attributes of their products, and
  • testing laboratories can evaluate the products to determine if they actually meet the claims.

  • Documents are available from the main site.
  • To search for certified products, one can start here.
  • The list of laboratories is here.
  • Tools used for testing.
  • ISO standards:
      • ISO/IEC 15408-1:2009 Evaluation criteria for IT security — Part 1: Introduction and general model
      • ISO/IEC 15408-2:2008 Evaluation criteria for IT security — Part 2: Security functional components
      • ISO/IEC 15408-3:2008 Evaluation criteria for IT security — Part 3: Security assurance components

An important concept is the Evaluation Assurance Level (EAL), which describes the depth and rigour of the evaluation rather than the strength of the product's security functions:

  • EAL1: Functionally Tested
  • EAL2: Structurally Tested
  • EAL3: Methodically Tested and Checked
  • EAL4: Methodically Designed, Tested, and Reviewed
  • EAL5: Semiformally Designed and Tested
  • EAL6: Semiformally Verified Design and Tested
  • EAL7: Formally Verified Design and Tested

Implementation cost and effort

The following figure on evaluation costs is taken from Wikipedia:

Common Criteria evaluation costs

This entry was posted in ISO, Security Certifications, Security Standardization and Practises, Security Training, Awareness and Reports.