One of the most respected standards for evaluating the security of IT products is ISO 15408, also known as the Common Criteria for Information Technology Security Evaluation. This blog post will delve into the intricacies of ISO 15408 certification and its importance in the realm of cybersecurity. Here, you can also find a comprehensive ISO 15408 certification checklist that you can download for free.

Understanding ISO 15408 Certification

ISO 15408 certification, or Common Criteria certification, is an international standard for computer security certification. It provides a framework for evaluating security features and capabilities of IT products and systems. The certification process involves rigorous testing and evaluation to ensure that a product meets specific security requirements.

ISO 15408 vs ISO 27001

While both standards focus on information security, they serve different purposes:

• ISO 15408 is product-oriented, evaluating the security features of specific IT products or systems.
• ISO 27001 is process-oriented, focusing on an organization’s overall information security management system (ISMS).

The Common Criteria Evaluation Process

The Common Criteria evaluation process is a comprehensive and structured approach to assessing the security of IT products. It involves several key steps:

1. Protection Profile (PP) Development: This optional step involves creating a document that outlines security requirements for a specific type of product.
2. Security Target (ST) Creation: The vendor develops a detailed document describing the product’s security features and the intended evaluation level.
3. Evaluation: An accredited testing laboratory conducts a thorough assessment of the product against the security claims made in the ST. This includes:
4. Documentation review
5. Functional testing
6. Vulnerability analysis
7. Design and implementation assessment
8. Validation: The evaluation results are reviewed and validated by the certification body.
9. Certification: If successful, a certificate is issued, and the product is added to the certified products list.

The evaluation security level is determined by the Evaluation Assurance Level (EAL), ranging from EAL1 to EAL7, with higher levels indicating more rigorous evaluation. Each EAL corresponds to a specific set of security assurance requirements that must be met.

Benefits of Common Criteria Certification

Obtaining Common Criteria certification offers several significant advantages:

• Enhanced Product Security: The rigorous evaluation process helps identify and address potential vulnerabilities, resulting in a more secure product.
• Increased Customer Trust: Certification provides independent verification of a product’s security claims, boosting customer confidence.
• Competitive Advantage: Certified products often have an edge in markets where security is a critical factor.
• Global Recognition: Common Criteria is recognized in over 30 countries, facilitating international market access.
• Regulatory Compliance: Many government and industry regulations require or prefer Common Criteria certified products.
• Structured Development: The certification process encourages a security-focused approach to product development from the outset.
• Continuous Improvement: Regular re-evaluations for maintaining certification promote ongoing security enhancements.

Common Criteria Certification List

Many organizations maintain a Common Criteria certification list of evaluated products. These lists serve as valuable resources for organizations seeking secure IT solutions. Some notable certification bodies and their lists include:

• National Information Assurance Partnership (NIAP) in the United States: Maintains the Product Compliant List (PCL)
• BSI Certification Body in Germany: Publishes the BSI-DSZ-CC (German Scheme Certification Report) list
• CSEC Certification Body in Sweden: Offers the Swedish Certification Body for IT Security (CSEC) Certified Products List
• Common Criteria Portal: Provides a comprehensive list of certified products from multiple countries

These lists typically include details such as the product name, vendor, certification date, protection profile (if applicable), and the achieved Evaluation Assurance Level (EAL).

ISO/IEC 15408 Compliance

Achieving ISO/IEC 15408 compliance involves adhering to the standard’s requirements throughout the product development lifecycle. This includes:

1. Security Functional Requirements (SFRs): Implementing specific security features as defined in the Common Criteria.
2. Security Assurance Requirements (SARs): Providing evidence of the proper implementation and testing of security features.
3. Documentation: Developing comprehensive documentation including:
4. Security Target (ST)
5. Functional specification
6. Design documentation
7. Test plans and results
8. Development Environment: Maintaining a secure development environment and following secure coding practices.
9. Configuration Management: Implementing robust configuration management processes to ensure the integrity of the evaluated product.
10. Delivery and Operation: Establishing secure procedures for product delivery and providing guidance for secure operation.
11. Vulnerability Assessment: Conducting thorough vulnerability analyses and penetration testing.
12. Life Cycle Support: Providing ongoing support and security updates throughout the product’s lifecycle.

Free ISO 15408 Certification Checklist

To assist organizations in their journey towards ISO 15408 certification, we have created a comprehensive ISO 15408 certification checklist. This checklist covers all the essential steps and requirements for obtaining certification. You can download this checklist for free and customize it to your organization’s specific needs, making the certification process more manageable and structured.

Download ISO 15408 Certification Checklist

Security Assurance Standards

ISO 15408 is just one of many security assurance standards available. Understanding the landscape of security standards can help organizations choose the most appropriate ones for their needs:

• FIPS 140-2/3: Focuses on cryptographic modules, often required for government use in the United States and Canada.
• Common Criteria Protection Profiles: Provide predefined sets of security requirements for specific product types, such as firewalls or operating systems.
• PCI DSS: Specific to the payment card industry, ensuring secure handling of cardholder data.
• ISO 27001: Focuses on overall information security management systems within organizations.
• NIST SP 800-53: Provides a comprehensive set of security controls for federal information systems in the United States.
• SOC 2: Focuses on service organizations’ controls relevant to security, availability, processing integrity, confidentiality, and privacy.
• GDPR: While not strictly a security standard, it imposes significant data protection and privacy requirements in the European Union.

Each of these standards serves different purposes and may be more or less relevant depending on an organization’s specific needs, industry, and geographical location. Often, compliance with multiple standards is necessary to meet various regulatory and market requirements.

Trio: Enhancing Your Security Posture

As organizations strive to meet rigorous security standards like ISO 15408, robust tools become essential. Trio, our mobile device management solution, can play a crucial role in helping organizations maintain a secure IT environment. By providing comprehensive device management capabilities, Trio supports organizations in:

• Implementing security policies across all devices
• Monitoring and reporting on device security status
• Quickly responding to security incidents

These features can significantly contribute to meeting many of the security requirements outlined in ISO 15408.

We invite you to experience how Trio can enhance your organization’s security posture by trying our free demo. With Trio, you’ll be better equipped to navigate the complex landscape of security certifications and standards.

Conclusion

ISO 15408 certification, also known as Common Criteria, stands as a crucial benchmark in the realm of IT security. As we’ve explored, this certification offers numerous benefits, from enhanced product security to increased market competitiveness. While the process may be rigorous, the resulting assurance in product security is invaluable in today’s threat landscape.

Organizations seeking to strengthen their security posture should seriously consider pursuing ISO 15408 certification for their IT products. Remember, our free ISO 15408 certification checklist is available to help guide you through this process.

As you embark on your security enhancement journey, consider how tools like Trio can support your efforts. By providing robust mobile device management capabilities, Trio can help you maintain a secure IT environment that aligns with many ISO 15408 requirements. We encourage you to try Trio’s free demo and experience firsthand how it can contribute to your organization’s security strategy.

In an era where cyber threats are constantly evolving, standards like ISO 15408 and tools like Trio are not just beneficial—they’re essential. Take the next step in securing your IT products and infrastructure today.