ISO/IEC 15408 PDF

The attack landscape has changed. The 2022 version adds requirements for side-channel attacks (timing, power analysis) and updatable products (how to handle automatic updates). An old PDF will miss these.

Searching for this document is the first step toward understanding how to evaluate everything from biometric systems to network switches. But finding the right PDF, understanding its three parts, and applying it to a real-world certification project are complex tasks.

Enter ISO/IEC 15408, more commonly known as the Common Criteria (CC). This is the international gold standard for evaluating the security of IT products. For procurement officers, security architects, and compliance managers, the hunt often begins with three words: "ISO IEC 15408 PDF".

| Level | Name | Description | Best For |
| :--- | :--- | :--- | :--- |
| EAL1 | Functionally Tested | Basic review of security functions. | Low-value assets, legacy systems. |
| EAL2 | Structurally Tested | Requires design information and testing. | Commercial off-the-shelf (COTS) products. |
| EAL3 | Methodically Tested & Checked | Development environment controls. | Moderate risk environments. |
| EAL4 | Methodically Designed, Tested, & Reviewed | The most common level. Requires formal design and vulnerability analysis. | High-value commercial products. |
| EAL5 | Semi-formally Designed & Tested | Rigorous engineering methods. | Military/comms systems in high-risk scenarios. |
| EAL6 | Semi-formally Verified Design & Tested | Structured design, covert channel analysis. | Extreme risk (defense, aerospace). |
| EAL7 | Formally Verified Design & Tested | Mathematical proofs of security. | Nuclear command & control, top-secret crypto. |

A rating of EAL7 rather than EAL4 does not mean the product is "more secure" against hackers. It means the development process was more rigorous. A poorly configured EAL5 product is less secure than a well-administered EAL2 product.