ISO 15408 Certification
Information Security, Cybersecurity
What is ISO 15408 Certification?
ISO/IEC 15408, commonly known as the Common Criteria (CC), is an international standard for evaluating and certifying the security properties of information technology products and systems. It provides a framework for specifying security requirements and for evaluating the extent to which products and systems meet those requirements. The goal of the Common Criteria is to establish a common set of criteria for evaluating the security features of IT products, allowing for more consistent and reliable security evaluations across different products and vendors.
The Common Criteria defines a structured approach to security evaluation, including:
Security Functional Requirements (SFRs): These specify the security functions that a product or system must perform. Examples include access control, cryptography, and auditing.
Security Assurance Requirements (SARs): These specify the assurance measures that need to be taken to ensure that the security functions are implemented correctly and operate as intended. Examples include development processes, testing procedures, and documentation requirements.
Protection Profiles (PPs): These are documents that specify sets of security requirements for specific types of products or systems. PPs provide a standardized way to define security requirements for different types of IT products and systems.
Security Targets (STs): These are documents that specify how a particular product or system meets the security requirements specified in a Protection Profile. STs are used as the basis for security evaluations.
Benefits of ISO 15408 Certification
Assurance of Security
Certification provides assurance that the evaluated product or system meets internationally recognized security standards. This assurance is particularly valuable in environments where security is critical, such as government agencies, financial institutions, and healthcare organizations.
Interoperability
Common Criteria certification ensures that certified products and systems have been evaluated against a common set of security requirements. This facilitates interoperability between different products and systems, allowing them to work together seamlessly in complex IT environments.
Global Recognition
ISO/IEC 15408 certification is internationally recognized, making it easier for vendors to market their products and for users to assess the security of those products. This global recognition enhances the credibility of certified products and systems in the marketplace.
Compliance
Certification may be required by regulatory bodies, industry standards, or contractual agreements for certain applications or environments. Achieving Common Criteria certification helps vendors and users demonstrate compliance with these requirements.
Risk Management
By selecting products and systems that have undergone rigorous security evaluations, organizations can mitigate security risks and protect sensitive information from unauthorized access, disclosure, or modification.
Continuous Improvement
The certification process encourages vendors to improve the security of their products and systems by identifying and addressing security vulnerabilities and weaknesses. This ongoing commitment to security enhances the overall quality and reliability of certified products.
Who can get ISO 15408 Certification?
A product or system that has successfully completed testing and validation can receive ISO 15408 Common Criteria Certification. The extent to which the IT product or system has been assessed for compliance with ISO 15408 Common Criteria is measured using Evaluation Assurance Levels (EALs).
Product Vendors
Companies that develop and sell software, hardware, or integrated systems, such as operating systems, network devices, security appliances, and applications, can seek certification for their products.
System Integrators
Organizations that integrate multiple products and components into larger systems or solutions can apply for certification for the entire system or solution.
Government Agencies
Government agencies may seek certification for products or systems used to store, process, or transmit sensitive or classified information.
Service Providers
Companies that provide managed security services, cloud services, or other IT services may seek certification for their service offerings.
Software Developers
Developers of custom software or bespoke solutions for specific applications or industries can apply for certification for their software products.
Hardware Manufacturers
Manufacturers of hardware components, such as microprocessors, cryptographic modules, or smart cards, can seek certification for their products.
Consulting Firms
Firms that provide consulting services related to information security, compliance, and risk management may assist clients in preparing for and obtaining certification.
Any Organization Concerned with Data Security
Any company concerned with data security as it relates to financial reporting processes may choose to pursue SOC 1 certification to demonstrate the effectiveness of controls related to financial data processing and reporting accuracy.
Validity of ISO 15408 Certification
ISO/IEC 15408 certification, commonly known as Common Criteria certification, typically remains valid for 3 years. After this initial certification period, organizations may undergo a reevaluation or recertification process to renew the certification.
What is the Role of Shamkris?
Task                                Output
Gap Assessment                      Gap Report
Technical Review                    UAPT & Remedies
Preparation of Documents            Policy, Procedures, Formats, Checklist
Training                            Awareness & Internal Audit
Implementation                      Record Generation, Review of Implementation of ISO 15408
Third Party Audit / Assessment      NCR Closure & Issued Certification
Annual Support                      Monthly / Quarterly / Half Year / Yearly
Issuing Authority of ISO 15408 Certification
FAQ
ISO/IEC 15408, also known as Common Criteria (CC), is an international standard for evaluating and certifying the security properties of information technology products and systems. Common Criteria certification provides assurance that a product or system meets specified security standards.
Any organization or entity that develops, manufactures, or sells information technology products or systems can apply for Common Criteria certification. This includes product vendors, system integrators, government agencies, service providers, software developers, hardware manufacturers, and consulting firms.
The certification process typically involves preparation, evaluation, certification, and maintenance. Organizations prepare documentation, such as a Security Target (ST), undergo evaluation by an accredited testing laboratory, receive a certification report if the product or system meets the security requirements, and maintain compliance over time.
Common Criteria certification typically remains valid for a period of three to five years. After this initial certification period, organizations may need to undergo a reevaluation or recertification process to renew the certification.
Common Criteria certification offers several benefits, including assurance of security, interoperability, global recognition, compliance with regulations, risk management, competitive advantage, continuous improvement, and customer confidence.
ISO/IEC 15408 certification is not mandatory for all products or systems. However, it may be required by regulatory bodies, industry standards, or contractual agreements for certain applications or environments.