Shamkris Global Group

ISO 15408 Certification


What is ISO 15408 Certification?

ISO/IEC 15408, commonly known as the Common Criteria (CC), is an international standard for evaluating and certifying the security properties of information technology products and systems. It provides a framework for specifying security requirements and for evaluating the extent to which products and systems meet those requirements. The goal of the Common Criteria is to establish a common set of criteria for evaluating the security features of IT products, allowing for more consistent and reliable security evaluations across different products and vendors.

The Common Criteria defines a structured approach to security evaluation, including:

Security Functional Requirements (SFRs): These specify the security functions that a product or system must perform. Examples include access control, cryptography, and auditing.

Security Assurance Requirements (SARs): These specify the assurance measures that need to be taken to ensure that the security functions are implemented correctly and operate as intended. Examples include development processes, testing procedures, and documentation requirements.

Protection Profiles (PPs): These are documents that specify sets of security requirements for specific types of products or systems. PPs provide a standardized way to define security requirements for different types of IT products and systems.

Security Targets (STs): These are documents that specify how a particular product or system meets the security requirements specified in a Protection Profile. STs are used as the basis for security evaluations.

Benefits of ISO 15408 Certification

Assurance of Security

Certification provides assurance that the evaluated product or system meets internationally recognized security standards. This assurance is particularly valuable in environments where security is critical, such as government agencies, financial institutions, and healthcare organizations.

Interoperability

Common Criteria certification ensures that certified products and systems have been evaluated against a common set of security requirements. This facilitates interoperability between different products and systems, allowing them to work together seamlessly in complex IT environments.

Global Recognition

ISO/IEC 15408 certification is internationally recognized, making it easier for vendors to market their products and for users to assess the security of those products. This global recognition enhances the credibility of certified products and systems in the marketplace.

Compliance

Certification may be required by regulatory bodies, industry standards, or contractual agreements for certain applications or environments. Achieving Common Criteria certification helps vendors and users demonstrate compliance with these requirements.

Risk Management

By selecting products and systems that have undergone rigorous security evaluations, organizations can mitigate security risks and protect sensitive information from unauthorized access, disclosure, or modification.

Continuous Improvement

The certification process encourages vendors to improve the security of their products and systems by identifying and addressing security vulnerabilities and weaknesses. This ongoing commitment to security enhances the overall quality and reliability of certified products.

Who can get ISO 15408 Certification?

A product or system that has successfully completed testing and validation can receive ISO 15408 Common Criteria Certification. The extent to which the IT product or system has been assessed for compliance with ISO 15408 Common Criteria is measured using Evaluation Assurance Levels (EALs).

Product Vendors

Companies that develop and sell software, hardware, or integrated systems, such as operating systems, network devices, security appliances, and applications, can seek certification for their products.

System Integrators

Organizations that integrate multiple products and components into larger systems or solutions can apply for certification for the entire system or solution.

Government Agencies

Government agencies may seek certification for products or systems used to store, process, or transmit sensitive or classified information.

Service Providers

Companies that provide managed security services, cloud services, or other IT services may seek certification for their service offerings.

Software Developers

Developers of custom software or bespoke solutions for specific applications or industries can apply for certification for their software products.

Hardware Manufacturers

Manufacturers of hardware components, such as microprocessors, cryptographic modules, or smart cards, can seek certification for their products.

Consulting Firms

Firms that provide consulting services related to information security, compliance, and risk management may assist clients in preparing for and obtaining certification.

Any Organization Concerned with Data Security

Any organization concerned with the security of the data it stores, processes, or transmits may choose to pursue ISO 15408 certification for the products or systems it relies on, to demonstrate that their security functions have been independently evaluated.

How long is ISO 15408 Certification valid?

ISO/IEC 15408 certification, commonly known as Common Criteria certification, typically remains valid for 3 years. After this initial certification period, organizations may undergo a reevaluation or recertification process to renew the certification.

What is the Role of Shamkris?

Task                               Output
Gap Assessment                     Gap Report
Technical Review                   VAPT & Remedies
Preparation of Documents           Policy, Procedures, Formats, Checklist
Training                           Awareness & Internal Audit
Implementation                     Record Generation, Review of Implementation of ISO 15408
Third Party Audit / Assessment     NCR Closure & Issued Certification
Annual Support                     Monthly / Quarterly / Half Year / Yearly

Issuing Authority of ISO 15408 Certification

Approved Agency

FAQ

What is ISO/IEC 15408 certification?

ISO/IEC 15408, also known as Common Criteria (CC), is an international standard for evaluating and certifying the security properties of information technology products and systems. Common Criteria certification provides assurance that a product or system meets specified security standards.

Who can apply for Common Criteria certification?

Any organization or entity that develops, manufactures, or sells information technology products or systems can apply for Common Criteria certification. This includes product vendors, system integrators, government agencies, service providers, software developers, hardware manufacturers, and consulting firms.

What does the certification process involve?

The certification process typically involves preparation, evaluation, certification, and maintenance. Organizations prepare documentation, such as a Security Target (ST), undergo evaluation by an accredited testing laboratory, receive a certification report if the product or system meets the security requirements, and maintain compliance over time.

How long does the certification remain valid?

Common Criteria certification typically remains valid for a period of three to five years. After this initial certification period, organizations may need to undergo a reevaluation or recertification process to renew the certification.

What are the benefits of Common Criteria certification?

Common Criteria certification offers several benefits, including assurance of security, interoperability, global recognition, compliance with regulations, risk management, competitive advantage, continuous improvement, and customer confidence.

Is ISO/IEC 15408 certification mandatory?

ISO/IEC 15408 certification is not mandatory for all products or systems. However, it may be required by regulatory bodies, industry standards, or contractual agreements for certain applications or environments.