ISO/IEC 15408 PDF

The PDF is your checklist. The "Evaluation Methodology" (a separate but related document) tells you exactly how to prove a product meets FAU_GEN.1 (Audit data generation).

[ Protection Profile (PP) ] --> Defines industry/user needs
        │
        ▼
[ Security Target (ST) ] --> Vendor's specific product implementation
        │
        ▼
[ Target of Evaluation (TOE) ] --> The actual product being tested

The Definitive Guide to ISO/IEC 15408: Understanding the Common Criteria for IT Security Evaluation

Why keep this massive, expensive, glacial PDF alive? Because it represents the only honest attempt at structured distrust. The Common Criteria does not believe you. It does not trust the developer, the integrator, or the user. It demands that you show your work, in a language as close to math as English can get.

Developed by the United States Department of Defense. ITSEC: The European alternative used in the early 1990s. CTCPEC: The Canadian standard.


The standard is famously dense. The full standard runs hundreds of pages, divided into three main parts:

Define the security behavior of the product (e.g., encryption, access control).

The standard is divided into multiple parts, typically found as a series of PDF documents. The most recent major revision is ISO/IEC 15408:2022.

Part 1: Introduction and General Model
