
📖 What is Common Criteria (ISO/IEC 15408)?

Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security claims of IT products. It uses a framework of Protection Profiles and Security Targets to define security requirements, allowing customers to compare products based on standardized evaluation levels.

🥋 Sensei Says:

"Pay close attention to the term 'Evaluation Assurance Level (EAL).' The higher the EAL, the more rigorous the testing and verification process was."

📚 Certification: Certified Information Systems Security Professional (CISSP)

🔑 What are the Key Concepts of Common Criteria (ISO/IEC 15408)?

  • Protection Profiles (PP) define a set of security requirements for a specific category of IT products, allowing users to specify their needs.
  • Security Targets (ST) are created by vendors to describe how a specific product meets the requirements of a Protection Profile.
  • Evaluation Assurance Levels (EAL 1-7) indicate the depth and rigor of the evaluation process, not the overall security strength of the product.
  • The Target of Evaluation (TOE) refers to the specific hardware, software, or firmware being analyzed during the Common Criteria certification process.
  • Common Criteria provides a standardized language for vendors and consumers to communicate security claims and verification results across different international borders.

🎯 How does Common Criteria (ISO/IEC 15408) appear on the CISSP Exam?

You may be asked to identify the correct document a vendor provides to prove their product meets a specific industry standard. In this case, you must distinguish between the Protection Profile and the Security Target.

A scenario might describe a procurement process where a company requires a product with a high level of testing rigor. You will need to select the appropriate Evaluation Assurance Level (EAL) to satisfy this requirement.

❓ Frequently Asked Questions

Does a higher EAL score guarantee that a product is more secure than one with a lower score?

No. EAL measures the confidence in the evaluation process, not the security effectiveness. A product with EAL 2 and a very strict Protection Profile may be more secure than an EAL 5 product with a weak profile.

What is the primary difference between a Protection Profile and a Security Target?

A Protection Profile is a generic set of requirements for a product category (e.g., 'Smart Cards'), whereas a Security Target is a product-specific claim made by a vendor to meet those requirements.
