Open the PDF. It is not a document; it is a cathedral of paranoia. Millions of words, structured like a medieval summa, attempt to do something that feels almost arrogant: to freeze the concept of trust into a mathematical skeleton.
We scroll past the title page. ISO/IEC 15408: Information technology — Security techniques — Evaluation criteria for IT security. The language is passive, sterile. But beneath the bureaucratic veneer is a quiet scream: How do you know the machine is not lying to you?
Part 1: The Grammar of Fear
The first section introduces the Target of Evaluation (TOE). Not "the software." Not "the firewall." The TOE. A term so clinical it could describe a specimen under a microscope. This is the first deep truth of 15408: you cannot secure everything. You must draw a circle in the sand. Inside the circle is order; outside is chaos, the Operational Environment. The document implicitly admits its own failure—it only judges the artifact, never the human holding it.
Then come the Security Functional Requirements (SFRs). A library of verbs for an imagined apocalypse. FAU_GEN.1 (Security audit data generation). FDP_ACC.1 (Subset access control). Each alphanumeric code is a tiny legal contract between silicon and spirit. They read like spells. If you recite FIA_UAU.1 (Timing of authentication) correctly, you might ward off the demon of credential replay.
Part 2: The Assurance Labyrinth
Part 2 is where the PDF grows teeth. Evaluation Assurance Levels (EALs) from 1 to 7. A ladder of ontological commitment.
To read the EAL7 requirements is to stare into an abyss. They demand that the system's design be proven correct in a mathematical logic system. This is not engineering. This is metaphysics. The PDF asks: Can truth be compiled?
Part 3: The Protection Profiles
Part 3 gives the document its soul. Protection Profiles (PPs) are user-side manifestos. Instead of vendors saying "look at my cool firewall," a government says: "We need a Collaborative Protection Profile for Network Devices." They define the problem before the solution exists.
This inverts capitalism. Normally, you build, then sell. Here, you define the cage, then ask who can grow inside it. A PP for a Smart Card is a different universe than a PP for a Database Management System. The PDF becomes a library of species of paranoia—each suited to a different predator.
The Hidden Tragedy: The Gap Between the PDF and Reality
But the deepest cut of ISO/IEC 15408 is what it cannot capture. It evaluates the product, not the process. You can have an EAL5+ certified operating system, installed by an intern who leaves the root password on a sticky note. The PDF has no clause for exhaustion, for laziness, for the moment a developer pushes a hotfix at 2 AM without re-evaluating the security target.
Furthermore, the document is a fossil. By the time a product is evaluated (a process taking 12–24 months), the threat landscape has evolved. The PDF describes a world of static, enumerable threats. But we live in a world of zero-days, of side-channels, of AI-generated exploits that do not fit into the Class FIA (Identification and Authentication) taxonomy.
Conclusion: The Beautiful Failure
Why keep this massive, expensive, glacial PDF alive? Because it represents the only honest attempt at structured distrust. The Common Criteria does not believe you. It does not trust the developer, the integrator, or the user. It demands that you show your work, in a language as close to math as English can get.
When you download iso_iec_15408-2022.pdf (roughly 15 MB of compressed suspicion), you are not downloading a standard. You are downloading a confession: that absolute security is impossible, but accountability is not. The document is a monument to the idea that before you can trust a machine, you must first prove, in the dry, unforgiving syntax of a standard, that you have thought of every way it could betray you.
And even then, the PDF quietly admits: You probably missed one.
If you are in the US, you can buy the standard through ANSI; in the UK, via BSI; in Germany, via DIN. Prices are similar to buying directly from ISO, but members of those bodies may receive discounts.