What is Common Criteria?

Common Criteria (CC) is the international standard for evaluating the security of IT products, formally published as ISO/IEC 15408. It provides a framework for specifying security requirements for a product and for having an accredited, independent laboratory evaluate whether the product meets them, with the result certified by a national scheme.

Summary: Common Criteria (ISO/IEC 15408) is the international standard for IT security evaluation, with certificates recognized across the 31 CCRA nations within the scope the arrangement defines.

Key facts

  • Formal name: Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408)
  • Standard parts: Part 1 (introduction & model), Part 2 (functional components), Part 3 (assurance components)
  • Companion methodology: Common Evaluation Methodology (ISO/IEC 18045, CEM)
  • Assurance scale: EAL1 (functionally tested) through EAL7 (formally verified)
  • Mutual recognition: Common Criteria Recognition Arrangement (CCRA), ~31 member nations
  • Key artefacts: Security Target (ST), Protection Profile (PP), Target of Evaluation (TOE), Certification Report

How Common Criteria works

Under CC, the product being evaluated (the Target of Evaluation, TOE) is tested by an accredited evaluation lab against the security requirements stated in its Security Target (ST), a document written by the developer or sponsor. The ST may claim conformance to one or more Protection Profiles (PPs), which are standardized sets of requirements for a product category (e.g., smart cards, firewalls, operating systems); when it does, the evaluation also checks that the ST actually satisfies the PP.

Evaluations are performed at one of seven Evaluation Assurance Levels (EAL1 through EAL7), optionally augmented with additional assurance components (written, for example, as EAL4+), and successful products receive certificates from national scheme bodies. The certificate covers only the TOE as defined in the ST, in its evaluated configuration.

Key concepts

  • Security Target (ST) - A document, written by the developer or sponsor, that defines the TOE boundary, the security problem it addresses, its security objectives, and the functional and assurance requirements it claims to meet
  • Protection Profile (PP) - A template of security requirements for a category of products, independent of any specific implementation; an ST may claim conformance to one or more PPs
  • Evaluation Assurance Level (EAL) - A numerical grade (1-7) indicating the depth and rigor of the evaluation, not the strength of the security functionality itself
  • Target of Evaluation (TOE) - The product or system being evaluated, as delimited in the ST; features outside that boundary are not covered by the certificate

National certification schemes

CC evaluations are conducted by accredited labs (called ITSEFs - IT Security Evaluation Facilities) and certificates are issued by national scheme bodies, including:

  • BSI (Germany) - Bundesamt für Sicherheit in der Informationstechnik
  • ANSSI (France) - Agence nationale de la sécurité des systèmes d’information
  • NIAP (USA) - National Information Assurance Partnership
  • CCCS (Canada) - Canadian Centre for Cyber Security
  • OCSI (Italy) - Organismo di Certificazione della Sicurezza Informatica

Mutual recognition (CCRA)

Through the Common Criteria Recognition Arrangement (CCRA), certificates are mutually recognized across the 31 member nations, so a product certified in one member country does not need to be re-evaluated in another. Since the 2014 revision of the arrangement, this recognition is limited to certificates that claim conformance to a collaborative Protection Profile (cPP) or that use assurance components up to EAL2 (augmented with ALC_FLR); certificates at higher EALs are recognized only through separate regional arrangements.

Why CC matters

Common Criteria certification is often required for products used in government, defense, and regulated industries. It provides an independent, standardized assessment of a product's security claims, giving procurement teams and compliance officers a basis for trust. When relying on a certificate, check the ST and Certification Report for the TOE boundary, the evaluated configuration, and the claimed PP or EAL, since the certificate says nothing about the product outside those limits.
