
An Introduction to ISO 15408

Updated on July 8, 2020

Tamara Wilhite is a technical writer, industrial engineer, mother of two, and published sci-fi and horror author.

ISO standard 15408 outlines the Common Criteria for information technology security evaluation; in short, it defines how IT security is evaluated against industry standards. How many parts are there to ISO 15408? What does ISO 15408 say?

While biometric security isn't required per ISO 15408, dual factor authentication often is.

ISO Standard 15408

ISO 15408-1 sets the general model used for evaluating IT security. What are the objectives of an IT security system? What are the requirements of an IT security system? What specifications should be used?

ISO 15408-2 outlines the security functional requirements for individual components of the information technology system. ISO 15408-2 also gives guidance on how to create security requirements when no existing set of functional requirements applies.

ISO 15408-3 sets the standard for security assurance requirements. How do you evaluate Protection Profiles, called PPs for short? How do you evaluate Security Targets, or STs? ISO 15408-3 describes how to do this. ISO 15408-3 also defines Evaluation Assurance Levels, or EALs. Evaluation Assurance Levels are the Common Criteria scale for rating targets of evaluation.

Terminology Used in ISO 15408

A protection profile is a generic type of security device. Examples of protection profiles include authentication tokens and firewalls. A security target is a specific type of security device. A security target would be an RSA brand authentication token or a firewall wired router. The Target of Evaluation (TOE) is the specific model of the product, or the specific configuration, that must be security tested.

Product developers must prove that a specific device they created, the Target of Evaluation, meets the security requirements for the protection profile for their class of device. TOE security requirements are broken down into functional requirements and security assurance requirements.

A router with a built in firewall has a higher EAL rating than one without.

Evaluation Assurance Levels

What is EAL? Evaluation Assurance Levels or EALs are defined in ISO 15408-3.

Evaluation Assurance Levels range from one to seven, with one being the lowest and seven being the highest in terms of the information security protection level offered.

Evaluation Assurance Level 1 means that the product has been functionally tested. EAL 2 (Evaluation Assurance Level 2) products have been structurally tested. Evaluation Assurance Level 3 items have had their security tested and have been found to meet ISO 15408 security levels with minimal changes.

Evaluation Assurance Level 4 items have had significant independent security testing. The product may have been re-engineered to meet ISO information security standards or the developer is willing to make changes to the product to meet ISO security standards.

Evaluation Assurance Level 5 means that the item must meet a very high security standard and has been independently tested from the development stage onward. This level is called semi-formally designed and tested.

Evaluation Assurance Level 6 (EAL 6) means that the product is designed for high-security-risk applications and has had additional information security protections built in. This level of EAL generally increases the cost of the product. Evaluation Assurance Level 7, or EAL 7, is called "formally verified design and tested". The product was evaluated in both the design phase and the development stage to offer very high levels of protection.

Related IT Security Standards

ISO 24759 gives the test requirements set by the ISO for cryptographic modules. ISO 18043 gives the standards for the selection, installation and operation of intrusion detection systems, also called IDS.

ISO 27004 outlines the process of creating measures to assess how effective an information security management system and its controls are.

ISO standard 31000 is the general set of standards for risk management. ISO 27005 is the standard specifically intended for information security risk management. ISO Guide 73 gives the definitions of vocabulary terms used in all risk management standards by the ISO.
