Global Market Access: Nemko Group AS Testing Services

Common Criteria Explained: ISO/IEC 15408 & 18045 for IT Security

Written by Trond Sollie | June 28, 2021

Concerning evaluation of Information Technology Security, the criteria required to conduct IT security evaluations are contained in the Common Criteria Part 1 - 3 (ISO/IEC 15408), accompanied by the ‘Common Methodology’ (ISO/IEC 18045).

This provides an internationally accepted framework for such evaluations and details commonly accepted criteria for the design, development and evaluation of IT equipment with regard to cyber security considerations. Government agencies and corporations worldwide refer to this a prerequisite for the procurement of IT equipment.

In brief, an evaluation in accordance with the ‘Common criteria’ consists of two quality assurance aspects:

The first is an assessment of security assurance requirements (SARs), that is, a review of the processes undertaken during the development and evaluation of a given IT system or device to assess compliance with the prescribed security functionality, which depends on the intended use of the product and its anticipated risk conditions.

The second is the evaluation assurance level (EAL) where the depth and rigor of the evaluation process itself is assessed. EALs range from EAL 1, representing the most basic level of cyber security assessment, to EAL 7, representing the most rigorous process to verify the claimed level of cyber security. As EAL only concerns the evaluation process itself a higher EAL does not necessarily mean that a device is more secure. Nemko offers the necessary evaluation (EAL1-5) as well as guidance for clients who need to demonstrate compliance with the ‘Common Criteria’ for their products.


For further information and/or request for services in this area, please contact
Geir.Langemyr@nemko.com