Jump to the main content

ISO | IEC 15408 - Common Criteria

A Member in Good Standing of TIC Council | TÜV®

ISO/IEC 15408 - Common Criteria


Introduction of Common Criteria

The Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

  • Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance.
  • Supporting documents, are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies.
  • The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation.
  • These certificates are recognized by all the signatories of the CCRA.

Certification Procedure

PlanSite VisitETR and CRTACSL reviews ST andprepares EPP.TACSL holds kick-offmeeting, developer andCB attends it.Developer submits ST.CB reviews EPP.CB reviews site visit plan.TACSL develops site visitplan.TACSL performs site visit.CB reviews ETR.TACSL prepares ETR.CB prepares CR.TACSL and developercomment on CR.Review DocsTestCloseDeveloper providesevaluation documents.CB reviews ORs.TACSL reviewsdocuments and preparesORs.TACSL develops testplan.TACSL performs test, CB oversight test.CB reviews test plan.CB sends formalcertificate.CB and developerattend meeting.TACSL hostsclosedown meeting.TestCloseReview DocsPlanSite VisitETR and CR


  • Developer submits ST.
  • TACSL reviews ST andprepares EPP.
  • CB reviews EPP.
  • TACSL holds kick-offmeeting, developer andCB attends it.

Review Docs

  • Developer providesevaluation documents.
  • TACSL reviewsdocuments and prepares ORs.
  • CB reviews ORs.

Site Visit

  • TACSL develops site visitplan.
  • CB reviews site visit plan.
  • TACSL performs site visit.


  • TACSL develops testplan.
  • CB reviews test plan.
  • TACSL performs test, CB oversight test.

ETR and CR

  • TACSL prepares ETR.
  • CB reviews ETR.
  • CB prepares CR.
  • TACSL and developer comment on CR.


  • CB sends formal certificate.
  • TACSL hosts closedown meeting.
  • CB and developer attend meeting.

Our Services

  • 1. Approach to Common Criteria

    • Workshop on training of Common Criteria
      • General model
      • Security functional and assurance components
      • Protection profiles
    • Scoping of Target of Evaluation (TOE)
      • Analysis of components of targeted product
      • Optimize the scope of product for evaluation
    • Gap analysis
      • Analysis of current situation of product
      • Analysis of current situation of site and process
      • Gap analysis report
    • Consulting on Security Target (ST) preparation
      • Interpretation of requirement of ST
      • Demo of each part of ST
      • Guide and review customer’s ST
  • 2. Prepare Evaluation Evidences

    • Workshop on Common Criteria documentation
      • CC required documentation in each class
      • How to write documents in CC
    • Consulting on meeting security requirements and improvement of security features
      • Analysis of security functional requirement of TOE
      • Review and improvement of security features
    • Consulting on establishment of secured development process and product life-cycle management
      • Analysis of process and life-cycle management
      • Security controls improvement
    • Consulting on site security enhancement
      • On-site audit of development sites
      • Findings and suggestions of site security
  • 3. Evaluate TOE

    • Documentation review and feedback
      • Quick review of documents and instant feedback
      • Detailed review of documents and formal comments
    • Vulnerability assessment and penetration testing
      • Vulnerability analysis based on different level of attack potentials
      • Actual penetration testing of attack potentials
    • Evaluation observation reports
      • Observation reports approved by CB for each class
      • Explanation of observation reports
  • 4. Certification

    • Evaluation Technical Report to certification body
      • Prepare final Evaluation Technical Report (ETR)
      • Get ETR approved by CB
    • Support on certification process of certification body
      • Multiple meetings with CB during different phases of evaluation
      • Procedural work of certification process

Your Benefits

  • Showing your customers and business partners that your product meets the required level of security.
  • Comprehensive evaluation reports highlighting potentials for improvement.
  • Certification recognized all over the world.
  • Lower cost and higher efficiency compared to European evaluation facilities.

Contact Form

  •  | Print
to top