EN ISO/IEC 15408-3:2026
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2026)
This document specifies the security assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
German title (translated): Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2026)
French title (translated): Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2026)
French scope (translated): This document specifies the security assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, as well as the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
Slovene title (translated): Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC FDIS 15408-3:2026)
General Information
- Status: Not Published
- Publication Date: 26-May-2026
- Technical Committee: CEN/CLC/TC 13 - Cybersecurity and Data Protection
- Current Stage: 6055 - CEN Ratification completed (DOR) - Publishing
- Start Date: 01-May-2026
- Completion Date: 01-May-2026
Relations
- Effective Date: 12-Feb-2026
- Effective Date: 22-May-2024
Overview
EN ISO/IEC 15408-3:2026 is a key international standard developed by CEN, focusing on information security, cybersecurity, and privacy protection. As Part 3 of the ISO/IEC 15408 series (commonly known as the Common Criteria for Information Technology Security Evaluation), this document specifies the security assurance components used in the evaluation of IT security. It details the individual assurance components that form the basis for Evaluation Assurance Levels (EALs) and other security assurance packages referenced in ISO/IEC 15408-5.
This standard provides criteria for the evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules, and Security Targets (STs) - foundational elements in formal IT security evaluations for a broad range of digital assets.
Key Topics
Security Assurance Components
The standard defines assurance components that measure how thoroughly a system or product's security requirements are specified, designed, and tested. These components are structured into classes, families, and individual elements.
Evaluation Assurance Level (EAL) Foundation
EN ISO/IEC 15408-3:2026 outlines the building blocks from which EALs are constructed. These EALs are widely used to communicate the rigor of security evaluations to stakeholders and customers.
Criteria for Protection Profiles and Security Targets
The standard sets out the methodology and criteria for developing and evaluating PPs, PP-Modules, PP-Configurations, and STs. This ensures a consistent approach to specifying and assessing security in IT products and systems.
Component Structure & Dependencies
Assurance components are systematically organized, with clear descriptions, objectives, application notes, and dependencies, supporting modular evaluation and efficient reuse of security specifications.
Applications
IT Product Certification
Product developers use the standard to define and demonstrate the security assurance of software, hardware, and embedded systems during product certification processes under recognized Common Criteria schemes.
Risk Management
Organizations and IT professionals rely on assurance components to select products and solutions that meet specific risk management and regulatory requirements regarding cybersecurity and privacy.
Procurement and Compliance
Government and regulated industries reference security assurance levels and Protection Profiles defined using EN ISO/IEC 15408-3 in procurement specifications, ensuring products meet rigorous security expectations.
Development of Protection Profiles (PPs)
Security architects and analysts use the criteria when drafting PPs for families of products, promoting standardization, comparability, and transparency across the IT security landscape.
Security Target (ST) Preparation
Vendors and solution providers utilize the detailed criteria for constructing Security Targets, tailoring assurance arguments to particular products and operational environments.
Related Standards
EN ISO/IEC 15408-1: Information security - Evaluation criteria for IT security - Part 1: Introduction and general model
Outlines the general principles and model underlying the security evaluation process.
EN ISO/IEC 15408-2: Information security - Evaluation criteria for IT security - Part 2: Security functional components
Specifies the requirements for security functionality in IT systems.
EN ISO/IEC 15408-5: Information security - Evaluation criteria for IT security - Part 5: Pre-defined packages
Provides ready-to-use packages of functional and assurance requirements.
ISO/IEC 18045: Information security techniques - Methodology for IT security evaluation
Details the processes and activities for conducting security evaluations in line with the ISO/IEC 15408 series.
By providing a consistent and internationally recognized framework for specifying and assessing security assurance, EN ISO/IEC 15408-3:2026 enables organizations to improve IT security, demonstrate compliance, and gain customer trust within ever-evolving threat landscapes. For those involved in product development, assurance certification, or procurement, aligning with this standard is essential for demonstrating robust information security, cybersecurity, and privacy protection.
Frequently Asked Questions
EN ISO/IEC 15408-3:2026 is a draft published by the European Committee for Standardization (CEN). Its full title is "Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC 15408-3:2026)". Its scope is as follows: this document specifies the security assurance requirements of the ISO/IEC 15408 series. It includes the individual assurance components from which the evaluation assurance levels and other packages contained in ISO/IEC 15408-5 are composed, and the criteria for evaluation of Protection Profiles (PPs), PP-Configurations, PP-Modules and Security Targets (STs).
EN ISO/IEC 15408-3:2026 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
EN ISO/IEC 15408-3:2026 has the following relationships with other standards: it is linked to ISO/IEC 15408-3:2026, the identical international standard it adopts, and to EN ISO/IEC 15408-3:2023, the previous edition. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
Standards Content (Sample)
SLOVENIAN STANDARD
oSIST prEN ISO/IEC 15408-3:2024
01 November 2024
Information security, cybersecurity and privacy protection - Evaluation criteria for IT security - Part 3: Security assurance components (ISO/IEC DIS 15408-3:2024)
(The title is also given in Slovene, German and French.)
This Slovenian standard is identical to: prEN ISO/IEC 15408-3
ICS: 35.030 IT Security
oSIST prEN ISO/IEC 15408-3:2024 en,fr,de
© 2003-01. Slovenian Institute for Standardization. Reproduction of the whole or parts of this standard is not permitted.

DRAFT International Standard
ISO/IEC DIS 15408-3
ISO/IEC JTC 1/SC 27
Secretariat: DIN
Voting begins on: 2024-08-19
Voting terminates on: 2024-11-11
Information security, cybersecurity and privacy protection — Evaluation criteria for IT security — Part 3: Security assurance components
(The title is also given in French.)
THIS DOCUMENT IS A DRAFT CIRCULATED FOR COMMENTS AND APPROVAL. IT IS THEREFORE SUBJECT TO CHANGE AND MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.
This document is circulated as received from the committee secretariat.
ISO/CEN PARALLEL PROCESSING
IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT, WITH THEIR COMMENTS, NOTIFICATION OF ANY RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE AND TO PROVIDE SUPPORTING DOCUMENTATION.
Reference number: ISO/IEC DIS 15408-3:2024(en)
© ISO/IEC 2024
© ISO/IEC 2024 – All rights reserved
ii
oSIST prEN ISO/IEC 15408-3:2024
ISO/IEC DIS 15408-3:2024(en)
Contents Page
Foreword .x
Introduction .xii
1 Scope . 1
2 Normative references . 1
3 Terms, definitions and abbreviated terms . 1
4 Overview . 5
5 Assurance paradigm . 6
5.1 General .6
5.2 ISO/IEC 15408 series approach .6
5.3 Assurance approach .6
5.3.1 General .6
5.3.2 Significance of vulnerabilities .6
5.3.3 Cause of vulnerabilities .7
5.3.4 ISO/IEC 15408 series assurance .7
5.3.5 Assurance through evaluation .7
5.4 ISO/IEC 15408 series evaluation assurance scale .8
6 Security assurance components . 8
6.1 Overview .8
6.2 Assurance class structure .8
6.2.1 General .8
6.2.2 Class name .8
6.2.3 Class introduction .9
6.2.4 Assurance families .9
6.3 Assurance family structure .9
6.3.1 General .9
6.3.2 Family name .9
6.3.3 Family objectives .9
6.3.4 Component levelling .10
6.3.5 Family application notes .10
6.3.6 Assurance components .10
6.4 Assurance component structure .10
6.4.1 General .10
6.4.2 Component name .10
6.4.3 Component objectives .11
6.4.4 Component application notes .11
6.4.5 Component dependencies .11
6.4.6 Assurance elements .11
6.5 Assurance elements . 12
6.6 Component taxonomy . 12
7 Class APE Protection Profile (PP) evaluation .12
7.1 Introduction . 12
7.2 Conformance claims (APE_CCL) .14
7.2.1 Objectives .14
7.2.2 Conformance claims (APE_CCL.1) .14
7.3 Extended components definition (APE_ECD) .16
7.3.1 Objectives .16
7.3.2 Extended components definition (APE_ECD.1) .16
7.4 PP introduction (APE_INT) .17
7.4.1 Objectives .17
7.4.2 PP introduction (APE_INT.1) .17
7.5 Security objectives (APE_OBJ) .17
7.5.1 Objectives .17
7.5.2 Component levelling .17
7.5.3 Security objectives for the operational environment (APE_OBJ.1) .18
7.5.4 Security objectives (APE_OBJ.2) .18
7.6 Security requirements (APE_REQ) .19
7.6.1 Objectives .19
7.6.2 Component levelling .19
7.6.3 Direct rationale security requirements (APE_REQ.1) .19
7.6.4 Derived security requirements (APE_REQ.2) . 20
7.7 Security problem definition (APE_SPD) . 22
7.7.1 Objectives . 22
7.7.2 Security problem definition (APE_SPD.1) . 22
8 Class ACE Protection Profile Configuration evaluation .22
8.1 Introduction . 22
8.2 PP-Module conformance claims (ACE_CCL) .24
8.2.1 Objectives .24
8.2.2 PP-Module conformance claims (ACE_CCL.1) .24
8.3 PP-Configuration consistency (ACE_CCO) . 25
8.3.1 Objectives . 25
8.3.2 PP-Configuration consistency (ACE_CCO.1) . 26
8.4 PP-Module extended components definition (ACE_ECD). 29
8.4.1 Objectives . 29
8.4.2 PP-Module extended components definition (ACE_ECD.1) . 29
8.5 PP-Module introduction (ACE_INT) . 30
8.5.1 Objectives . 30
8.5.2 PP-Module introduction (ACE_INT.1) . 30
8.6 PP-Module consistency (ACE_MCO) .31
8.6.1 Objectives .31
8.6.2 PP-Module consistency (ACE_MCO.1) .31
8.7 PP-Module security objectives (ACE_OBJ) .32
8.7.1 Objectives .32
8.7.2 Component levelling .32
8.7.3 PP-Module security objectives for the operational environment (ACE_OBJ.1) .32
8.7.4 PP-Module security objectives (ACE_OBJ.2) . 33
8.8 PP-Module security requirements (ACE_REQ) . 34
8.8.1 Objectives . 34
8.8.2 Component levelling . 34
8.8.3 PP-Module direct rationale security requirements (ACE_REQ.1) . 34
8.8.4 PP-Module derived security requirements (ACE_REQ.2) . 35
8.9 PP-Module security problem definition (ACE_SPD) .37
8.9.1 Objectives .37
8.9.2 PP-Module security problem definition (ACE_SPD.1) .37
9 Class ASE Security Target (ST) evaluation .37
9.1 Introduction .37
9.2 Conformance claims (ASE_CCL) . 39
9.2.1 Objectives . 39
9.2.2 Conformance claims (ASE_CCL.1) . 39
9.3 Consistency of composite product Security Target (ASE_COMP) .41
9.3.1 Objectives .41
9.3.2 Component levelling .41
9.3.3 Application notes .41
9.3.4 Consistency of Security Target (ST) (ASE_COMP.1) .42
9.4 Extended components definition (ASE_ECD) .42
9.4.1 Objectives .42
9.4.2 Extended components definition (ASE_ECD.1) .43
9.5 ST introduction (ASE_INT) .43
9.5.1 Objectives .43
9.5.2 ST introduction (ASE_INT.1) . 44
9.6 Security objectives (ASE_OBJ) .45
9.6.1 Objectives .45
9.6.2 Component levelling .45
9.6.3 Security objectives for the operational environment (ASE_OBJ.1) .45
9.6.4 Security objectives (ASE_OBJ.2) .45
9.7 Security requirements (ASE_REQ). 46
9.7.1 Objectives . 46
9.7.2 Component levelling .47
9.7.3 Direct rationale security requirements (ASE_REQ.1) .47
9.7.4 Derived security requirements (ASE_REQ.2). 48
9.8 Security problem definition (ASE_SPD) . 49
9.8.1 Objectives . 49
9.8.2 Security problem definition (ASE_SPD.1) . 50
9.9 TOE summary specification (ASE_TSS) . 50
9.9.1 Objectives . 50
9.9.2 Component levelling . 50
9.9.3 TOE summary specification (ASE_TSS.1) .51
9.9.4 TOE summary specification with architectural design summary (ASE_TSS.2) .51
10 Class ADV Development .52
10.1 Introduction .52
10.2 Security architecture (ADV_ARC) .57
10.2.1 Objectives .57
10.2.2 Component levelling .57
10.2.3 Application notes .57
10.2.4 Security architecture description (ADV_ARC.1) . 58
10.3 Composite design compliance (ADV_COMP) .59
10.3.1 Objectives .59
10.3.2 Component levelling .59
10.3.3 Application notes .59
10.3.4 Design compliance with the base component-related user guidance, ETR for composite evaluation and report of the base component evaluation authority (ADV_COMP.1) . 60
10.4 Functional specification (ADV_FSP) . 60
10.4.1 Objectives . 60
10.4.2 Component levelling .61
10.4.3 Application notes .61
10.4.4 Basic functional specification (ADV_FSP.1) . 63
10.4.5 Security-enforcing functional specification (ADV_FSP.2) . 64
10.4.6 Functional specification with complete summary (ADV_FSP.3) . 65
10.4.7 Complete functional specification (ADV_FSP.4) . 66
10.4.8 Complete semi-formal functional specification with additional error information (ADV_FSP.5) . 66
10.4.9 Complete semi-formal functional specification with additional formal specification (ADV_FSP.6) . 68
10.5 Implementation representation (ADV_IMP) . 69
10.5.1 Objectives . 69
10.5.2 Component levelling . 69
10.5.3 Application notes . 69
10.5.4 Implementation representation of the TSF (ADV_IMP.1) .70
10.5.5 Complete mapping of the implementation representation of the TSF (ADV_IMP.2) .71
10.6 TSF internals (ADV_INT) .71
10.6.1 Objectives .71
10.6.2 Component levelling . 72
10.6.3 Application notes . 72
10.6.4 Well-structured subset of TSF internals (ADV_INT.1) . 72
10.6.5 Well-structured internals (ADV_INT.2) . 73
10.6.6 Minimally complex internals (ADV_INT.3) .74
10.7 Formal TSF model (ADV_SPM). 75
10.7.1 Objectives . 75
10.7.2 Component levelling . 75
10.7.3 Application notes . 75
10.7.4 Formal TSF model (ADV_SPM.1) .76
10.8 TOE design (ADV_TDS) . 77
10.8.1 Objectives . 77
10.8.2 Component levelling . 77
10.8.3 Application notes . 77
10.8.4 Basic design (ADV_TDS.1) . 79
10.8.5 Architectural design (ADV_TDS.2) . 80
10.8.6 Basic modular design (ADV_TDS.3) . 81
10.8.7 Semi-Formal modular design (ADV_TDS.4) . 82
10.8.8 Complete semi-formal modular design (ADV_TDS.5) . 83
10.8.9 Complete semi-formal modular design with formal high-level design presentation (ADV_TDS.6) . 84
11 Class AGD Guidance documents .85
11.1 Introduction . 85
11.2 Operational user guidance (AGD_OPE) . 86
11.2.1 Objectives . 86
11.2.2 Component levelling . 86
11.2.3 Application notes . 87
11.2.4 Operational user guidance (AGD_OPE.1) . 87
11.3 Preparative procedures (AGD_PRE) . 88
11.3.1 Objectives . 88
11.3.2 Component levelling . 88
11.3.3 Application notes . 88
11.3.4 Preparative procedures (AGD_PRE.1) . 89
12 Class ALC Life-cycle support .89
12.1 Introduction . 89
12.2 CM capabilities (ALC_CMC) .91
12.2.1 Objectives .91
12.2.2 Component levelling . 92
12.2.3 Application notes . 92
12.2.4 Labelling of the TOE (ALC_CMC.1) . 92
12.2.5 Use of the CM system (ALC_CMC.2) . 93
12.2.6 Authorization controls (ALC_CMC.3) . 94
12.2.7 Production support, acceptance procedures and automation (ALC_CMC.4) . 95
12.2.8 Advanced support (ALC_CMC.5) . 97
12.3 CM scope (ALC_CMS) . 99
12.3.1 Objectives . 99
12.3.2 Component levelling . 99
12.3.3 Application notes . 99
12.3.4 TOE CM coverage (ALC_CMS.1) . 99
12.3.5 Parts of the TOE CM coverage (ALC_CMS.2) . 100
12.3.6 Implementation representation CM coverage (ALC_CMS.3) . 101
12.3.7 Problem tracking CM coverage (ALC_CMS.4) . 101
12.3.8 Development tools CM coverage (ALC_CMS.5) . 102
12.4 Integration of composition parts and consistency check of delivery procedures (ALC_COMP) . 103
12.4.1 Objectives . 103
12.4.2 Component levelling . 103
12.4.3 Application notes .
...