ISO 15408 Common Criteria Consultancy

ISO 15408 Common Criteria Consultancy

The most important standard used to identify and document security levels for information technology products is the TS ISO / IEC 15408 standard, also known as the Common Criteria. Thanks to this standard, the guarantee level is determined according to the security function of a product or system.

Common criteria are the work to be done before and during product evaluation and a number of documents that need to be submitted to the Common Criteria laboratory. Common Criteria to be taken prior to these studies, which are the final result document, should be examined in accordance with the precise common criteria of the product with consulting service. The consulting service guides architectural design, final product end-user documentation and testing processes to ensure that all the processes are carried out, the safety features of the product are clarified and the conditions are met according to common criteria. In this sense, the process of product development is very important.

Assessing and documenting Common Criteria is a lengthy and time-consuming process. It is important that counseling is selected from experienced and expert persons in order to facilitate and speed up this process. During the preparation of the documentation, the Common Criteria must use the definitions contained in the standard books through their own terminology, and these definitions must be adapted to the product or the product. Briefly, the titles provided are listed below.

  • Preparing the Security Target document
  • Observation of security related issues in product design
  • Preparation of design documents
  • Preparation of functional specification test documents
  • Preparing Life Cycle Documents
  • Preparing guide documents
  • Predicting openness analysis and detection of openness

After the decision to receive the consultancy service is made, a kick-off meeting is held with the participation of all stakeholders and a formal start is made for the work. Then the mutual work starts according to the work plan shared by the Consultant. If there is no Protection Profile of the product, the products that are similar to the product to be evaluated are searched from the products that have been evaluated before on the portal site. If a product evaluation that meets the individual evaluation is not available, the product to be evaluated in accordance with the required Safety Guarantee Level is examined in the bilateral negotiations. Work is then continued according to the following work steps. In this process, the consultant follows the technical and administrative processes with the laboratory and executes the business calendar and laboratory calendar management together with the company. In this process, the consultant will master both the product and the discipline of common criteria for the customer.

The work done in the consulting process is divided into 5 work packages. Each of these work packages also corresponds to work breakdowns made by the laboratory and certification authority during the Common Criteria evaluation.

Each business package has specific business steps and output is produced at the end of these steps.

The business packages will not change regardless of the level of security (EAL-Evaluation Assurance Level) the product applies for certification. However, there may be changes in work steps and outcomes in the work package.

The following tablature shows Business Packs, Business names and outputs for a certification at the EAL 2 level commonly used in Common Criteria certifications.


Work to be done for EAL 2 level consulting process and output to be produced

Work Package

Work Package Name

Output to be produced


Security Target Document Preparation

1- Security Target Document


Design Document Preparation

2- Design Document

Functional Specification Document Preparation

3- Functional Specification Document

Security Architectural Document Preparation

4- Security Architectural Document


Setup and User Guide Document Preparation

5- Installation and User's Guide Documentation


Preparation of Configuration Management Plan Document

6- Configuration Management Plan Document

Delivery Document Preparation

7- Delivery Document


Making Product Tests and Saving Informally

8- Test Registration Forms

Formal Product Test Records and Preparation of Test Scope and Depth Documentation for Common Criteria

9- Tests and Test Scope Document