The ISO/IEC 15408 family is split into three distinct parts. When you search for an "ISO IEC 15408 PDF," you are actually looking for three separate documents:
Crucial Distinction: ISO/IEC 15408 is often confused with ISO/IEC 18045 (the Common Evaluation Methodology, or CEM). While 15408 defines what to evaluate, 18045 defines how to evaluate it. You will need both for full compliance.
Using the templates in Part 1 of the PDF, you write a Security Target (ST). This document is the contract between you and the evaluator. It lists:
The lab performs independent functional testing based on the ST you wrote. They also conduct penetration testing to ensure no obvious "back doors" exist. The PDF (Part 2) lists specific tests for functions like "FAU_GEN.1" (Audit data generation).
If you are a CISO purchasing a new firewall, request the vendor’s "Security Target" (ST) PDF. Do not just ask for the EAL level. Using the ISO/IEC 15408 framework, you can compare two firewalls side-by-side by seeing which SFRs (from Part 2 of the PDF) they actually passed.
You may wonder if you should invest time in 15408 or shift to newer frameworks.
The trend is integration – not replacement. The latest ISO IEC 15408 PDF includes guidance for agile and continuous integration/continuous delivery (CI/CD), proving that the standard is evolving rather than dying.
The International Organization for Standardization (ISO) sells the official PDF. As of 2025, a single part of the standard costs approximately 138 to 198 CHF (Swiss Francs). The entire set (Parts 1, 2, and 3) will cost over 500 CHF.
The standard is divided into three distinct parts. When searching for the "PDF" of this standard, one must typically acquire three separate documents:
ISO/IEC 15408-2: Security Functional Components
ISO/IEC 15408-3: Security Assurance Components