ISO/IEC INTERNATIONAL STANDARD 15408-5 First edition 2022-08 Information security, cybersecurity and privacy protection Evaluation criteria for IT security - Part 5: Pre-defined packages of security requirements Sécurité de I'information, cybersecurité et protection de la vie privee- - Criteres d'évaluation pour la sécurité des technologies de I'information - Partie 5: Paquets prédéfinis d'exigences de sécurité Reference number IEC IS0/IEC 15408-5:2022(E) ISO @ IS0/IEC 2022 IS0/IEC 15408-5:2022(E) COPYRIGHT PROTECTED DOCUMENT IS0/IEC2022 All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either IsO at the address below or ISo's member body in the country of the requester. ISO copyright office CP 40i : Ch. de Blandonnet 8 CH-1214 Vernier, Geneva Phone: +41 22 749 01 11 Email: [email protected] Website: www.iso.org Published in Switzerland ii @IS0/IEC2022-Allrightsreserved IS0/IEC 15408-5:2022(E) Contents Page Foreword. ..V Introduction. ..vi 1 Scope. ..1 2 Normative references 3 Terms and definitions 4 Evaluation assurance levels .2 4.1 .2 Family name 4.2 Evaluation assurance level overview 4.2.1 General 2 Relationship between assurances and assurance levels .2 4.2.2 4.3 Evaluationassurancelevelobjectives 4 .5 4.4 Evaluation assurance levels... .5 4.4.1 General 4.4.2 Evaluation assurance level 1 (EAL1) - Functionally tested .5 4.4.3 Evaluation assurance level 2 (EAL2) —Structurallytested .6 4.4.4 Evaluation assurance level 3 (EAL3) — Methodically tested and checked .7 4.4.5 Evaluation assurance level 4 (EAL4) - Methodically designed, tested and reviewed 9 4.4.6 Evaluation assurance level 5 (EAL5) Semi-formally verified designed 10 andtested 4.4.7 Evaluation assurance level 6 (EAL6) - Semi-formally verified design and 11 tested 4.4.8 Evaluation assurance level 7 (EAL7) - - Formally verified design and tested.. 5 Composed assurance packages (CAPs) .14 5.1 .14 Familyname 5.2 Composed assurance package (CAP) overview.. ..15 .. 15 5.2.1 General ..15 5.2.2 Relationship between assurances and assurance packages 5.3 ..16 Composed assurance package (CAP) objectives... 5.4 Packages in the CAP family. .18 5.4.1 Composition assurance package A - Structurally composed ..18 5.4.2 Composition assurance package B Methodically composed 19 5.4.3 Composition assurance package C Methodically composed, tested and .20 reviewed Composite product package ..21 6 6.1 Package name 21 6.2 21 Packagetype 6.3 Package overview. 21 6.4 Objectives. .22 6.5 Security assurance components ..22 Protection profile assurances ..22 Family name .22 7.1 7.2 PPA family overview. 22 7.3 PPA family objectives. 23 PPA packages 23 7.4 7.4.1 Protection profile assurance package Direct rationale PP 23 Protection profile assurance package .24 7.4.2 Standard Security target assurances .24 8 8.1 Family name 24 8.2 STA family overview. .25 8.3 STA family objectives iii IS0/IEC2022-Allrightsreserved