The 28th Common Criteria Users Forum (CCUF) Workshop, held in Songdo, South Korea, on 20 October 2025, brought together global experts to discuss the ongoing evolution of ISO/IEC 15408 (Evaluation Criteria for IT Security) and ISO/IEC 18045 (Methodology for IT Security Evaluation).
The session, presented by Kwangwoo Lee, Liaison Officer for CCUF and ISO/IEC JTC 1 SC 27/WG 3, provided a detailed update on key standardisation efforts shaping international cybersecurity evaluation frameworks.
Key Developments
Ongoing Revisions of ISO/IEC 15408 & 18045
Work continues to refine terminology, strengthen evaluation consistency, and improve alignment with emerging technologies. The next Final Draft International Standard (FDIS) ballot is scheduled to begin after 24 October 2025.
Errata and Interpretation Updates
The CC:2022/CEM:2022 Release 1 Errata (Version 1.1)—finalised in July 2024—addresses clarifications and interpretation points, ensuring uniform application of the standards across evaluation bodies.
TR 22216 Revision Underway
Updates to ISO/IEC TR 22216:2022 will align the guidance document with the revised ISO/IEC 15408 and 18045 series, incorporating new evaluation concepts such as composite evaluation and multi-assurance models.
Emerging Focus Areas
AI and Next-Generation Evaluations
Ongoing projects—PWI 25240 and PWI 25543—are exploring how existing evaluation frameworks can extend to AI-based systems, cloud-based products, and IP soft processors.
New work items include:
ISO/IEC 26160: Evaluation of AI functionality within the 15408/18045 framework
ISO/IEC 25959: Application of attack potential to deep-learning technologies
Collaborative Standards Development
CCUF encourages continued participation from member countries and industry experts to shape next-generation evaluation criteria for security and trustworthiness in IT systems.
The revisions to ISO/IEC 15408 and 18045 represent a major step toward modernising global IT security evaluation, ensuring relevance for emerging technologies and evolving threat models.
C-PRAV monitors key international cybersecurity standard developments to keep manufacturers and stakeholders informed of evolving evaluation requirements.