The certification process follows a strict lifecycle managed by a licensing scheme (e.g., NIAP in the USA, CESG in the UK, BSI in Germany).

A document specifying the exact security requirements a particular product meets, often used as the "contract" between the developer and evaluator. How to Access the PDF

But the deepest cut of ISO/IEC 15408 is what it cannot capture. It evaluates the product , not the process . You can have an EAL5+ certified operating system, installed by an intern who leaves the root password on a sticky note. The PDF has no clause for exhaustion, for laziness, for the moment a developer pushes a hotfix at 2 AM without re-evaluating the security target.