nerdexam
(ISC)2

CISSP · Question #1345

In the common criteria, which of the following is a formal document that expresses an implementation-independent set of security requirements?

The correct answer is C. Protection Profile (PP). In Common Criteria, a Protection Profile (PP) is an implementation-independent document that defines a standardized set of security requirements for a category of products or systems.

Submitted by hans_de· Mar 5, 2026Security Assessment and Testing

Question

In the common criteria, which of the following is a formal document that expresses an implementation-independent set of security requirements?

Options

  • AOrganizational Security Policy
  • BSecurity Target (ST)
  • CProtection Profile (PP)
  • DTarget of Evaluation (TOE)

How the community answered

(37 responses)
  • A
    8% (3)
  • B
    3% (1)
  • C
    86% (32)
  • D
    3% (1)

Why each option

In Common Criteria, a Protection Profile (PP) is an implementation-independent document that defines a standardized set of security requirements for a category of products or systems.

AOrganizational Security Policy

An Organizational Security Policy is a set of rules and practices defined by an organization to govern its security posture, not a formal Common Criteria document expressing implementation-independent requirements.

BSecurity Target (ST)

A Security Target (ST) is an implementation-dependent document that describes the security properties of a specific product or system (the TOE), making it the opposite of implementation-independent.

CProtection Profile (PP)Correct

A Protection Profile (PP) is a formal, implementation-independent document used in Common Criteria that specifies security requirements for a class of products without referencing a specific product. It allows consumers to define what security properties they need and vendors to build products that meet those needs. Because it is not tied to any specific implementation, multiple vendors can create products that satisfy the same PP.

DTarget of Evaluation (TOE)

A Target of Evaluation (TOE) refers to the actual product or system being evaluated under Common Criteria, not a formal document expressing security requirements.

Concept tested: Common Criteria Protection Profile implementation-independent security requirements

Source: https://www.commoncriteriaportal.org/cc/

Topics

#Common Criteria#Protection Profile (PP)#security requirements

Community Discussion

No community discussion yet for this question.

Full CISSP Practice