Protection Profiles
A Protection Profile (PP) identifies the security requirements for a particular information technology (IT) product category without specifying how the requirements are to be implemented. This is achieved by defining an implementation-independent set of security requirements and objectives for a class of IT products that meets specific consumer needs. It contains a statement of the security problem that a compliant product is intended to solve. A typical PP also includes an Evaluation Assurance Level (EAL) in its stated requirements.
An Australian Government agency may use a PP to specify the security functionality required (as defined in the Information Security Manual) for a class of security products.
A product that successfully completes evaluation against the requirements defined within the PP will be certified as complying with the PP.
Australia and New Zealand, as signatories to the Common Criteria Recognition Arrangement (CCRA), mutually recognise PPs certified by other certificate-producing CCRA Participants.
Australia has not certified a PP to date. DSD is currently reviewing PP use for Australia and more information will be available soon.
Additional Links
Further information regarding PPs is available from the following links:
- Common Criteria lists CCRA Participants’ PPs;
- NIAP describes the US approach to PPs, and lists US PPs;
- CSE lists Canada's PPs; and
- CESG lists the UK's PPs.
