The framework consists of four phases:
- In the context phase, the software system is described along with its desired security properties and assumptions. This is the basis for the rest of the evaluation and will be part of the public audit report.
- The threats phase identifies possible attacks against the software system and the measures that mitigate each of them.
- In the implementation phase, the code and configuration of the software system are inspected.
- The verification phase looks at how the development organization verifies whether the implementation really is secure. This should not be confused with the assessment that an auditor performs on the implementation.
In each phase, developers create something that an auditor can assess. The exact developer actions and audit criteria are described within the controls.