
FAQ about Security Evaluation and Certification
(ISO/IEC 15408)

Last Updated 2010-09-09

1. Scheme and Standards

2. Practical side of Evaluation and Certification

3. Application / Contract

Q1-1. What is Security Evaluation and Certification?

A1-1:

For IT products and systems procured for the digital government, the use of products whose security has been evaluated according to international standards is recommended.
Effective April 2004, IPA (Information-Technology Promotion Agency) began operating a security evaluation and certification program (the IT Security Evaluation and Certification Program) for IT-related products, in order to ensure information security. IPA acts as the Certification Body, a role transferred from NITE (National Institute of Technology and Evaluation), the former Certification Body, which had served as Japan's Certificate Authorizing Participant under the CCRA.

With regard to governmental procurement for electronic government, and to IT products and systems installed by general businesses, this program verifies and certifies the results of IT security evaluations conducted by accredited laboratories (evaluation facilities) in accordance with JIS Q 17025:2000.

Q1-2. What is the relationship among ISO/IEC 15408, Common Criteria and JIS X5070?

A1-2:

These standards are the same. (For Common Criteria, releases later than Version 2.1 are equivalent to the other standards.)

The CC project, which develops CC, and ISO/IEC JTC1/SC27/WG3, which is responsible for the standardization of ISO/IEC 15408, have a liaison relationship and are expected to maintain their collaboration.

Q1-3. What is TCSEC and ITSEC?

A1-3:

TCSEC (Trusted Computer System Evaluation Criteria) was issued in 1983 (revised in 1985) as the criteria for procuring computer systems for military use, and it influenced the development of ITSEC in Europe and of CC. It was published as one of the Rainbow Series and is commonly referred to as the Orange Book, after the color of its cover.

ITSEC stands for Information Technology Security Evaluation Criteria. Four countries, the United Kingdom, Germany, France and the Netherlands, developed it as a uniform European standard for evaluation; Version 1.2 was published and formal operation began in June 1991.

Q1-4. What is the relationship with the Information Security Management System (ISMS) based on ISO/IEC 27001 (JIS Q 27001, BS7799-2)?

A1-4:

They are independent systems.
The security evaluation and certification scheme based on ISO/IEC 15408 evaluates the implementation of IT products and systems.
The ISMS conformity assessment scheme based on ISO/IEC 27001, on the other hand, evaluates the operational management of information security.

Q1-5. What is CCRA?

A1-5:

Its official name is the Arrangement on the Recognition of Common Criteria Certificates in the Field of IT Security. It is called the Common Criteria Recognition Arrangement for short and is abbreviated to CCRA.

(1)

On October 5, 1998, an agreement on IT security evaluation and certification based on Common Criteria was prepared and made public.
At the same time, five participating countries that had already started operating their schemes, Canada, France, Germany, the United Kingdom and the United States, signed the MRA, and the framework for international mutual recognition began.
In October 1999, Australia and New Zealand joined.

Under this mutual recognition arrangement, an IT product evaluated and certified under CC in one participating country is recognized by the other participating countries.

(2)

This mutual recognition arrangement was revised in May 2005 and categorized participants into two groups: Certificate Authorizing Participants (CAP) and Certificate Consuming Participants (CCP).
The former is the category of established members.

The latter is the category of nations that do not operate a scheme domestically but accept IT products or systems certified in other countries as certified products or systems.

Previously, a certification body had to be a government agency, but a private organization is now admitted as a certification body. With this revision, the name of the arrangement was also changed from "Mutual Recognition Arrangement" to "Common Criteria Recognition Arrangement".

Six countries, Finland, Greece, Italy, the Netherlands, Norway and Spain, joined the CCRA as CCPs in May of that year. Israel, Sweden, Austria, Turkey, Hungary and the Czech Republic later joined as CCPs. Japan joined the CCRA as a CAP in October 2003. For the latest information, please refer to this page.

 

Q1-6. What are the Security Target and the Protection Profile?

A1-6:

The specifications of the Security Target and the Protection Profile are defined in the appendices of ISO/IEC 15408 Part 1. Please refer to the appendices of CC Version 3.1 Part 1.

Q2-1. What is the procedure for undergoing evaluation and certification?

A2-1:

  1. Preparation of evaluation documents such as the Security Target (by the developer or by the sponsor).
  2. Evaluation request to an Evaluation Facility.
  3. Contract with the Evaluation Facility.
  4. Certification application to the Certification Body.
  5. Evaluation by the Evaluation Facility.
  6. Writing of the evaluation report by the Evaluation Facility.
  7. Certification by the Certification Body.

Q2-2. What are the certification body and the evaluation facilities?

A2-2:

The certification body is IPA.
For the certification of IT products and systems, please refer to the "IT Security Evaluation and Certification Scheme".
To offer services as an evaluation facility, an organization must be accredited by the accreditation body (NITE) and approved by the certification body (IPA).
Currently (as of April 2008), the following four facilities are formally accredited as evaluation facilities.

(1) Information Technology Security Center Evaluation Department
(2) Electronic Commerce Security Technology Laboratory Inc. Evaluation Center
(3) Mizuho Information & Research Institute, Inc. Center for Evaluation of Information Security
(4) TÜV Informationstechnik GmbH Evaluation Body for IT-Security
   

Q2-3. How long does evaluation and certification take, and what does it cost?

A2-3:

The duration and cost differ for each evaluation, because the size of the TOE and the EAL differ in each case. For example, an EAL2 evaluation takes at least four to six months, and an EAL4 evaluation can take more than twelve months.

Costs include the evaluation facility's fee, as well as the preparation of each piece of evidence specified by the ST or CC, revisions to documents that arise during the evaluation, and testing using the actual products or systems.
The evaluation facility's fee is settled between the evaluation facility and the applicant, depending on the size of the TOE.
In addition, an application fee payable to the Certification Body is required.

Q2-4. If consulting services are received from an evaluation facility, can the evaluation also be performed by that same facility?

A2-4:

As a general rule, evaluation facilities are prohibited from providing consulting services. It is permitted only as a special case, when the independence and impartiality of the evaluation facility and its evaluators can be maintained.

Q2-5. What is TOE?

A2-5:

TOE stands for Target Of Evaluation.

A TOE is defined as a set of software, firmware and/or hardware possibly accompanied by guidance. While there are cases where a TOE consists of an IT product, this need not be the case. The TOE may be an IT product, a part of an IT product, a set of IT products, a unique technology that may never be made into a product, or a combination of these.

The scope of the TOE's functions and the TOE's external interfaces related to its security functions must be strictly defined.

Q2-6. What kind of products or systems can be a target of evaluation and certification?

A2-6:

Basically, any IT product or system (software, hardware or firmware) that has security functions can be a target of evaluation and certification.
ISO/IEC 15408 is a standard for objectively evaluating whether the security functions implemented in an IT product or system can protect information against attack.

Therefore, the target of evaluation must be able to specify the "information to be protected", the "threats (attacks) to be countered" and the "environment in which it is used".

Q2-7. If an existing product and a newly developed product are combined into one system, how is it evaluated and certified?

A2-7:

The scope of evaluation and certification is defined as the TOE (Target of Evaluation) in the Security Target (ST). Since evaluation and certification take money and time, the effective scope of evaluation and certification should be studied, and the scope with the best cost-benefit performance chosen.

Q2-8. What is required for the evaluation?

A2-8:

The evaluation uses the design documents, test documents, administrator guidance, user guidance, evidence of configuration management and so on that were used for the actual development. The documents required vary from EAL to EAL.

Q2-9. How can I develop the Security Target?

A2-9:

JISEC, the Information Technology Security Center Evaluation Department and the Electronic Commerce Security Technology Laboratory Inc. Evaluation Center (ECSEC) run various training courses on developing a Security Target.
For details, please contact each organization.

Q2-10. What is EAL?

A2-10:

EAL stands for Evaluation Assurance Level.
An EAL is a scale representing ascending levels of confidence that an IT product or system satisfies the security functional requirements defined by CC. Each EAL is a package, a subset of the assurance requirements, and the levels are arranged hierarchically.
A CC evaluation is carried out against a set of pre-defined assurance levels; seven levels, EAL1 to EAL7, are pre-defined in Part 3 of ISO/IEC 15408.
A higher level means a greater degree of rigor in assurance.

Note: An EAL does not indicate the strength of the security functions.
For details on EAL, please refer to CC Part 3.

Q2-11. Who should decide the EAL? (Developers? The procurement authority? Users?)

A2-11:

It depends. In some cases developers decide it; in others, the procurement authority or users decide it.

Q2-12. What are Functional Requirements?

A2-12:

Functional requirements are the requirements for the security functions that products and systems should implement. Part 2 of ISO/IEC 15408 organizes the functional requirements into 11 major classes.

Q2-13. What are Assurance Requirements?

A2-13:

Assurance requirements are the requirements for confirming that the security functions are actually implemented. Part 3 of ISO/IEC 15408 divides the assurance requirements into 10 major classes. (This is called assurance.)

3. Application/Contract

Q3-1. Can vendors outside Japan also apply to JISEC?

A3-1:

Yes. However, it is necessary to understand our scheme documents, which are written in Japanese. Please consult an evaluation facility from the list of Evaluation Facilities about support for the application.