Enhancing information security
Last Updated:Jul 19, 2022
The assurance continuity is the mechanism that the certification can be maintained if it can be confirmed that the changes do not impact on the evaluated security functions though the certified product is upgraded by bug fixings, or manual amendments.
Assurance Continuity recognizes that as changes are made to a certified TOE or its environment, evaluation work previously performed need not be repeated in all circumstances. Assurance Continuity therefore defines an approach to minimizing redundancy in IT Security evaluation, allowing a determination to be made as to whether independent evaluator actions need to be re-performed.
As a result, Assurance Continuity enabled developers to provide assured products to the IT consumer in a timely and efficient manner.
The developer should report that it doesn't impact the assured level of security at all by one or more changes to TOE recognized as an Impact Analysis Report. It is necessary to execute an enough inspection with a technical background for that.
If the assurance continuity is repeated several times, please confirm there is no impact in not only the difference from the last changed TOE but also the change in total from the original TOE.
Currently, the period for acceptance of assurance continuity is specified "within five years after taking the certification with CCV3.1" in JISEC. However, the period is scheduled to be reviewed.
A developer can only submit an Impact Analysis Report to the same evaluation facility under which the original evaluation was conducted.
Creation of "Impact Analysis Report".
The applicant makes "Impact Analysis Report" to prove that the succession product doesn't influence to the assurance level of the certified TOE.
Please describe it according to the composition described in "Impact Analysis Report Preparation Guidance". The description forms other than the chapter composition are arbitrary and there is no fixed format.
Prior review of "Impact Analysis Report".
The certifying body confirms the validity of the assurance continuity before accepting the application.
The applicant requests a prior review of "Checklist for Assurance Continuity Application" (Addendum of "Impact Analysis Report") and "Impact Analysis Report" to the certified body.
Please send documents with information of the certification number to JISEC mail address when you request a prior review.
If there is no incompleteness in the above-mentioned documents submitted to the certifying body, the receipt number and the acceptance day are informed to the applicant.
Please note that you might have to resubmit the application form within the assigned timeframe, for reasons such as an incomplete form or a missing signature.