Enhancing information security

JISEC-Scheme Documentation

Last Updated: Dec 2, 2024

Scheme documentation is regularly revised by JISEC.
Note that the latest versions of the forms should be used (CCM-02-A, CCM-03-A).
It is important to understand the contents of the latest Scheme documentation for your application procedures.

Revision of JISEC Scheme Documentation (Effective on December 15, 2023)

 In order to improve the operation of this Scheme, the related procedures and guidance have been partially revised with the aim of complying with the CCRA documents as follows. This revision came into effect on December 15, 2023.

1. Scheme documents and guidance, etc., for revision
・IT Security Evaluation and Certification Scheme Document (CCS-01)
・Organization and Operational Manual for IT Security Certification Body (CCM-01)
・Requirements for IT Security Certification (CCM-02)
・Operating Procedure for IT Security Certification Services (CCM-01-A)
・Guidance on IT Security Certification (CCM-02-A)

2. Changes to applications for Certificate Validity
On September 30, 2021, the CCRA document “Certificate Validity: Operating Procedures v1.0” was issued, which prescribes the requirements related to Certificate Validity. Based on this CCRA document, the validity period will be written on the Certificate (certification date plus 5 years).
As a transitional measure, when the product area is “Hardware (smart cards, etc.)” and the certified TOE was certified prior to September 30, 2021, the date on which this CCRA document was issued, September 30, 2026 (i.e., 5 years after the certification date) shall be set as the certificate validity date.

3. Changes to extending the Certificate Validity
The CCRA document “Assurance Continuity: CCRA Requirements v3.0” has been issued, which prescribes the Assurance Continuity paradigm. Based on this CCRA document, Assurance Continuity is defined as “a paradigm that defines Maintenance and Re-assessment and recognizes the previous evaluation in order to reuse the applicable previous evaluation results in the case a certified TOE or its environments are changed.” The term “Assurance Continuity” under the current Scheme has been changed to “Maintenance.” At the same time, the deadline for a maintenance application has been changed from “two years after the certification date” to “three months prior to the certification validity date.”
In addition, based on this CCRA document, the “Re-assessment” procedure has been introduced. Re-assessment covers the case where the certified TOE has not been changed, but changes in the attack landscape need to be assessed to check whether the TOE still reaches the same level of resistance as initially certified. The certificate validity can be extended by using the Re-assessment procedure.

4. Changes to the Application documents <Forms (CCM-02-A)>
In accordance with the partial revision of the Scheme Documentation, the following application documents have been changed, and the Application for Re-assessment form has been added.
・Application for Maintenance: (CCM-02-A) Form 2
・Request for Withdrawal of Application: (CCM-02-A) Form 7
・Request for Reissuing Certificate, etc.: (CCM-02-A) Form 9
・Request for Publication of English Version of Certification Report and ST: (CCM-02-A) Form 18
・Request for Preliminary Review of Maintenance: (CCM-02-A) Form 20
・Application for Re-assessment: (CCM-02-A) Form 23

Revision of JISEC Scheme Documentation (Effective from November 2023)

In order to improve the operation of this Scheme, the related procedures and guidance have been partially revised with the aim of promoting the digitization of procedures as follows. This revision came into effect on November 1, 2023.

1. Procedures and guidance for revision
・Operating Procedure for IT Security Certification Services (CCM-01-A)
・Guidance on IT Security Certification (CCM-02-A)
・Guidance on Approval of IT Security Evaluation Facility (CCM-03-A)

2. Changes to application procedures
Regarding the submission of application documents, the applicant and Evaluation Facility may submit the documents in electronic form (Note 1), and paper documents are not required (Note 2).
Note 1: A digital signature using a digital certificate under the organization’s name issued by a public Certification Authority is required.
Note 2: “The documentation indicating the corporate entity” shall still be submitted as an original.

3. Changes to issuing a Certificate, etc.
A Certificate, etc., will be issued as electronic data with a digital signature. Issuing a Certificate, etc., in writing as before is available upon request.

4. Changes to concluding a contract
The contract method for the Non-Disclosure Agreement to be concluded with the applicant has become an electronic contract introduced by IPA. If it is difficult for the applicant to conclude an electronic contract, it is still possible to conclude a contract in writing.

IT Security Evaluation and Certification Scheme Documentation

The following documents explain the Scheme Document, Organization and Operational Manual, Requirements for the applicant, Guidance on application procedures and Operating procedures in this Scheme.

For all relevant parties under this Scheme

Document / Overview
  • CCS-01
  • This Scheme Document prescribes "IT Security Evaluation and Certification Scheme" and basic matters related to this Scheme that need to be complied with by suppliers and users of IT products and systems as well as personnel engaged in the operation of this Scheme.
Contents
  • Purpose of the Scheme
  • Definition of Terms
  • Structure of the Scheme
  • Overview of Evaluation and Certification
  • Overview of Evaluation and ST Confirmation
  • Rights and Obligations of Applicants
  • Suspension or Revocation of Certification and ST Confirmation
  • Miscellaneous Provisions

For applicants, Evaluation Facility

Document / Overview
Contents
  • Certification Application Preparations
  • Procedures for a Certification Application and Corrections during Application
  • Overview of Evaluation and Certification
  • Assurance Continuity
  • Suspensions and Revocations of Certification
  • Miscellaneous Procedures after Acquiring Certification
  • Succession of Certification
  • Handling Complaints about a Certified Product
  • Use for the "Certification Mark"

For Evaluation Facility

Document / Overview
Contents
  • Approval of Evaluation Facility
  • Approval of Evaluator Qualification

For Certification Body

Document / Overview
  • CCM-01
    • Organization and Operational Manual for IT Security Certification Body (PDF: 475 KB)
    • Updated 2024-4-30
    • This Operational Manual prescribes policies and procedures for operating organization and certification services as the Certification Body under the IT Security Evaluation and Certification Scheme in accordance with ISO/IEC 17065 "Conformity assessment-Requirements for bodies certifying products, processes and services (JIS Q 17065)."
Contents
  • Matters that Need to be Complied with by Personnel Engaged in the Operation of Certification Services
  • Advisory boards for the operation of certification services (Management Committee, Technical Committee, Certification Committee, and Hardware Certification Committee)
  • Certification Services
  • ST Confirmation Services
  • Internal Audit
Document / Overview
Contents
  • Handling services for Reception and Acceptance of Certification Application / Certification / Assurance Continuity / Changing Records
  • Suspension or Revocation of Certification and ST Confirmation
  • Preparation and Publication of Standards and Guidance, etc.
  • Internal Audit / Document Management
Effective versions of the external documents
  • The following lists the effective version of the external documents listed in the CCM-01-A Appendix. For the effective versions of CC/CEM (standard number "CCMB"), please refer to the following CC/CEM page.
  • CC/CEM (English and Japanese)
  • ISO/IEC 17025:2017
    General requirements for the competence of testing and calibration laboratories
  • JIS Q 17025:2018
    General requirements for the competence of testing and calibration laboratories (Japanese version)
  • ISO/IEC 17065:2012
    Conformity assessment — Requirements for bodies certifying products, processes and services
  • JIS Q 17065:2012
    Conformity assessment — Requirements for bodies certifying products, processes and services (Japanese version)
Document / Overview
Contents
  • Operating Procedure for Reception and Acceptance of Application
  • Operating Procedure for Approval of Evaluator Qualification and Changes
  • Operating Procedure for Approval of IT Security Evaluation Facility and Changes
Document / Overview
Contents
  • Appointment of a Technical Manager, etc.
  • Qualification Standards, Procedure for Registration, Management, Education and Training Programs of Certifiers, and Committees

Procedures for Certification Application and Relevant Documents

The following procedures explain the items needed for the certification application. The applicants are required to understand and follow the notes and instructions below when submitting application forms.

Contact information

For further inquiries on the Scheme Documentation, please contact the following:

JISEC Administrative staff, IT Security Center,
Information-technology Promotion Agency, Japan

  • E-mail

    jisec-receipt(at mark)ipa.go.jp

Change log