Enhancing information security
Last Updated: Mar 24, 2025
This page outlines the workflow of IT Security Evaluation and Certification.
The working process of IT Security Evaluation and Certification consists of the following four steps.
Necessary preparations for submitting an application for Evaluation and Certification.
Examination of the evaluation deliverables in accordance with the CEM.
Review of the adequacy of the evaluation.
Publication on the JISEC Web.
Before applying for certification, the applicant should clarify the purpose and scope of the evaluation. If these are not considered sufficiently, unnecessary expense and man-hours are spent in the course of the evaluation and certification.
To determine the suitability of the scope of TOE for evaluation and EAL.
To describe the Security Target.
To arrange the schedule.
To identify the deliverables needed to support the evaluation.
The scope and EAL (Evaluation Assurance Level) of the TOE (Target of Evaluation) are specified.
The scope of the TOE and the EAL together determine the extent of the testing.
In short, the wider the extent of testing, the more cost and time the evaluation requires.
The evaluation period may be extended greatly if the process has to go back upstream during the evaluation because the maturity of the ST (Security Target) is low at the application stage. It is necessary to complete the ST at the first stage of the evaluation, since the evaluation is executed based on the completed ST.
Besides the IT product or IT system that is the target of evaluation, evidential materials such as the design documents used for development, test-related documents, the administrator's guide, the user's guide and so on are required for the evaluation.
The necessary materials differ according to the EAL.
Make a rough schedule, taking into consideration the preferred time to obtain certification, whether before or after the product's release.
If you plan to acquire certification in parallel with development, it is necessary to consider the allocation of development resources to evaluation support work and the mutual influence of delays in design and certification.
Assume that items pointed out as problems during the evaluation phase, for instance when a vulnerability is found and fed back to development, may affect the development schedule.
Determine the evaluation facility suitable for your TOE evaluation, taking into consideration the area of specialty of the evaluators or evaluation facilities, the schedule, evaluation fees and so on.
Confirm the EAL for which the evaluation facility is approved and check the types of TOE the evaluation facility has experience with.
Select the evaluation facility after adjusting the schedule and cost.
Conclude a contract with the evaluation facility, including an NDA.
The purpose of the evaluation is to determine whether the TOE security design is suitable, whether the TOE Security Functions fulfill the security requirements described in the TOE design, and whether the TOE is developed based on the TOE design and free from exploitable vulnerabilities.
An applicant should submit the evaluation deliverables in a timely manner to the evaluation facility concerned, pursuant to the predetermined delivery schedule.
The Certification Body verifies the validity of the evaluation according to CC/CEM.
Mar 24, 2025: The "First Time Applicant" pages have been combined into one page as "Evaluation and Certification Processes".