Enhancing information security

JISEC-First Time Applicant - Evaluation and Certification Processes

Last Updated:Oct 4, 2010

1 Preparation Step

1.2 Determination of Evaluation Facility

  • To determine the suitable evaluation facility for your TOE evaluation, in consideration of the area of specialty of evaluators or evaluation facilities, schedule, evaluation fee and so on.

  • Confirm the EAL that the evaluation facility is approved and check the type of TOEs that the evaluation facility has experienced.

  • Select the evaluation facility after adjusting the schedule and cost.

  • Make a contract with the evaluation facility including NDA.

1.3 Application for Certification

  • An applicant should remit an application fee.
  • To submit one copy of each of the following application forms and two copies of ST to the Certification Body.
    • ・Application for Certifications (Form 1)
    • ・Evidence showing the corporate entity
    • ・Written Oath (Form3)
    • ・ST (two copies)
    • ・List of the evaluation deliverables
    • ・Nondisclosure Agreement (Form 12-1)
    • ・Request for Publication of "In Evaluation"
    • ・(Form 11, according to the request)
  • In addition, following documents must be submitted to the Certification Body by the Evaluation Facility.
    • ・Evaluation Work Plan (Form 4)
    • ・Checklist for Impartiality and Independence of Evaluation (Form 5)
  • Please refer to "Application" for more details.

1.4 Kickoff Meeting

  • The aim of the Kickoff Meeting is to agree the suitability of proposed TOE for evaluation, to discuss the evaluation and certification process for the TOE and the schedule, and to clear the concerns.

2 Evaluation Work Step

The purpose of the evaluation is to determine whether the TOE Security design is suitable, whether the TOE Security Functions fulfill the Security Requirements described on the TOE design and whether the TOE is developed based on the TOE design and free from exploitable vulnerabilities.

The following activities are included;

  • Confirmation of the ST.
  • Confirmation of the Evaluation Deliverables.
  • Evaluation of the TOE, including analysis and testing;
  • Production of any Observation Reports (ORs) by the evaluation Facility and response to the ORs by the applicant;
  • Site visit;
    (An applicant should accept the site visit of the Evaluation Facility and the Certification Body.)
  • Production of the Evaluation Technical Report (ETR) by the evaluation Facility.

An applicant should submit Evaluation Deliverables in a timely manner to the Evaluation Facility concerned pursuant to the predetermined schedule of delivery.

Evaluation deliverables may include:

  • Items of hardware, firmware or software which constitute the TOE itself;
  • Items of hardware, firmware or software which constitute
  • the TOE platform(s);
  • Supporting TOE documentation;
  • Guidance documentation;
  • Access to the development site;
  • Supporting Evaluator Test;
  • Technical support.

3 Certification Work Step

The Certification Body verifies the validity of the evaluation according to CC/CEM.

3.1 Certification Review

  • The Certification Body reviews the ETR. When any problem is identifies with them, the Certification Body issues Certification Review to the Evaluation Facility.
  • An applicant should confirm the ETR and take any necessary measures in case the applicant finds any incorrect information or misapprehension in the report, in consultation with the Evaluation Facility and request for corrective action.

3.2 Certification Report

  • The Certification Body issues the Certification Report which is the summary of the Evaluation technical Report on the TOE as well as the matters confirmed in the verification process for the Evaluation technical Report.

3.3 Certificate

  • The Certification Body issues the Certificate to prove the results of an evaluation.

4 Publication Step

4.1 Publish to the Web

  • According to an applicant request, the information of certified product (ST, Certification Report and Certificate) can be listed on JISEC web site and CCRA web site as specified by the application.