The Italian Certification Body for Commercial IT Systems/Products


The new Italian Evaluation and Certification Scheme was established by a Prime Minister Decree on 30 October 2003. The decree states: “the ISCOM (Istituto Superiore delle Comunicazioni e delle Tecnologie dell’Informazione – Department of the Ministry of Communication) is the Italian Certification Body for security evaluation of commercial IT systems and products”.
Up to now in Italy we have had a Scheme for the evaluation and certification of products dealing with classified information, under the control of the ANS (National Security Authority). Under this Scheme the ISCOM gained experience in evaluation activities, working as an evaluation facility (Ce.Va.). Within the new Scheme for commercial applications, the ISCOM is the Certification Body (OCSI – Organismo di Certificazione della Sicurezza Informatica). In this framework, the OCSI has different tasks. The first one is the accreditation of new evaluation facilities under the commercial Scheme: the accreditation procedure verifies ISO 17025 compliance and includes an inspection visit to the candidate facility's site and a technical examination of the evaluators to check their familiarity with the international evaluation criteria.
Other important activities of OCSI are:

•  Definition of national Evaluation and Certification procedures according to the international criteria (CC/ITSEC)
•  Production of Guidelines for implementing the procedures
•  Approval of Evaluation Plans and registration of the Evaluation in the Scheme
•  Approval of Final Evaluation Reports
•  Issuing of Certification Reports and Certificates
•  Training and qualification of Certifiers, Evaluators and Assistants
•  Spreading the Information Technology Security Culture to publicize the contents and procedures of the National Scheme
•  Linking to Foreign Certification Bodies

In particular, the following Guidelines were approved on 17 February 2005:
• LGP1: Overview of the Scheme
• LGP2: Accreditation of Facilities (LVS)
• LGP3: Evaluation/Certification Procedures
• LGP4: Evaluation Activities (CEM)
• LGP5: Evaluation Work Plan
• LGP6: Production of PP and ST
• LGP7: Glossary of Terms
Finally, on the estimate that some new facilities will be accredited by the end of 2005, the new Italian Certification Body (OCSI) is scheduled to start its operational activities, i.e. the first evaluations and certifications, between the end of 2005 and the beginning of 2006.