Home Technology What happens when you get a Common Criteria certification?

What happens when you get a Common Criteria certification?

Common Criteria certification

Common Criteria certification is an internationally recognized certification in cybersecurity. Its popularity is growing every year for eligible IT products and systems. In our article below, we provide insight into this topic.

We will discuss:

What is Common Criteria and CCRA?
How can your business benefit from Common Criteria certification?
What are the main steps of the Common Criteria certification process?

What is Common Criteria and CCRA?

Common Criterion is a framework of internationally recognized and scalable cybersecurity certification requirements (ISO 15408 is its equivalent as a standard). Common Criteria certification guarantees that the related IT product’s evaluations were conducted to consistently high standards, in a rigorous, standardized, and repeatable manner.

Common Criteria and its companion, the Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for the Common Criteria Recognition Arrangement (CCRA).

CCRA is a global agreement that guarantees:

  • Common Criteria evaluation must be performed by a competent and independent licensed Testing Laboratory.
  • Based on the results of their evaluation, a range of Certificate Authorizing Schemes can provide certification of an assessed product’s security attributes.
  • Supporting documents are used throughout the Common Criteria evaluation process to clarify how the criteria and evaluation procedures are utilized when assessing and certifying specific technologies.
  • Common Criteria certifications are accepted by all CCRA member countries which means currently 31 nations.

How can your business benefit from Common Criteria certification?

In 2021, a total of 411 IT products and systems got Common Criteria certification globally, which shows an increasing trend, however, it is important to remember that because of its complexity, it is not suitable for all types of IT products and developers.

The most important advantages that your business can gain from Common Criteria certification include:

Improved security: earning certification requires passing a series of tests that can expose any weak points that you missed, meaning you can correct them before releasing the product.

Saving costs: Uncovering and resolving vulnerabilities before a product is released to the market, helps to avoid costly post-release modifications.

Stay competitive: it’s the best way to compete with existing products that already earned certification.

Expanded business opportunities: it makes your product a conceivable option for governments and government agencies that require Common Criteria certification.

Internationally recognized certification: Common Criteria certification is accepted by all 31 CCRA countries, therefore, eliminating the disadvantages of duplicated cybersecurity product evaluations and security profiles.

What are the main steps of a Common Criteria certification process?

The Common Criteria certification process is a complex method with numerous factors. We collected the main steps and procedures of OCSI (the Italian scheme) below:

Before starting the Common Criteria evaluation

  1. Choose your Lab:  As the first step of the Common Criteria certification process, you need to choose a competent and accredited Testing Laboratory.
  2. Choose the National Scheme: Common Criteria Certificate Authorizing Schemes were established by 17 different countries. Therefore these nations invented their own national programs, norms, legislation, and Certification Bodies (i.e. Evaluation Authority).
  3. Pick an EAL level: Before submitting the application to the Certification Body, the Evaluation Assurance Level (EAL) must be selected. The level specifies the security levels against which the Target of Evaluation (TOE) is evaluated. There are seven different levels.
  4. Prepare the Security Target: The next step of the Common Criteria certification process is to prepare the Security Target (ST) which is an implementation-dependent statement of security needs for a specific identified TOE.
  5. Prepare the Evaluation Work Plan: At this stage, the Evaluation Work Plan must be prepared by the Common Criteria Test Laboratory and approved by the Certification Body (CB).

During the evaluation

This stage of the Common Criteria certification process usually starts with a kickoff meeting organized by the Certification Body where multiple related topics are discussed. Access to relevant evaluation resources (e.g., developer documents, TOE, etc.) for the Evaluators is critical to properly and effectively carrying out the Evaluation Activities. Two important reports are created by the Testing Laboratory: the Activity Reports and the Observation Report.

How does the process end and what happens after?

When the evaluation process is finalized, the Laboratory produces the Evaluation Technical Report (ETR). The Report contains all of the Evaluators’ assessments and verdicts from the evaluators. Depending on the National Scheme’s or CB’s own conditions, the Certification Body provides a draft Common Criteria Certification Report (CR) typically 30 days after the ETR is approved, which is given to the Sponsor and the Test Laboratory for validation. Once both parties have confirmed the document, CB issues the Certification Report usually within thirty days, depending on the National Scheme or CB.

Upon the successful Evaluation, the Certification Body issues the Common Criteria Certification.


Cyber​​security has become one of the most important topics nowadays, since most of our devices and tools at work and in our homes are connected to networks, including the Internet. Compliance with international cybersecurity standards and regulations, including Common Criteria certification, is of paramount importance for the safety of networks and the online space.