Who are we?
The acquisition of an ICT security product that will handle classified national information or sensitive information must be preceded by a process of verification that the security mechanisms implemented in the product are adequate to protect such information.
The evaluation and certification of an ICT security product is the only method available of assessing and certifying a product's ability to handle information securely. In Spain, this responsibility is assigned to the National Cryptologic Centre (CCN) through pdf Royal Decree 421/2004, 12th March (355 KB) in its Article 1 and Article 2.1, which establishes " setting up the Certifcation Body for the National Evaluation Scheme and Certification of Information Technology Security, to be applied to products and systems in its feld”
The National Cryptologic Centre (CCN) receives multiple queries from different government agencies on what products they should use to protect their systems from Information and Communication Technologies (ICT). In this respect, the OC carries out three types of Certification depending on the security aspects being evaluated, although always referring to STIC products and systems:
Certification Body (OC) is done in accordance with the Evaluation and Certification Regulation of Information technologies Security and approved by the Order pdf PRE/2740/2007, September 19th (825 KB) and in the public procedures of the Scheme established by the OC.
For both the Cryptologic Certification and the TEMPEST certification, the Certification Body bases on its own criteria and methodology.
The OC undergoes through an internal audit and an external audit every year. The internal audit is firstly carried out by CNI personnel (not belonging to the CCN) to check that the certification activity is following the rules and procedures set in each case.
The external audit is run by the National Accreditation Entity (ENAC), according to the ISO 17065, and it is necessary so that the OC maintains the accreditation as a product certification entity.