How to certificate a product

Before purchasing an ICT security product that is going to handle classified national information or sensitive information, a process should be run to check that the product’s security mechanisms are suitable to protect this information.  Evaluation and certification of an ICT security product is the only objective way of being able to assess and confirm a product's capability to handle information securely.

The Certification Body (CB) certifies security for Information Technology products and systems, according to the Regulation for Evaluation and Certification of Information Technology Security, approved by order PRE/2740/2007, of 19 September, after considering evaluation reports issued by the approved laboratories, among other proof, carried out in compliance with the criteria, methods and standards for assessing security mentioned in the Ministerial Order.

Certification procedure:

  1. The applicant should contact one of the three approved laboratories in the National Evaluation and Certification Framework for Information Technology Security. (See Approved Laboratories)
  2. The laboratory will evaluate the subject and will issue the Certification Body with a technical evaluation report.
  3. Based on this report, if appropriate, the Certification Body director will draw up a Certification Report using the results and conclusions from the evaluation, and subsequent monitoring, which will be sent to the certification applicant for information purposes.
  4. The certification application decision will state the scope of the certification that has been awarded, the date that this certification comes into force and how long it will last.


The whole product is not certified, just the product's security functional features up to a certain level, specifically, the functional feature specified by the Declaration of Security, a document that should be attached to the certification application form to be able to start the process.