The Certification Body certifies the security of information technology products in accordance with the procedure established in the Fifth Title, and following the evaluation standards, criteria and methodology listed in the Sixth Title of the cited IT security evaluation and certification regulations.
This certification is the final step of an evaluation process in which the security functions of a product or system (the target of evaluation) are evaluated according to a methodology (itself a standard) by an authorized and technically qualified independent laboratory. The objective is to check that the target of evaluation executes its security functions correctly and effectively, as stated in the corresponding documentation. The security certification of a product or system implies the recognition of the characteristics and properties set out in its Security Statement. However, the security certification of a product or system does not imply that the product is acknowledged as suitable for every scenario or scope of application. Other circumstances, such as the restrictions set forth in the Security Statement, should be taken into account in order to assess its suitability and to interpret the certificate correctly.
The OC/CCN has been operating since 2004 with several evaluation standards for ICT security, including the Common Criteria (ISO 15408), which is the most internationally recognized. This standard is used for the certification of products to be used in the Spanish eGovernment. It defines evaluation assurance levels from EAL1 to EAL7; the CCRA international agreement covers the mutual recognition of certificates for levels EAL1 to EAL2.
Royal Decree 3/2010 of January 8, which regulates the National Security Framework (ENS) in the field of eGovernment, states in its article 18 that security products with the appropriate security certification will be valued positively for acquisition by the public administration. This certification should comply with international norms and standards, and the OC/CCN will determine the criteria to be followed, depending on the intended use of the product, on the evaluation level, and on any other security certifications required by regulations.