Javascript doesn't seem to be switched on - Some parts of this FMV web site don't function optimal without javascript, check your browser's settings.

This website use cookies. Cookies are used to ensure that the website function in the best way possible. If you continue without changing the settings in your computer you allow cookies to be used. Learn more about cookies and how they are used on this website.


This is where you are now:

Start / Our activities / CSEC - The Swedish Certificati… / Evaluation and certification

Evaluation and certification

The cornerstone of the Scheme is the process of evaluation and certification, whereby security evaluations are carried out by licensed IT Security Evaluation Facilities (ITSEF) and certifications are carried out by the Certification Body.


Evaluation is the assessment of an IT product or a protection profile against the Common Criteria using the Common Methodology for Information Technology Evaluation (called the Common Methodology or CEM) to determine whether or not the security claims on the product or protection profile are justified.


Certification is the formal approval of an IT product or protection profile based on the result of the evaluation, and is performed by the Certification Body. The certification will result in a certification report (CR), and for successful certifications, a certificate will be issued for the IT product or protection profile.

Roles within the Scheme

  1. Sponsor
  2. Developer
  3. ITSEF
  4. Certification Body


The Sponsor is the organisation that pays for the evaluation, applies to the Certification Body for certification, contracts with the ITSEF, and arranges for Developer participation. The Sponsor and the Developer may be the same.

The Sponsor has a formal agreement with the ITSEF for the evaluation and with the Certification Body for the certification.

The Sponsor ensures that the evaluator and the certifier are provided with evaluation evidence, training, and access to facilities in a timely manner and in accordance to the Scheme. This may require an agreement with the Developer, as well.

In some instances, more than one Developer may be involved in an evaluation, for example, in cases where subcontractors are involved in the development of an IT product, or where different organisations are responsible for developing different components of the product. Under such circumstances, it is essential for the Sponsor to ensure the cooperation of all parties.

The obligations of the Sponsor in an evaluation are detailed in Scheme publication SP-002 Evaluation and Certification.

SP-002 Evaluation and Certification (pdf)


The Developer is the organisation that produces the product to be certified. The Developer, which may be the same as the Sponsor, is responsible for supporting the evaluation by making evaluation evidence available.

If the Developer is distinct from the Sponsor, it may be necessary that the Developer and the Sponsor agree how to support the evaluation. At higher evaluation levels, extensive Developer documentation is required; if this documentation evidence is not delivered as scheduled, the entire evaluation could come to a stop.

The obligations of the Developer in an evaluation are detailed in Scheme publication SP-002 Evaluation and Certification.

SP-002 Evaluation and Certification (pdf)


An Evaluation Facility licensed by the Certification Body to operate under the Scheme is called an ITSEF. The ITSEF is responsible for the assessment of the protection profile or the target of evaluation by performing the evaluator actions required by the Common Methodology and the Scheme.

An evaluator working for an ITSEF requests all necessary evaluation evidence from the Sponsor or the Developer. The evaluator also may request other support, such as training by the Developer, or clarifications or advice from the certifier assigned to the evaluation by the Certification Body.

The evaluator produces the evaluation reports that are submitted to the Certification Body, such as single evaluation reports (SER) and final evaluation report (FER).

An ITSEF must:

  • observe all rules of the Scheme as laid down in the Scheme documentation and interpreted by the Certification Body
  • be accredited by an authorised accreditation body, in accordance with ISO/IEC 17025 (formerly, ISO Guide 25) or be directly appointed by the government
  • ensure that the status of each of its individual evaluators is recognised by the Certification Body
  • keep the Certification Body informed about the progress of ongoing evaluations and about any changes that might influence its ability to fulfil the requirements of the Scheme

The ITSEF is subject to supervision by both the Certification Body and the accreditation body as appropriate to ensure that it meets its obligations.
The ITSEF and the Certification Body must be independent organisations.

Further details of the obligations for ITSEFs are found in Scheme publication SP-004 Licensing of Evaluation Facilities.

SP-004 Licensing of Evaluation Facilities (pdf)

Certification Body

The Certification Body provides independent confirmation of the validity of evaluation results by overseeing the evaluation process. This oversight is performed by certifiers working for the Certification Body.

The certifier oversees an evaluation by reviewing the single evaluation reports and the final evaluation reports produced by the evaluator, by witnessing the evaluator's site visits, and by witnessing the testing of the product. The results are documented as technical oversight reports (TOR). The certifier also may provide support to the evaluator regarding Scheme matters, interpretations of the Common Criteria, etc.

To ensure uniform application of the Common Criteria, the Certification Body itself is being reviewed and audited according to the rules and regulations for accreditation as well as according to the regulations for applicable arrangements on mutual recognition of Common Criteria certificates. The use of interpretations to document clarifying statements made by the Certification Body is aimed at ensuring consistent and uniform use of the Common Criteria and the Scheme rules.

1. Evaluation contract between the sponsor and developer

  • Evaluation and certification of a product of the assurance level EAL 2 or higher requires the involvement of the developer
  • These evaluations requires that the evaluation company (ITSEF) is given access to technical product documentation that the developer owns

2. Ordering the evaluation

  • The sponsor contacts the evaluation company who will carry out the evaluation
  • Together with the evaluation company, the sponsor provides evidence for the Certification Application

3. Ordering the certification

  • Once the Certification Application with relevant data is completed, the sponsor sends these to CSE
  • CSEC reviews the application and delivers a tender to the sponsor
  • Based on the terms of the tender, the sponsor then orders a certification

4. Product with describtion

  • The developer (or sponsor) delivers the product to the evaluation company
  • For EAL 2 or higher, the developer will deliver evaluation documentation to the evaluation company

5. Evaluation reports

  • The evaluation company carries out the evaluation according to the evaluation methodology and documentation in the certification scheme
  • The results of the activities are documented and reported to CSEC

6. Reviewed reports

  • CSEC monitors the evaluation and conducts independent reviewes of the results of the evaluation
  • The results of the review and monitoring are reported to the evaluation company for eventual measures

7. Certification Report

  • Based on the Final Evaluation Report from the evaluation company, CSEC compiles a Certification Report
  • If the product meets the specified requirements, CSEC issues a certificate

Hint about this page

Fill in the form to send a link to this page.

Fields marked with * are compulsory.

* The field is compulsory

Published: 2011-11-22 14:31. Changed: 2017-09-13 10:28. Responsible: Show e-mail address.

Dag Ströman


Dag Ströman

Head of CSEC
Phone:+46 8 782 40 00

External links

Links open in new window.

  1. atsec information security
  2. Combitech

Common Criteria

CC is an international standard used for independent evaluation of IT security.