Implementing the “Common criteria” for cyber security evaluation of IT products

Concerning evaluation of Information Technology Security, the criteria required to conduct IT security evaluations are contained in the Common Criteria Part 1 - 3 (ISO/IEC 15408),  accompanied by the ‘Common Methodology’ (ISO/IEC 18045).

This provides an internationally accepted framework for such evaluations and details commonly accepted criteria for the design, development and evaluation of IT equipment with regard to cyber security considerations. Government agencies and corporations worldwide refer to this a prerequisite for the procurement of IT equipment.

In brief, an evaluation in accordance with the ‘Common criteria’ consists of two quality assurance aspects:

The first is an assessment of security assurance requirements (SARs), that is, a review of the processes undertaken during the development and evaluation of a given IT system or device to assess compliance with the prescribed security functionality, which depends on the intended use of the product and its anticipated risk conditions.

The second is the evaluation assurance level (EAL) where the depth and rigor of the evaluation process itself is assessed. EALs range from EAL 1, representing the most basic level of cyber security assessment, to EAL 7, representing the most rigorous process to verify the claimed level of cyber security. As EAL only concerns the evaluation process itself a higher EAL does not necessarily mean that a device is more secure. Nemko offers the necessary evaluation (EAL1-5) as well as guidance for clients who need to demonstrate compliance with the ‘Common Criteria’ for their products.

For further information and/or request for services in this area, please contact

Written by Trond Sollie
For more than 30 years, Sollie has worked with conformity assessment activities in various industrial contexts, both in Norway and internationally. He has been paramount in building relationships across organisations and borders. He has also been active in the management of the international IECEE/CB scheme for many years. Until recently, he was Board Chairman of the Norwegian standards body NEK and President of the Norwegian IEC National Committee and IECEE Member Body. He is currently an NEK Board Member and a member of the IEC-CAB (Conformity Assessment Board). He also provides consulting to authorities/bodies of several countries on conformity assessment matters. Nemko has benefitted from Sollie’s expertise, network and enthusiasm for more than three decades. Prior to his role as a senior advisor for Nemko, he was a Senior Vice President, responsible for international cooperation. He has been instrumental in developing the successful Nemko Direct programs that offer clients worldwide market access for their products, within both the electrical and telecommunications/radio product areas.

Subscribe to our newsletter!