- Is used to formulate security requirements on IT security
- Is used for impartial evaluation of IT security
- Is internationally recognised by the leading countries in IT security
- Is formally standardised as ISO/IEC 15408
- Is developed in close cooperation between IT security authorities in several countries
- Is considered mandatory for IT products in critical infrastructures in several countries
- Is applied in several sectors such as defense, finance, healthcare, transport and communication
What does CSEC do?
- Operates and administers rules for evaluation of IT security in products and systems according to the CC
- Licenses facilities that evaluate IT security in products and systems according to these rules
- Supervises these facilities and supports them in the evaluation process
- Certifies products used by the Swedish Defense among others
- Collaborates internationally with other certification bodies and safety authorities
- Promotes better knowledge of CC and why CC should be used as a framework for evaluating IT security products and systems
Certificates may be subject to mutual recognition according to CCRA (Common Criteria Recognition Arrangement), EA MLA (The EA Multilateral Agreement), and SOGIS-MRA (Senior Officials Group Information Systems Security - Mutual Recognition Arrangement).
International CC collaboration - CCRA
CSEC represents Sweden within CCRA as the national certification body and signatory. In these roles CSEC collaborates in the international development of CC, and provides Sweden's vote when new countries apply for membership in the organisation.
European collaboration - SOGIS-MRA
CSEC represents Sweden in the European organisation SOGIS-MRA. The organisation is based on mutual recognition of certificates issued by the member states.
The Cooperation Group for Information Security - SAMFI
CSEC is a part of SAMFI. This group consists of Swedish authorities with special assignments in the field of Information Security.
The Swedish Board for Accreditation and Conformity Assessment - Swedac
Swedac is a state agency that examines and accredits businesses or organisations based on global standards. In 2008 CSEC was accredited as Sweden's national Certification Body for IT Security in products and systems according to the Common Criteria, CC. Swedac performs regular oversight to ensure that CSEC holds the standard that forms the basis for accreditation.
An update of the Swedish scheme has been published and will be valid from the 14th of October 2019. The update has version 1.23. The update contains the following changes:
- The evaluator has to send a list of supporting documents with the application and evaluation reports.
- Irrelevant documents are removed as requirements in an application for Certificate Maintenance.
- An EAL4-only clause is added, together with a paragraph explaining that it is only allowed to put the cryptographic implementation in the environment at EAL4 and above, or if the implementation is fully evaluated in the evaluation as if it were part of the TOE.
- Minor editorial changes are made in several documents.
Changes have been made to the following documents:
Links to the documents can be found below.
Current release note
Certification scheme - Scheme Publications
You will find documents with detailed information about rules and processes, and requirements on the different parties in the certification system.