The purpose of the Certification Scheme is, amongst other things, to cover the authorities' and the industry's need for a cost-effective and efficient security evaluation and certification of IT products. All assessments are carried out by an independent third party. This will help strengthen confidence in and improve the level of security in IT products.
Other important goals of the Scheme are:
- to increase the IT security level in the public sector
- to provide assurance for e-commerce and other communication, nationally and internationally
- to help make the Norwegian IT industry more competitive abroad
- to simplify procurement through trust that predefined evaluation assurance levels are met.
Common Criteria (CC)
Under the Norwegian Certification Scheme, impartial third-party assessment of IT security in products is performed in accordance with the internationally recognized standard Common Criteria (CC), or equivalently ISO/IEC 15408.
CC is used in evaluating the security features of IT products and systems. It defines a framework for supervising evaluations, a syntax for specifying the security requirements to be met and a methodology for evaluating these requirements. CC is used by authorities and other organizations around the world to assess the security of IT products, and is often set as a prerequisite when procuring IT products in, for example, critical infrastructures.
Actors in the certification programme
This is the company that owns the product that is to be evaluated and certified.
The sponsor is the one who orders and finances the independent evaluation of the product.
The IT Security Evaluation Facilities (ITSEFs)
The ITSEF evaluates the product in accordance with the Common Criteria and in accordance with specified criteria for the Scheme.
The ITSEF must act impartially and neutrally. SERTIT licenses the evaluation facilities in the programme according to specific criteria. The companies must, amongst other things, be accredited as a sampling laboratory in accordance with ISO/IEC 17025, and must carry out a trial evaluation to show understanding of the Common Criteria standard and the Common Evaluation Methodology.
The certification body
In its role as a certification body, SERTIT examines and approves the evaluation laboratory's reports, prepares a certification report and issues a certificate.
Mutual recognition of certificates
As a member of the international arrangement CCRA and the European agreement SOGIS MRA, Norway has committed itself to recognizing certificates from other certificate-producing members in accordance with specified terms.
The current conditions for mutual recognition of certificates under CCRA can be found here.
The current conditions for mutual recognition of certificates under SOGIS MRA can be found here.
For further details, see SD 001E: The Norwegian Certification Scheme.