Common Criteria (CC) assessment scheme

Common Criteria (CC) is an internationally recognized certification scheme that provides formal recognition that a product meets its Information Assurance (IA) requirements.

It provides assurance that a developer’s claims about the security features of their product are valid and have been independently tested against recognized criteria.

Products are tested against a protection profile which defines how they should operate. Products must either:

  • Claim conformance to a collaborative protection profile
  • Claim conformance to a UK-endorsed national protection profile
  • Be categorized under one of the SOG-IS IT technical domains, with the agreement of NCSC

Commercial Evaluation Facilities (CLEF) provider

Security evaluations are carried out by independent Commercial Evaluation Facilities (CLEFs). BSI Cybersecurity and Information Resilience is an approved CLEF.

Common Criteria assessment steps

During the assessment we will work through three core stages involving the following tasks:


  • Review the security target
  • Produce an Evaluation Work Programme (EWP)
  • Task start-up review
  • Set up test environment
  • Maintenance of technical records


  • Review security target
  • Evaluation (including functional testing and penetration testing)
  • Producing observation reports
  • Attend evaluation progress reviews

Reporting and close out

  • Reporting the detailed results of the evaluation
  • Drafting the certification report
  • Completing close out documentation and supporting the return of customer equipment

These steps will be carried out for your chosen product. Your certification will only apply to the version of a product that was assessed, although assurance maintenance plans can extend the certificate as the product evolves.