The technical evaluation of a product is generally performed by BSI-accredited and -licensed evaluation facilities, which the applicant can choose from freely. In addition to the BSI, the evaluation facilities are also available to provide advice on every aspect of the process.
In principle, yes. If the relevant system is made up of individual products from various manufacturers, the manufacturers may submit a joint certification application, or separate coordinated applications.
For IT systems, certification in accordance with the IT-Grundschutz Catalogues may also be relevant. The IT-Grundschutz Catalogues contain recommendations for standard security safeguards for typical IT systems. The goal of these IT-Grundschutz recommendations is to achieve a solid and reliable security level for IT systems through the appropriate application of organisational, personal, infrastructure and technical common security safeguards.
Recognition agreements have been concluded between the BSI and certain private German certification bodies. Certificates that meet the requirements of these recognition agreements are recognised by the BSI.
To prevent the same product being certified multiple times in different countries, an agreement has been reached to mutually recognise IT security certificates -- provided that they are based on Information Technology Security Evaluation Criteria (ITSEC) or Common Criteria (CC) -- under certain circumstances.
An agreement (Common Criteria Recognition Agreement) regarding the mutual recognition of IT security certificates and protection profiles based on Common Criteria (CC) up to and including evaluation assurance level EAL 4 has been signed by the national bodies of the following countries: Australia, Canada, Finland, France, Germany, Greece, Italy, Netherlands, New Zealand, Norway, Spain, UK, USA, Israel, Sweden, Austria, Hungary and Turkey.
The 1998 agreement on the mutual recognition of IT security certificates based on the European ITSEC (SOGIS-MRA) was expanded to cover the mutual recognition of IT security certificates based on CC up to and including evaluation assurance level EAL7.
You can look up the national bodies of the countries that are signatories to the respective agreements in document
Deutsche IT-Sicherheitszertifikate (BSI-7148), 27.03.2020.
It is possible for crypto-mechanisms to be certified as part of a product's security function. The certification body can provide details.
The certification process usually certifies the latest product version. This process determines exactly which parts of the product are relevant to security and which are not. The BSI must be notified of every change that results in a new product version. If this new version needs to be certified, a new application for a certificate must be submitted to the BSI. If the changes only affect parts that are not relevant to security, i.e. that do not have a direct impact on any security feature (device drivers, for example), there is no need to trigger a re-evaluation. Otherwise, only the modified parts and their interfaces are examined in a re-certification process.
Even an EAL1, the lowest level of certification under the Common Criteria is a valuable statement for the end user regarding the security of the product being used, one which is based on processes that go far beyond the standard product tests, as described in the technical journals.
The earlier the certification starts in the development stage of a product, the more cost-effective and time-saving the process can be. Initial discussions with the BSI prior to submitting an application are free of charge. The amount of cost involved depends on the desired evaluation assurance level (EAL) [number]. The scope of the security features and complexity of the product also have a significant role to play. Testing laboratories usually prepare an accurate cost estimate for the evaluation during a pre-evaluation phase. At the end of the process, the BSI imposes certification costs on a time and material basis according to the Regulations on Ex-parte Costs (Kostenverordnung), although these represent only a fraction of the total costs (evaluation and certification).
The manufacturer will frequently have its own additional costs to bear, since it needs to make sure that the development documentation meets the Common Criteria requirements.
Certification should be applied for as early as possible, in order to allow the security criteria to be appropriately applied during the development of the product. There are many advantages of certification occurring alongside development. It is, however, possible for already completed products to be certified.
All intensive and high-quality audits take a certain amount of time. However, having the certification running parallel to the product development, which is the most common way for audits to be processed by the BSI, can sharply reduce the time required. The necessary audit steps take place step-by-step in parallel to the product development. The certificate is therefore almost always available before the market release.
Certificates are available in the following areas
IT security certifications: Certification is performed according to internationally recognised IT security criteria, for example the Common Criteria (ISO/IEC 15408). This criteria is used to evaluate a wide range of products and systems. One main prerequisite is, however, that the security properties confirmed in the certificate at the end of the procedure are in keeping with the observance of confidentiality, availability and integrity. For more details, see our section on certification.
Profile certifications: Protection profiles enable user groups and manufacturers to stipulate security requirements typical for the product class and specific services. The inclusion of protection profiles during the product development phase facilitates their evaluation, and allows the resulting products to meet the specific demands of the users effectively. Protection profiles can also be evaluated and certified.
IT-Grundschutz: Since the IT-Grundschutz catalogue is a recognised set of criteria for IT security, the BSI has developed a certification scheme for IT-Grundschutz. This means that an IT-Grundschutz certificate can be used to document that all relevant security measures from the IT-Grundschutz catalogue have been implemented for the IT system under consideration. Click here for more information on the IT-Grundschutz certificate.
Confirmations (digital signatures): For digital signatures, a certificate is required as confirmation from a trustworthy third party to prove that the cryptographic key used to generate the digital signature really belongs to the signatory. Click here for more information on digital signatures.
Approvals: IT products to be used for the transmission and processing of government classified information require approval by the BSI. Applications for approval of IT products can only be submitted by public authority users.
Any IT product that includes security functions relating to confidentiality, availability or integrity of data, i.e. hardware,, software or a combination of the two can be audited and certified for compliance with the requirements. Examples include: PC security products, operating systems, databases, firewalls, chip card readers, smart cards, (hardware and software), products for securing data transfers, digital route recorders and many more. For almost all of these examples, products have already be audited for compliance with the CC.
Normally the manufacturer submits a certification application for an IT security product/system to the BSI. However, it is also possible for a distributor to submit a certification application. The distributor must confirm the cooperation of the manufacturer in writing.
Security criteria are written in very abstract terms, precisely because they must be applicable to any possible products.
The certification of an IT product/system is supported by
The publication 'Hinweise für Hersteller und Vertreiber' (7138)
The leaflet 'BSI-Sicherheitszertifikate'
Information on the BSI website
Consulting discussions, carried out by the BSI's certification bodies
Training from evaluators and manufacturers
Example documentation for manufacturer documents
Security criteria
Guides to IT security on the basis of the Common Criteria
The following information on certification is available for users:
