By Steffen Schmack on 26.09.2023, IT Security

Certification and approval in data processing - two perspectives on tested security

Anyone who develops or procures security products will sooner or later meet the terms “certification” and “approval” (in German: Zertifizierung and Zulassung) of such a solution.

The two terms are often used interchangeably to underline a quality claim, whether in a requirements document or in a description of the implementation. In detail, however, they mean different things, and the differences are explained below.

Certification according to a standard

Certification is based on the specifications and requirements of a defined standard and is therefore a conformity assessment. Well-known examples are the “Common Criteria” (ISO/IEC 15408) and FIPS 140-2 for cryptographic modules (its successor FIPS 140-3 refers to ISO/IEC 19790).

The security solution is subjected to a formalized evaluation according to the methodology on which the standard is based. In a “Common Criteria” evaluation, the product (the Target of Evaluation) is tested against a Security Target: a defined set of security claims that the manufacturer makes for it, evaluated to a chosen Evaluation Assurance Level (EAL). The examination covers not only the technology itself but also the design documentation, the development processes and the organizational environment in which the solution is created.

The evaluation itself is usually carried out by an accredited evaluation facility, and the certificate is issued by a separate certification body. In Germany, the Federal Office for Information Security (BSI) acts as the certification body for the Common Criteria.

If the outcome is positive, the certificate attests that the examined security solution has been developed and implemented in accordance with the requirements of the standard. A certification (e.g. according to the “Common Criteria”) is recognized internationally through mutual-recognition arrangements, although that recognition is limited to certain assurance levels (the CCRA recognizes components up to EAL2 and collaborative Protection Profiles; the European SOG-IS agreement goes further). The certificate is tied to the exact product version and configuration that was evaluated; a new version requires re-evaluation or a formal maintenance procedure.

Approval as operating license

An approval permits the use of a security solution for processing information that has an official need for protection with regard to its confidentiality. It is comparable to an operating license for aircraft, rail or motor vehicles: it says where and for what the product may be used.

Approval is therefore a national matter. It regulates the use of security products for processing officially classified information (Verschlusssachen, VS) up to a specific classification level.

In recent decades, the approval procedure has evolved from an individual assessment of what used to be predominantly hardware-based solutions into a more complex and formal procedure that now also looks closely at the conditions under which the solution is developed. It is therefore not surprising that the approval methodology in Germany draws heavily on that of the “Common Criteria”.

Here too, the procedure is generally carried out with the involvement of accredited evaluation facilities, and the approval is granted by the BSI as the national approval authority. Like a certificate, the approval is tied to the product version that was examined.

Conclusion for users of certifications and approvals

Both a successful certification and a successful approval give a security solution a robust, independently obtained quality assessment of its implemented security functionality.

Users who process classified information of a certain classification level in Germany are legally obliged to use products approved by the BSI; for them there is no choice. A successful certification according to the “Common Criteria” is not a substitute for approval, but it is a good indication that the manufacturer would also pass an approval procedure.

All other users are free to use either certified or approved solutions to secure confidential data processing, and in both cases they can rely on a security performance that has been independently tested.

SPIRIT/21’s experience in deploying both certified and approved solutions can support you, our customer, in making such decisions.

Steffen Schmack

Senior Consultant Security

Steffen is our expert on security, well versed in both theory and implementation, at product level as well as application level.