// COMMON CRITERIA CONSULTING

End-to-end process guidance for ISO/IEC 15408 evaluation.

Consulting for the evaluation of IT product security under the international mutual recognition agreement (CCRA) framework.

// WHY KRITERA

Among the few CC consultants in Turkey

ISO/IEC 15408 evaluation is a complex 9-18 month journey. Kritera has successfully delivered projects from EAL2 through EAL4+.

01

EAL2 – EAL4+ Experience

Completed evaluations in domestic HSM, smart card, cryptographic module and firewall product lines.

02

TSE Accredited Lab Connection

Close working experience with TÜRKAK-accredited evaluation labs such as TSE and Beam Teknoloji. Coordinated communication throughout.

03

Manufacturer Workshop

Security Target preparation hand-in-hand with your engineering team — not just docs, but a defensible reflection of the product’s real architecture.

// PROCESS

Common Criteria evaluation journey

MONTH 1

Target Definition

EAL selection (business goal + budget + time), Protection Profile (PP) selection or custom Security Target design.

MONTH 2-3

Security Target (ST)

ST preparation: TOE (Target of Evaluation) definition, security problem definition, security objectives, security functional requirements (SFR), security assurance requirements (SAR).

MONTH 3-6

Development Evidence

Development documentation (ADV), test documentation (ATE), guidance documents (AGD), life-cycle support (ALC), vulnerability analysis (AVA).

MONTH 6-9

Lab Evaluation

Accredited lab’s trial tests, document review, Q&A cycles. Kritera coordinates these cycles.

MONTH 9-12

Certification

Lab’s final report, approval by Certification Authority (TSE in Turkey), issuance of CC certificate, listing in CCRA.

// PITFALLS

Five most costly mistakes in the CC process

40% of CC certificate applicants in Turkey fail on the first attempt. The five most common mistakes:

Wrong EAL choice

Aiming for EAL2 when the market competes at EAL4+ (or vice versa). Solution: market + budget + time analysis.

Generic ST writing

Copy-paste Security Target — rejected at lab. Solution: Defensible ST based on the product’s REAL security architecture.

Misaligned development process

ALC documents don’t reflect the actual SDLC. Solution: Make SDLC CC-compatible before certification starts.

Insufficient test evidence

ATE_FUN test artifacts are missing or not repeatable. Solution: Automated test framework, version-controlled test evidence.

Superficial vulnerability analysis

AVA_VAN treated like a checklist. Solution: Real vulnerability discovery, approached the way a penetration test would be, followed by systematic remediation.

// CONTACT

CC evaluation roadmap for your product

Free pre-assessment for EAL selection, scope, duration and cost.