The Digitalist Team
August 27, 2020

How to Choose Your Common Criteria Evaluation and Test Laboratory


min reading time

IT vendors often use the Common Criteria (CC) framework for providing clients assurance that their products comply to international standards for information security. To verify claims that a product complies to CC standards, you need to submit your product to evaluation through a testing laboratory.

Choosing a testing laboratory is an essential part of CC compliance. It is also a challenging process as the lab that you choose may impact whether or in how much time you gain the CC certificate for your product. Here are a few questions to ask yourself when choosing your common criteria evaluation and testing laboratory:

What is the lab’s track record of successful evaluations?

As the evaluation process is time-consuming, you should ensure that the lab you choose has a long record of successful evaluations. A successful evaluation is completed on time and on budget. It should also result in the desired CC certificate for your product. Choosing a lab with only a few evaluations may increase the risk of delays, keeping you from releasing your product on time.

Does the laboratory help evaluate different CC schemes?

Depending on the markets you plan to reach with your product, you may need to obtain multiple certificates. For example, you may require evaluations for CC certification through the US via NIAP CCEVS or in Europe via SOGIS member schemes. The right testing laboratory should have the qualifications to pursue the certifications that you require.

Does the laboratory have experience with similar technologies?

If a testing laboratory specializes in  a certain product sector,, they may not have the knowledge needed for evaluating IT security-related products. Always inquire about past evaluations and determine whether the laboratory has experience evaluating  products in an efficient way.

Does the laboratory offer suggestions for improving products?

The best evaluation laboratories go beyond basic cybersecurity testing. They provide detailed reports of their evaluations’ findings and help identify potential issues with your product. This may include issues that impact performance or user experience. The lab that you work with should also provide copies of their evaluation reports. Your designers or developers may require the insight provided by the report to address any weaknesses. Choosing a laboratory which provides readiness assessment services and consultancy is always a good choice.

What accreditation and credentials does the laboratory possess?

After asking these questions, you should inquire about the laboratory’s accreditation and credentials. Find out if they are accredited to complete CC evaluations that meet domestic and international standards. As with any service, we recommend that you compare options before choosing a testing laboratory. Remember to inquire about the experience of the lab and their ability to pursue the certifications that you require.

You can check CCLab’s accreditations and client references at

CCLab has great experience with 20+ successful CC evaluation projects delivering some of them within 4 months.

Entering the European market you may need a laboratory like CCLab which is accredited under the Italian scheme (OCSI) and has qualified evaluators working under the German scheme (BSI) as well.

To avoid the top 5 Common Criteria Evaluation mistakes please check the following video:

Related news