Before an ICT security product that will handle classified national information or other sensitive information is acquired, it must be checked that the security mechanisms implemented in the product are adequate to protect that information.
The evaluation and certification of an ICT security product is the only objective means to assess and accredit the product's ability to handle information securely. In Spain this responsibility is assigned to the National Cryptologic Centre (CCN) by Royal Decree (RD) 421/2004 of 12 March.
The Certification Body (OC), as regards the functional certification of IT security, operates under the Regulation on the Evaluation and Certification of Information Technology Security, approved by Order PRE/2740/2007 of 19 September. That Regulation is supplemented by the OC's own internal rules, adapted to the requirements it must meet to be recognised as an ICT security certification body both at national level, under the UNE-EN ISO/IEC 17065 standard, and at international level, under the Common Criteria Recognition Arrangement (CCRA).
For cryptographic certification and for TEMPEST certification, which fall outside that Common Criteria framework, the Certification Body applies its own criteria and methodologies.
An internal audit and an external audit of the OC are conducted every year. The internal audit is carried out by CNI personnel who do not belong to the CCN, to verify that certification activity is performed in accordance with the rules and procedures established for each case.
The external audit is carried out by the National Accreditation Body (ENAC) against the applicable ISO standard (UNE-EN ISO/IEC 17065 for product certification) and is a condition for the OC to retain its accreditation as a product certification body.