Short interview

What are the Common Criteria?

13th July 2017

Against the backdrop of an increasingly networked world and the need for ever greater security in the field of IT, the Common Criteria (CC) are growing in importance. In a short interview, Markus Wagner from TÜViT explains what this term actually means and how IT products, components and systems are becoming safer thanks to CC.

#explore: What are the Common Criteria?

Markus Wagner: Common Criteria, in the IT sector often simply shortened to CC, are an international security standard for software and hardware products. In plain language this means that these criteria for IT security are valid throughout almost the entire world. The Common Criteria describe various functional safety requirements in order to achieve previously specified security objectives. At the same time, the Common Criteria define requirements for testing which ensure that the security of the tested product can be trusted.

A handful of countries – including Germany, the USA and Great Britain – established the Common Criteria as early as 1998. Many others have taken over the standards over the years. For the clear aim of the Common Criteria is to ensure the highest possible level of IT security all over the world.

“Around 50 inspectors have been engaged in evaluation and investigation of software and hardware security according to these international standards.”

Markus Wagner

#explore: The term ‘EAL Levels’ is always coming up in connection with Common Criteria. What does this mean?

Markus Wagner: EAL is the abbreviation for Evaluation Assurance Level, which refers to the security evaluation level. The EAL levels each contain a specified set of tests which have to be performed in order to gain certification according to Common Criteria. The higher the level, the more demanding the precise requirements for the test methods and the scope and depth of testing, enhancing the trust in the tested software and hardware. The main objective at all levels is analysis of possible security gaps and weaknesses, and the testing can last for several months.

#explore: Where do the Common Criteria touch the work of TÜViT?

Markus Wagner: We are one of the leading international providers in this area – and the German Federal Office for Information Security – BSI – already recognised TÜViT as a test institute for security evaluations more than 25 years ago. TÜViT has also been accredited in the Japanese Certification Scheme since 2007 for evaluations based on the Common Criteria.

Several departments now carry out work connected with the Common Criteria: since 1991 around 50 inspectors have been engaged in evaluation and investigation of software and hardware security according to these international standards. In addition, our IT security experts create security profiles for many different areas – including, for example, biometric systems, e-health, smart metering and database management systems on behalf of the BSI or other interest groups. TÜViT also offers workshops for IT companies and supports them in creation of in-house security specifications and manufacturer documentation.


Since 2012, Markus Wagner has been responsible for IT security evaluations as project manager at TÜViT. Markus has a degree in commercial information technology, and he specialises in Common Criteria.

In addition to his main subjects of digital signatures, smart meter gateways and database management systems, Wagner also works on technical rules and regulations on behalf of the BSI. He also advises various manufacturers on how the functional safety requirements of the CC have to be implemented in connection with security evaluations.