Australasian Information Security Evaluation Program (AISEP)

Information security evaluation

The Australasian Information Security Evaluation Program (AISEP) evaluates and certifies ICT products for use in Australian and New Zealand government agencies to protect official information and communications systems. The results of successful evaluations are published on the Evaluated Products List (EPL) and the internationally-recognised Common Criteria (CC) Portal.

What the AISEP provides

The AISEP provides the framework for licensed commercial evaluation facilities, called Australasian Information Security Evaluation Facilities (AISEFs), to conduct security evaluations of IT products and systems. We oversee AISEP product testing by licensed commercial evaluation facilities.

We certify the results of the evaluation tasks performed under the program and publish the results on the EPL.

How to get a product evaluated

All evaluations must be recommended by an Australian or New Zealand government agency in accordance with the recommendation process.

Advice on requesting an ACSC evaluation is also available for developers and distributors of ICT products.

AISEP interpretations

Sometimes AISEP stakeholders need additional interpretation or clarification about our accepted IT security evaluation criteria or AISEP publications. This process is called an AISEP request for interpretation. Further detail is provided in the AISEP Policy Manual (PDF). Our current interpretations are:

Common Criteria documentation

The Common Criteria Recognition Arrangement (CCRA) is an international agreement between information security evaluation programs to mutually recognise the certified products on each other's certified products lists.

The guiding documentation for the CCRA is:

International partners

The Common Criteria Recognition Arrangement (CCRA) was established in 1998 for each international partner of the arrangement to recognise a Common Criteria certificate awarded by a certificate-authorising participant. Initially the CCRA comprised Canada, France, Germany, the United Kingdom and the United States. It now includes 26 nations. Australia and New Zealand joined the CCRA in 1999.

Consumers can be confident that each certificate-authorising participant of the CCRA ensures that evaluations are performed to high and consistent standards. This arrangement for recognising standards of IT security certification between member countries is called mutual recognition and eliminates the need for duplicating an evaluation.

This agreement is currently limited to the first two security levels of the CC, EAL1 to EAL2, without cryptographic functionality. Certifications governed by this arrangement are treated as being included on the ASD Evaluated Products List (EPL). Products certified above CC EAL2 by another CCRA scheme are considered, in terms of fulfilling Information Security Manual (ISM) requirements, to be at CC EAL2 assurance level.

Caveats may relate to the use of some products within Australian and New Zealand government agencies. This applies particularly to products employing cryptography, which require an additional review by ASD called an ASD Cryptographic Evaluation.

July 10th, 2018