The ISO/IEC 27001 certification process takes place in several stages. The first stage is a review of all the documentation and guidelines currently in place for a system. Documentation is usually based directly on the requirements of the standard, but this is not required: organizations may set their own standards as long as every aspect of the standard is covered. The second stage tests the effectiveness of the existing policies in practice. The third stage is to reassess the organization periodically to ensure that it continues to meet the requirements; this keeps companies informed over time if the standards for the security management system change. The certification process is therefore based on an iterative control plan.

The Common Criteria define a protection profile (PP), an implementation-independent specification of the security requirements and protective measures for a product that could be built. The Common Criteria term for the degree of scrutiny applied to the product under test is the Evaluation Assurance Level (EAL). EALs range from EAL1 (functional testing) to EAL7 (detailed testing and formal design verification). The Common Criteria term for the product to be tested is the Target of Evaluation (TOE). A security target (ST) is a list of security requirements for a particular IT security product. In addition, the Common Criteria describe an intermediate grouping of security requirement components as a package. The term functionality in the Common Criteria refers to standardized and well-understood functional security requirements for computer systems. These functional requirements are organized around TCB entities that include physical and logical controls, startup and recovery, reference mediation, and privileged states.

DITSCAP applies to the Office of the Secretary of Defense (OSD), the military departments, the Chairman of the Joint Chiefs of Staff, the Combatant Commands, the Inspector General of the Department of Defense (IG, DoD), the Defense Agencies and DoD Field Activities (hereinafter referred to collectively as "the DoD Components"), and their contractors and agents. It also applies to the acquisition, operation and maintenance of any DoD system that collects, stores, transmits or processes unclassified or classified information. It applies to every stage of the IT or information system life cycle, including the development of new IT systems, the integration of IT systems into an infrastructure, the integration of IT systems outside the infrastructure, the development of prototype IT systems, and the reconfiguration or updating of existing and legacy systems. . . .