IT security criteria and evaluation according to ITSEC

At the European level, the "Information Technology Security Evaluation Criteria" (ITSEC) entered into force on 3 March 1998, in the context of the EU agreement on mutual recognition of ITSEC evaluation certificates.

In contrast to the Orange Book, ITSEC distinguishes between functionality and assurance. To help define suitable functional requirements, ITSEC, partially modelled on the Orange Book, offers predefined sample classes (functionality classes).

On the subject of assurance, a distinction is made between correctness and effectiveness. One key aspect of effectiveness is an assessment of the strength of the mechanisms, graded as low, medium and high. For assessing the level of assurance in terms of correctness, six hierarchical evaluation levels, E1 to E6, are defined. E1 marks the lowest level, E6 the highest. The strength of the mechanisms and the evaluation levels are explained in more detail in the leaflet and in ITSEC itself.

The evaluation includes an audit and assessment of the security properties of an IT product in accordance with the specified IT security criteria, guided by the evaluation handbook, the "Information Technology Security Evaluation Methodology" (ITSEM).

ITSEC is no longer subject to an update or maintenance process and is now used only in specific, isolated cases.

Further and more detailed information about the topic of IT security criteria: