In accordance with the BSI Establishment Act, the Federal Office for Information Security (BSI) is assigned the task of issuing security certificates for information technology products (systems or components). Product certification is completed on the basis of an application by the manufacturer or a distributor.

The certification process encompasses the technical testing (evaluation) of the product in accordance with the security criteria as generally recognised or as published by the BSI. Testing is typically carried out by a testing laboratory accredited by the BSI.
This accreditation is issued following the completion of a successful accreditation process.

Each evaluation, which aims to ensure the application of a uniform methodology and procedure, receives support from employees at the certification body. The test reports from the testing laboratories are approved by employees of the certification body. This approval involves a comparison of the evaluations with evaluations from other certification processes.

The results of the certification process are documented in a certification report. This report includes the security certificate (as a summarised evaluation) as well as the detailed certification report. The certification report includes a description of the certified product from a security perspective, the details of the evaluation process and explanatory notes for the user.

The certificates and certification report issued are published by the certification body if publication is consented to by the applicant.

In order to avoid multiple certifications of the same product in different countries, a mutual recognition arrangement for IT security certificates - assuming these are based on ITSEC (Information Technology Security Evaluation Criteria) or Common Criteria (CC) - has been agreed under certain conditions.