Audit of development and production environments

If IT products are certified in accordance with the Common Criteria IT security standard or EMVCo, audits of development and production environments represent an integral part of the evaluation process. The product-independent certification of these sites enables the reuse in various product evaluation procedures and thereby contributes to the reduction of costs. For many years now, TÜViT has been successfully carrying out site audits for production and development environments.


Objective of a site certification

A site certification serves to examine the implemented measures in order to ensure the integrity and confidentiality of the IT products developed/produced there. Sites can also be certified independently of IT products. This means that manufacturers of security products have the option of reusing these site certificates in a subsequent certification procedure for their IT products (such as chip cards or smart cards).

Our services at a glance

Our IT security experts assist you during the audit and certification process. After the evaluation of the manufacturer's documents for the description of the security measures implemented at the site concerned, we conduct an audit which serves as the basis for the certification. Here, the following aspects are taken into account:

  • configuration management / production flow control systems
  • security organization
  • personal security (including visitors)
  • physical security measures (buildings, development and production areas)
  • security in the process flows
  • retention and storage, transport and destruction of data and documents
  • data backup
  • emergency plans
  • delivery procedures

Typical sites which are suitable for site certifications:

  • mask houses
  • wafer production sites
  • assembly sites
  • distribution warehouses

Your benefits at a glance

  • cost reduction: once a site is certified, the products manufactured there for your clients do not need any further product-specific security audits for this site
  • time savings: the site certificate can be directly reused for further evaluation processes for IT products (such as chip cards)
  • proof of trust for your market positioning
  • quality assurance and improvement of your security infrastructure

Dr. Patrick Bödeker

Head of Department Hardware Evaluation

+49 201 8999-618
Fax : +49 201 8999-666

Further services

Evaluation Body for IT Security

With its evaluation body for IT security, TÜViT is one of the world's leading providers of testing services for IT products and systems. The evaluation body has been recognized by the German Federal Office for Information Security (BSI) since 1991 and accredited by the DAkkS, the German Accreditation Body, according to DIN EN ISO/IEC 17025.
Read more

Common Criteria

Globally-recognized security evaluations for IT components, products and systems: TÜViT is one of the world's leading testing service providers for Common Criteria. With our 50 licensed evaluators, we have successfully completed over 600 evaluation projects according to CC (from EAL1 to EAL7).
Read more


Hardware tests for more security: Hardware security modules or chip cards are used for the protection of sensitive data. TÜViT evaluates these IT products and their components in accordance with recognized international security standards and performs the necessary penetration tests in its own hardware test laboratory.
Read more


Making software subsequently secure is always complicated and expensive. This is why it is important to consider the subject of IT security at the beginning and throughout the entire life cycle within the framework of a Common Criteria (CC) evaluation.
Read more

Technical Guidelines of the BSI

Security for government applications and health data: TÜViT is recognized by the German Federal Office for Information Security (BSI) as an evaluation body for Technical Guidelines (TR).
Read more

FIPS 140-3

Testing of crypto modules and crypto algorithms: The TÜViT test laboratory is approved by the National Institute of Standards and Technology (NIST, USA) for testing and validation according to FIPS PUB 140-3.
Read more

Electronic Payments

Components that are used within electronic payment systems must fulfil specific security standards and require corresponding approvals. TÜViT performs these approval procedures in its capacity as an accredited security assessor.
Read more


The FIDO Alliance has developed open standards especially for authentication solutions, allowing manufacturers to objectively demonstrate the security of their products. As a security laboratory accredited by the FIDO Alliance, TÜViT is entitled to perform corresponding evaluations.
Read more


TÜViT carries out security assessments throughout the entire product life cycle process in accordance with the NESAS standard. This enables us to offer network equipment manufacturers a complete audit and testing portfolio from a single source.
Read more