Common Criteria and High ENS: why they matter in IAM

The importance of certifications such as Common Criteria and HIGH ENS can be illustrated with a simple analogy: Imagine an army looking to upgrade its bulletproof vests; all manufacturers promise that their product is safe, but how can you verify that it offers real protection and that the vest truly delivers on the seller’s promises? Products that have passed rigorous testing and hold certifications proving their effectiveness will have a clear advantage. And this is precisely what platforms certified to Common Criteria and ENS High offer.

Today, organizations face pressure from two sides: tightening regulations and threats that evolve at a pace that reduces the margin for error to zero. In this scenario, certifications become a decisive asset, because they allow organizations to address both pressures: demonstrating compliance during audits and, at the same time, reducing exposure to incidents by choosing a platform whose security measures have been validated through rigorous testing.

Next, we’ll discuss what the Common Criteria and HIGH ENS entail in a sector as critical to security as IAM management, and why these certifications are key to ensuring that sovereignty, resilience, and compliance in IAM move beyond mere words and become reality.

HIGH ENS and common criteria: two foundations for trust in IAM

An IAM platform that holds both Common Criteria and ENS ALTO certifications instills immediate trust. Why? Because it is known to have undergone rigorous evaluation processes and to have evidence that can be certified by third parties. The organization implementing it, therefore, gains confidence in its identity management systems, its governance, and its resilience.

There is no uncertainty during audits, nor is it necessary to compare marketing claims or conduct extensive testing, because the evidence regarding the level of security is irrefutable.

When applied to the context of identity management, these certifications imply the following:

• Common Criteria is considered by many to be the most rigorous standard for IT security products. Recognized in more than 30 countries and based on the ISO/IEC 15408 standard, obtaining this certification in the identity management category validates the robustness of the solution’s technical architecture, while also verifying its secure development and operational reliability. 
• The ENS is a security framework established in Spain that is required of public administrations and their suppliers. In the case of ENS Alto, the requirements are stricter, as the process is designed for the highest category in terms of security needs. When applied to identity management solutions, this certification guarantees that the platform is ready to protect digital assets with validated and auditable measures.

An IAM platform certified under Common Criteria and ENS ALTO demonstrates that it has the necessary foundations to protect access, even in the most demanding environments. This advantage is further amplified when the platform also offers centralized identity management.

What high ENS and Common Criteria bring to an IAM platform

• Security: Both certifications confirm that the solution’s security controls have been tested and validated as capable of thwarting advanced cyberattacks.
• Evidence: Both are independent certifications that require tangible proof that the platform has the necessary security measures in place.
• Auditability: A platform with both certifications reduces response time during audits.
• Development and operational requirements: The certifications verify that the product has been designed with security natively integrated into its development and deployment.

Why Common Criteria and high ENS make a difference in regulated sectors

Certifications turn vendor evaluation into an objective process: with objective and verifiable criteria and without the need for internal audits, it is possible to ensure the resilience, security, and sovereignty of the chosen solutions, in addition to regulatory compliance. 

At a time when incidents involving third parties are at record levels (61% of organizations have been exposed to this type of incident), regulations are becoming increasingly strict regarding supplier risk management requirements.

In this context, the goal for CISOs and security professionals is clear: to find tools that enable them to comply with regulatory requirements while simultaneously closing security gaps and achieving full control over identities. 

At Soffid, we don’t just talk about compliance—we lead the way. That’s why Soffid’s IAM management solutions stand out in the European market: we are the only European technology company with both ENS HIGH Level and Common Criteria EAL2 + ALC CCL certifications.

Want to know what specific guarantees these certifications provide for your environment? Contact us and tell us about your situation, and we’ll show you how Soffid delivers where others only make promises.