Your customers are asking for your product to go through a security validation. You have begun evaluating your options, have started to develop a strategy, and have decided that this is not a task you can handle on your own. Your first step will be to talk to an expert consultant.
But how do you choose one?
This answer is not as easy as it may seem, but this choice can quite literally mean the difference between success and failure in your validation efforts. You need to make the right choice.
When evaluating your options, there are several factors to consider:
- Does the consultant have experience with your product technology? Not all product technologies are the same, and having a consultant with experience in your particular area ensures that they have the experience with and an understanding of how these products go through validations.
- Do they have a staff with diverse experience, or is this an independent consultant? Engaging a consultant with a staff allows them to apply a broader base experience to your project. Additionally, your project timeline is not dependent upon one person who may get busy, sick, or otherwise distracted.
- Do they have experience in multiple countries? Particularly for a security validation like Common Criteria, there are differences in how evaluations are done in different schemes. Understanding these differences can be critical to making sure all possible validation paths are explored fully.
- Are they a testing laboratory? A common misconception is that hiring a company that will test the requirements is the best option to help you meet them. Testing laboratories are very skilled and talented at what they do. However, their point of view is necessarily limited to the countries they are accredited in. They generally don’t work with other testing laboratories or in other countries. This will limit the options they are able to explore for your validations.
- Will the consultant provide you with references from other clients for whom they have done validation consulting?
We frequently work with customers who have gone down a certification path that was chosen based on the limited experience of an unqualified consultant, rather than the best possible path for that customer. Make sure you consider the full experience of your validation consultant to ensure you are getting the best possible advice and representation throughout the process.