Consultant

Also known as: Common Criteria Assessor, Security Certification Consultant, IT Security Compliance Specialist


Role Overview

Are you a meticulous professional with a deep understanding of IT security standards and a passion for ensuring product compliance? The role of a Consultant specializing in Common Criteria is paramount in today's highly regulated and security-conscious digital landscape. This position involves guiding organizations through the complex process of evaluating and certifying their IT products against the rigorous Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408) standard.

Common Criteria is the international standard for IT security certification, providing a framework for evaluating the security claims of IT products. As a Consultant in this field, you will be instrumental in helping vendors achieve this crucial certification, thereby enhancing their product's credibility, market access, and trustworthiness among customers who demand high levels of security assurance. The demand for skilled Common Criteria professionals is steadily growing as more governments and enterprises mandate certified products for their critical infrastructure and sensitive data handling.

This is a specialized yet highly rewarding career path for individuals who thrive on technical detail, analytical problem-solving, and strategic compliance. If you possess a keen eye for security vulnerabilities, a strong grasp of evaluation methodologies, and the ability to translate complex technical requirements into actionable plans, this role offers a significant opportunity to impact product security and contribute to a safer digital world.

Key Responsibilities

  • Conduct thorough security evaluations of IT products against Common Criteria protection profiles (PPs) and security targets (STs).
  • Develop and document detailed test plans and procedures to verify the security functionality of target products.
  • Perform hands-on testing of hardware, software, and firmware to identify vulnerabilities and ensure adherence to security requirements.
  • Analyze evaluation results, identify deviations from security requirements, and provide clear, actionable recommendations for remediation.
  • Collaborate with product development teams to guide them through the Common Criteria certification process, from initial planning to final submission.
  • Assist clients in developing and refining their Security Targets (STs) and Protection Profiles (PPs) to accurately reflect product security claims and target environments.
  • Interpret and apply relevant ISO/IEC standards and guidance documents throughout the evaluation lifecycle.
  • Prepare comprehensive evaluation reports, including findings, evidence, and conclusions, for submission to certification bodies.
  • Stay abreast of the latest Common Criteria interpretations, updates, and emerging security threats.
  • Provide expert advice and training to clients on Common Criteria requirements and best practices.
  • Manage multiple evaluation projects concurrently, ensuring adherence to timelines and budgets.
  • Interface with national and international certification bodies (e.g., NCSA, BSI, ANSSI) on behalf of clients.

Required Skills

Technical Skills

  • Common Criteria (ISO/IEC 15408) standard expertise
  • Understanding of Protection Profiles (PPs) and Security Targets (STs)
  • Security testing methodologies and techniques
  • Cryptography and its application in IT security
  • Network security protocols and architecture
  • Operating system security principles (Linux, Windows, macOS)
  • Secure software development lifecycle (SSDLC) principles
  • Familiarity with various hardware and software architectures
  • Risk assessment and threat modeling
  • Penetration testing and vulnerability analysis

Soft Skills

  • Analytical thinking and problem-solving
  • Excellent written and verbal communication
  • Attention to detail and accuracy
  • Project management and organizational skills
  • Client relationship management
  • Ability to work independently and as part of a team

Tools & Technologies

  • Common Criteria Evaluation Tools (e.g., CCRA tools)
  • Vulnerability Scanners (e.g., Nessus, Qualys)
  • Network Analysis Tools (e.g., Wireshark)
  • Static and Dynamic Application Security Testing (SAST/DAST) tools
  • Fuzzing tools
  • Version Control Systems (e.g., Git)
  • Documentation and Reporting Software (e.g., Microsoft Office Suite, LaTeX)

Seniority Levels

A Junior Common Criteria Consultant typically possesses 1-3 years of experience in IT security, compliance, or a related technical field. Their primary focus is on supporting senior consultants in performing evaluations. This includes assisting with test plan execution, data collection, and basic analysis under supervision. They will learn to interpret Common Criteria documents, understand the structure of PPs and STs, and begin to develop proficiency in using evaluation tools.

Expected responsibilities for a junior role include setting up test environments, running predefined test scripts, documenting test results accurately, and identifying potential security weaknesses based on established guidelines. They are expected to have a foundational understanding of IT security principles and a strong eagerness to learn the intricacies of the Common Criteria standard. Clear communication and meticulous record-keeping are essential at this level.

Junior consultants often have a background in computer science, cybersecurity, or information technology. While formal Common Criteria training is beneficial, a strong aptitude for technical details and a commitment to professional development are key. Entry-level salaries for this role typically range from $50,000 to $75,000 USD annually, depending on location and specific qualifications.

Frequently Asked Questions

What is Common Criteria and why is it important?
Common Criteria (CC), formally ISO/IEC 15408, is an international standard for the evaluation and certification of IT security. It provides a standardized framework for assessing the security claims of IT products, ensuring they meet specific security requirements. CC certification is crucial for products intended for use in environments where high levels of security assurance are required, such as government agencies, defense sectors, and critical infrastructure, as it provides a trusted assurance of security capabilities and helps in market access.
What are Protection Profiles (PPs) and Security Targets (STs)?
Protection Profiles (PPs) are generic documents that define a set of security requirements for a class of IT products (e.g., firewalls, smart cards). They represent the security needs of a particular user community. Security Targets (STs) are specific documents created by a vendor for their product, detailing the security claims and functionalities that the product offers, and how it meets the requirements of a chosen PP or its own unique security objectives. A consultant helps in developing and aligning these documents.
What kind of IT products can be evaluated under Common Criteria?
A wide range of IT products can be evaluated, including operating systems, network devices (routers, firewalls), cryptographic modules, databases, smart cards, secure hardware modules, security software (antivirus, intrusion detection systems), and even some embedded systems. The key is that the product must have defined security functionalities that can be evaluated against the standard.
What is the role of a Certification Body?
A Certification Body (CB) is an independent, accredited organization responsible for overseeing the Common Criteria certification process. They review the evaluation reports, ensure that the evaluation was conducted according to the CC standards, and ultimately issue the official CC certificate if all requirements are met. Examples include the National Security Agency (NSA) in the US, the BSI in Germany, and ANSSI in France.
What are the typical steps in a Common Criteria evaluation?
The typical steps include:
  1. Planning (defining scope, selecting PPs/STs).
  2. Evaluation (hands-on testing, analysis of documentation).
  3. Reporting (compiling the evaluation report).
  4. Certification (submission to the CB for review and approval).
  5. Maintenance (ongoing assurance activities).
Is formal training required to become a Common Criteria Consultant?
While formal training is highly recommended and beneficial, it's not always strictly mandatory. Many consultants gain expertise through on-the-job training and experience. However, accredited courses and certifications in Common Criteria evaluation are increasingly valued and can significantly enhance a consultant's credibility and career prospects.
What is the job market outlook for Common Criteria Consultants?
The job market for Common Criteria Consultants is strong and growing. As cybersecurity threats evolve and regulatory requirements for secure IT products increase globally, there is a consistent demand for professionals who can guide vendors through the rigorous CC certification process. This demand is particularly high in sectors like government, defense, finance, and healthcare.

Salary Range

$50k - $150k /year

Based on global market data. Salaries vary significantly by location, experience, and company size.

Career Path

  1. Senior Common Criteria Consultant
  2. Principal Common Criteria Consultant
  3. Technical Director, Security Assurance
  4. Certification Body Manager
  5. IT Security Architect
  6. Product Security Lead
