Friday, April 1, 2016

The Vatican Signs the ISO/IEC 15408 International Recognition Arrangement (I2RA)

Recognizing the need for secure IT products in all regions of the world, and in support of an internationally agreed Arrangement allowing for the mutual recognition of independently evaluated and validated information technology (IT) products, the Vatican has decided to sign the ISO/IEC 15408 International Recognition Arrangement (I2RA) and has started to validate the security evaluations of IT products.

Vatican City

The I2RA was established in 1996 and was used as the basis for mutually accepting certificates for the assurance of IT products. At that time it was in competition with another arrangement called the Common Criteria Recognition Arrangement (CCRA), which some nations viewed as the more attractive option.

The I2RA signatories therefore started a process to weaken the CCRA, thus strengthening the importance and influence of the I2RA. In the end, this process was successful.

The Vatican has announced that it has joined the existing signatories to the I2RA as the first Certificate Authorizing member. This provides much needed value to the existing certificate-consuming members¹ of the arrangement.

atsec's Vice President, Fiona Pattinson, stated:

"Convincing the Vatican to join this hitherto little known Arrangement has been a long-term goal of atsec. Drawing from our long experience in helping nation-states to establish validation schemes under the now obsolete CCRA, it seemed natural to help the Vatican to establish an evaluation and validation Scheme within the I2RA in order to continue to support those developers that wish to demonstrate to assurance-consumers that their products offer a modicum of assurance in their security functionality."

The Vatican has set up its own evaluation facility that analyzes IT products for compliance with ISO/IEC 15408 in context with divine security principals and a newly established policy that eliminates security flaws using a new vulnerability assessment and mitigation technology named 'exorcism'. Details of this technology have not been published but the Vatican has stated that this technology has been very successful in the past for projects performed in other areas.

Objections came from several Intelligence Agencies who stated that international mutual recognition of evaluations not performed under their control, and resulting in the eradication of a large number of vulnerabilities, may have a negative influence on their ability to perform the work they are supposed to do. They also objected to the use of 'supernatural' assessment methods claiming to provide a high level of assurance.

Some Voodoo priests in the Caribbean have announced that they are also considering setting up a security evaluation and validation scheme and will potentially convince their countries to join the I2RA.

¹ including Atlantis, Caledonia, Tatooine, Dagobah, Rivendell, Gondor, Equestria, Estovakia, Grand Fenwick, Krakozhia, Loompa Land, Moldavia and Molvanîa, Oceania, Qumar, Rohan, Shangri-La, Republic of Tirania, and the United Federation.


  1. Sign me up! Are they strict conformance or exact?

  2. I believe that the Vatican's policy mentions "Religious Conformance". However this term is not defined in ISO/IEC 15408.

  3. I tried doing an informal trial run based on their previous evaluation projects, but every machine I have shuts down after the holy water test. They just spark, hiss, smoke, and smell of sulfur. Do you know if they will be accepting feedback on their process? As it stands I'm unsure if I passed.

  4. Daniel,
    This is a problem that we often encounter when developers try to run their own tests. My bet is that you are not accredited to ISO/IEC 17025 and are not following the correct calibration process.

    How did you calibrate the holy water? We found that the published method did not meet all the requirements of ISO/IEC 18045 and so developed our own lab procedure for calibration. In our lab we boil one (U.S.) cup of the water, at sea-level for 255 minutes before applying it to the machine.

    We have had this revised procedure accepted during an independent audit.

