The assurance provided by a Common Criteria certificate is related to the date of issuance of the certificate and the evaluated configuration of the product. In cases where patches or updates have been subsequently issued by the developer, the user should investigate the changes involved as part of their normal risk management process and decide whether there is sufficient justification to warrant departing from the certified configuration by applying the patch/update.

Products where the vendor has an ongoing assurance continuity programme (involving discussion of changes with their certification body and re-evaluation where necessary) or an evaluated flaw remediation process will provide a much greater level of continuing assurance.