<![CDATA[The information technology product security certification policy in Indonesia is implemented based on BSSN Regulation 15 of 2019 concerning the Indonesian Common Criteria Scheme (SCCI). The products used in data processing should be certified for its security to guarantee information security. However, almost three years since the regulation was implemented, effect on information security has not been achieved. The focus of this study is to analyse the influence of the implementation of information technology product security certification policy on the effectiveness of information security assurance in Indonesia. Policy implementation was analysed using the theory of Edward III. Edward III's policy implementation model consists of 4 variables: communication, resources, disposition, and bureaucratic structure. Effectiveness consists of 3 variables: goal achievement, adaptation, and integration. This study used the mixed-method approach. The findings showed that simultaneously communication, resources, disposition, and bureaucratic structure have a significant effect and very strong correlation on effectiveness. From these results, it can be recommended to develop a policy communication strategy that is more effective in providing information to the public, make a timeframe and concrete target for resources variable, establish communication, coordination, and consensus with the public and private sectors to achieve a willingness and commitment to implement an IT product security certification policy, and set a timeframe and concrete targets regarding the formation of an organization that has the duties, functions and authority of IT product security certification, business processes and organizational implementation procedures.]]>
