Although quantum communication systems are being deployed on a global scale, their realistic security certification is not yet available. Here we present a security evaluation methodology for a complete quantum communication system. We have subdivided the system into seven layers based on a hierarchical order of information flow, and categorised its known implementation imperfections by hardness of protection and practical risk. To illustrate the use of our methodology, we report security evaluation results of a sub-carrier wave quantum key distribution system and the follow-up interactions between the manufacturer and the security evaluation team. This has led to improvements in the system security. We hope our method enters future standards for quantum cryptography.