The Common Criteria Evaluation Assurance Level (EAL) is a globally recognized standard used to assess how thoroughly a technology product, such as software or a security device, has been evaluated for security.
It doesn’t measure how secure the product is in real life. Instead, it shows the amount of effort that security experts have invested in reviewing its features. There are seven EAL levels, ranging from EAL 1 (basic testing) to EAL 7 (most rigorous and detailed). These levels help users and organizations make informed decisions when choosing secure IT products.
What Does Common Criteria Mean?
Common Criteria, officially known as ISO/IEC 15408, is a set of international standards that guide the security evaluation of IT systems and products. Over 30 countries accept and follow these guidelines. Security evaluators use these standards to test a product’s design, development, and security functions. After completing the assessment, they issue a certification that confirms the product meets specific security requirements.
Understanding the Evaluation Assurance Level (EAL)
The Evaluation Assurance Level (EAL) is at the core of the Common Criteria certification. It indicates how thoroughly a product has been tested, not how secure it is by default. There are seven EAL levels.
A Simple Look at the Seven EAL Levels
Here’s a breakdown of each level and what it includes:
- EAL 1: Functionally Tested. Basic checks ensure the product behaves as expected. It’s fast and simple, suited for low-risk use.
- EAL 2: Structurally Tested. Involves reviewing the internal design with some developer support. It adds confidence without major effort.
- EAL 3: Methodically Tested and Checked. Requires deeper design analysis and independent testing. Good for medium-risk systems.
- EAL 4: Methodically Designed, Tested and Reviewed. Includes design documentation, code reviews, and vulnerability testing. Often used in commercial and government systems.
- EAL 5: Semi-Formally Designed and Tested. Adds more planning and structured design methods. Suitable for high-assurance systems like smart cards.
- EAL 6: Semi-Formally Verified Design and Tested. Involves advanced testing and design verification. Recommended for high-security environments.
- EAL 7: Formally Verified Design and Tested. The most rigorous level. Uses math-based models and strict procedures. Applied in highly sensitive systems, such as military-grade security.
Why the Common Criteria Evaluation Assurance Level Matters
The EAL system gives organizations a shared language to discuss security assurance.
Here’s why it’s valuable:
- Builds Trust: Buyers know the product has undergone formal security checks.
- Supports Decision-Making: Companies can select an EAL level based on their risk tolerance and use case.
- Enables Comparison: For example, two firewalls with different EALs can be compared based on how deeply each was tested.
- Globally Accepted: Thanks to the Common Criteria Recognition Arrangement (CCRA), many countries recognize EAL certifications up to Level 4.
The Evaluation Process Step-by-Step
The evaluation process involves several key stages:
- Define the Product (Target of Evaluation): The company clearly describes what part of the system will be tested.
- Choose the EAL: The developer selects a level that matches the product’s risk and function.
- Write a Security Target: This document outlines the product’s purpose, security needs, and expected behavior.
- Use a Protection Profile (if available): This is a pre-defined template used for specific product types, such as firewalls or authentication tokens.
- Work with a Certified Lab: A third-party testing lab performs the tests and reviews all documentation.
- Get Certified: Once all checks are complete, a certification authority approves the product with an assigned EAL.
What a Common Criteria EAL Doesn’t Guarantee
While the EAL system is extremely helpful, it’s important to recognize its limitations:
- It doesn’t guarantee total security.
- It doesn’t test every possible real-world scenario.
- It only checks the documented features, not how the product performs outside its stated function.
Despite these limitations, EAL offers a consistent way to assess how thoroughly a product has been reviewed.
Who Uses Common Criteria Evaluation Assurance Levels?
The EAL system is used across both public and private sectors:
- Government Agencies: To protect sensitive national infrastructure and communications.
- Tech Companies: To show their commitment to security and meet global standards.
- Banks and Financial Services: To manage secure transactions and customer data.
- Businesses and Consumers: Many unknowingly rely on EAL-certified products when using secure apps or hardware.
Tips for Developers and Buyers
- For Developers:
  - Choose your EAL level early in product planning.
  - Use existing protection profiles to save time and cost.
  - Be prepared to fully document your design, security goals and testing results.
- For Buyers:
  - Look for the EAL certification label when selecting products.
  - Match the EAL level to your security needs; for example, EAL 1 for personal use or EAL 4+ for critical infrastructure.
  - Visit the official Common Criteria product list to verify certification status.
Final Thoughts
The Common Criteria Evaluation Assurance Level provides a clear, structured way to understand how well a product’s security has been reviewed. From basic checks to the most formal verification, the EAL system gives governments, businesses and users a trusted benchmark.
While it doesn’t promise total protection, it builds confidence and standardizes the testing process, helping everyone make smarter security decisions. In a world of growing cyber threats, that kind of assurance is more important than ever.