Every organization needs a way to measure the security features of their technology systems. But how can anyone be sure that a given product is truly equipped to handle threats? This is where Evaluation Assurance Levels (EAL) come into play.

EALs provide a structured approach to assess the thoroughness and rigor of security testing applied to IT products. By understanding these levels, businesses can make better decisions when selecting software or systems to secure their most sensitive data.

Let’s dive into what the Evaluation Assurance Levels are, how they work, and why they matter for organizations that rely on certified security solutions.

What is the Evaluation Assurance Level?

The Evaluation Assurance Level (EAL) is a standardized scale designed to measure the depth and rigor applied during the security testing and evaluation of an IT product. This concept stems from the Common Criteria (CC)—an internationally recognized framework that provides guidelines for evaluating the security features of IT systems.

EALs are primarily used by developers, vendors, government agencies, and organizations that rely on IT products to protect sensitive data. By achieving a specific EAL certification, a product demonstrates that it has undergone a thorough and structured evaluation, which is particularly important for products used in high-security environments, such as government, military, or financial institutions.

The EAL certification is assigned after a rigorous evaluation process conducted by independent testing laboratories. This process depends on each level, but it can involve assessing design documentation, conducting functional testing, and performing penetration testing to determine how well a product meets its security claims.

While it might seem like a higher EAL means better security, it’s important to note that the Evaluation Assurance Level does not directly measure a product’s security strength. Instead, it represents how thoroughly the product has been tested against pre-defined security requirements. In other words, EALs tell you how much confidence you can have that the product performs as claimed.

Each level within the EAL scale requires progressively more rigorous testing and evaluation processes, but no level guarantees that the product itself is impervious to all attacks.

Common Criteria: The foundation of EAL

Common Criteria (CC, or  ISO/IEC 15408) is an international standard established to help evaluate the security functionality of IT products. It provides a way for security vendors to have their products independently evaluated by third-party labs. These labs assess how well a product meets its specified security requirements, ensuring that organizations purchasing or deploying these systems can have confidence in their ability to manage security threats.

The Common Criteria Recognition Arrangement (CCRA), a global agreement involving over 30 countries, allows for mutual recognition of certifications. This means that a product certified in one country is accepted in others, and it was one of the main reasons for establishing CC in the first place. CC emerged in the late 1990s with the goal of unifying several national security standards from the U.S., Canada, and Europe into a single, global framework.

Recommended reading

The 5 Industries Most Vulnerable to Cyber Attacks in 2024

What is a Security Target?

Before we dive into each Evaluation Assurance Level, it's important to discuss a key element of the Common Criteria: the Security Target (ST). The Security Target is a document that outlines the specific security features and assurances that a product must meet to be evaluated against a particular EAL.

In essence, it defines what the product is supposed to protect and how it is designed to do so. The Security Target is central to the evaluation process because it guides the entire testing effort, ensuring that the evaluation focuses on the product’s intended security functionality. Each EAL level corresponds to a set of requirements detailed in the Security Target, and the evaluators check whether these requirements have been met.

Recommended reading

14 Steps for a Solid Digital Transformation Strategy in 2024

How do Evaluation Assurance Levels work?

The Evaluation Assurance Level framework consists of seven levels, ranging from EAL1 (the lowest level) to EAL7 (the highest). Each level builds upon the previous one and defines the depth of testing and analysis that a system has undergone.

These levels don’t just apply to security software but also hardware and even entire systems, ensuring a broad range of products can be assessed.

Let’s walk through what each of these seven levels represents.

EAL1: Functionally tested

At EAL1, a product undergoes basic testing to confirm that it functions as intended. This level is the most basic form of security evaluation. It ensures that the product does what it claims to do but doesn’t require an in-depth analysis of its security architecture.

What it entails:

• Testing verifies that the system or product functions according to its specifications.
• No detailed investigation of potential vulnerabilities is performed.
• Suitable for environments where the risk of sophisticated attacks is low.

While this level might seem minimal, it can be useful for systems where functionality is more important than detailed security verification, such as non-critical software used in low-risk environments.

EAL2: Structurally tested

EAL2 introduces a more detailed evaluation, including some independent testing and a review of the system’s design. At this level, developers provide more information about how their product was built, allowing evaluators to conduct a slightly more rigorous assessment than in EAL1.

What it entails:

• Independent testing starts, offering a deeper look into the design.
• Structural information is available to evaluators, providing better insight into how the system is built.
• Some vulnerability analysis is performed, but it remains limited in scope.

EAL2 allows for a slightly higher level of assurance because evaluators can now review parts of the system’s design to verify that security features are in place and functioning correctly. This is especially useful in environments with moderate risks, but extensive security is not required.

EAL3: Methodically tested and checked

At EAL3, the evaluation becomes more methodical, involving a deeper dive into the system's design and development processes. Testing includes analyzing the product’s architecture and potential points of vulnerability.

What it entails:

• Methodical checks and analyses of the system's architecture and functions.
• More comprehensive independent testing.
• Developers must provide in-depth information about how security was considered during design.
• Design documentation is thoroughly reviewed.
• Vulnerability analysis is more in-depth, addressing both known and potential security risks.

This level of assurance is suited for environments where security is a concern and there is a higher risk of exposure to threats. EAL3 certifications are often sought for systems that manage sensitive data or operate in moderately secure environments.

Recommended reading

10 Compliance Standards to Achieve IT Security And Privacy

EAL4: Methodically designed, tested, and reviewed

EAL4 is where the testing becomes notably rigorous. At this level, evaluators closely examine the design and conduct comprehensive testing. This level of evaluation is typical for systems that require high levels of assurance.

What it entails:

• Design and implementation are evaluated together.
• Extensive testing and review of the system’s internal structure.
• Security features are tested thoroughly to ensure they meet the specified requirements.
• Vulnerability analysis covers a wider range of potential threats.

EAL4 is commonly used for commercial products where security is important but does not require the highest levels of assurance. This level balances the cost of evaluation and the level of security assurance provided.

EAL5: Semiformally designed and tested

At EAL5, the evaluation starts focusing on the use of formal methods during the design phase. This level is suitable for products that require a substantial degree of security, such as those used in government or defense.

What it entails:

• Developers use formal methods to design the security architecture.
• Evaluators conduct a more detailed review of the product’s development process.
• Security features are tested and analyzed with greater depth than in previous levels.

EAL5 is typically used for products where a high level of security is required, such as government or defense systems. At this stage, evaluators can demonstrate that the product’s security architecture is sound and resistant to various threats.

EAL6: Semiformally verified design and tested

EAL6 involves more extensive verification methods, including detailed design analysis and testing. This level offers a higher assurance than EAL5 and is intended for systems where strong security against advanced threats is required.

What it entails:

• The design is thoroughly verified using formal methods.
• Both the design and implementation are rigorously tested.
• Vulnerability analysis covers advanced threats, such as targeted attacks.

EAL6 certifications are reserved for products and systems requiring high assurance against advanced threats. This level is often used in critical infrastructure or other systems that could be exposed to nation-state actors or other highly sophisticated adversaries.

EAL7: Formally verified design and tested

EAL7 is the highest level of evaluation and is reserved for systems that require the utmost assurance of security. At this stage, every aspect of the system is formally verified and tested to an extreme degree. Very few products or systems achieve this level due to the high cost and complexity of the evaluation.

What it entails:

• The design is fully verified using formal methods.
• Every part of the system undergoes exhaustive testing and analysis.

This level is reserved for environments where any security breach could have catastrophic consequences, such as military or national security systems. It's meant to ensure that they are virtually impervious to cyber threats.

Recommended reading

What is the Difference Between Assessment and Audit?

How to choose the right Evaluation Assurance Level for your organization's software

Having an understanding of EALs allows you to make informed decisions when selecting software, hardware, or security protocols. Whether you’re choosing software for a business or government system, knowing the EAL of a product gives you a better sense of its trustworthiness.

Selecting the appropriate Evaluation Assurance Level depends on your organization’s security needs and the environment in which your system operates. Lower EALs, such as EAL1 and EAL2, may be sufficient for small businesses with minimal exposure to cyber threats. In contrast, larger corporations or government agencies handling highly sensitive information are more vulnerable to cyber-attacks and require products certified at EAL4 or higher.

Key factors to consider when selecting an Evaluation Assurance Level:

• Threat environment: Assess the potential risks and types of attacks your system may face.
• Security requirements: Define the level of security needed for your operations.
• Cost vs. benefit: Higher EALs often come with increased costs due to the rigorous testing required.

The relationship between EAL and compliance

• Assurance and trust:
  Achieving a specific EAL verifies that a product meets defined security criteria. This is crucial for organizations needing to demonstrate compliance with regulations that mandate certain security standards. For instance, financial institutions may require products with higher EALs to comply with industry regulations.
• Risk Management: 
  Organizations can use EAL assessments as part of their risk management strategy. By selecting products with appropriate EALs based on their risk profile, organizations can ensure they are using systems that have undergone sufficient scrutiny to mitigate potential vulnerabilities.
• Regulatory alignment: 
  Many regulatory frameworks specify minimum security requirements that align with certain EALs. For example, sectors dealing with sensitive data, such as healthcare or finance, may dictate that only products certified at a certain EAL can be used within their systems to comply with laws like HIPAA or SOX.

Final words

Security is a top priority for any organization that handles sensitive data. From banking applications to military systems, it’s critical that products are evaluated for their ability to protect against threats. Evaluation Assurance Levels play a central role in determining how well a product has been tested for vulnerabilities.

Evaluation Assurance Levels provide a clear framework for understanding the security testing and verification of IT systems. Organizations should evaluate their specific needs, threat environment, and budget when selecting a product with the right EAL.