What Is EAL? Security Definition
On This Page
Quick Definition
EAL stands for Evaluation Assurance Level. It is a way to rank how carefully a security product has been tested. The scale goes from EAL1, which is basic testing, to EAL7, which is extremely detailed testing. A higher EAL means more confidence that the product will protect against attacks.
Commonly Confused With
Common Criteria is the overall framework and standard (ISO/IEC 15408) that defines how security evaluations are performed. EAL is a specific rating within that framework. Common Criteria includes many concepts like Protection Profiles, Security Targets, and evaluation methodology, while EAL is just one part of the output.
Think of Common Criteria as the entire building code, and EAL as the final inspection grade on a specific house.
A Protection Profile defines a set of security requirements for a category of products (like a firewall or a smartcard). EAL is the level of assurance at which a particular product is evaluated against its Security Target, which may or may not be based on a PP. The PP does not specify the EAL, but the product's evaluation uses a chosen EAL.
A Protection Profile is like a recipe for a cake (requirements for a type of product). The EAL is like the grade you get for following the recipe correctly (how well you proved you followed it).
The Security Target is a document written by the vendor that describes the security features of their specific product and the EAL level they are claiming. The ST references the Protection Profile if applicable. The ST is the actual document that the evaluation lab uses to test the product. EAL is the level of assurance achieved based on that ST.
The Security Target is like the detailed blueprint of a house. The EAL is like the inspection report confirming the house was built according to that blueprint with a certain level of scrutiny.
FIPS 140 is a U.S. government standard for cryptographic modules. It assesses the physical and logical security of encryption hardware and software. While both FIPS and Common Criteria evaluate security, FIPS focuses specifically on cryptography, whereas Common Criteria covers any security functionality. A product can have both a FIPS certification and an EAL rating.
FIPS is like a specialized safety rating for car brakes. EAL is like a general safety rating for the entire car.
Must Know for Exams
EAL is a core concept for the ISC2 CISSP exam, particularly within Domain 3: Security Architecture and Engineering. The CISSP exam requires you to understand the Common Criteria and the EAL scale, including the differences between each level and what type of assurance each provides. You will not need to memorize every detail of every EAL level, but you must know the general progression from EAL1 (functionally tested) to EAL7 (formally verified) and the trade-offs involved.
In the CISSP exam, EAL questions often appear as part of a larger scenario about product selection or security evaluation. For example, you might be given a scenario where a government agency needs to select an operating system for a classified system. The question will ask which EAL level is appropriate. You need to recognize that EAL5 or higher is typically required for high-security government environments. You will also need to understand that EAL4 is often the highest practical level for commercial products due to cost and complexity.
Another common question type involves understanding that a product's EAL rating does not guarantee it is secure. The exam may present a trap where a product with EAL6 is selected for a specific use case, but the Security Target only covered a narrow scope of functionality. The correct answer will point out that the EAL rating must be evaluated in context of the security target and protection profile. This aligns with the CISSP's emphasis on critical thinking and not just rote memorization.
For other exams, such as CompTIA Security+, EAL is covered at a lighter supporting level. You should know the basic concept that higher EAL means more rigorous testing, but you will not be expected to differentiate between EAL4 and EAL5. For the SANS GIAC certifications, EAL may appear in the context of evaluating security products for acquisition. The GIAC exams often focus on practical application, so you might need to interpret a product's EAL certificate and determine if it meets your organization's requirements.
In the exam, be prepared for questions that test your understanding of the Common Criteria terminology. You should know what a Target of Evaluation (TOE) is, what a Security Target (ST) is, and what a Protection Profile (PP) is. You should also know that EAL is not a measure of security but a measure of assurance. The CISSP exam in particular will test your ability to apply this knowledge in realistic scenarios, not just to recall definitions.
Simple Meaning
Think of EAL like a restaurant health inspection rating. A restaurant with a rating of A has been inspected and meets basic cleanliness standards. A restaurant with a rating of 100 out of 100 has been examined in much greater detail, every ingredient is checked, every surface is tested for bacteria, and every employee's hygiene is verified. You would trust the 100-rated restaurant more for a high-risk meal, but it also cost much more to get that rating.
EAL works the same way for security products like firewalls, encryption software, or operating systems. The Common Criteria standard, which is an international agreement on how to evaluate security, defines seven levels of assurance. EAL1 means the product was tested just enough to show it works as advertised. EAL7 means the product was designed, built, and tested using formal mathematical proofs and extreme scrutiny.
Most commercial products you buy are evaluated at EAL2, EAL3, or EAL4. Government and military systems often require EAL5 or higher. The key point is that a higher EAL does not necessarily mean the product is more secure in practice, it means the product has been more thoroughly verified to meet its security claims. A simple padlock that is EAL4 certified is still not as secure as a bank vault, but you know exactly how well it resists picking and cutting because of the testing.
In the IT world, when you see a product advertised as "EAL4+ certified," it means that the product has passed a structured set of tests conducted by an accredited laboratory. The testing covers things like how the product handles user authentication, how it protects data, and how it recovers from failures. The EAL rating helps you compare products, but you must also check what specific security features were actually tested, because two products with the same EAL may have been evaluated against completely different security requirements.
Full Technical Definition
The Evaluation Assurance Level (EAL) is a category ranking defined within the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). It provides an increasingly rigorous set of assurance requirements that a product, known as a Target of Evaluation (TOE), must satisfy to claim a specific level. The levels range from EAL1 (functionally tested) to EAL7 (formally verified design and tested).
Each EAL corresponds to a specific package of assurance requirements drawn from Part 3 of the Common Criteria standard. These requirements include areas such as configuration management, delivery and operation, development, guidance documents, life-cycle support, security testing, vulnerability analysis, and assurance maintenance. A product does not simply "pass" an EAL, it must undergo evaluation by a licensed Common Criteria Testing Laboratory (CCTL) against a Security Target (ST) document that describes the product's security functionality and the claimed EAL.
The actual evaluation process involves several phases. First, the vendor develops the product and writes the Security Target. Then, the CCTL reviews the design documentation, source code, and functional tests. The lab performs its own independent testing to confirm that the product behaves as described. For higher EALs (EAL5 and above), formal models and semiformal or formal design representations are required. The entire process can take months or years and cost hundreds of thousands of dollars.
It is critical to understand that EAL does not measure the absolute security of a product. Rather, it measures the rigor of the evaluation process. A product evaluated at EAL4 may actually be more secure than an EAL6 product if the EAL6 product's Security Target specifies only a narrow set of security functions. The specific Security Target and the Protection Profile (a set of security requirements for a type of product) define what was tested. For example, an EAL4+ operating system might have passed testing for user authentication and access control, while an EAL5 firewall might only have been tested for packet filtering rules.
In practice, most enterprise security products are evaluated at EAL2, EAL3, or EAL4. EAL4 is often the highest level that is economically feasible for commercial products, because EAL5 and above require significant design formality and cost. Government agencies, especially in defense and intelligence, often mandate EAL5 or EAL6 for systems handling classified information. The Common Criteria Recognition Arrangement (CCRA) allows evaluations performed in one participating country to be recognized by others, which simplifies international procurement.
Common criteria evaluations also involve the concept of an Evaluation Assurance Level augmented, often written as EALx+, where the plus indicates additional assurance requirements beyond the base level. For example, EAL4+ might include added vulnerability analysis or penetration testing. Security professionals evaluating products for procurement should always review the actual Security Target and the evaluation report, not just the EAL number, to understand exactly what was tested and what was not.
Real-Life Example
Imagine you are buying a child safety seat for your car. You go to a store and see two models. One says it was "tested according to federal safety standards." The other says it was "independently crash-tested at 35 mph, 40 mph, and 45 mph with multiple dummies, and the full test reports are available online." The first seat might be fine, but you have more confidence in the second one because you know exactly how thoroughly it was tested.
EAL works like those crash test ratings. The safety seat is like a security product. The testing laboratory is like the crash test facility. The federal safety standard is like a Protection Profile, it defines what the seat must do (protect the child). The EAL rating tells you how hard the lab tried to verify that the seat meets that standard. EAL1 would be like a simple check that the seat has straps and buckles. EAL4 would be like multiple crash tests at different speeds, durability tests, and material inspections. EAL7 would be like using computer simulations to predict every possible crash scenario and then testing each one.
When you buy that car seat, you might not know exactly how safe it is, but the EAL rating gives you a sense of how carefully it was checked. If you are driving on a bumpy road at low speed, a basic seat might be fine. But if you are driving a race car at 200 mph, you want the most thoroughly tested seat possible. In IT, the environment determines what EAL you need. For a home router, EAL2 is plenty. For a military satellite control system, EAL7 might be required.
Why This Term Matters
EAL matters because it provides a standardized way to evaluate and compare the security of IT products. Without EAL, every vendor could claim their product is "secure" using different, often meaningless, metrics. EAL gives security professionals a common language to discuss assurance. When you are responsible for selecting firewalls, operating systems, or encryption modules for an organization, knowing the EAL rating helps you make informed procurement decisions.
In practical IT contexts, EAL ratings are especially important for regulated industries. Government agencies, financial institutions, and healthcare organizations often have compliance requirements that mandate certain EAL levels for specific systems. For example, the U.S. Department of Defense might require that any operating system used on classified networks be evaluated at EAL4 or higher. A company bidding on a government contract must ensure their products carry the correct EAL certification, otherwise they cannot be used.
EAL also matters because the evaluation process itself improves product quality. The rigorous documentation and testing required for even EAL2 forces vendors to fix security issues they might have otherwise overlooked. The vulnerability analysis phase of evaluation often uncovers flaws that the vendor then patches. So even if a product is never sold into a market that requires EAL certification, the development discipline from preparing for evaluation can benefit all users.
EAL is a key part of the risk management process. A security architect evaluating a product for an enterprise network can look at the EAL rating as one factor in the overall risk assessment. A product with EAL4 gives higher assurance than one with EAL2, which might justify a lower level of additional compensating controls. However, it is important to remember that EAL is not a guarantee of security, it is a measure of assurance. A product can earn a high EAL and still have devastating vulnerabilities if those vulnerabilities were not covered by the Security Target.
How It Appears in Exam Questions
EAL questions on the CISSP exam often take the form of scenario-based questions where you must select the appropriate EAL level for a given situation. For example, a question might describe a company that needs to select a firewall for a low-risk internal network. The correct answer would be EAL2 or EAL3, because those levels provide adequate assurance for a low-risk environment without excessive cost. Another question might describe a military system handling classified data, and the correct answer would be EAL5 or higher.
Another common pattern is the "what is wrong with this situation" question. The exam might present a scenario where an organization selects an EAL7 product believing it is inherently more secure than an EAL4 product from a different vendor. The question will ask you to identify the flaw in this reasoning. The correct answer is that the EAL rating depends on the specific Security Target, and the EAL7 product may have been evaluated against a much narrower set of requirements, making it potentially less secure in practice than the EAL4 product with a broader Security Target.
Questions may also ask you to interpret the meaning of a product's certification. For example, a product might be listed as "EAL4+ certified." The exam may ask what the "+" means. The answer is that it indicates the product meets additional assurance requirements beyond the base EAL4 package, such as added vulnerability analysis. You might also see questions about the Common Criteria Recognition Arrangement (CCRA) and which countries recognize each other's evaluations.
There are also questions about the evaluation process itself. You might be asked which party performs the evaluation (an accredited independent laboratory), who defines the Security Target (the vendor), and who develops the Protection Profile (often a consortium or government agency). These questions test your understanding of the roles and responsibilities in the Common Criteria framework.
Finally, some questions test your knowledge of the specific EAL levels. You might need to know that EAL1 involves only functional testing, EAL2 includes vulnerability analysis, EAL3 adds environmental controls, EAL4 requires structured design, EAL5 requires semiformal design, EAL6 requires semiformal verification, and EAL7 requires formal verification. However, you will not need to memorize these in extreme detail, focus on the high-level progression and the key differences between the lower (1-4) and higher (5-7) levels.
Study CISSP
Test your understanding with exam-style practice questions.
Example Scenario
You are the security architect for a medium-sized financial services company. The company handles customer bank account data and must comply with financial regulations. You need to purchase a new database encryption product to protect sensitive data at rest. Your compliance team tells you that any encryption product used must have a minimum EAL4 certification.
You receive three proposals. Product A is an EAL4+ certified encryption module from a well-known vendor. The certification report shows it was tested against a Protection Profile for database encryption, and the testing included vulnerability analysis, configuration management, and structured design review. Product B is an EAL6 certified encryption module from a smaller vendor. The certification report shows it was tested against a much narrower Protection Profile that only covered the encryption algorithm itself, not the key management or integration with the database. Product C is EAL2 certified but costs significantly less.
Which product do you choose? At first glance, Product B with EAL6 seems superior. But because the Security Target was narrow, it provides less assurance for your actual use case than Product A. Product A's EAL4+ certification covered the full scope of database encryption, including key management, secure storage, and integration interfaces. Product C's EAL2 is below your compliance minimum, so it is out. The correct choice for your organization is Product A.
This scenario illustrates the most important exam lesson about EAL: always evaluate the certification in context of the specific security requirements. Never assume a higher EAL means better protection. In the exam, you will see similar scenarios where the key to the correct answer is reading the details about what was actually tested, not just the EAL number.
Common Mistakes
Thinking that a higher EAL always means a more secure product.
EAL measures the rigor of testing, not the breadth of security functions. A product with EAL6 may have been tested only for a single narrow feature, while an EAL4 product may have been tested for a wide range of security functions.
Always check the Security Target and Protection Profile to see what was actually evaluated, not just the EAL number.
Assuming that EAL certification applies to the entire product.
EAL certification applies only to the specific version and configuration of the product as it was evaluated. A different version or a different configuration may not have the same assurance level.
Verify that the exact product version and configuration you are using matches the evaluated configuration in the certification report.
Confusing EAL with a security rating like a grade.
EAL is not a grade of how secure a product is. It is a statement about how thoroughly the product was tested. A product can have a high EAL and still have security vulnerabilities in areas not covered by the evaluation.
Think of EAL as a measure of assurance, not security. Use it as one of many factors in your product selection process.
Believing that EAL1 is useless or meaningless.
EAL1 is a legitimate level that confirms the product has been functionally tested. For low-risk or non-critical environments, EAL1 can provide adequate assurance at low cost.
Match the EAL level to the risk level of the environment. Low risk can use lower EAL. High risk requires higher EAL.
Assuming that all Common Criteria evaluations are the same across countries.
While the Common Criteria Recognition Arrangement allows mutual recognition, some countries may require additional national schemes or have different interpretations. Not all evaluations are automatically accepted everywhere.
Check the specific certification scheme and mutual recognition arrangements for the country where you plan to deploy the product.
Exam Trap — Don't Get Fooled
{"trap":"The exam may present a product with an EAL7 rating and ask whether it should be selected for a high-security environment. Learners often fall for this because a higher EAL number seems better.","why_learners_choose_it":"Learners memorize that higher EAL = more rigorous testing, and they assume that more rigorous testing must equal better security.
They do not consider that the scope of testing may be narrow.","how_to_avoid_it":"Always ask: what Security Target was the product evaluated against? Look for clues in the question about the scope of evaluation.
If the question emphasizes a narrow scope, the correct answer may be to choose a product with a lower EAL but broader scope."
Step-by-Step Breakdown
Define the Security Target
The vendor determines what security features their product will include and writes a Security Target (ST) document. The ST describes the security functions, the intended environment, and the claimed EAL level. This document is the foundation for the entire evaluation.
Select the EAL Level
The vendor chooses which EAL level they want to pursue, based on the target market, cost, and required assurance. Lower levels (EAL1-EAL4) are common for commercial products. Higher levels (EAL5-EAL7) require significantly more rigorous design and testing.
Submit to an Accredited Laboratory
The vendor contracts an accredited Common Criteria Testing Laboratory (CCTL) to perform the evaluation. The lab is independent and must be approved by the national certification body. The lab reviews the ST to ensure it is complete and unambiguous.
Review Design and Documentation
The lab reviews the product's design documentation, source code, and other artifacts to ensure they meet the assurance requirements for the claimed EAL. For higher EALs, semiformal or formal design representations are required. The lab checks for consistency and completeness.
Perform Independent Testing
The lab conducts its own functional and penetration tests on the product. They verify that the product behaves as described in the ST and that it is resistant to attacks within the scope of the evaluation. For higher EALs, more rigorous vulnerability analysis is performed.
Produce the Evaluation Technical Report
After testing, the lab writes an Evaluation Technical Report (ETR) that details the findings, including any vulnerabilities discovered, how they were resolved, and the final determination of whether the product meets the claimed EAL. The ETR is submitted to the national certification body for validation.
Receive Certification
If the certification body approves the evaluation, the product receives a certificate confirming the EAL level. The certificate is published in a database and is recognized by other countries under the Common Criteria Recognition Arrangement (CCRA). The vendor can then market the product with the EAL certification.
Practical Mini-Lesson
The Evaluation Assurance Level is a cornerstone of security product procurement and risk management. As a security professional, you will often be asked to evaluate whether a product's EAL certification meets your organization's security requirements. The first step is to locate the product's certificate and read the associated Security Target (ST). The ST is usually available on the vendor's website or through the Common Criteria portal. Do not rely solely on the EAL number; you must understand the scope.
When reviewing an ST, look for the Security Functional Requirements (SFRs) that were evaluated. For example, if you need a firewall that enforces access control lists and logs traffic, ensure those SFRs are listed in the ST. If the ST only covers packet filtering but not logging, the EAL rating does not guarantee the logging works correctly. Also check the assurance requirements to see what level of vulnerability analysis was performed. For EAL2, the vulnerability analysis is basic. For EAL4, it includes a systematic search for vulnerabilities. For EAL6, it includes a thorough analysis with formal methods.
In practice, many product vendors list an EAL rating but do not make the ST easily accessible. This is a red flag. A legitimate evaluation always produces a public certification report and ST. You can search the Common Criteria portal (commoncriteriaportal.org) to verify the certification. If a product claims EAL4 but you cannot find the certificate, do not trust the claim.
When deploying an evaluated product, it is critical to use it in the exact configuration that was evaluated. The evaluation covers specific hardware, firmware, software versions, and configurations. If you change any setting or apply a patch, the assurance may no longer be valid. The product's security guidance documentation (another evaluation deliverable) will describe the evaluated configuration. Always follow that guidance.
One common pitfall is that the evaluation only covers a specific version. If the vendor releases a major update, the new version may not be certified. You must track the certification status of each version you deploy. Some organizations require that all security products maintain valid certifications, so they will only purchase products with current certificates. Security professionals should work with procurement and legal teams to include certification requirements in vendor contracts.
Finally, remember that EAL is just one factor. Combine it with other assurance measures like penetration testing, vulnerability scanning, and vendor reputation. A product that is EAL4 certified but has known unpatched vulnerabilities in its core functionality is still a risk. Use EAL as part of a holistic security assessment, not as a shortcut to skip other evaluation steps.
Memory Tip
EAL: Each Assurance Level increases rigor. 1 is basic test, 4 is commercial standard, 7 is mathematically proven. Think of it like a safety inspection scale for your product.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
Related Glossary Terms
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
Frequently Asked Questions
What is the highest EAL level?
The highest level is EAL7, which involves formally verified design and testing. It is rarely used in commercial products because of the extreme cost and complexity.
Do I need an EAL certified product for my small business?
Probably not. EAL certification adds significant cost to products. For most small businesses, using well-known, updated products from reputable vendors is sufficient. EAL is more relevant for government, military, and regulated industries.
Can a product lose its EAL certification?
Yes, if the product is significantly changed or if a vulnerability is discovered that was missed during evaluation, the certification can be withdrawn. Always check that the product you are using has a current certificate.
Is EAL the same as Common Criteria?
No. Common Criteria is the overall standard. EAL is one specific rating within that standard. Common Criteria also includes Protection Profiles, Security Targets, and evaluation methodology.
How long does an EAL evaluation take?
It varies depending on the EAL level and product complexity. EAL2 might take a few months, while EAL4 can take a year or more. EAL5 and above can take multiple years.
Does a higher EAL guarantee the product is vulnerability-free?
No. EAL certification only covers the specific security functions and vulnerabilities that were part of the evaluation. New vulnerabilities can be discovered after certification. It is a measure of assurance, not a guarantee of security.
Summary
Evaluation Assurance Level (EAL) is a critical concept in security architecture that provides a standardized way to measure the rigor of security testing for IT products. The scale from EAL1 to EAL7 allows organizations to select products that match their risk tolerance and compliance requirements. However, the most important lesson for both professionals and exam takers is that a higher EAL does not automatically mean a product is more secure. You must always examine the Security Target to understand what was actually tested.
In the CISSP and other security exams, EAL questions test your ability to apply this concept in realistic scenarios. You need to know the general progression of the levels, understand the roles of the Security Target and Protection Profile, and recognize common traps like assuming higher EAL equals better security. Practical application involves reviewing certification reports, using products in their evaluated configurations, and integrating EAL into a broader risk management process.
For security professionals, EAL is a valuable tool for product procurement and risk assessment. By understanding its strengths and limitations, you can make informed decisions that balance cost, assurance, and real-world security needs. Always remember that EAL is about assurance, not absolute security, and use it as one component of a comprehensive security evaluation.