Security architectureIntermediate17 min read

What Is Evaluation assurance level? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An Evaluation assurance level (EAL) is a number from 1 to 7 that tells you how rigorously a security product has been tested. It is part of the Common Criteria international standard. The higher the number, the more detailed and strict the testing process was. It helps buyers compare the security of different products.

Commonly Confused With

Evaluation assurance levelvsProtection Profile (PP)

A Protection Profile defines a set of security functional requirements for a product category, like 'firewall' or 'smart card'. EAL defines the assurance level, how much testing and verification was done. You cannot have an EAL without a PP, but a PP can exist without an EAL rating.

PP for a firewall might require it to block certain IP addresses. EAL4 for that same firewall means the manufacturer proved through testing that it does block those IP addresses reliably.

Evaluation assurance levelvsSecurity Target (ST)

The Security Target is a document written by the product vendor that describes the product's security claims and the protection profile it claims to meet. It can reference a specific EAL. So the ST is the vendor's statement, the PP is the template, and the EAL is the final rating after evaluation.

The vendor writes an ST that says 'This smart card meets PP-003 and we want EAL4 evaluation.' After testing, the lab assigns EAL4.

Evaluation assurance levelvsCommon Criteria (CC)

Common Criteria is the overall framework and standard (ISO 15408) that includes both Protection Profiles and Evaluation assurance levels. EAL is just one component of CC. Learners often use 'Common Criteria' and 'EAL' interchangeably, but CC is the whole system.

Common Criteria is like the building code. EAL is the inspection grade you get after following the code. You can't have the grade without the code.

Must Know for Exams

The term Evaluation assurance level appears in several major certification exams, including CompTIA Security+, CompTIA CySA+, CISSP, and the Certified Information Systems Auditor (CISA) exam. In CompTIA Security+, EAL is covered under domain 3 (Security Architecture and Engineering), specifically in the context of system assurance and trust models. You might see a question that asks which EAL level is typically considered the highest practical level for commercial products, with the correct answer being EAL4.

In the CISSP exam, EAL falls under domain 3 (Security Architecture and Engineering) as well, within the subdomain of security models and evaluation criteria. The exam expects you to know the difference between the evaluation (EAL) and the protection profile (PP), the PP defines what security features a product should have, while the EAL defines how thoroughly those features are tested. A typical question might present a scenario where a government agency needs a product for classified data and asks which EAL would be appropriate.

For CySA+, the focus is more on applying EAL in a threat intelligence context. You might be asked to interpret a product's EAL rating in a risk assessment scenario. For example, if a vendor claims EAL2 for their firewall, you would know that the firewall has been functionally tested but only lightly checked for vulnerabilities.

The key exam takeaway is that EAL is about assurance, not about the specific security functions. Many exam traps try to confuse learners into thinking a higher EAL means the product is more secure in an absolute sense. The correct understanding is that a higher EAL means you have more confidence that the product meets its stated security requirements. Learners should memorize the scale: EAL1 through EAL7, and know that EAL4 is the top practical level for most commercial products.

Simple Meaning

Think of Evaluation assurance levels like the safety ratings for cars. When you buy a car, you might see its crash-test rating, a 5-star car has been through tougher tests than a 3-star car. EAL works the same way but for computer security products like firewalls, encryption software, or smart cards.

A product rated EAL1 has been looked at very lightly. The testers just checked if the product works as described and if there are any obvious security holes. It is the minimum level of assurance, like a car that passed a basic brake test but nothing else. As the levels go up, the testing becomes much more demanding. EAL4 means the product was designed with security in mind, and the testing covered both the design documents and the actual product. EAL7 is the absolute top level, where every piece of code and every design detail has been independently verified, and the product has been proven secure against the most advanced attacks.

The important thing to understand is that EAL does not measure how secure a product is in absolute terms. It measures how much confidence you can have that the product meets its security claims. A product that aims for EAL4 might still have vulnerabilities, but you can trust that the vendor followed a strict process to avoid them. This is why government agencies and large companies often require products with a certain EAL rating before they will buy them, they need that extra assurance that the product is trustworthy.

Full Technical Definition

Evaluation assurance levels are defined by the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408). They represent a scale from EAL1 (functionally tested) to EAL7 (formally verified design and tested). Each level requires a deeper and more rigorous evaluation of the product's security functional requirements (SFRs) and security assurance requirements (SARs).

At EAL1, the evaluation is minimal. It consists of a functional test of the product against its security target (ST) and a review of its documentation. The evaluator checks that the product does what it claims and that there are no obvious vulnerabilities. This level is suitable for products where security is not a major concern but some assurance is still needed.

EAL2 through EAL4 add structural testing and independent vulnerability analysis. EAL2 requires the vendor to provide design information and test results. EAL3 introduces security engineering controls at the development level. EAL4, the highest level that is still economically practical for most commercial products, requires a complete design specification and a methodical security architecture. At EAL4, the evaluator checks that the product has been designed following secure development practices, such as configuration management and security testing throughout the lifecycle.

EAL5 through EAL7 are much more demanding and are typically only used for products that must withstand determined or highly sophisticated attacks. EAL5 requires semiformal design and testing with modular security policy enforcement. EAL6 adds a semiformal verification of the design and more rigorous analysis of vulnerabilities. EAL7 requires a formal model of the security policy, a formal design specification, and a complete independent verification that the product's implementation matches that formal model. This level is extremely expensive and time-consuming to achieve, and only a handful of products have ever earned it.

In practice, most commercial products target EAL2 or EAL4, because achieving higher levels is costly and often unnecessary. However, government and military procurement contracts often mandate specific EAL levels for certain categories of products.

Real-Life Example

Imagine you are building a new house and you want to make sure it is secure. You hire a security inspector to check everything. At the lowest level, the inspector just walks through the house once, checks that all the windows close, and gives you a basic report. That is like EAL1, quick, cheap, and only catches obvious problems.

Now imagine you want a more thorough inspection. The inspector returns multiple times, checks the locks on every door, tests the alarm system, and looks at the building plans to make sure the walls are thick enough. They also bring a lockpicking expert to see if the locks are easy to bypass. By the end, you have a detailed report with photos and measurements. That is like EAL4, thorough, covers the design and the actual construction, and gives you real confidence.

For a really high level of assurance, you hire an entire team. They live on-site for months. They review every blueprint, check every nail, and run simulations of burglars trying every possible attack. They even disassemble the locks to verify that the internal mechanisms match the manufacturer's diagrams. At the end, they produce a formal proof that the house cannot be broken into under normal conditions. That is like EAL7, extremely expensive but gives you near-certainty.

In the IT world, customers who buy security products often look for a specific EAL rating just like you would look for a high safety rating when buying a car seat or a fireproof safe. The rating tells you how much testing was done, not that the product is perfect, but that it is trustworthy enough for your needs.

Why This Term Matters

Evaluation assurance levels matter because they provide a standardized way for organizations to assess the trustworthiness of security products. Without EAL, every buyer would have to independently test each product, which is expensive and impractical. EAL allows you to compare products from different vendors using a common scale.

In practical IT terms, if your company needs to process classified government data, you may be legally required to use products that have achieved a certain EAL rating. For example, many U.S. government contracts specify EAL4 or higher for cryptographic modules or access control systems. Missing that requirement could make your entire system non-compliant and lead to loss of contracts or legal penalties.

EAL also matters because it forces vendors to follow secure development practices. To achieve a higher EAL, a company must document its design decisions, test thoroughly, and maintain a clear audit trail. This benefits all of their customers, even those who do not need the formal rating, because the overall quality of the product improves.

For IT professionals, understanding EAL helps when selecting products for security-sensitive environments. If you are building a public-facing web application, you might not need an EAL4 database, but if you are securing a bank's internal transaction system, you probably do. Knowing what EAL means helps you make informed procurement decisions and justify your choices to management or auditors.

How It Appears in Exam Questions

Exam questions on Evaluation assurance levels most commonly come in three forms: scenario-based, definition, and comparison.

Scenario-based questions present a situation like: "Your company is procuring a firewall for a system that handles confidential medical records. The vendor offers a product with EAL2 certification. What is the best assessment of this product's suitability?" The correct answer would be that EAL2 provides only basic functional testing and may not be rigorous enough for sensitive data, so you should look for a higher EAL like EAL4. A common distractor is that EAL2 is insufficient because it does not include vulnerability analysis.

Definition questions are straightforward: "Which of the following is the highest Evaluation assurance level that is currently achievable?" The answer is EAL7.

Comparison questions ask you to distinguish EAL from other concepts. For example: "Which of the following terms describes the set of security requirements a product must meet, rather than the level of testing done?" The answer is Protection Profile (PP). Another common comparison is between EAL and Common Criteria itself, EAL is the assurance level, while Common Criteria is the full evaluation framework.

Some questions test the number of EAL levels. "How many Evaluation assurance levels are defined in the Common Criteria?" Answer: seven. A distractor might be five or six.

Also, be prepared for questions that ask which EAL is most commonly required for commercial off-the-shelf (COTS) products in government contracts. The answer is EAL4. Occasionally, a question will test EAL5 or EAL6 for very high-security environments like military systems.

Practise Evaluation assurance level Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

The Australian Department of Defense needs to buy a new identity management system to control access to its classified network. The RFP states that all security products must achieve at least EAL4 certification according to the Common Criteria. Three vendors respond. Vendor A offers a system with EAL2, which they say is sufficient because it has passed all functional tests. Vendor B offers a system with EAL4 but at a higher cost. Vendor C offers a system with EAL5 but with a very long delivery time.

As the security assessor on the evaluation team, you must recommend which vendor to choose. You know that EAL2 only covers functional testing and a basic document review, it does not include any independent vulnerability analysis. That is not enough for a system that will handle classified defense data. EAL5 would be ideal, but the long delivery time means the project would miss its deadline. EAL4 is the perfect balance: it includes design specification review, security engineering controls, and methodical vulnerability analysis. You recommend Vendor B.

Later, during the evaluation, you discover that Vendor C's EAL5 product was actually evaluated against an outdated protection profile that does not include modern authentication requirements. This is a crucial detail, the EAL rating is only meaningful if it is tied to a current and relevant protection profile. You update your recommendation to include a clause requiring the selected product to be evaluated against the latest PP. This scenario shows that EAL alone is not enough; you must also check the PP and the evaluation date.

Common Mistakes

Thinking that EAL measures absolute security strength.

EAL does not measure how secure a product is compared to others. It only measures how much confidence you have that the product meets its own security claims. A product with EAL1 could have strong encryption, but you have less proof that it works correctly.

Always think of EAL as a confidence level, not a security score. Higher EAL means you trust the product more, not that it is necessarily stronger.

Believing that EAL7 is impossible or never used.

EAL7 is achievable and has been awarded to a few products, especially in high-security government or military contexts. It is rare but not impossible. Learners often assume the top level is theoretical.

Learn that EAL7 is the highest level, requires formal verification, and exists in practice for niche, ultra-high-security products.

Confusing EAL with Protection Profile (PP).

The Protection Profile defines what security functions the product must have (like encryption or access control). The EAL defines how thoroughly those functions are tested. They work together but are separate concepts.

Remember: PP = what, EAL = how well.

Assuming that all products with the same EAL are equally trustworthy.

Two products can both have EAL4 but be evaluated against different protection profiles. One might be for a firewall, the other for a database. Their security functions are different, so you cannot directly compare their security.

Always check the protection profile and the evaluation date alongside the EAL rating.

Exam Trap — Don't Get Fooled

{"trap":"On the CompTIA Security+ exam, a question might present a scenario where a product has EAL5 certification and ask if that product is automatically more secure than a product with EAL4.","why_learners_choose_it":"Learners see the higher number and assume 'more secure' equals 'better'. The exam relies on this gut reaction to trap them."

,"how_to_avoid_it":"Remember that EAL is about the rigor of testing, not the security strength. A product with EAL5 might only have basic encryption, while an EAL4 product could have military-grade encryption. The correct answer is that you cannot determine which is more secure based solely on EAL."

Step-by-Step Breakdown

1

Define the Protection Profile

The product developer or a standards body writes a Protection Profile (PP) that lists the security features the product must have. This is the baseline requirement.

2

Write the Security Target

The vendor writes a Security Target (ST) document that describes how their specific product meets the PP and what EAL level they are aiming for.

3

Select the evaluation lab

The vendor hires an accredited, independent Common Criteria testing laboratory. The lab must be approved by the national certification body.

4

Conduct the evaluation at the chosen EAL level

The lab performs a series of tests and reviews following the requirements of the targeted EAL. For EAL4, this includes design document review, functional testing, vulnerability analysis, and configuration management checks.

5

Produce the evaluation report

The lab writes a detailed report summarizing the tests performed, any vulnerabilities found, and a final verdict on whether the product meets the claimed EAL.

6

Certification decision

A national certification body (like the NSA in the US or BSI in Germany) reviews the evaluation report. If satisfied, they issue a certificate stating the product achieves the claimed EAL.

7

Maintenance and re-evaluation

The certification is not permanent. If the vendor updates the product, they may need to re-evaluate to maintain the EAL rating. Periodic re-evaluations are sometimes required.

Practical Mini-Lesson

In real-world IT work, you will rarely need to achieve an EAL certification yourself, that is the vendor's job. But understanding EAL helps you make smarter procurement decisions and communicate with auditors and compliance officers.

When evaluating a vendor's EAL claim, always check three things: the protection profile it was evaluated against, the date of certification, and whether the product has been re-evaluated after major updates. A product that achieved EAL4 in 2015 but has had many software updates since may no longer meet that level. Some vendors will advertise an old EAL rating even if the current version is different.

Another practical point: EAL ratings are expensive to achieve. A vendor may target EAL2 or EAL3 for a product that could technically reach EAL4, just to save money. That does not mean the product is bad, but it means you have less proof of its security. For critical systems, pay the premium for a higher EAL.

In configuration management, EAL can affect how you apply patches. If you patch a certified product, you may invalidate its certification. You then have to decide whether to accept the risk of using an uncertified patched version or wait for the vendor to release a certified update. This is a real challenge in high-security environments.

Finally, be aware that some EAL ratings are only available for hardware or firmware, not pure software. For example, a software-only encryption tool cannot achieve EAL5 or above because those levels require formal verification of hardware implementation details.

Memory Tip

Remember 'EAL = Every Assurance Level is higher' and the scale 1 to 7. EAL4 is the practical peak.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can I get EAL certification for my product as an individual developer?

It is very unlikely. EAL certification requires an accredited testing lab, and the process is expensive and time-consuming. It is typically done by large vendors for enterprise products.

Is EAL4 better than EAL2 for all purposes?

Not necessarily. If you only need basic functionality for a low-risk environment, EAL2 is sufficient and cheaper. EAL4 is better when you need high assurance, such as for regulated or sensitive systems.

Does a higher EAL mean the product is faster or more reliable?

No. EAL only covers security assurance. It says nothing about performance, usability, or reliability in non-security aspects.

How long does an EAL certification last?

It is typically valid for a few years, but it depends on the national certification body. If the product is significantly updated, the certification may need to be re-evaluated.

Can I trust a product that has no EAL rating?

Maybe, but you have no independent verification of its security claims. For critical systems, you should prefer products with an EAL rating or other independent evaluation.

What is the difference between EAL and FIPS 140-2?

FIPS 140-2 is a U.S. standard specifically for cryptographic modules. EAL is a broader framework for all security functions. A product can have both certifications.

Summary

Evaluation assurance levels are a core part of the Common Criteria international standard for security testing. They range from EAL1 (basic functional testing) to EAL7 (formally verified design). The level indicates the depth and rigor of the evaluation, not the absolute strength of the security features. For most commercial products, EAL4 is the highest practical level.

Understanding EAL is important for IT professionals who select, procure, or manage security products. It helps you make informed decisions based on independent validation rather than vendor claims. In certification exams, you will encounter EAL questions in CompTIA Security+, CISSP, CySA+, and CISA. The most common traps involve confusing EAL with Protection Profiles, or assuming a higher EAL automatically means a more secure product.

The key takeaway is that EAL is about trust and confidence. A higher EAL gives you stronger evidence that the product does what it says. When studying for exams, memorize the seven levels, know that EAL4 is the common practical limit, and understand the difference between evaluation (EAL) and requirements (PP).