Planning and scopingIntermediate25 min read

What Does Target of evaluation Mean?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

The Target of Evaluation (TOE) is the thing being tested for security. It can be a piece of software, a hardware device, a network, or an entire system. Evaluators check whether the TOE meets a list of security rules, like a report card for safety. This concept is important for certifications like Common Criteria and helps organizations trust that a product is secure enough for their needs.

Commonly Confused With

Target of evaluationvsSecurity Target

The Security Target (ST) is a document that specifies the security requirements and the TOE itself. It is a written blueprint. The TOE is the actual product described in that blueprint. The ST is created before evaluation; the TOE is evaluated against it. They are not interchangeable.

Think of the ST as a recipe and the TOE as the cake. The recipe describes what the cake should be, but the cake itself is what you taste and test.

Target of evaluationvsOperational Environment

The operational environment includes all the external factors that affect the TOE's security, such as users, physical locks, network connections, and other systems. The TOE is the system under evaluation itself. The evaluation assumes certain environmental conditions, but the environment is not part of the TOE.

If you evaluate a smart lock, the lock itself is the TOE. The wall it is mounted on and the person using it are part of the operational environment.

Target of evaluationvsEvaluation Assurance Level

The Evaluation Assurance Level (EAL) is a rating (e.g., EAL1 to EAL7) that indicates the depth and rigor of the evaluation. The TOE is the product being rated. Two different products can have the same EAL, but they are different TOEs.

A car getting a 5-star safety rating is like an EAL. The specific make and model of the car is the TOE. The rating tells you the level of safety, but the car itself is what you drive.

Must Know for Exams

For IT certification exams, especially those covering security concepts, the Target of Evaluation is a fundamental term that appears in several contexts. The most common exam directly related to TOE is the CompTIA Security+ exam, particularly under domain 4 (Security Operations) and domain 5 (Security Program Management and Oversight). Questions may ask you to identify the TOE in a scenario, define its components, or understand its role in the evaluation process. For instance, you might be given a scenario where a company wants to evaluate a new firewall for compliance. The question could ask: 'What is the target of evaluation?' with options like 'the network,' 'the firewall hardware and software,' 'the user manual,' or 'the physical security'. The correct answer is the firewall hardware and software, because that is the product being assessed against security requirements.

In the (ISC)² Certified Information Systems Security Professional (CISSP) exam, the TOE appears within the Security Assessment and Testing domain (Domain 6). Candidates are expected to understand how to define scope for security assessments, which is directly analogous to defining the TOE. A CISSP question might present a scenario where a third-party assessment is being conducted, and ask what should be included in the scope (i.e., the TOE). The answer might include the system, its interfaces, data flows, and supporting infrastructure. The CISSP exam covers the Common Criteria and its evaluation assurance levels, all of which revolve around the concept of a TOE. Understanding TOE helps candidates differentiate between the system under test and the operational environment.

The Certified Ethical Hacker (CEH) exam also touches on the TOE concept, particularly in the context of penetration testing authorization and scope definition. Before any ethical hack, the tester must define the target systems (the TOE) to avoid legal issues. Exam questions might ask about obtaining written authorization that specifies the target IPs, systems, and applications. This is essentially defining the TOE in practical terms.

For ISO/IEC 27001 Lead Auditor exams, the TOE corresponds to the scope of the audit. The exam may ask candidates to determine whether a particular process or location is within the audit scope, which is equivalent to defining the TOE. Knowing how to draw boundaries and defend them is crucial for passing.

In the GIAC certifications, such as GSEC or GCIH, understanding the TOE helps in interpreting evaluation reports and understanding the limitations of certifications. Exam questions might present a scenario where a vendor claims Common Criteria EAL4 certification for a product, and the candidate must identify which components were included in the TOE to assess whether the certification applies to their environment.

Because the TOE is a foundational concept in security evaluation, it appears in multiple exam objectives across various certifications. Candidates should be prepared to recognize the term, define it, and apply it to practical scenarios. The exam questions are typically not overly complex but require precise understanding of the boundary. Common pitfalls include confusing the TOE with the security target or the evaluation methodology. Remember: the TOE is the product itself, not the document describing it.

Simple Meaning

Think of the Target of Evaluation as the item you are taking for a safety inspection. Imagine you have a new car, and you want to make sure it is safe to drive on highways. The car itself is the TOE. The inspection process involves checking the brakes, airbags, seatbelts, and engine. The inspectors have a checklist of safety requirements that the car must meet, such as stopping distance and crash test ratings. If the car passes all checks, it gets a safety certificate, meaning it is trustworthy for driving. In IT, the TOE could be a firewall, an operating system, a smart card, or even a whole cloud service. The security requirements come from a standard, like Common Criteria, or from an organization’s own rules. Evaluators look at the TOE's design, source code, documentation, and behavior under attack. They also examine the environment in which the TOE operates, such as the network or physical location. This ensures that the product can resist threats like hacking, data theft, or unauthorized access. The goal is to give buyers confidence that the product does what it claims to do securely. Without a clear TOE, evaluation would be vague, like trying to inspect a car without knowing which car you are inspecting. So, defining the TOE precisely is the first and most important step in any security evaluation.

For example, if a company wants to use a new encryption tool to protect customer data, they would first define the TOE as that specific encryption software running on a particular version of Windows with a specific set of settings. They would then hire an evaluator to test it against requirements like FIPS 140-2. If the encryption tool passes, the company knows it meets security standards. The TOE can be a single component, such as a cryptographic module, or a whole system, such as a database server with its operating system, applications, and network. The scope must be carefully defined to avoid confusion. For instance, if the evaluation includes the operating system but not the network hardware, then any security failure caused by the network would not be the TOE's fault. So, defining the TOE boundary is critical. The Target of Evaluation is the central object of a security assessment, the thing under the microscope. It is the foundation upon which all testing, analysis, and certification are built.

Full Technical Definition

In the context of security evaluation and certification, particularly under frameworks like the Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408), the Target of Evaluation (TOE) is defined as a set of software, firmware, and/or hardware possibly accompanied by guidance. The TOE is the subject of the evaluation, meaning all security functional requirements (SFRs) and security assurance requirements (SARs) are applied to this specific entity. The TOE includes not only the product itself but also its guidance documentation, such as administrator and user manuals, and the operational environment (if specified). The evaluation process involves verifying that the TOE meets the security target (ST), which is a document that specifies the security requirements and the security functionality of the TOE.

The TOE is typically described in terms of its boundary, what is included and what is excluded from the evaluation. This boundary is delineated in the Security Target document. The TOE may include hardware, software, firmware, and supporting infrastructure like network connections or physical security measures. For example, a TOE could be a smartcard operating system with its embedded applications, or it could be a full network firewall appliance including its hardware, operating system, and management software. The evaluation of a TOE follows a structured methodology that includes analysis of design documents, source code review, functional testing, penetration testing, and vulnerability analysis. The Common Criteria defines seven Evaluation Assurance Levels (EALs), from EAL1 (functionally tested) to EAL7 (formally verified design and tested). Each EAL specifies a set of SARs that the TOE must satisfy. For higher EALs, more rigorous analysis and testing are required.

In practice, the TOE is often a composite product, such as a virtual private network (VPN) gateway that includes hardware, operating system, VPN software, and management tools. The evaluation must consider all these components together. The evaluator also examines the TOE's guidance documentation to ensure that it can be securely configured and operated. The evaluator checks the TOE's security functions, such as access control, authentication, audit logging, and cryptographic operations. The evaluation process is typically performed by an accredited laboratory, such as those under the Common Criteria Evaluation and Validation Scheme (CCEVS) in the United States. The result is a certification that the TOE meets its claimed security requirements under specified assumptions about its operational environment. This certification is recognized across countries that are signatories to the Common Criteria Recognition Arrangement (CCRA). The concept of TOE is also used in other security evaluation frameworks, such as the Federal Information Processing Standards (FIPS) 140 series for cryptographic modules, where the module is the TOE. In FIPS 140-2, the TOE is a set of hardware, software, and/or firmware that implements approved cryptographic algorithms and is tested against specified security requirements.

in the context of ISO/IEC 27001 and other management system standards, the concept of TOE is analogous to the scope of the audit, the specific processes, systems, and locations that are assessed. In penetration testing or vulnerability assessments, the TOE is the target network, application, or server being tested. Accurate definition of the TOE prevents scope creep and ensures that the evaluation results are meaningful. A poorly defined TOE can lead to gaps in security coverage or wasted resources. Therefore, defining the TOE is a critical step in any security evaluation project.

Real-Life Example

Imagine you are buying a used car from a dealer, and you want to be sure it is safe. The car itself is your Target of Evaluation. You bring it to a trusted mechanic who has a checklist: brake pads thickness, tire tread depth, engine performance, airbag functionality, and seatbelt condition. The mechanic does not look at the radio or the paint color, because those are not important for safety. The mechanic is only evaluating the car's safety features. Similarly, in IT, when a company wants to buy a new firewall, they define the firewall device as the TOE. The evaluation might focus on its ability to block malicious traffic, authenticate users, and log events. The color of the case or the brand of the power cord is irrelevant. The evaluation is strictly about the security functions that matter to the buyer.

Now suppose the mechanic finds a problem with the brakes. That would mean the car (the TOE) fails the evaluation. The dealer would need to fix the brakes before the car can pass. In IT, if a firewall fails an evaluation because of a vulnerability, the vendor must fix the flaw and resubmit. The analogy also helps with defining the boundary. If the car has a trailer hitch, but the hitch is not part of the safety evaluation (because you are not towing anything), then the hitch is outside the TOE. If the hitch were broken, it would not affect the car's safety certificate. In IT, if you evaluate a web application but exclude the database server from the TOE, then a vulnerability in the database would not be considered a failure of the TOE. The boundary must be explicit.

Another real-life parallel is a food safety inspection at a restaurant. The restaurant's kitchen is the TOE. The health inspector checks for clean surfaces, proper food storage temperatures, handwashing stations, and pest control. They do not check the color of the walls or the music playing. The restaurant is only evaluated on food safety. If it passes, it gets a public health certificate. Similarly, an IT product that passes a security evaluation receives a certificate that can be shown to customers. This builds trust. Without defining the kitchen as the TOE, the inspection would be meaningless. Where does the dining area start and end? Is the parking lot included? Defining the TOE ensures the inspection is focused and fair. So, whether it is a car, a kitchen, or a firewall, the Target of Evaluation is the central item being judged against a specific set of criteria.

Why This Term Matters

Understanding the Target of Evaluation matters because it is the foundation of any security assessment, certification, or audit. Without a clear definition of what is being evaluated, the entire process loses credibility and efficiency. For IT professionals, knowing how to define a TOE is essential when planning security projects, purchasing new technology, or preparing for compliance audits. For example, if a company must achieve FedRAMP certification for a cloud service, they must clearly define the system boundary as the TOE. This boundary determines which components are subject to testing, documentation, and continuous monitoring. If the boundary is drawn incorrectly, the certification might not cover critical parts, leaving the organization exposed to risk.

the TOE concept helps in communication between vendors, evaluators, and customers. When a vendor claims that their product is certified, they must specify the exact TOE version and configuration. A customer can then compare this against their own requirements. For instance, a bank looking to purchase an encryption system can check that the system's TOE includes the same operating system version they use. This avoids mismatches. In regulated industries like healthcare or finance, using evaluated products is often mandatory. The TOE definition provides the legal and technical basis for that compliance.

For IT managers, defining the TOE early in the procurement process saves time and money. It forces the team to consider what is actually needed from a security standpoint and eliminates unnecessary features from the evaluation scope. It also helps in creating realistic test plans and resource allocation. If the TOE is too broad, the evaluation becomes expensive and slow. If it is too narrow, the evaluation may miss critical security functions. Therefore, mastering the concept of TOE is a key skill for security architects, risk managers, and anyone involved in security certification projects. It brings clarity, accountability, and trust to the evaluation process.

How It Appears in Exam Questions

In certification exams, questions about the Target of Evaluation typically fall into several patterns: scenario-based, definition-based, and application-based. Scenario-based questions give a narrative about a security evaluation project and ask the candidate to identify the TOE. For example: 'A company wants to evaluate a new VPN gateway for compliance with FIPS 140-2. The gateway includes hardware, proprietary firmware, and management software. What is the target of evaluation?' The correct answer is the entire gateway including hardware, firmware, and software. Distractors might include 'only the hardware,' 'only the firmware,' or 'the network cabling.' The key is recognizing that the TOE includes all components necessary for the security function.

Definition-based questions are straightforward: 'What is a Target of Evaluation in the context of Common Criteria?' Candidates should select the answer that describes it as the product or system being evaluated against security requirements. These questions test basic memorization, but they also assess understanding that the TOE is defined in the Security Target. A more advanced version might ask: 'Which document defines the Target of Evaluation?' The answer is the Security Target (ST).

Application-based questions require candidates to think about scope. For instance: 'An organization is evaluating a web application as part of a security assessment. The application runs on a server with a database backend. Which of the following should be included in the target of evaluation?' Options might include the web application only, the web server and application, the whole infrastructure, or nothing. The correct choice depends on the purpose of the evaluation. If the evaluation is for the application code only, then the TOE is the application. But if it is for a full system certification, the TOE includes the server OS, database, and application. Candidates must read the scenario carefully to determine what is being assessed.

Another common question type involves interpreting evaluation results. Example: 'A vendor states that their product achieved Common Criteria EAL4 certification. What does this imply about the product?' The candidate must understand that the certification applies only to the specific TOE configuration evaluated. Any changes to hardware, software, or configurations invalidate the certification. This tests the understanding of the TOE's binding to a specific version and environment.

Troubleshooting questions about TOE are less common but can appear. For example: 'During a security evaluation, the evaluator discovers that the system fails a requirement because of a configuration setting. The vendor argues that the setting is part of the operational environment, not the TOE. How should this be resolved?' The answer depends on the Security Target. If the setting is included in the TOE boundary, then it is a failure. If it is outside, it is not. This tests the candidate's ability to apply the concept of boundary definition.

In multiple-choice questions, common distractors include: 'Security Target,' 'Evaluation Assurance Level,' 'Security Functional Requirements,' and 'Operational Environment.' Candidates should remember that the TOE is the actual system or product being evaluated, not a document or a level. Also, be careful with wording like 'target system' or 'system under test' which are synonyms in some contexts. Practice differentiating these terms. Finally, some exams include performance-based questions where candidates must drag and drop components into a TOE boundary diagram. Knowing which components are inside and outside the TOE is essential for such tasks.

Practise Target of evaluation Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are an IT security analyst at a mid-sized company called TechGuard. The company wants to purchase a new endpoint protection platform (EPP) to secure its 500 employees' laptops. Before buying, the Chief Information Security Officer (CISO) asks you to evaluate the product thoroughly to ensure it meets the company's security policies. You decide to use a formal evaluation framework similar to Common Criteria. First, you define the Target of Evaluation (TOE). The EPP product consists of the central management console (installed on a Windows Server), the agent software installed on each laptop, and the cloud-based threat intelligence database. You also include the administrator guide and the user guide in the TOE. You exclude the laptops' operating systems and the network infrastructure because those are considered the operational environment. The TOE is clearly documented in a Security Target-like document. You then hire an external evaluation lab to test the product.

The evaluation lab performs tests to verify that the EPP can detect malware, block malicious URLs, and quarantine infected files. They also test the management console's authentication and role-based access control. They review the source code for common vulnerabilities. During testing, they find a weakness: the management console does not properly sanitize input from administrator accounts, allowing an SQL injection attack. This is a flaw in the TOE, because the management console is part of the product being evaluated. The vendor is notified and releases a patch. After the patch, the TOE passes all requirements. TechGuard receives a certification report stating that the EPP version 4.2 (with specific patch level) meets the security requirements. Two years later, TechGuard wants to upgrade to version 5.0. The old certification no longer applies because the TOE has changed. A new evaluation must be performed. This scenario illustrates the importance of defining the TOE precisely from the start. Without that clear boundary, the evaluation would have been unfocused, and the patch might not have been applied correctly. It also shows that certification is tied to a specific TOE version.

Common Mistakes

Thinking the Target of Evaluation is the same as the Security Target document.

The Security Target (ST) is a document that describes the security requirements and the TOE. The TOE is the actual product or system being evaluated, not the paper describing it.

Remember: The ST talks about the TOE. The TOE is the thing being tested.

Including the entire organizational network in the TOE when the evaluation is only for a single application.

If the TOE is too broad, the evaluation becomes unnecessarily complex and expensive. It may also include components that are not relevant to the security function being assessed.

Define the TOE as narrowly as possible while still covering all security-relevant components of the product. Only include what is necessary to meet the security requirements.

Assuming that a certification applies to all versions and configurations of a product.

A certification is specific to a particular version of the TOE with a defined configuration. Any change in version or configuration can alter the security properties and invalidate the certification.

Always check the exact version and configuration listed in the certification report. Do not assume that a newer version is automatically compliant.

Confusing the Target of Evaluation with the operational environment.

The operational environment includes the people, physical controls, external systems, and processes surrounding the TOE but not part of it. The evaluation focuses on the TOE itself, though some environmental assumptions are considered.

Draw a clear boundary. The TOE is the system or component being evaluated. Everything else, like user behavior and external networks, is the environment.

Omitting guidance documentation from the TOE.

Guidance documents (user manuals, administrator guides) are part of the TOE because they contain instructions for secure configuration and operation. Flawed guidance can lead to insecure use.

Include all relevant documentation as part of the TOE during evaluation, especially if the product's security depends on correct configuration.

Exam Trap — Don't Get Fooled

{"trap":"A question presents a scenario where a company evaluates a 'firewall' and asks for the TOE. Among the options is 'the network administrator' or 'the network traffic'. Learners pick 'network traffic' because they think the evaluation is about traffic inspection."

,"why_learners_choose_it":"Learners confuse the purpose of the evaluation with the TOE. They think that because the firewall inspects traffic, the traffic itself is being evaluated. This is wrong because the TOE is the device that does the inspection, not the data passing through it."

,"how_to_avoid_it":"Stick to the definition: the TOE is the product or system being tested. In a firewall evaluation, the firewall hardware and software are the TOE. The network traffic is what the firewall processes, but it is not under evaluation.

Focus on the physical or logical entity that is subjected to the testing process."

Step-by-Step Breakdown

1

Identify the Need for Evaluation

An organization realizes it needs a secure product, either for regulatory compliance, customer trust, or internal risk management. This triggers the evaluation process.

2

Define the Target of Evaluation (TOE)

Clearly specify the exact hardware, software, firmware, and documentation to be evaluated. This includes version numbers, configuration files, and any dependent components. Document this in a Security Target.

3

Establish the TOE Boundary

Draw a line around what is included and excluded. For example, the TOE might include the application and its database but exclude the operating system. This boundary defines responsibility for security.

4

Select Security Requirements

Choose the security functional requirements (SFRs) and security assurance requirements (SARs) that the TOE must meet. These are often based on a protection profile or organizational policy.

5

Conduct the Evaluation

An accredited lab performs tests, reviews code, examines documentation, and analyzes vulnerabilities. All activities are focused strictly on the TOE as defined.

6

Analyze Results and Remediate

If the TOE fails any requirement, the vendor must fix the issue and resubmit. This may involve patching, reconfiguring, or redesigning parts of the TOE.

7

Certify and Maintain

Once the TOE passes, a certificate is issued. The organization must track the certified TOE version and ensure any changes retrigger evaluation to maintain compliance.

Practical Mini-Lesson

When working in IT security, you will often need to define the Target of Evaluation for projects like product selection, certification, vulnerability assessments, and audits. The most practical skill is learning how to write a clear TOE description. Start with the product name, version, and build number. Then list all hardware components (e.g., model, firmware version), software components (e.g., operating system, libraries), and included documentation. Next, describe the boundaries: what is inside the TOE and what is outside. For instance, if you are evaluating a firewall, you might include the management console but exclude the network switches. Draw a diagram showing the TOE in relation to its environment. This helps everyone see the scope.

Another key practice is to use TOE definition to avoid scope creep in penetration tests. Before any test, write a scope document that defines the target IPs, applications, and systems. This is your TOE. The penetration tester cannot go beyond that. If the client later wants to test another system, that is a new TOE and requires a new authorization. This protects both the tester and the client legally and technically.

When purchasing certified products, always check the certification report for the exact TOE configuration. For example, a firewall might be certified with firmware version 6.0 running on specific hardware. If you run firmware version 6.1 on different hardware, the certification does not apply. You must either evaluate the new configuration or accept the risk.

In larger organizations, maintaining a TOE inventory is useful. Each certified product and its version should be tracked. When a vendor releases an update, the security team must assess whether the change affects the certification. If it does, the product might need re-evaluation or you must mitigate the change's impact. In composite evaluations where multiple products are combined (e.g., a database running on a secure operating system), each component can be a separate TOE, or they can be evaluated together as one combined TOE. This requires careful planning and understanding of dependencies.

What can go wrong? The most common problem is a poorly defined boundary. For example, if the TOE includes the web application but not the web server, then security flaws in the server could still break the application's security, but they would not be caught in the evaluation. This creates a false sense of security. Another risk is assuming that the evaluation covers all attack vectors. Even a certified TOE has assumptions about the environment. For instance, the TOE might assume physical security of the server room. If that assumption is false, the product may fail in reality. Therefore, always review the assumptions and operational environment constraints listed in the Security Target. Finally, documentation often becomes outdated. Ensure reference documents in the TOE are current and version-controlled. Outdated user guides can lead to misconfiguration and vulnerabilities even in a certified product.

Memory Tip

TOE = The Object Evaluated. Think of a 'toe', the one thing you put on the scale to weigh. The TOE is the single product being measured for security.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

Can a Target of Evaluation be a person?

No, a TOE is always a system, product, or component. People are part of the operational environment, not the TOE.

Does the Target of Evaluation include the network cables?

It depends on the scope. If the evaluation is for a hardware appliance, network cables are usually considered part of the environment. But if the evaluation includes physical security of the device, the cables might be included. Check the Security Target.

What happens if the TOE changes after certification?

The certification only applies to the specific version and configuration evaluated. Any changes may require a new evaluation or maintenance of certification. Some frameworks allow re-evaluation of changes only.

Is the Target of Evaluation the same as the 'system under test'?

Yes, in many contexts, system under test (SUT) is synonymous with TOE, especially in software testing and penetration testing. However, in formal security evaluation, TOE is the preferred term.

Can a TOE be composed of multiple products from different vendors?

Yes, that is called a composite TOE. For example, a database system running on a specific operating system can be evaluated together as one TOE. Each component may have its own certification, but the composite evaluation ensures they work securely together.

How do I find the TOE information for a certified product?

Look for the product's Security Target document or certification report, usually available on the vendor's website or the national certification body's database. These specify the exact TOE components and version.

Summary

The Target of Evaluation (TOE) is a foundational concept in information security evaluation, certification, and testing. It refers to the specific product, system, or component that is formally assessed against a set of security requirements. Clearly defining the TOE is the first and most critical step in any evaluation process, as it sets the scope, boundary, and focus for all subsequent work. The TOE includes not only the hardware and software but also relevant guidance documentation, and it must be described precisely with version numbers and configurations. Understanding the TOE is essential for IT professionals involved in security certification, compliance, procurement, and risk management.

For exam takers, the TOE appears in various certifications including CompTIA Security+, CISSP, CEH, and ISO 27001 auditor exams. You can expect scenario-based questions that ask you to identify the TOE, distinguish it from related concepts like the Security Target or operational environment, and apply boundary definitions. Common mistakes include confusing the TOE with its documentation, expanding the scope unnecessarily, or assuming certification covers all versions. The key takeaway is that the TOE is the actual thing being tested, not the plan or the environment. By mastering the concept, you will approach security evaluation questions with clarity and precision, improving your exam performance and your practical ability to manage security assessments.