Penetration Test | Jan Kahmen | 5 min read

Evaluation Assurance Level (EAL)

The Evaluation Assurance Level (EAL) is a numerical value that reflects the trustworthiness or security of an IT product or system.

What is the Evaluation Assurance Level (EAL)?

The Evaluation Assurance Level (EAL) is a numerical value that indicates the trustworthiness or security of an IT product or system. It is an international scale developed under the Common Criteria (CC), an internationally recognized standard for evaluating the security of IT products.
The EAL, which ranges from 1 to 7 (plus augmented levels marked with a plus sign, such as 6+ and 7+), indicates the depth and rigor of the evaluation used to confirm that a product or system meets its security requirements. Various security functions and measures are evaluated, such as user identification, access control, data transmission, and system integrity. A technical evaluation by penetration tests must also be carried out.
The higher the EAL rating, the more comprehensive and rigorous the security audit and the greater the confidence in the security of the product or system. An EAL of 1 represents the lowest level of security testing, while 7+ represents the highest level and must meet the most stringent requirements to ensure a very high level of confidence in security.
The EAL is awarded by independent accreditation bodies or IT security testing organizations according to the Common Criteria guidelines. It serves as an indicator of the security of IT products or systems and can help in deciding whether to adopt an IT solution. However, the EAL should not be used as the sole criterion for assessing security: it certifies the evaluated product against its stated security target, while other factors such as implementation, deployment, and configuration also play an important role.

What is the Position of ISO 15408?

ISO 15408 is an international standard that describes and defines the Common Criteria (CC). It specifies the requirements for conducting security assessments of IT products and systems and defines the different EAL levels.
ISO 15408 specifies that the EAL rating must be assigned based on the security testing and evaluation performed. It also describes the specific requirements for each EAL level and indicates which security functions and measures must be tested at each level.
ISO 15408 ensures that the EAL rating is awarded consistently and objectively and that it can be used as a reliable indicator of the security of IT products and systems. It is regularly updated to meet ever-changing security requirements.

Why is Common Criteria Security Certification Useful?

  1. International standard: Common Criteria is an internationally recognized standard for evaluating the security of IT products. It is recognized by more than 26 countries worldwide and thus enables a uniform assessment of the security of products.
  2. Independent assessment: Common Criteria security certification is carried out by independent and accredited testing laboratories. This ensures that the assessment is objective and unbiased.
  3. Customer trust: Common Criteria certification enables manufacturers to strengthen their customers' trust in the security of their products. Customers can be confident that the products have been independently tested for security and meet international standards.
  4. Risk minimization: Common Criteria certification helps manufacturers identify and address potential security vulnerabilities and weaknesses in their products. This minimizes the risk of security incidents and improves the security of the products.
  5. Meeting requirements: In some industries, such as government or the military, Common Criteria certification is a requirement for the use of IT products. Certification enables manufacturers to meet these requirements and offer their products in these sectors.
  6. Continuous improvement: Common Criteria certification is not a one-time process, but requires regular reviews and updates. This encourages manufacturers to continuously improve the security of their products.
  7. Protection against liability claims: Common Criteria certification can also protect manufacturers from liability claims, as they can show that their products have been independently tested for security and meet international standards.

Overall, Common Criteria security certification offers a range of benefits for manufacturers, customers and society as a whole by improving the security of IT products and increasing trust in them.
