Common Criteria

Product developers for IT sector need to prove to customers that their products work properly and contain all the security features claimed by the manufacturers. To achieve this, they need an independent and objective laboratory which can test and certificate these IT products. Such laboratories should have a common language and criteria for the evaluation process.

For this purpose, Common Criteria Standards (CC) were established that based on TCSEC and ITSEC standards which later became ISO 15408 security standards that is affiliated with International Information Security Technologies Evaluation Standards in 1999 by the International Organization for Standardization (ISO). Common Criteria designates Evaluation Levels according to ISO 15408 methodology.

Common Criteria – Evaluation Levels
Products can be evaluated at different levels based on Common Criteria Evaluation Assurance Levels (EAL). There are seven EALs in Common Criteria. While EAL 7 is the highest level, EAL 1 is the lowest one. Higher assurance levels encompass lower assurance levels. When assurance levels get higher it means product’s reliability gets stronger against to security attacks. The assurance levels are;

EAL1 (Functionally Tested): It is applicable where some confidence in correct operation is required, but the threats to security are not viewed as serious. It will be of value where independent assurance is required to support the contention that due care has been exercised with respect to the protection of personal or similar information. EAL1 requires only a limited security target. It is sufficient to simply state the SFRs that the TOE must meet, rather than deriving them from threats, OSPs and assumptions through security objectives.1

EAL2 (Black Box - Structurally Tested):It requires the co-operation of the developer in terms of the delivery of design information and test results, but should not demand more effort on the part of the developer than is consistent with good commercial practice. As such, it should not require a substantially increased investment of cost or time. EAL2 is therefore applicable in those circumstances where developers or users require a low to moderate level of independently assured security in the absence of ready availability of the complete development record. Such a situation may arise when securing legacy systems, or where access to the developer may be limited.2

EAL3 (Methodically Tested and Checked):It permits a conscientious developer to gain maximum assurance from positive security engineering at the design stage without substantial alteration of existing sound development practices. EAL3 is applicable in those circumstances where developers or users require a moderate level of independently assured security, and require a thorough investigation of the TOE and its development without substantial reengineering. EAL3 is supported by grey test boxing as well.3

EAL4 (Methodically Designed, Tested, and Reviewed):It permits a developer to gain maximum assurance from positive security engineering based on good commercial development practices which, through rigorous, do not require substantial specialist knowledge, skills, and other resources. EAL4 is the highest level at which it is likely to be economically feasible to retrofit to an existing product line. EAL4 is therefore applicable in those circumstances where developers or users require a moderate to high level of independently assured security in conventional commodity TOEs and are prepared to incur additional security specific engineering costs. 4




EAL5 (Semiformally Designed and Tested):It permits a developer to gain maximum assurance from security engineering based upon rigorous commercial development practices supported by moderate application of specialist security engineering techniques. Such a TOE will probably be designed and developed with the intent of achieving EAL5 assurance. It is likely that the additional costs attributable to the EAL5 requirements, relative to rigorous development without the application of specialized techniques, will not be large. EAL5 is therefore applicable in those circumstances where developers or users require a high level of independently assured security in a planned development and require a rigorous development approach without incurring unreasonable costs attributable to specialist security engineering techniques.5


EAL6 (Semiformally Verified Design and Tested):It permits developers to gain high assurance from application of security engineering techniques to a rigorous development environment in order to produce a premium TOE for protecting high value assets against significant risks. EAL6 is therefore applicable to the development of security TOEs for application in high risk situations where the value of the protected assets justifies the additional costs.6  

EAL 7: It is applicable to the development of security TOEs for application in extremely high risk situations and/or where the high value of the assets justifies the higher costs.

1,2,3,4,5,6 Common Criteria for Information Technology Security Evaluation Part 3 : Security Assurance Components v3.1 r5