ISO/IEC 15408, also known as the Common Criteria for Information Technology Security Evaluation, Common Criteria or CC, is an international standard for evaluating and certifying the security properties of IT products and systems.
Common Criteria supersedes the American TCSEC (Trusted Computer System Evaluation Criteria), the Orange Book from the Rainbow Series, and the European ITSEC (Information Technology Security Evaluation Criteria).
Common Criteria Evaluation Assurance Level
Common Criteria (CC) evaluation assurance levels (EALs):
- EAL1
- EAL2
- EAL3
- EAL4
- EAL5
- EAL6
- EAL7
Tricks to learn them:
- All contain “…tested…”
- 1 starts with “Functionally…”
- 2 starts with “Structurally…”
- 3-4 start with “Methodically…”
- 5-6 start with “Semi-formally…”
- 7 starts with “Formally…”
- 4-5 add “…designed…”
- 6-7 add “…verified…”
If you represent it as a table (one column per keyword; empty cells mean the keyword is absent at that level):

| Level | Rigor | Designed | Verified | Tested |
|-------|---------------|----------|----------|----------------------|
| EAL1 | Functionally | | | tested |
| EAL2 | Structurally | | | tested |
| EAL3 | Methodically | | | tested and checked |
| EAL4 | Methodically | designed | | tested and reviewed |
| EAL5 | Semi-formally | designed | | tested |
| EAL6 | Semi-formally | designed | verified | tested |
| EAL7 | Formally | designed | verified | tested |
EAL1
EAL1 is functionally tested.
EAL2
EAL2 is structurally tested.
EAL3
EAL3 is methodically tested and checked.
EAL4
EAL4 is methodically designed, tested and reviewed.
EAL5
EAL5 is semi-formally designed and tested.
EAL6
EAL6 is semi-formally verified, designed and tested.
EAL7
EAL7 is formally verified, designed and tested.