ISM-0280 (policy) - ASD Information Security Manual (ISM)

Choose PP-evaluated Products Over EAL-based Ones

Prefer products evaluated against protection profiles over those with EAL evaluations for procurement purposes.

Plain language

When choosing products to buy for your organisation, it's better to select those that have been evaluated using protection profiles rather than just a general evaluation level. This is important because it ensures the product meets specific security needs and standards, reducing the risk of security breaches that could expose sensitive data or disrupt operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

If procuring an evaluated product, a product that has completed a PP-based evaluation, including against all applicable PP modules (as well as a software bill of materials assessment if applicable), is selected in preference to one that has completed an EAL-based evaluation.
Why it matters

Opting for PP-evaluated products over EAL helps ensure required security functions are covered, reducing risk from incomplete evaluations.

Operational notes

Confirm purchases have PP-based certification for all applicable PP modules, and obtain/verify an SBOM assessment where relevant.

Implementation tips

  • The procurement officer should prioritise purchasing products evaluated with protection profiles. They can do this by checking if suppliers provide certification documents that confirm the product has met specific security standards under these profiles.
  • IT managers should make a list of products that need to be evaluated before purchasing. This ensures any software or hardware has the right certification to meet your organisation's security needs.
  • Have a meeting with your IT team and procurement officers to review these lists and certifications together. This helps make sure everyone understands what protection profiles cover and why they are crucial for the purchase.
  • The procurement officer should compare products by looking at documentation from suppliers that indicates a protection profile evaluation. Ensure this documentation is part of the procurement process checklist.
  • When a product is selected, IT and procurement need to archive the evaluation documents together. This keeps records organised, making it easy to verify that only properly evaluated products are in use during audits.
Audit / evidence tips

  • Ask: for the procurement checklist for products. Good: the checklist shows a clear preference for PP-evaluated products over EAL evaluations.
  • Ask: for the product's evaluation documentation. Good: the document clearly shows the product has undergone PP evaluation and the evaluation is up to date.
  • Ask: them to explain how they verify evaluation standards before making a purchase. Good: they understand the difference between PP and EAL evaluations and how they assess these during procurement.
Cross-framework mappings

How ISM-0280 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control        Notes

Partially meets (2)
Annex A 5.19   ISM-0280 requires organisations to select PP-evaluated products in preference to EAL-evaluated products when procuring evaluated products.
Annex A 5.21   ISM-0280 requires organisations to prefer procuring products that have completed Protection Profile (PP)-based evaluations (including app...

Supports (1)
Annex A 5.22   ISM-0280 requires a procurement preference for PP-based evaluated products (and SBOM assessment where applicable) to improve assurance in...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
