The SGS Internet of Things (IoT) Security Checked product testing and labeling program delivers the means for manufacturers and retailers to build trust into the IoT solutions they deliver into consumer markets worldwide. Consumers choosing products displaying the SGS IoT-Security Checked label get easy-to-read information that will help them in their buying decisions. Qualifying products carry a label which clearly indicates that the item has been security assessed according to standardized recommendations relevant to its product category.

The depth of assessment and corresponding assurance level take into account the risk exposure of the application and how the product will be used.

We distinguish three assurance levels (basic, substantial and high), aligned with international regulations such as the EU Cybersecurity Act (EU CSA):

“To express the cybersecurity risk, a certificate may refer to three assurance levels (basic, substantial, high) that are commensurate with the level of the risk associated with the intended use of the product, service or process, in terms of the probability and impact of an incident. For example, a high assurance level means that the product that was certified has passed the highest security tests”

IoT testing approach illustration

The SGS IoT-Security Checked program delivers significant added value to manufacturers, retailers and consumers, and is based on broadly accepted cybersecurity standards and regulations relevant for consumer IoT devices such as:

  • ETSI EN 303 645
  • NISTIR 8259A
  • The UK IoT law currently in preparation
  • California State Bill SB-327 (requirements are not explicit in this regulation)

This allows region-specific or upcoming standards to be referenced in a flexible manner. At the same time, the security of the device, its relation to any mobile app and the IoT backend platform located in the cloud are also considered during assessment.

The combination of a questionnaire/interview/review-based approach, backed by independent conformity testing (for lower assurance levels) or independent third-party conformity and security assessments (for the high assurance level), allows the provision of conformity verdicts covering all standards for each assurance level.

Manufacturers and retailers benefit from this structure as it helps to keep costs under control for products with low risk exposure.

The IoT-Security Checked product testing and labeling program provides a competitive edge to manufacturers and retailers by allowing them to better market their investments in cybersecurity, while consumers get easy-to-read details on the cybersecurity of a product when making buying decisions.

The product test program has four test levels, M0 to M3, with increasing levels of assurance.

Product test program illustration

  • M0 and M1: a questionnaire/interview/review-based conformity assessment supported by a partial vulnerability scanning/testing campaign for products with low risk exposure:
    • Corresponds to assurance level “Basic”
  • M2: a fully independent conformity assessment and testing campaign, in grey-box setup, for products with medium risk exposure:
    • Corresponds to assurance level “Substantial”
  • M3: a comprehensive conformity assessment and testing campaign, backed by a penetration and security robustness testing campaign, for products with high risk exposure:
    • Corresponds to assurance level “High”

In addition, we offer three further test levels targeting retailers:

  • R0: a questionnaire/review-based conformity assessment for products with low risk exposure:
    • Corresponds to assurance level “Basic”
  • R1 (Automated vulnerability scanning) and R2 (Common vulnerabilities testing) support retailers wanting to perform cybersecurity testing for batch samples in a black-box setup. Full standard conformity assessment coverage cannot be achieved with the test set-ups in R1 and R2.

Full standard coverage illustration

Products that have successfully passed the test campaign qualify to display the SGS IoT-Security Checked label. Details of the device tested, the standards applied, the tests carried out and their validity are accessible via the QR-Code or the approval number printed on the product label.
