How to assess the cybersecurity of a consumer IoT device under the ETSI EN 303 645 scheme?


- March
Posted by: Javier Tallón
How to assess the cybersecurity of a consumer IoT device under the ETSI EN 303 645 scheme?

IoT devices are increasingly becoming part of consumers daily basis, devices like fitness watches, home automation devices, smart hubs, robot vacuum cleaners, dishwashers and dozens of other devices we use every day. Therefore, knowing that an IoT device meets certain cybersecurity standards is a relief for both the manufacturer and the consumer.

Because of this need, the ETSI EN 303 645 standard was developed. It was released in 2019, involving all stakeholders of the consumer IoT cybersecurity landscape and was developed with industry, academics, testing institutes and international government bodies. This standard has become a reference for securing IoT devices all over the world and is already used by several cybersecurity regulations.

How to carry out an evaluation under ETSI EN 303 645 standard?

The standard ETSI EN 303 645 is evaluated following the guidelines of ETSI TS 103 701,which describes how a conformity assessment is performed in a structured and comprehensive way. This will allow supplier organizations such as manufacturers, vendors or distributers to assess the compliance of their devices against ETSI EN 303 645. The technical specification that offers ETSI TS 103 701 helps to harmonize evaluation methodologies and support manufacturers, suppliers and implementers for their internal security processes.

Which actors are part in the evaluation process?

The evaluation process is not simple and can take several months of effort to be completed. For this reason, we recommend using a reputable laboratory.

There are three main actors involved in this process:

  • Supplier Organization (SO): Is basically the company that requires the services
  • (Optional) Consulting Firm (CF): The company in charge of preparing all the documentation (could be done by the client himself). This is the toughest part in the process when the SO Statement must be drafted.
  • Testing laboratory (TL): An independent entity that carries out the conformance assessment of a DUT. jtsec is an accredited laboratory by ETSI to perform evaluations based on ETSI TS 103 701, the assessment specification developed by ETSI that specifies conformance tests and methodology for assessing devices against EN 303 645. Once the SO Statement has been drafted, the evaluation can be started. The assessment can be scoped to cover the mandatory requirements in EN 303 635, or to also cover the additional recommendations in the standard.
  • Flowchart of the Certification Process for ETSI EN 303 645

    In this section we will highlight the most important stages in the certification process. With this graphic, the steps to be followed will become clearer.

    Source: ETSI TS 103 701

    Important documentation required in the process.

    There are some documents required to be carried out by the client or the consulting firm and some others by the lab.

  • SO statement: Is a document that includes the identification of the DUT (Device Under Test), the creation of the Implementation Conformance Statement (ICS) and the Implementation Extra Information for Testing (IXIT)
  • Implementation Conformance Statement (ICS):Statement made by the SO of the capabilities implemented in or supported by the DUT.
  • Assessment Report:Once the evaluation is done, the lab fills an assessment report which will include a verdict (pass, fail or inconclusive) for each of the provisions that apply to the device.
  • How can we help you achieving ETSI EN 303 645?

    We strive to smooth the process and make it as simple as possible, minimizing the workload for our clients. Our highlights:

  • First Spanish accredited ETSI EN 303 645 laboratory for consumer IoT (performing technical specifications ETSI EN 103 701)
  • Members of the SCCG (Stakeholder Cybersecurity Certification Group).
  • More than 60 cybersecurity evaluations carried out in 2022 and more than 45 cybersecurity professionals available.
  • ECSO members in the Working Group "Standardization, Certification and Supply Chain Management".
  • If you want more info do not hesitate to contact us and visit our ETSI EN 303 645 webpage.

    Javier Tallón/Technical Director

    Expert consultant on the Common Criteria standard, and other security assurance standards in the field of the information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country major evaluation labs. As a consultant, he has successfully accompanied national and international companies in several certification processes (to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also Cyber Security lecturer, giving classes of Secure Software Engineering at the University of Granada and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified .

    In 2015 he begins to lay the foundations of what will be jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site from where the company develops most of the work. Recognized expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), assumes the technical direction of most of the projects, directing and organizing the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple Congresses.


    Send us your questions or suggestions!

    By sending your data you allow us to use it to resolve your doubts by sending you commercial information of interest. We will delete it when they are no longer necessary for this matter. Know your rights in our Privacy Policy.