IoT security vulnerabilities continue to pose a risk to people, organizations and society. In response, new cybersecurity regulations and requirements are mandating stronger protection for IoT devices.
This is needed, but it also creates challenges: to comply, device makers and non-security experts must identify and understand the relevant security requirements, implement appropriate technology, and demonstrate the security features of their IoT devices.

The Problem
For an OEM, undertaking multiple security evaluations for a single IoT device increases costs, time to market and effort. This approach is unsustainable. In turn, it increases the risk that devices will be deployed without the appropriate levels of security.
The Solution
We need to make IoT device security economically viable for the entire value chain. The best way to achieve this is to address risks at the core by building IoT devices with platforms and components that have already been security certified.
The Result
By using certified components with in-built security assurances, device makers can integrate, manage and demonstrate security without incurring additional cost, effort, or time-to-market. This drives down the total cost of ownership, and provides assurance that devices are secure by default.
What is SESIP?
The Security Evaluation Standard for IoT Platforms (SESIP) is a methodology that reduces the cost, complexity and effort of security evaluation and certification.
It utilizes the concepts of composition and reuse, so that previously certified components can be used to build a device with in-built security assurances, without having to repeat the same evaluations in every targeted market.
The methodology maps to other standards and requirements from bodies including ETSI, ISO/IEC and NIST, which demonstrates a risk-based design approach and helps lower barriers to entry.
Reduce Costs
Save money by not having to pay for the same evaluation multiple times. SESIP certificates can be re-used to provide security evidence and meet multiple requirements.
Minimize Time & Effort
Implement and demonstrate security that is fit-for-purpose without having to become a security expert. SESIP-certified components provide in-built security assurances.
Grow Your Business
Seize market opportunities. SESIP lowers barriers to entry by simplifying compliance with regional and market requirements, including RED, CRA, US Trust Mark, Singapore CSA CLS, IEC 62443 and ISO 21434.
Manage Risk
Demonstrate that a risk-based design approach has been taken when developing your IoT device. SESIP enables the identification, understanding and implementation of certified security requirements.
Demonstrate Value
Use security features to differentiate your products and empower your customers to make better, more informed decisions. SESIP provides evidence of security-by-default.
Quantifying the Benefits of SESIP
How can we measure the value of SESIP? Read our whitepaper to learn how the benefits of SESIP can be quantified in terms of the cost, effort, and duration of evaluations.
Already adopting SESIP?
For companies that are not GlobalPlatform members but that would like to be kept informed about the latest GlobalPlatform SESIP developments and technical documents, and showcase their certified products in line with the SESIP trademark license agreement, GlobalPlatform has created a ‘SESIP Adopters’ community. View the agreement and apply here.
This document specifies requirements for the security evaluation of IoT platforms and parts thereof, including in particular a set of Security Functional Requirements, and the definition of Security Assurance Requirements packages that define five assurance levels. These requirements are based on the Common Criteria standard (ISO 15408, v3.1), which it refines for the specific purpose of the evaluation of IoT platforms and parts thereof. The set of documents also includes the definition of a scheme based on these requirements, which defines management rules such as the management of certificates and the accreditation of Certification Bodies and Laboratories.
A SESIP Profile defines the security requirements for a specific type of product, platform, or use case within the SESIP framework. It specifies the minimum set of security functional and assurance requirements that a product must implement to achieve a defined level of security against relevant threats in a particular operational environment. The profile also identifies the SESIP level(s) claimed and maps security requirements to the threats they are intended to mitigate, ensuring that products evaluated against the profile meet consistent and well-defined security expectations.
A SESIP Mapping is a structured way of linking the requirements of another security standard or regulation to the corresponding SESIP security requirements. It typically uses a mapping table that shows how the requirements of a target standard are fulfilled by SESIP Security Functional Requirements (SFRs), Security Assurance Requirements (SARs), or Security Process Packages (SPPs). This mapping helps demonstrate that a product evaluated using SESIP also meets the requirements of other frameworks or regulations.
SESIP Governance defines the framework and processes for operating the Security Evaluation Standard for IoT Platforms (SESIP) certification scheme under GlobalPlatform. It establishes the requirements, competencies, and accreditation criteria for Certification Bodies and Evaluation Laboratories. The governance model ensures that SESIP evaluations and certifications are conducted consistently, impartially, and with recognized technical expertise, enabling trust, cooperation between stakeholders, and mutual recognition of certification results across the ecosystem.
For companies that are not GlobalPlatform members, but would like to be kept informed about the latest GlobalPlatform SESIP developments and technical documents, and showcase their certified products in line with the SESIP trademark license agreement, GlobalPlatform has created a “SESIP Adopters” community.
Joining the SESIP Adopter Program means:
To become a SESIP Adopter, view the agreement and apply here.
Education
Access a library of free educational videos and whitepapers, to learn how SESIP can be used and the benefits it delivers.
Training
Learn about the SESIP methodology, its market applicability, composition, and Governance with our training for product vendors, regulators, scheme owners and labs.
The SESIP Committee
The SESIP Committee sets the strategy and delivers initiatives to support the adoption and recognition of SESIP as a worldwide, multi-vertical scheme for security evaluation.
SESIP Governance
GlobalPlatform members can join the Governance Working Group, which is responsible for harmonizing the applicability of SESIP and driving mutual recognition across public and private schemes.
Technical Documents
GlobalPlatform members can join the technical working group, to contribute to the creation of SESIP security profiles and mappings to other schemes, requirements and regulations.
Ecosystem Adoption
GlobalPlatform members can join the ecosystem adoption working group to drive awareness of, and engagement with, SESIP and its benefits through marketing and communications activity.
The legal and technical forms applicable to each type of certification are provided below. For information on the procedures to be completed by a Certification Body or Laboratory to join the SESIP licensing program, read GlobalPlatform's SESIP Governance.
| Participation Forms | Product Vendor | Laboratory | Certification Body |
|---|---|---|---|
| GlobalPlatform SESIP Security Lab Agreement | | | |
| Trademark License Agreement | | | |
| GlobalPlatform SESIP Certification Body Relationship Agreement | | | |
| GlobalPlatform SESIP Certification Body Request Form | | | |
| GlobalPlatform SESIP Adopter Agreement | | | |