SESIP: An optimized security evaluation methodology, designed for IoT devices

GlobalPlatform is here to support IoT device makers and certification bodies to adopt the Security Evaluation Standard for IoT Platforms (SESIP) methodology and establish their own IoT device security certification schemes.

SESIP provides a common and optimized approach for evaluating the security of connected products that meets the specific compliance, security, privacy and scalability challenges of the evolving IoT ecosystem.

GlobalPlatform is also aligning certification bodies and laboratories, to ensure comparable evaluations across the entire IoT ecosystem. GlobalPlatform welcomes engagement from certification bodies and laboratories.

CEN CENELEC has publicly cited its intention to adopt SESIP as a European Standard (prEN 17927). SESIP delivers greater efficiency, cost-savings and ensures defined assurance levels across a broad range of regulatory and security frameworks including ETSI, ISO/IEC and NIST, as well as specific, vertical regulations.

The growing number of IoT products and the complexity of these connected things introduces new challenges to the traditional security evaluation process. IoT products are made up of multiple components, which are developed by multiple players, many of which are new to security. A myriad of different regulations and certification frameworks create an added layer of complexity for the IoT vendors, developers and service providers tasked with demonstrating the security capability of their products.

A flexible and efficient security evaluation methodology is needed to address the unique complexities and challenges of the evolving IoT ecosystem and drive consistency across IoT certification schemes to bring greater trust.

From Complexity to Consistency: What is SESIP?

IoT products are far more complex than the products traditional security evaluation approaches address. SESIP recognizes this with a common security evaluation methodology that is designed specifically for the IoT platforms and platform parts on which these products are based. It addresses the need for a standardized approach that supports a broad range of regulatory and security frameworks, while at the same time providing a methodology that’s adaptable to the IoT environment and accessible to IoT developers who aren’t security experts.

SESIP:

• Delivers a flexible and efficient security evaluation methodology dedicated to addressing the complexity of the IoT ecosystem.
• Drives consistency by providing a common and recognized methodology that can be adopted across certification schemes.
• Reduces complexity, cost and time-to-market for IoT stakeholders by offering a methodology that’s mappable to other evaluation methodologies, and compliant with standards and regulations.
• Facilitates device certification, by composition of certified parts, and reuse of certification across different evaluations.
• Establishes a consistent and flexible way for IoT developers to demonstrate the security capability of their IoT products and service providers to select a product that matches their security needs.

GlobalPlatform has 20 years’ experience in establishing and managing security certification schemes. The organization is now supporting the IoT device security certification ecosystem with the adoption of the SESIP methodology. The objective is to build consistency across IoT certification schemes (regional or vertical) to facilitate product evaluation and certificate recognition.

• Device makers – can work with GlobalPlatform to enhance the security of their devices, which are built on a SESIP-certified platform part, to ensure readiness to achieve certification in line with any schemes using SESIP.
• Laboratories – can work with GlobalPlatform to improve the SESIP methodology and associated supporting documents to provide an efficient and swift solution for IoT device certification.
• Certification Bodies – can work with GlobalPlatform, integrate the SESIP methodology alongside their existing certification schemes and work with other certification bodies to ensure consistency of evaluations. This will bring greater trust to the IoT devices deployed within their country or region
• Solution vendors – benefit from the establishment of consistent SESIP security certification and the ability to demonstrate alignment with market requirements, use cases and regulations in an optimized way.
• IoT ecosystem – to answer security regulations, the IoT sector can use the SESIP methodology to efficiently define their security requirements and use SESIP laboratories and a SESIP certification body to establish their own schemes.

Improve your understanding of the SESIP methodology, key concepts including composition, and GlobalPlatform’s Governance model with our SESIP training course for:

• Product vendors, regulators, and scheme owners – learn how to become a GlobalPlatform SESIP Laboratory or Certification Body licensee.
• Labs – learn how to implement the evaluation methodology to support your SESIP projects and provide an efficient and swift solution for IoT device certification.

Learn more and book

Participation Forms

The legal and technical forms applicable to each type of certification are provided below. For information on the procedures to be completed by a Certification Body or Laboratory to join the SESIP licensing program, read GlobalPlatform's SESIP Governance.