The Security Evaluation Scheme for IoT Platforms (SESIP) provides a trustworthy assessment of the security of IoT platforms, such that the assessment can be re-used in fulfilling the requirements of various commercial product domains.

The security functionality provided by the platform is expressed using the included catalog. Commonly provided sets of functionality will be covered in SESIP profiles. Currently, mappings for IEC 62443, Javacard, PP-0084, etc. are under development.

There are currently four IoT Platform Assurance Levels operational in SESIP:

IoT Platform Assurance Level 1 (ITP1) is a self-assessment-based level. There is no independent check by the evaluators that the platform actually implements the SFRs.

IoT Platform Assurance Level 1+ (ITP1+) is a black-box penetration testing level. This is the highest level that can be applied to a closed-source platform without cooperation by the developer.

IoT Platform Assurance Level 2 (ITP2) is a traditional white-box vulnerability analysis. The evaluation is structured around a time-limited source code analysis combined with a time-limited penetration testing effort.

IoT Platform Assurance Level 3 (ITP3) is the traditional full CC evaluation against an EAL4+ALC_DVS.2+AVA_VAN.5 level. This level is intended for re-use of SOG-IS certified platforms, allowing those platforms to utilize the mappings from SESIP to specific commercial product domains. There is no stand-alone ITP3 evaluation possible under the current SESIP.

TrustCB is working with the following licensed lab for SESIP:

TrustCB has awarded the following labs Candidate status, reflecting confidence in each lab’s technical competence to perform SESIP evaluations, while full Licensing is pending:

  • Riscure B.V.
    Delftechpark 49,
    2628 XJ Delft,
    The Netherlands
    Point of Contact: Pascal van Gimst
    Email: [email protected]
    Tel: +31 15 251 40 90
    Web: www.riscure.com

