scope:

This Standard describes a methodology for assessing the product software and cybersecurity control maturity of an organization.

This Standard provides the evaluators and vendors a method to determine the control maturity of the organization and products/solutions being developed regardless of solution vertical. It covers the entire product system life cycle from conception to full commissioning and until the end of life. It supports effective executive business decisions that establish a comprehensive maturity model approach to cybersecurity.

This Standard is applicable to all IoT and related products/solutions.

In this Standard, "shall" is used to express a requirement, i.e., a provision that the user is obliged to satisfy in order to comply with the Standard; "should" is used to express a recommendation or that which is advised but not required; and "may" is used to express an option or that which is permissible within the limits of the Standard.

Notes accompanying clauses do not include requirements or alternative requirements; the purpose of a note accompanying a clause is to separate from the text explanatory or informative material.

Notes to tables and figures are considered part of the table or figure and may be written as requirements.

Annexes are designated normative (mandatory) or informative (non-mandatory) to define their intended application.