scope:

The present document specifies a conformance assessment methodology for consumer IoT devices, their relation to associated services and corresponding relevant processes against ETSI TS 103 645 [1]/ETSI EN 303 645 [2], addressing the mandatory and recommended provisions as well as conditions and complements of ETSI TS 103 645 [1]/ETSI EN 303 645 [2] by defining test cases and assessment criteria for each provision.

The present document intends to support suppliers or implementers of consumer IoT products in first-party assessment (self-assessment), user organizations in second party assessment, independent testing organizations in third party assessment and certification and conformance declaration scheme owners in operating harmonized schemes. Defining a certification or conformance declaration scheme is out of scope of the present document.

The present document intends to contribute to the protection of consumer IoT products against the most common cybersecurity threats. Multi-medium or highly targeted/sophisticated attacks and thus the invasive analysis of hard- and software modules is out of scope of the present document. The Test Scenarios (TSOs) are targeting basic effort regarding test depth and test circumference in accordance to ETSI TS 103 645 [1]/ETSI EN 303 645 [2] which addresses a baseline security level.

Due to the heterogeneity of consumer IoT devices, ETSI TS 103 645 [1]/ETSI EN 303 645 [2] and therefore the associated test groups in the present document are formulated in a generic manner. Thus, the present document does not describe specific tools or detailed step-by-step instructions. The test cases are intended to be performed by competent bodies that have the expertise to derive a suitable test plan.