The Security Evaluation Standard for IoT Platforms (SESIP), published by GlobalPlatform and by CEN CENELEC, defines a standard for the trustworthy assessment of the security of IoT platforms. It is designed to be efficient and to be re-usable in fulfilling the requirements of various commercial product domains. SESIP provides the technical basis for the TrustCB SESIP scheme. We support both the GlobalPlatform and the CEN CENELEC versions of SESIP.
The security functionality provided by the platform is expressed using the SESIP catalogue. Commonly provided sets of functionality have been published as SESIP profiles by organisations including GlobalPlatform and PSA Certified.
There are five Assurance Levels in SESIP, labelled and defined as:
- SESIP Assurance Level 1 (SESIP1); a self-assessment-based level. There is no independent check by the evaluators that the platform actually implements the SFRs. SESIP1 provides a basic level of assurance.
- SESIP Assurance Level 2 (SESIP2); a black-box penetration testing level. It is the highest level that can be applied to a closed-source platform without cooperation by the developer. SESIP2 provides a moderate level of assurance.
- SESIP Assurance Level 3 (SESIP3); a traditional white-box vulnerability analysis. The evaluation is structured around a time-limited source code analysis combined with a time-limited penetration testing effort. SESIP3 provides a substantial level of assurance.
- SESIP Assurance Level 4 (SESIP4); originally in GP SESIP this was intended for re-use of SOG-IS certified platforms or platform parts by licensed evaluation laboratories, allowing those platforms to utilize the mappings from SESIP to specific commercial product domains. It can still be used for re-use of SOG-IS/EUCC certification. However, CEN CENELEC has explicitly added a SESIP-only evaluation methodology to the CEN CENELEC SESIP standard, so SESIP-only SESIP4 and SESIP5 are possible.
- SESIP Assurance Level 5 (SESIP5); this level too was originally intended in GP SESIP for re-use of SOG-IS certified platforms or platform parts by licensed evaluation laboratories, allowing those platforms to utilize the mappings from SESIP to specific commercial product domains. With CEN CENELEC’s addition of the stand-alone evaluation methodology, a SESIP-only CEN CENELEC SESIP5 evaluation certification is possible.
TrustCB is a GlobalPlatform member certification body issuing certificates in accordance with the GlobalPlatform SESIP version and under the CEN CENELEC SESIP version.
TrustCB is working with the following licensed labs for the TrustCB SESIP scheme:
- Applus+ (Barcelona, Spain + Madrid, Spain)
- Brightsight (Delft, The Netherlands + Barcelona, Spain + Graz, Austria)
- DEKRA Testing and Certification (Madrid, Spain)
- ECSEC Laboratory Inc. (Tokyo, Japan)
- Keysight Technologies Netherlands Riscure (Delft, The Netherlands)
- Institute for Information Technology (Taipei City, Taiwan (R.O.C.))
- Serma Safety & Security (Pessac, France)
- TÜV Informationstechnik (Essen, Germany)
TrustCB has awarded the following labs Candidate status, reflecting confidence in the lab’s technical competence to perform SESIP evaluations, while full Licensing is pending:
- atsec information security AB (Sweden)
- Beijing Unionpay Card Technology Co., Ltd. (Beijing, China)
- CEA Leti (Grenoble, France)
- Thales SIX GTS France (Labege, France)
- UL (Leiden, The Netherlands)
Further details of the licensed labs can be found under Labs.