SESIP — Security Evaluation Standard for IoT Platforms

SESIP, the Security Evaluation Standard for IoT Platforms, is a security certification methodology published by GlobalPlatform. It reuses Common Criteria structure and vocabulary but defines a distinct, lighter-weight assurance scheme tailored to constrained and fast-moving IoT products.

Key facts

  • Authorizing body: GlobalPlatform publishes the SESIP specification and operates a central certificate registry; accredited certification bodies issue certificates
  • Country / region: Global (used internationally; aligned with EUCC for recognition in Europe)
  • Year established: Initial publication 2020; referenced by ETSI EN 303 645 and PSA Certified Level 4
  • Product types: IoT platforms, microcontrollers, connectivity modules, operating systems, integrated devices
  • CCRA status: Not a CCRA scheme; SESIP is recognized under EUCC as a state-of-the-art methodology for IoT
  • Canonical portal: https://globalplatform.org/sesip/

Overview

SESIP defines five assurance levels (SESIP 1 to SESIP 5) corresponding to increasing depth of evaluation. SESIP 1 is self-assessment with review; SESIP 2 through 5 involve third-party laboratory evaluation with escalating attacker-potential coverage. The methodology reuses the Security Target (ST), TSF (TOE Security Functionality) and SFR (Security Functional Requirement) concepts familiar from Common Criteria, but simplifies the documentation and emphasises reusable platform evidence so that evaluated components can be composed into larger certifications.

How evaluations work under this scheme

A vendor authors a Security Target (ST) against the SESIP-defined security functions catalogue. An accredited laboratory performs the evaluation activities required for the chosen SESIP level and produces an evaluation report. An accredited certification body issues the certificate, which is then registered in the SESIP public registry managed by GlobalPlatform. Through the composition model, an already-certified component can be reused as a secure platform in a larger SESIP evaluation, so its evidence does not have to be re-evaluated.

Notable product categories

  • Secure IoT microcontrollers and system-on-chip products
  • Connectivity modules (cellular, Wi-Fi, LoRa)
  • IoT operating systems and secure element firmware
  • Integrated IoT devices (sensors, smart meters, industrial control endpoints)

Relationship to CC baseline

SESIP leverages ISO/IEC 15408 vocabulary and aligns evaluation activities conceptually with the CEM, but it is a separate methodology with its own levels and requirements. Products can be tracked alongside CC certifications because SESIP STs declare security functions comparable to SFRs. Under EUCC, SESIP evaluations for IoT platforms can contribute to higher-level compositional certificates.

Where to find official records

Issued certificates are registered in the central SESIP registry operated by GlobalPlatform, reachable from the canonical portal listed above (https://globalplatform.org/sesip/). The accredited certification body that issued a certificate is named in the registry entry.

See also: PSA Certified, EUCC, Glossary.