CYBERSECURITY CERTIFICATION - BUREAU VERITAS IoT CYBERSECURITY EVALUATION

To cover the wide range of IoT consumer devices, 3 classes of security requirements have been defined as part of the BV IoT certification scheme, leading to 3 different level of security and label.

Bureau Veritas has defined 5 IoT security Levels

Cyber security Testing and Certification Portfolio

These five levels have been developed to answer the market demand to:

Provide consumers with cybersecurity levels that can be compared
Address the current and impending regulations, such as the cybersecurity changes to the Radio Equipment Directive in Europe
State compliance with existing guidelines

Three classes of security requirements have been defined as part of the Bureau Veritas IoT cybersecurity certification scheme

Class 1: Basic Essential

Applies to the following products: • Smart light • Connected appliances • Washing machines • Wearables • Smart speaker • Environment sensors • smart button

5 days evaluation
Black Box
Public Documentation
Declaration
Vulnerability Scan

Class 2: Basic Advanced

Applies to the following products: • Connected children's toy • Smart home assistants • Smart Camera • Connected Thermostat / Smart Air Quality • Tracker • Smart Navigation System • Smart door bell • TV Home automation • Fridges

10 days evaluation
Grey Box
Internal Documentation
Security Function Testing

Class 3: Substantial Essential

Applies to the following products: • Connected safety-relevant products such as smoke detectors • Door Locks • Connected home automation and alarm systems • Smart Meters / Smart Thermometer • Blood pressure monitor • Drones

15 days evaluation
Grey Box
Additional and Deeper Evaluation
Security Function Testing
Basic Penetration Testing

ACCESS BUREAU VERITAS' CYBERSECURITY ESSENTIALS WEBINAR SERIES FOR FREE

Register Here for Instant Access

A total of 15 security categories have been defined representing the State of the Art in the matter of cybersecurity.

Security Categories for BV IoT Cybersecurity Evaluation Scheme

Cybersecurity Certification Process

The manufacturer chooses a class of requirements and submit the device to be assessed.
1. Class#1 : For IoT products that operate in a non-sensitive environment, in which the common usage is not security oriented. Limited impact if the object is hacked. Connected to a local network only. Limited or no private data
2. Class#2 : For objects that need a first level of security, which operate in a sensitive environment. Serious and visible impact in case of service disruption or significant financial impact. Unauthorized disclosure of information shall be expected to have a serious adverse (private or sensitive data). Indirect connection to the web (i.e. connected to the wifi home box)
3. Class#3 : Reserved for products that need a real security assurance (substantial security level). Safety, security or serious financial impact if the object is hacked. Direct connection to the web. Unauthorized disclosure of information shall be expected to have a critical adverse (very sensitive data. Disruption of access to this device shall be expected to have a critical adverse effect on the service or the user.
The manufacturer submit and Application Form to ask for the certification, which becomes the contract for the service.
Additional information (questionnaire, evidences) are requested to the device vendors as per described in the BV cybersecurity IoT certification scheme and the Bureau Veritas IoT device cybersecurity Evaluation Methodology
The Assessor verify the conformance of the devices to the selected requirements via testing, auditing or inspection
In case of successful evaluation the certificate is deliver to the manufacturer
Surveillance is performed for the Basic Advanced and Substantial Essential certificates

Get in touchwith us

First name

Last name

Email

Phone (e.g. +1 415-555-1234)

Company

Country / Territory

How can we help you?

Would you like to receive marketing communication from Bureau Veritas?

Yes

No

INFORMATION NOTICE TO DATA SUBJECTS
Your personal data are collected by Bureau Veritas Consumer Products Services Division (“BVCPS”), through its entity Bureau Veritas Hong Kong Limited (having its registered office at 1/F, Pacific Trade Centre, 2 Kai Hing Road, Kowloon Bay, Kowloon, Hong Kong), as well as the BVCPS affiliate(s) with which you had, have or will have a business relationship or that otherwise decide(s) which of your personal data is collected and how it is used.  A list of BVCPS affiliates is available at: BVCPS Locations (https://www.cps.bureauveritas.com/sites/g/files/zypfnx236/files/media/document/BVCPS%20Locations_20210611_for%20web.pdf)
Your personal data are subject to computer processing in order to respond to your requests and to provide you with additional information about BVCPS services, events or topics that may be of interest to you on the basis of your consent to the processing of your personal data for that purpose (by checking the box below).
Your personal data are intended for use by the relevant business departments of BVCPS and/or their service providers depending on the nature of your requests, as well as by BVCPS IT department.    Your personal data will be retained until the earlier of (a) one year after the last communication, or (b) your request to delete the personal data. 
Your personal data may be transferred outside the European Union, on the basis of your explicit consent, as the data subject, to the proposed transfer. By checking the box below, you are providing your explicit consent to the proposed transfer, with your acknowledgement of the possible risks of such transfer due to the absence of an adequacy decision pursuant to Article 45 of the General Data Protection Regulation of 27 April 2016 or of appropriate safeguards pursuant to Article 46 of the General Data Protection Regulation of 27 April 2016.
In accordance with the French Data Protection Act of 6 January 1978 as amended and the General Data Protection Regulation of 27 April 2016, you may have the right to access, rectify and erase any personal data concerning you, as well as the right to limit the processing, the right to oppose to the processing or the right to portability of your personal data. You have the right to withdraw your consent at any time by connecting to the site or application (https://personaldataprotection.bureauveritas.com). and unchecking the box dedicated to the collection of your consent. You also have the right to set out general and specific guidelines that define how you intend these rights to be exercised after your death. You can exercise your rights by e-mail at the following address: https://personaldataprotection.bureauveritas.com. Finally, you have a right to lodge a complaint to the Commission Nationale Informatique et Libertés (CNIL) or the relevant authorities in your country.
Fields marked with an asterisk must be filled in. Otherwise, BVCPS would not be able to respond to your requests and/or provide you with additional information.