We automate IoT cybersecurity compliance
Zealience Compliance Management Software (Z-CMS) automates the documentation work required for ETSI EN 303 645, one of the best standards to prepare for IoT cybersecurity regulations (e.g. Radio Equipment Directive Delegated Act, Cyber Resilience Act and UK PSTI).
What is Z-CMS?
Zealience Compliance Management Software (Z-CMS) automates the generation of technical documentation required to demonstrate compliance with ETSI EN 303 645. This standard is regarded as one of the best standards for consumer and enterprise IoT product security compliance. Don't know where to start? Z-CMS assists and fast-tracks your compliance work in the following ways:
Automatically identify applicable requirements
At the beginning of your project, Z-CMS asks you simple questions about your target device in order to automatically identify applicable requirements (i.e., "provisions" in ETSI EN 303 645's terms). This scoping feature prevents you from wasting time on unnecessary work.
Simply answer 'Intelligent Q&A' to compile documentation
The major challenge of ETSI EN 303 645 is to document all the required information in
so-called "IXIT" forms. It requires deep technical knowledge and a lot of time. Imagine that
you have to flip through 250 pages of the standard to figure out how to fill it in!
Manufacturers typically spend more than a year on this activity alone.
Z-CMS makes this step easy and fast by providing comprehensive
intelligent Q&A (different questions are asked based on your previous answers) that you can simply
follow along. Rest assured that all the required information is captured and stored for you.
Immediately identify risks of non-compliance
As you work with Z-CMS, it automatically identifies risks of non-compliance
and highlights the reasons behind them. This instant feedback allows you to address the risks early
on, minimizing the costs to remediate them later.
The image shown here demonstrates a typical example of Z-CMS' risk identification feature. When
you answer questions in a certain way that is considered a risk of non-compliance, it highlights
the risk immediately and explains the reasons behind it. Z-CMS currently covers 50% of conceptual
tests. Of course, we are working to achieve 100% coverage.
Manage and remediate risks of non-compliance
Once the risks of non-compliance are identified, they are aggregated in a risk register. This offers a single place for you to track and review your compliance risks. As you continuously work on the compliance activities, the risk register can frequently change; you may add or delete risks in the risk register or update existing risks with new risk treatments in your effort to remediate them. Without automation, managing your risks can quickly get out of hand. Z-CMS thus provides a single place to manage your risks of non-compliance.
Generate technical documents with one click
With a click of a button, you can download the technical documentation required for ETSI EN 303 645 compliance
(i.e., ICS, IXIT, and risk register) as well as a tailor-made test plan for your device. You save 70% of manual typing thanks to Z-CMS' automation.
All the documents generated by Z-CMS are of high quality; the information is populated according
to the expectation of the standard. This results in complete and accurate documentation which
will ease and speed up the review work of the tester.
Scale your compliance work across your portfolio of devices
It is common that IoT manufacturers produce multiple types of devices. Even if their form
factors are different, they often share hardware or software components, making them almost
identical from the cybersecurity perspective. The concept of "reusability" across your
device portfolio is thus crucial for the timely completion of your compliance work.
With Z-CMS, you no longer have to create documentation for each device - you can declare information and assign it across your device portfolio. Thanks to this feature,
any new information or modification you make in Z-CMS is reflected in all the relevant devices.
This way, you will not waste time inputting and managing the same information twice, contributing
to significant time savings.
Why ETSI EN 303 645?
Best interim standard to prepare for the upcoming EU regulations
There is growing consensus that ETSI EN 303 645 is the best interim standard to prepare for
the upcoming EU regulations. Despite its original focus on consumer IoT devices, many
manufacturers of non-consumer products are applying it successfully to prepare for the
regulations.
The relevance of the standard to the RED Delegated Act is confirmed by ETSI, which published in
ETSI TS 103 929 a mapping(*1) between ETSI EN 303 645 and the essential requirements of the RED Delegated Act(*2).
The European Union Agency for Cybersecurity (ENISA) also concluded that "regarding the product-related
security requirements of the first list of CRA Annex I, the standard ETSI EN 303 645 has been
indicated to us as one of the most relevant"(*3).
Globally acknowledged as the best standard to demonstrate cybersecurity
ETSI EN 303 645 is well acknowledged globally and regarded as the reference standard for consumer IoT devices. Some countries have already introduced their own device security regulations, allowing manufacturers to use this standard to demonstrate compliance (e.g. UK Product Security and Telecommunications Infrastructure (PSTI)). Similarly, Finland's national consumer IoT certification scheme and Singapore’s national Cybersecurity Labelling Scheme are built on ETSI EN 303 645.