This guide is designed for organisations that are considering applying for, or are in the process of applying for, Guardian SecureApp™ certification. It explains in plain language what you need to do at each stage of the application process, what documents and information you need to prepare, and what to expect after you submit your application.
This guide is based on the Guardian SecureApp™ Scheme Rules (Annex A to GSA-PR-01) and the Procedure for Application Review, Contracting and Scope Definition (GSA-PR-07). Where any inconsistency exists between this guide and those documents, the Scheme Rules and procedures take precedence.
ℹ Who should read this guide?
- Organisations considering applying for Guardian SecureApp™ certification for the first time.
- Legal, compliance or security teams preparing documentation for a certification application.
- Product managers or technical leads responsible for the product being certified.
Before submitting an application, confirm that your organisation meets the following eligibility criteria:
- Your organisation is a legal entity (company, registered partnership, public body or equivalent) incorporated or registered in any jurisdiction.
- Your organisation owns, operates or has legal and technical control over the digital product you wish to certify.
- You can demonstrate authority to implement and maintain the security controls required by the Scheme.
- Your organisation is able and willing to provide accurate information, technical documentation, access to the product, and cooperation throughout the evaluation and surveillance process.
- The product you are submitting falls within the Scheme scope: web applications (Module A), SaaS / multi-tenant platforms (Module B), and/or APIs / microservices (Module C).
⚠ Important — When Applications May Be Declined
Guardian may decline an application if any of the following applies:
- Your product type falls outside the Scheme scope (e.g. purely physical products, IaaS infrastructure as a whole).
- An unresolvable conflict of interest exists between Guardian and your organisation.
- Legal, sanctions, export control or data-transfer restrictions prevent the evaluation from being conducted.
- Guardian does not have the evaluator competence or capacity available within a reasonable timeframe for your requested module(s) and assurance level.
The Scheme has three modules. Select the module(s) that match the architecture and exposure of the product you wish to certify:
| Module | When to Apply |
|---|---|
| Module A – Web Application Security | Your product has a browser-based user interface accessed over HTTP/HTTPS. Examples: customer portals, e-commerce platforms, management dashboards, web applications. |
| Module B – SaaS / Multi-Tenant Platform Security | Your product is a cloud-hosted subscription service with multiple clients sharing the platform. Examples: CRM/ERP SaaS, collaboration platforms, analytics platforms. |
| Module C – API / Microservices Security | Your product exposes programmatic interfaces for internal or external consumers. Examples: payment APIs, public developer APIs, internal microservices handling sensitive data. |
If your product includes elements of more than one module (e.g. a SaaS platform with a web admin console and exposed APIs), you may apply for two or three modules simultaneously. The certificate and public directory will clearly show all modules granted.
Certification is granted at one of three assurance levels. Use the table below to select the level that matches your product's risk profile:
| Assurance Level | Choose This Level If… |
|---|---|
| Level 1 – Basic | Your product is low-risk: informational content, internal tools, limited public exposure, non-sensitive data. Evaluation emphasis: baseline security verification and configuration review. |
| Level 2 – Enhanced | Your product is business-critical: authenticated user access, moderate data sensitivity, customer-facing transactions. Evaluation includes structured OWASP testing and SDL/SDLC review. |
| Level 3 – High | Your product is high-risk: financial services, payment processing, highly sensitive personal data, regulated sectors, significant business or societal impact. Evaluation includes penetration testing and threat modelling review. |
ℹ Not sure which level is right for you?
Contact Guardian at info@guardianuk.com for a no-obligation pre-application discussion. Our team will help you determine the most appropriate module(s) and assurance level for your product based on its architecture and risk profile. You may also upgrade your assurance level at a later stage if your product's risk profile increases.
Gathering the right documentation before you submit your application will significantly speed up the application review and reduce requests for clarification.
- Legal entity name, registered address, company registration number and authorised representative contact details.
- Product name, version or release family, and a brief description of what it does.
- Requested module(s) (A, B and/or C) and assurance level (1, 2 or 3).
- Description of the deployment model (e.g. cloud-hosted on AWS/Azure/GCP, on-premise, hybrid; deployment regions).
- High-level architecture diagram showing the product, its components, interfaces and external dependencies.
- Overview of key functionalities and data flows (a few paragraphs or a simple diagram is sufficient).
- List of external dependencies and third-party services (e.g. identity providers, payment gateways, third-party APIs).
- Description of your Secure Development Lifecycle (SDL/SDLC) practices, including how security is embedded in your development process.
- Description of your vulnerability management and patching process.
- Reference to any security policies, standards or frameworks you currently apply (e.g. ISO 27001, SOC 2).
- Recent penetration test report or vulnerability assessment report (within the last 12 months).
- Threat Analysis and Risk Assessment (TARA) or equivalent threat modelling documentation.
- Summaries of any major security incidents and the remediation actions taken.
- Evidence of existing certifications (ISO/IEC 27001, SOC 2, PCI DSS, etc.) that may provide supporting context.
- Previous evaluation or audit reports relevant to the product's security.
ℹ Tip: Existing Certifications Are Supporting Evidence Only
If your organisation holds ISO/IEC 27001, SOC 2, PCI DSS or similar certifications, these are welcome as supporting evidence during evaluation. However, they do not replace or reduce the product-level evaluation required under this Scheme. Certification decisions are based solely on conformity with Guardian SecureApp™ Scheme requirements.
Initial Enquiry (Optional but Recommended)
Contact Guardian at info@guardianuk.com to discuss your product and receive initial guidance on module selection, assurance level, indicative timeline and fees. This is free and places no obligation on you to proceed.
Submit Your Application
Complete and submit the Guardian SecureApp™ Application Form (GSA-F-28) along with the supporting documents listed in Section 4. Applications can be submitted by email to info@guardianuk.com.
Acknowledgement (within 2 working days)
Guardian will acknowledge receipt of your application within 2 working days and assign a unique Application Reference Number. You will receive an indicative timeline for the application review.
Application Review and Completeness Check (1–4 weeks)
Guardian reviews your application for completeness, eligibility, technical and organisational feasibility, resource availability and impartiality. If any information is missing, Guardian will contact you with a clear request for clarification, typically giving you 10–15 working days to respond.
Scope Definition and Contract
Once your application is accepted, Guardian works with you to finalise the precise scope of certification — the product boundaries, module(s), assurance level(s), exclusions and deployment context. The agreed scope is documented in the Certification Agreement which both parties sign before evaluation begins.
Evaluation Begins
After the contract is signed and fees are confirmed, your application is transferred to the evaluation team and the certification evaluation begins. See the Certification Process page for full details of the evaluation stages.
⏱ Indicative Timelines for the Application Stage
- Application complete upon submission: review typically completed within 1–2 weeks.
- Application requiring one round of clarifications: 3–4 weeks total.
- Application requiring multiple clarification rounds: 4–6 weeks total.
These timelines cover the application review phase only. Evaluation timelines are agreed separately during scope definition and vary based on product complexity and assurance level.
If Guardian is unable to accept your application, you will receive a written explanation of the reasons. Common reasons for refusal or deferral include:
- The product type falls outside the Guardian SecureApp™ Scheme scope;
- Required information or documents have not been provided despite clarification requests;
- An unresolvable conflict of interest exists;
- Guardian does not have the competence or capacity available for your requested module(s) and level within a reasonable timeframe;
- Legal or regulatory constraints prevent the evaluation from being conducted.
If your application is deferred, you will be given a reasonable timeframe to provide the required information. If your application is refused, you have the right to appeal the decision — see the Complaints and Appeals page for details.
Once certified, you must maintain the security controls and practices at least at the level demonstrated at the time of initial evaluation. Your key ongoing obligations are:
- Monitor vulnerabilities, threats and incidents affecting your certified product and implement timely corrective actions.
- Notify Guardian promptly of any significant changes to the product (new features, changes to architecture, hosting model or legal status).
- Report security incidents affecting the certified product, particularly those with confirmed or suspected data compromise.
- Cooperate fully with annual surveillance evaluations, providing access, documentation and personnel as required.
- Retain records of vulnerabilities, patches, incidents and changes for review during surveillance.
- Use the Guardian SecureApp™ certificate and mark only in accordance with the Scheme Rules and mark usage guidelines.
- Stop all use of the certificate, mark and related claims immediately if certification is suspended, withdrawn or expires.
- Participate in recertification evaluation before your 3-year certification cycle expires.