Certification Process – Guardian PrCB

The Guardian SecureApp™ certification process is structured and transparent, and follows a Type 5 scheme under ISO/IEC 17067. This means it includes an initial product evaluation, an assessment of development practices, an independent certification decision, ongoing surveillance and periodic recertification.

Eligibility to Apply

The following entities are eligible to apply for certification:

  • Legal entities (companies, registered partnerships, public bodies or equivalent) that own, operate or have legal and technical control over the product in scope;
  • Organisations that can demonstrate authority to implement and maintain the security controls required by this Scheme;
  • Organisations that are able and willing to provide full and accurate information, documentation, access and cooperation as required for evaluation and surveillance.

Individuals acting in a purely personal capacity are not eligible. Guardian may decline or defer an application where the product type falls outside the Scheme scope, impartiality cannot be effectively managed, or applicable legal restrictions prevent effective evaluation.

How to Apply

To initiate a certification application, organisations should contact Guardian Assessment Private Limited with:

  • Legal entity details and contact information;
  • Product identification and basic scope description;
  • Requested module(s) (A/B/C) and assurance level(s) (1/2/3);
  • High-level architecture diagrams and description of key functionalities and data flows;
  • Description of hosting model and external dependencies;
  • Security governance and SDL/SDLC overview;
  • Previous security assessments (e.g. penetration test reports) where available.

Existing certifications such as ISO/IEC 27001, SOC 2 or PCI DSS may be submitted as supporting evidence and may be considered during evaluation planning, but do not remove or reduce the need for product-level evaluation under this Scheme.

Stage-by-Stage Certification Lifecycle

1. Application Review and Scope Definition

Guardian reviews the application for eligibility, feasibility and impartiality. The agreed scope, module(s) and assurance level(s) are documented and confirmed in a formal contract before any evaluation activities commence. The scope statement defines the product, its boundaries, deployment context and any exclusions.

2. Technical Evaluation (Initial Evaluation)

The evaluation is conducted by qualified personnel against the applicable technical criteria (OWASP ASVS, OWASP API Security Top 10, OWASP Top 10, NIST frameworks). Evaluation activities may include:

  • Vulnerability assessment and security testing;
  • Penetration testing (required for Level 3; risk-based at Level 2);
  • Architecture review and secure design assessment;
  • Review of secure development lifecycle (SDL/SDLC) practices;
  • Review of threat modelling and risk assessment documentation;
  • Verification of vulnerability management, patching and logging practices;
  • Sampling of functionalities, roles, data flows and interfaces.

Evaluations may be conducted on-site, remotely or through a hybrid approach, in line with the Scheme Rules and applicable IAF guidance on the use of ICT in evaluations.

3. Nonconformity Management

Any findings identified during evaluation are classified as:

  • Major Nonconformity: a significant failure that prevents certification; it must be fully resolved and verified before a positive certification decision can be made.
  • Minor Nonconformity: a finding that does not prevent certification but requires a corrective action plan, with defined deadlines, to be agreed before certification is granted.
  • Observation: a suggestion for improvement; it does not affect the certification decision but is recorded for the client's information.

4. Technical Review

An independent technical review of the evaluation findings and evidence is conducted by competent personnel who were not directly responsible for performing the evaluation. This review confirms the completeness, accuracy and adequacy of the evaluation before it proceeds to certification decision.

5. Certification Decision

The certification decision is made by an authorised Certification Decision Maker who is independent of the evaluation team. Certification is granted when:

  • All applicable Scheme requirements have been evaluated for the module(s) and assurance level(s) in scope;
  • All major nonconformities are closed and verified;
  • Any remaining minor nonconformities are covered by an approved corrective action plan;
  • The product demonstrates an overall level of security consistent with the intended assurance level;
  • No unresolved impartiality or conflict of interest issues exist;
  • All contractual and administrative requirements (including fees) have been fulfilled.

Certification shall be refused where major nonconformities remain unresolved, the applicant provides false or misleading information, or legal/regulatory constraints prevent an impartial evaluation.

6. Certificate Issuance and Public Directory

Upon a positive certification decision, a formal certificate of conformity is issued. The certificate includes: the certified product identification and scope, the module(s) and assurance level(s) granted, the certificate issue date and validity period, a statement of conformity, and a reference to the public directory. The certified product is also listed in the Guardian SecureApp™ Public Certified Products Directory.

7. Annual Surveillance

Guardian conducts at least one surveillance evaluation per year during the certification cycle to verify that the certified product continues to meet Scheme requirements. Surveillance is risk-based and considers the assurance level, nature of the product, history of nonconformities, incidents and changes. Certified clients are required to maintain conformity and cooperate fully with surveillance activities.

8. Recertification (Every 3 Years)

A recertification evaluation is conducted before the expiry of the 3-year certification cycle. Recertification includes a comprehensive review of the product's security posture, considers cumulative knowledge from all previous evaluations, and verifies continued suitability of the scope, module(s) and assurance level(s). Failure to complete recertification within the defined timeframe results in expiry or withdrawal of certification.

Special Evaluations

Guardian may initiate a special (unplanned) evaluation where:

  • A critical or high-impact security incident suggests potential loss of conformity;
  • A major or critical change to the product cannot be adequately addressed within planned surveillance;
  • Reliable complaints or regulatory concerns raise doubt about ongoing conformity;
  • Requested or required by the Accreditation Body.

Changes Affecting Certification

Certified clients are required to promptly inform Guardian of any changes or events that may affect the validity or scope of certification. Changes are classified as minor, major or critical, and the appropriate evaluation response is determined accordingly. Client obligations to report changes are defined in the Guardian SecureApp™ Scheme Rules.

Suspension, Withdrawal and Reduction of Scope

Important

  • Certification may be suspended, withdrawn or reduced in scope where a nonconformity with certification requirements is substantiated.
  • Where certification is suspended or withdrawn, all formal certification documents, authorisations for use of marks and public directory entries are updated immediately to ensure no indication remains that the product continues to be certified.
  • Clients are notified of the actions required to resolve suspension and restore certification.