- Section 11 allows publication of recall-notice details and recommended consumer actions after failure to comply with a recall notice.
"actions consumers are recommended to consider"
Use this checklist to test whether a product is a covered consumer-grade relevant connectable product, verify the three smart-device security-standard controls, prepare the statement of compliance, and retain evidence for the required record period.
This is implementation support for product, security, legal, compliance, and supply-chain teams. It supports implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
The Cyber Security (Security Standards for Smart Devices) Rules 2025 apply the Cyber Security Act 2024 smart-device regime to consumer-grade relevant connectable products acquired in Australia by a consumer, unless an exclusion applies. Part 1 of the Rules commenced on 4 March 2025, and Part 2 and Schedule 1 commence on 4 March 2026. A useful compliance checklist should therefore start with scope, then test passwords, vulnerability-reporting publication, security-update support-period publication, statement contents, retention, and enforcement evidence.
Start every checklist record with the product facts that decide whether the Security Standards for Smart Devices Rules 2025 apply. The Rules cover relevant connectable products that are intended by the manufacturer for personal, domestic or household use or consumption, or are of a kind likely to be used that way, when the products will be acquired in Australia by a consumer.
Record any exclusion before testing controls. The Rules exclude desktop computers and laptops, tablet computers, smartphones, therapeutic goods, road vehicles, and road vehicle components from the consumer-grade relevant connectable product standard.
For in-scope products, test the product against the three Schedule 1 control areas. The checklist should produce evidence that passwords, security-issue reporting, and security-update support-period publication have been reviewed for the product hardware and relevant software.
The password check should cover passwords used with the product hardware, pre-installed software, and software that must be installed for the manufacturer's intended purposes. Passwords must be unique per product or defined by the user. Unique-per-product passwords must not be based on incremental counters, on public information, or on serial numbers (unless protected by accepted encryption or keyed hashing), and must not otherwise be guessable in a way that is unacceptable as good industry practice.
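One way to produce evidence for the password check is to scan a factory provisioning manifest before release. The following is an added example, not text from the Rules or code from this page; the manifest field names, the six-character overlap threshold, and the treatment of a MAC address as public information are assumptions, and the sample batch is constructed.

```python
import re
from collections import Counter

# Constructed sample manifest; field names and values are hypothetical.
SAMPLE_BATCH = [
    {"serial": "SN100234", "mac": "00:11:22:AA:BB:01", "password": "kT9#vQ2m!xRw"},
    {"serial": "SN100235", "mac": "00:11:22:AA:BB:02", "password": "admin0002"},
    {"serial": "SN100236", "mac": "00:11:22:AA:BB:03", "password": "admin0003"},
    {"serial": "SN100237", "mac": "00:11:22:AA:BB:04", "password": "cam-SN100237"},
    {"serial": "SN100238", "mac": "00:11:22:AA:BB:05", "password": "1122AABB05zz"},
    {"serial": "SN100239", "mac": "00:11:22:AA:BB:06", "password": "kT9#vQ2m!xRw"},
    {"serial": "SN100240", "mac": "00:11:22:AA:BB:07", "password": "Zp4&hL8e@Nby"},
]

def _norm(s):
    """Lower-case and keep only letters and digits, so separators cannot hide reuse."""
    return re.sub(r"[^0-9a-z]", "", s.lower())

def _split_counter(pw):
    """Split 'admin0002' into ('admin', 2); None when there is no numeric suffix."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    return (m.group(1), int(m.group(2))) if m else None

def audit_batch(devices, min_overlap=6):
    """Return {serial: [findings]} for devices whose default password fails a check."""
    findings = {d["serial"]: set() for d in devices}
    counts = Counter(d["password"] for d in devices)
    for d in devices:
        pw = _norm(d["password"])
        if counts[d["password"]] > 1:
            findings[d["serial"]].add("not-unique")
        for field in ("serial", "mac"):  # MAC as public information: assumption
            ident = _norm(d[field])
            spans = range(len(ident) - min_overlap + 1)
            if any(ident[i:i + min_overlap] in pw for i in spans):
                findings[d["serial"]].add(f"derived-from-{field}")
    # Incremental counter: consecutive devices share a prefix and step by one.
    parts = [(d["serial"], _split_counter(d["password"])) for d in devices]
    for (s1, p1), (s2, p2) in zip(parts, parts[1:]):
        if p1 and p2 and p1[0] == p2[0] and p2[1] - p1[1] == 1:
            findings[s1].add("incremental")
            findings[s2].add("incremental")
    return {s: sorted(f) for s, f in findings.items() if f}

if __name__ == "__main__":
    for serial, issues in audit_batch(SAMPLE_BATCH).items():
        print(serial, issues)
```

A password derived from the serial number through a keyed hash passes these substring checks, so that path needs design documentation as evidence; a clean scan does not by itself show the passwords are not otherwise guessable.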
The statement of compliance must be prepared by, or on behalf of, the manufacturer. Suppliers should not treat it as a marketing claim; it is the statutory record that accompanies supply and may be examined for compliance.
The statement should be checked against each required field before supply: product type and batch identifier, manufacturer and authorised-representative names and addresses, manufacturer declaration, compliance declaration, defined support period at issue date, signatory signature, signatory name and function, place of issue, and date of issue.
Use this Cyber Security Act 2024 checklist to route smart-device scope, security controls, statement-of-compliance fields, and retention evidence to accountable owners.
A release-ready checklist should make it easy to respond if the Secretary or Minister uses the Act's compliance, stop, recall, publication, or examination powers. Keep evidence in a form that can show both product compliance and statement-of-compliance accuracy.
For recall readiness, the Rules allow publication of recall-notice details and consumer actions if an entity fails to comply with a recall notice. Product, support, and communications teams should therefore keep a current consumer-action draft for each covered product family.
"Examination to assess compliance"