- Supports change-review triggers tied to required statement fields and published security-update support periods.
"must not shorten the defined support period"
Use this workflow when a relevant connectable product may be supplied in Australia and the team needs a source-linked statement of compliance record.
The workflow follows the Cyber Security Act 2024 and Cyber Security (Security Standards for Smart Devices) Rules 2025 for scope, required statement fields, security-standard evidence, and five-year retention.
Australia's Cyber Security Act 2024 requires manufacturers to provide a statement of compliance for covered relevant connectable products, and requires suppliers to supply the product in Australia with that statement when the statutory conditions are met. The Smart Devices Rules make the workflow practical by defining the covered consumer-grade product class, the required statement fields, the security-standard evidence areas, and the five-year retention period.
Start with a product-scope record, not a generic compliance task. Record whether the product is internet-connectable or network-connectable, whether it will be acquired in Australia by a consumer, and whether the manufacturer is aware or could reasonably be expected to be aware of that Australian acquisition circumstance.
For the Smart Devices Rules, the covered class is consumer-grade relevant connectable products intended, or likely, for personal, domestic, or household use or consumption. Do not put excluded products into the statement workflow without a separate legal review.
The statement should not be signed until the manufacturer has evidence for the security standard in Schedule 1 of the Smart Devices Rules. Keep the evidence tied to the product type and batch identifier that will appear in the statement.
The evidence pack should show that passwords, security-issue reporting information, and security-update support information were checked for the product and supporting software covered by the manufacturer's intended purpose.
The statement of compliance must be prepared by, or on behalf of, the manufacturer. Treat the statement as a controlled release artifact: every required field should be present, traceable to evidence, and approved before the supplier uses it for Australian supply.
The workflow should block release when the product type, batch identifier, manufacturer details, authorised representative details, declarations, support period, signatory information, place of issue, or date of issue is missing.
The manufacturer record and supplier record are related but not identical. The manufacturer must provide the statement for supply of the product in Australia and retain a copy for the period specified in the Rules. The supplier must supply the product in Australia with the statement and retain a copy for the same specified period.
For consumer-grade relevant connectable products covered by the Smart Devices Rules, that retention period is five years. The retained record should include the final statement, approval trail, scope analysis, security-standard evidence, public support-period screenshots or page captures, and supplier handoff confirmation.
The Cyber Security Act allows an independent examination to assess whether a product complies with the security standard and whether the statement of compliance complies with section 16. The evidence workflow should therefore keep product, statement, and security-standard records aligned by product and batch.
When product design, firmware, bundled software, authorised representatives, security-update support period, or Australian supply channel changes, reopen the workflow and decide whether a new or updated statement and evidence pack is needed before further Australian supply.
Use this workflow to turn Cyber Security Act statement obligations into product-scope checks, required statement fields, security evidence requests, approval handoffs, and five-year retention records.