---
title: "Australia Smart Device Statement of Compliance Evidence Workflow"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence-workflow"
author: "Sorena AI"
description: "Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Cyber Security Act 2024 statement of compliance"
  - "Smart Devices Rules evidence workflow"
  - "Australia relevant connectable product compliance"
  - "Cyber Security Act 2024"
  - "Smart Devices Rules"
  - "Statement of compliance"
  - "Australia"
---

# Australia Smart Device Statement of Compliance Evidence Workflow

Evidence workflow for preparing, supplying, and retaining statements of compliance under Australia's Cyber Security Act 2024 and Smart Devices Rules.

## Statement of compliance evidence workflow

Use this workflow when a relevant connectable product may be supplied in Australia and the team needs a source-linked statement of compliance record.

The workflow follows the Cyber Security Act 2024 and Cyber Security (Security Standards for Smart Devices) Rules 2025 for scope, required statement fields, security-standard evidence, and five-year retention.

Australia's Cyber Security Act 2024 requires manufacturers to provide a statement of compliance for covered relevant connectable products, and requires suppliers to supply the product in Australia with that statement when the statutory conditions are met. The Smart Devices Rules make the workflow practical by defining the covered consumer-grade product class, the required statement fields, the security-standard evidence areas, and the five-year retention period.

## Step 1: confirm the product is in the smart-device statement workflow

Start with a product-scope record, not a generic compliance task. Record whether the product is internet-connectable or network-connectable, whether it will be acquired in Australia by a consumer, and whether the manufacturer is aware or could reasonably be expected to be aware of that Australian acquisition circumstance.

For the Smart Devices Rules, the covered class is consumer-grade relevant connectable products intended, or likely, for personal, domestic, or household use or consumption. Do not put excluded products into the statement workflow without a separate legal review.

- Product owner records the product type, batch or release identifier, intended use, connectivity model, and Australian supply channel.
- Legal or regulatory counsel checks whether the Rules' excluded categories apply: desktop or laptop computers, tablet computers, smartphones, therapeutic goods, road vehicles, or road vehicle components.
- Supply-chain or commercial owner records whether the product will be supplied in Australia and whether the supplier has the manufacturer statement before supply.
- If the product is out of scope, preserve the scope analysis separately; do not issue a statement of compliance for a product that the evidence record has not classified.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports the workflow trigger: relevant connectable products and the manufacturer and supplier obligations in sections 15 and 16.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the consumer-grade product class, Australian consumer acquisition circumstance, and listed product exclusions.

## Step 2: collect evidence for the security standard before signing

The statement should not be signed until the manufacturer has evidence for the security standard in Schedule 1 of the Smart Devices Rules. Keep the evidence tied to the product type and batch identifier that will appear in the statement.

The evidence pack should show that passwords, security-issue reporting information, and security-update support information were checked for the product and supporting software covered by the manufacturer's intended purpose.

- Security engineering records whether product passwords are user-defined or unique per product, and if unique per product, why they are not based on incremental counters, public information, or guessable derivations.
- Vulnerability management records the published security-issue reporting point of contact and the promised acknowledgement and status-update process.
- Product management records the defined support period for security updates as a period of time with an end date, plus the public location where consumers can see it.
- Web or ecommerce owner records that required support-period information is published with consumer product information when the manufacturer offers supply through a website under its control.
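
One way security engineering could back the password evidence item above with a repeatable check, as an added example that is not taken from the Rules or from Sorena's tooling: it scans a provisioning export for shared passwords, counter-style sequences, and passwords that contain fragments of the device's serial number or MAC address. The record layout, the `MIN_FRAGMENT` threshold, the treatment of serial and MAC as public information, and the sample batch are assumptions made for illustration.

```python
"""Audit per-device default passwords in a provisioning export (constructed data)."""
import re
from collections import Counter, defaultdict

MIN_FRAGMENT = 6  # assumption: shortest identifier slice treated as "derived"


def _norm(value):
    """Lower-case and drop separators so 'AA:BB' and 'aabb' compare equal."""
    return re.sub(r"[^0-9a-z]", "", value.lower())


def _derived_from(password, identifier):
    """True if a MIN_FRAGMENT-long slice of the identifier, forwards or
    reversed, appears inside the password."""
    pw, ident = _norm(password), _norm(identifier)
    for text in (ident, ident[::-1]):
        for i in range(len(text) - MIN_FRAGMENT + 1):
            if text[i:i + MIN_FRAGMENT] in pw:
                return True
    return False


def _counter_groups(records):
    """Yield sets of serials whose passwords share a prefix and whose
    trailing decimal numbers advance by one repeated step."""
    groups = defaultdict(list)
    for rec in records:
        m = re.fullmatch(r"(.*?)(\d+)", rec["password"])
        if m:
            groups[m.group(1)].append((int(m.group(2)), rec["serial"]))
    for members in groups.values():
        if len(members) < 3:
            continue
        members.sort()
        gaps = Counter(b[0] - a[0] for a, b in zip(members, members[1:]))
        step, hits = gaps.most_common(1)[0]
        if step > 0 and hits >= 2 and hits * 2 >= len(members) - 1:
            yield {serial for _, serial in members}


def audit_batch(records):
    """Return {serial: sorted findings}; devices without findings are omitted."""
    findings = defaultdict(set)
    seen = Counter(rec["password"] for rec in records)
    for rec in records:
        if seen[rec["password"]] > 1:
            findings[rec["serial"]].add("not-unique")
        for field in ("serial", "mac"):  # assumed to be publicly observable
            if _derived_from(rec["password"], rec[field]):
                findings[rec["serial"]].add(f"derived-from-{field}")
    for serials in _counter_groups(records):
        for serial in serials:
            findings[serial].add("incremental-counter")
    return {serial: sorted(found) for serial, found in findings.items()}


# Constructed sample export; none of these values come from a real product.
SAMPLE_BATCH = [
    {"serial": "SN-A1F00421", "mac": "00:11:22:AA:BB:01", "password": "Setup-000101"},
    {"serial": "SN-A1F00422", "mac": "00:11:22:AA:BB:02", "password": "Setup-000102"},
    {"serial": "SN-A1F00423", "mac": "00:11:22:AA:BB:03", "password": "Setup-000103"},
    {"serial": "SN-C7K90310", "mac": "00:11:22:CC:DD:10", "password": "wifi22ccdd10"},
    {"serial": "SN-C7K90311", "mac": "00:11:22:CC:DD:11", "password": "q7Vm-Rz3k-Tn8w"},
    {"serial": "SN-C7K90312", "mac": "00:11:22:CC:DD:12", "password": "q7Vm-Rz3k-Tn8w"},
    {"serial": "SN-C7K90313", "mac": "00:11:22:CC:DD:13", "password": "hX4b-Lp9s-Ew2j"},
]

if __name__ == "__main__":
    for serial, reasons in sorted(audit_batch(SAMPLE_BATCH).items()):
        print(serial, ", ".join(reasons))
```

A clean result is only a floor: the check cannot see hashed or keyed derivations, so the written rationale for the password generation method still belongs in the evidence pack.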

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the three evidence areas in Schedule 1: passwords, reporting security issues, and defined support periods for security updates.
- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports why the evidence pack must prove both product compliance and compliance with other manufacturer obligations in the security standard.

## Step 3: prepare the statement with the required fields

The statement of compliance must be prepared by, or on behalf of, the manufacturer. Treat the statement as a controlled release artifact: every required field should be present, traceable to evidence, and approved before the supplier uses it for Australian supply.

The workflow should block release when the product type, batch identifier, manufacturer details, authorised representative details, declarations, support period, signatory information, place of issue, or date of issue is missing.

- Required identification fields: product type and batch identifier.
- Required party fields: manufacturer name and address, one authorised representative, and each other authorised representative in Australia if any exist.
- Required declarations: prepared by or on behalf of the manufacturer; in the manufacturer's opinion the product was manufactured in compliance with the security standard; and the manufacturer complied with other obligations in the security standard.
- Required support and execution fields: defined support period at the date of issue; signature, name, and function of the manufacturer's signatory; place and date of issue.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the required content of the statement of compliance in section 9 of the Rules.

## Step 4: assign role handoffs and retain the evidence for five years

The manufacturer record and supplier record are related but not identical. The manufacturer must provide the statement for supply of the product in Australia and retain a copy for the period specified in the Rules. The supplier must supply the product in Australia with the statement and retain a copy for the same specified period.

For consumer-grade relevant connectable products covered by the Smart Devices Rules, that retention period is five years. The retained record should include the final statement, approval trail, scope analysis, security-standard evidence, public support-period screenshots or page captures, and supplier handoff confirmation.

- Manufacturer accountable owner: product compliance or regulatory owner who controls statement preparation and signatory approval.
- Security accountable owner: engineering or product security owner who approves password, vulnerability-reporting, and security-update evidence.
- Supplier accountable owner: channel, distribution, or commercial owner who confirms the statement accompanies Australian supply.
- Records owner: compliance operations or legal operations owner who preserves the statement and evidence pack for five years and can retrieve them if requested for examination.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports separate manufacturer and supplier obligations to provide or supply the statement and retain copies.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the five-year retention period for statements of compliance under section 10 of the Rules.

## Step 5: keep the pack ready for regulator examination

The Cyber Security Act allows an independent examination to assess whether a product complies with the security standard and whether the statement of compliance complies with section 16. The evidence workflow should therefore keep product, statement, and security-standard records aligned by product and batch.

When product design, firmware, bundled software, authorised representatives, security-update support period, or Australian supply channel changes, reopen the workflow and decide whether a new or updated statement and evidence pack is needed before further Australian supply.

- Index records by product type, batch identifier, manufacturer, supplier, issue date, defined support period, and evidence owner.
- Preserve the final signed statement separately from draft working papers so the supplied statement is easy to retrieve.
- Keep test evidence and public disclosure evidence alongside the statement so the product and statement can be reviewed together.
- Escalate missing statement fields, unsupported security-standard declarations, shortened support-period language, or supplier use of a stale statement.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports readiness for examination of both product compliance and statement compliance.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports change-review triggers tied to required statement fields and published security-update support periods.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Official Act source for relevant connectable product scope, manufacturer and supplier statement obligations, retention obligations, and examination powers.
  - Quote: "Obligation to provide and supply products with a statement of compliance"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Official Rules source for consumer-grade smart-device scope, required statement fields, Schedule 1 security-standard evidence areas, and five-year retention.
  - Quote: "Retention period for statement of compliance"


