---
title: "Australia Cyber Security Act Statement of Compliance Evidence"
canonical_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence"
source_url: "https://www.sorena.io/artifacts/apac/australia-cyber-security-act/statement-of-compliance-evidence"
author: "Sorena AI"
description: "Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "Australia Cyber Security Act statement of compliance"
  - "smart device evidence"
  - "statement of compliance records"
  - "Cyber Security Smart Devices Rules"
  - "Australia Cyber Security Act"
  - "Statement of compliance"
  - "Smart device security"
  - "Evidence retention"
---

# Australia Cyber Security Act Statement of Compliance Evidence

Evidence guide for Australia Cyber Security Act smart-device statements of compliance: required fields, manufacturer and supplier records, five-year retention, and examination readiness.

For consumer-grade relevant connectable products, the evidence record should prove that the right product is in scope, the manufacturer prepared the statement, the required statement fields are complete, and the manufacturer or supplier can retain and produce the statement.

Use this page to structure records for product launches, imports, supplier onboarding, retailer checks, and regulator examination readiness. This guidance is practical, source-linked, and should be validated against current legal and policy requirements before implementation.

Australia's Cyber Security Act 2024 requires manufacturers and suppliers to handle statements of compliance for relevant connectable products when the product is in a regulated class and is expected to be acquired in Australia in the specified circumstances. The Smart Devices Rules set the statement fields and make the retention period five years for consumer-grade relevant connectable products.

## What statement-of-compliance evidence is in scope?

Keep this evidence file focused on Part 2 smart-device duties, not ransomware reporting, critical-infrastructure obligations, privacy breach records, or general cyber controls. The trigger is a relevant connectable product that falls within the consumer-grade class covered by the Smart Devices Rules and will be acquired in Australia by a consumer.

The minimum evidence set should tie one product type and batch identifier to the manufacturer, any authorised representatives, the applicable security standard, the manufacturer's compliance opinion, the defined support period at the date of issue, and the signature, place, and date of issue.

- Record the product type, batch identifier, model or SKU, intended consumer use, and any scope exclusion considered.
- Identify whether the business is acting as manufacturer, supplier, importer, distributor, retailer, or marketplace for the Australian supply.
- Keep the statement prepared by or on behalf of the manufacturer with the product launch or supplier onboarding record.
- Store the statement beside the password, vulnerability-reporting, and defined-support-period evidence used to support the manufacturer's declaration.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports the scope rule that manufacturers provide, and suppliers supply, statements for regulated relevant connectable products acquired in Australia.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the consumer-grade smart-device scope and the required statement fields for this evidence record.

## Which statement fields should the evidence pack prove?

The Smart Devices Rules specify the content of the statement of compliance. A useful evidence pack should therefore be field-by-field, rather than a generic compliance memo.

For each statement, capture the source record that proves the field value, the person who approved it, and the version of product or support-period information used when the statement was issued.

- Product identifiers: product type, batch identifier, model references, and the internal release or purchase-order record that links them.
- Entity details: manufacturer name and address, authorised representative details, and each Australian authorised representative if any exists.
- Declarations: confirmation that the statement was prepared by or on behalf of the manufacturer and records supporting the manufacturer's compliance opinion.
- Support-period field: the defined support period for security updates at the date of issue, with evidence that the period was published and not shortened.
- Execution fields: signature, signatory name and function, place of issue, date of issue, and approval workflow record.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Lists the required statement fields, including product, manufacturer, declarations, support period, signatory, place, and date.

## What technical evidence should support the manufacturer's declaration?

The statement says whether, in the manufacturer's opinion, the product was manufactured in compliance with the security standard and whether the manufacturer met the other obligations in that standard. That opinion should be backed by technical records for the three security-standard areas in Schedule 1.

The technical file does not need to be public, but it should be understandable to product security, legal, compliance, and supplier-management reviewers who may need to explain why the statement was accepted.

- Password evidence: configuration records showing passwords are user-defined or unique per product and not guessable from public or product-identifier data.
- Security-issue reporting evidence: the published reporting contact, acknowledgement and status-update process, language, access, fee, and personal-information checks.
- Security-update evidence: the defined support period expressed with an end date, publication proof, and controls preventing unsupported shortening.
- Release evidence: product firmware, companion app, software dependency, test, and approval records aligned to the batch or version named in the statement.
- Exception evidence: a documented reason when a device, component, or software item is outside the covered consumer-grade smart-device class.

Sources for this answer:

- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Supports the technical evidence categories because Schedule 1 covers passwords, security-issue reporting, and defined support periods.

## How long should manufacturers and suppliers retain records, and how should they prepare for examination?

For consumer-grade relevant connectable products covered by the Smart Devices Rules, the statement-of-compliance retention period is five years. The Act applies retention duties to both the manufacturer that provides the statement and the supplier that supplies the product with it.

Examination readiness matters because the Secretary may arrange an independent examination of the product, the statement, or both. Evidence should be retrievable by product and batch so the business can respond without rebuilding the file after a request arrives.

- Manufacturer record: final statement, source technical file, signatory authority, defined-support-period evidence, issue date, and any authorised-representative details.
- Supplier record: copy of the statement received, product and batch mapping, Australian supply channel, supplier acceptance check, and retention owner.
- Retailer or distributor record: supplier communication, system field showing statement availability, and escalation route when a statement is missing or incomplete.
- Five-year clock: retain the statement for the period specified in the Rules and avoid deleting supplier/manufacturer copies during product, vendor, or system migrations.
- Examination pack: product sample or location, statement copy, manufacturer identity, tested security-standard requirements, and contact for notices or regulator requests.

Sources for this answer:

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Supports manufacturer and supplier retention duties and the Secretary's power to request a product, statement, or both for examination.
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Sets the statement-of-compliance retention period at five years for consumer-grade relevant connectable products.

## Primary sources

- [Cyber Security Act 2024](https://www.legislation.gov.au/C2024A00098/asmade/text?ref=sorena.io) - Primary Act source for manufacturer and supplier statement duties, retention obligations, and examination powers for relevant connectable products.
  - Quote: "statement of compliance with security standard"
- [Cyber Security (Security Standards for Smart Devices) Rules 2025](https://www.legislation.gov.au/F2025L00276/asmade/text?ref=sorena.io) - Rules source for consumer-grade smart-device scope, required statement fields, technical security-standard areas, and five-year retention.
  - Quote: "Requirements for statement of compliance"

