ETSI EN 303 645 ICS and IXIT evidence template

Start by separating three layers: the ETSI EN 303 645 provision, the ICS support decision for that provision, and the TS 103 701 IXIT information that explains the implemented mechanism or process. Do not turn IXIT fields into new EN 303 645 obligations; TS 103 701 uses IXIT information to support assessment against the EN provisions.

For ETSI EN 303 645 V2.1.1, Annex B provides an implementation conformance statement pro forma. It lets the user of the standard record whether a provision is supported, not supported, or not applicable, and it requires detail for implemented measures, non-support reasons, or not-applicable rationale. TS 103 701 then describes how the supplier organization provides ICS and IXIT to the test laboratory, which uses them to derive a test plan.

A useful evidence template should let a reviewer move from a public provision claim to the exact information the assessor will need. A compact register can do this without copying the standards into a spreadsheet.

Use the first columns to identify the provision and support decision, the middle columns to identify IXIT dependencies, and the final columns to record evidence, owner, version, and assessment result. This keeps public EN 303 645 claims separate from the TS 103 701 assessment mechanics that test laboratories use.

Treat ETSI EN 303 645 as the source for the consumer IoT security and data protection provisions. The standard is outcome-focused and covers devices connected to network infrastructure and their interactions with associated services, while associated services themselves are described as out of scope.

The template should make applicability visible before it asks for evidence. EN 303 645 recognizes that provision applicability depends on the device, and Provision 4-1 requires a justification for each recommendation considered not applicable or not fulfilled by the consumer IoT device.

Use ETSI TS 103 701 for the assessment side of the template. It defines the Device Under Test, Supplier Organization, Test Laboratory, assessment phases, conceptual and functional test concepts, IXIT pro forma, verdict handling, and external-evidence handling.

A strong template asks for enough IXIT detail to make grey-box testing possible. TS 103 701 says the IXIT is the basis for the grey-box testing methodology and provides design details for the test laboratory. It also warns that an inconclusive verdict may be assigned when incomplete or insufficient IXIT information prevents proper test execution.

Before using the template in a release review, procurement response, self-assessment, or test-lab handoff, run a consistency check across the ICS and IXIT rows. Most evidence problems appear when the support claim says one thing and the IXIT, user documentation, or functional behavior says another.

This review is also where teams should remove overclaims. TS 103 701 is explicit that defining a certification or conformance declaration scheme is out of scope, and that assessment schemes typically define additional requirements such as tester expertise, cryptographic requirements, and accepted third-party evidence.

Public guidance should not blur the standards. EN 303 645 gives the baseline consumer IoT provisions and ICS pro forma context; TS 103 701 gives the assessment methodology and IXIT pro forma context. Mixing them makes the page less useful to implementers and easier to challenge in procurement or assessment review.

Remove claims that the template itself proves conformance. A template can organize evidence and make assessment preparation more consistent, but the assessment result depends on the completed ICS, sufficient IXIT information, applied test groups, verdict rules, and any assessment-scheme requirements.