---
title: "ETSI EN 303 645 ICS and IXIT Evidence Template"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-303-645/ics-and-ixit-evidence-template"
author: "Sorena AI"
description: "Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 303 645 ICS"
  - "ETSI TS 103 701 IXIT"
  - "consumer IoT evidence template"
  - "implementation conformance statement"
  - "IoT security assessment"
  - "ETSI EN 303 645"
  - "ICS"
  - "IXIT"
  - "ETSI TS 103 701"
  - "consumer IoT security"
---

# ETSI EN 303 645 ICS and IXIT Evidence Template

Build a source-linked ICS and IXIT evidence template for ETSI EN 303 645 consumer IoT assessments, with clear separation between EN provisions and TS 103 701 test information.


## ETSI EN 303 645 ICS and IXIT evidence template

A practical structure for turning EN 303 645 provision claims into ICS entries, IXIT information, and reviewable assessment evidence.

Use this as implementation and assessment planning guidance. It is not a certification claim, operational guidance, or a substitute for the ETSI standards.

Use this page when a consumer IoT team needs one evidence pack that connects ETSI EN 303 645 provision support decisions with the additional information a TS 103 701 assessment needs. The key distinction is simple: the ICS records what the supplier organization claims for the device under test, while the IXIT records the extra implementation and assessment-environment information that lets a test laboratory plan and perform appropriate test activities.

## What should the template separate?

Start by separating three layers: the ETSI EN 303 645 provision, the ICS support decision for that provision, and the TS 103 701 IXIT information that explains the implemented mechanism or process. Do not turn IXIT fields into new EN 303 645 obligations; TS 103 701 uses IXIT information to support assessment against the EN provisions.

For ETSI EN 303 645 V2.1.1, Annex B provides an implementation conformance statement pro forma. It lets the user of the standard record whether a provision is supported, not supported, or not applicable, and it requires detail for implemented measures, non-support reasons, or not-applicable rationale. TS 103 701 then describes how the supplier organization provides ICS and IXIT to the test laboratory, which uses them to derive a test plan.

- Keep the row identity stable: one row per EN 303 645 provision or provision group, not one row per internal control.
- Use ICS fields for support status and rationale: Yes, No, or N/A where the standard allows it, plus the detail needed to understand the decision.
- Use IXIT fields for assessment inputs: mechanism descriptions, interfaces, update paths, user documentation, security guarantees, cryptographic details, process confirmations, and references to provided documents.
- Use evidence fields for the actual artifacts: product documentation, design records, configuration exports, test outputs, vulnerability disclosure pages, update records, or external evidence references.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Source for consumer IoT baseline provisions and Annex B implementation conformance statement pro forma.
- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Source for DUT, SO, TL, ICS, IXIT, assessment phases, verdicts, and external evidence concepts.

## Minimum row design for an ICS and IXIT evidence register

A useful evidence template should let a reviewer move from a public provision claim to the exact information the assessor will need. A compact register can do this without copying the standards into a spreadsheet.

Use the first columns to identify the provision and support decision, the middle columns to identify IXIT dependencies, and the final columns to record evidence, owner, version, and assessment result. This keeps public EN 303 645 claims separate from the TS 103 701 assessment mechanics that test laboratories use.

- Provision reference: for example, EN 303 645 provision 5.1-1, 5.2-1, 5.3-13, 5.8-3, 5.10-1, 5.11-1, or 6-5.
- ICS support status: Yes for claimed support, No for an applicable provision not fulfilled, or N/A only where the standard's conditional or feature logic allows it.
- ICS detail: implemented measure, non-support reason, or not-applicable rationale written so a supply-chain reviewer can understand the decision without private context.
- IXIT dependency: the relevant IXIT table or list, such as authentication mechanisms, user information, vulnerability types, confirmations, software components, update mechanisms, security parameters, personal data, telemetry data, deletion functions, user decisions, user interfaces, logical interfaces, or input validation.
- Evidence reference: stable document ID, public URL, test report, certificate, configuration export, log extract, product manual section, or process record supplied to the assessment owner.
- Review result: pass, fail, inconclusive, open question, or not yet assessed, with the date and owner of the last evidence review.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Annex B defines the support and detail columns for implementation reporting.
- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Clause 4.5 and Annex A describe IXIT information and pro forma entries used for assessment planning.

## How to handle EN 303 645 provision claims

Treat ETSI EN 303 645 as the source for the consumer IoT security and data protection provisions. The standard is outcome-focused and covers devices connected to network infrastructure and their interactions with associated services, while associated services themselves are described as out of scope.

The template should make applicability visible before it asks for evidence. EN 303 645 recognizes that provision applicability depends on the device, and Provision 4-1 requires a justification for each recommendation considered not applicable or not fulfilled by the consumer IoT device.

- Record product scope in consumer IoT terms: device, firmware, user interfaces, companion application, associated-service interaction, support process, and public user information.
- Mark mandatory, recommended, conditional, and feature-dependent provisions according to the pro forma rather than internal priority labels.
- For recommendations not fulfilled or not applicable, require a clear justification before the row can be closed.
- Avoid broad phrases such as "compliant with ETSI EN 303 645" unless the template also states the version, DUT boundary, ICS support set, assessment approach, and evidence basis.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Source for scope, applicability, reporting implementation, and Annex B support-detail conventions.

## How to handle TS 103 701 assessment evidence

Use ETSI TS 103 701 for the assessment side of the template. It defines the Device Under Test, Supplier Organization, Test Laboratory, assessment phases, conceptual and functional test concepts, IXIT pro forma, verdict handling, and external-evidence handling.

A strong template asks for enough IXIT detail to make grey-box testing possible. TS 103 701 says the IXIT is the basis for the grey-box testing methodology and provides design details for the test laboratory. It also warns that an inconclusive verdict may be assigned when incomplete or insufficient IXIT information prevents proper test execution.

- Identify the DUT precisely, including model, software version, interfaces, update state, and the associated services that matter to the assessed functionality.
- Capture supplier organization contacts and evidence owners because the SO is expected to provide ICS and IXIT and support the TL with necessary information.
- Distinguish conceptual evidence from functional evidence: conceptual checks assess the IXIT against provision requirements, while functional checks assess DUT functionality, associated-service relations, or development and management processes.
- For external evidence, require scope, certification or test-report details, the relevant test activities, test depth or assurance level, and the provision or test group it supports.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Source for assessment roles, phases, conceptual and functional tests, IXIT expectations, verdicts, and external evidence criteria.

## Template checks before using the evidence pack

Before using the template in a release review, procurement response, self-assessment, or test-lab handoff, run a consistency check across the ICS and IXIT rows. Most evidence problems appear when the support claim says one thing and the IXIT, user documentation, or functional behavior says another.

This review is also where teams should remove overclaims. TS 103 701 is explicit that defining a certification or conformance declaration scheme is out of scope, and that assessment schemes typically define additional requirements such as tester expertise, cryptographic requirements, and accepted third-party evidence.

- No mandatory provision claimed as No in a final assessment set unless the team is deliberately recording a failing or non-conforming result.
- Every N/A has a condition or feature rationale and is checked against the IXIT and user documentation.
- Every Yes claim has the IXIT entries needed for the relevant test groups and enough evidence for conceptual or functional review.
- Every external evidence item is scoped to the DUT, provision, and test purpose it is supposed to support.
- Every public claim avoids implying certification, legal compliance, or complete product security unless a separate scheme, certificate, or legal assessment actually supports that claim.

Sources for this answer:

- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Source for ICS verification, IXIT sufficiency, overall verdicts, and the limits of the assessment methodology.
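
The first four checks above can be run mechanically over a register that follows the minimum row design. This is an added example, not code from the ETSI standards or from Sorena; the field names, finding codes, DUT name and sample rows are constructed, and the mandatory and conditional flags must be copied from the Annex B pro forma rather than from this sample.

```python
from dataclasses import dataclass, field

@dataclass
class ExternalEvidence:
    ref: str
    dut: str = ""        # DUT (model and software version) the evidence covers
    provision: str = ""  # provision or test group it is meant to support
    purpose: str = ""    # test purpose or activities it covers

@dataclass
class Row:
    provision: str       # EN 303 645 provision reference, e.g. "5.2-1"
    mandatory: bool      # M (True) or R (False), copied from the Annex B pro forma
    conditional: bool    # True if condition/feature logic permits N/A
    status: str          # ICS support status: "Yes", "No" or "N/A"
    detail: str = ""     # measure, non-support reason or N/A rationale
    ixit: list = field(default_factory=list)      # IXIT entries relied on
    evidence: list = field(default_factory=list)  # document IDs, URLs, reports
    external: list = field(default_factory=list)  # ExternalEvidence items
    review: str = "not yet assessed"

def check_register(rows, dut_id):
    """Return sorted (provision, finding_code) pairs for rows that fail a check."""
    findings = []
    for r in rows:
        def flag(code):
            findings.append((r.provision, code))
        if r.status not in ("Yes", "No", "N/A"):
            flag("BAD_STATUS")
            continue
        if r.status == "No":
            # A mandatory No is acceptable only as a deliberately recorded fail.
            if r.mandatory and r.review != "fail":
                flag("MANDATORY_NO_NOT_RECORDED_AS_FAIL")
            if not r.detail.strip():
                flag("NO_WITHOUT_REASON")
        elif r.status == "N/A":
            if not r.conditional:
                flag("NA_NOT_PERMITTED")
            if not r.detail.strip():
                flag("NA_WITHOUT_RATIONALE")
        else:  # "Yes"
            if not r.ixit:
                flag("YES_WITHOUT_IXIT")
            if not r.evidence and not r.external:
                flag("YES_WITHOUT_EVIDENCE")
        for e in r.external:
            # External evidence must name this DUT, this provision and a purpose.
            if e.dut != dut_id or e.provision != r.provision or not e.purpose.strip():
                flag("EXTERNAL_EVIDENCE_UNSCOPED")
    return sorted(set(findings))

# Constructed sample register; M/R and conditional flags are illustrative only.
DUT = "ExampleCam X1 / fw 1.4.2"
SAMPLE = [
    Row("5.1-1", True, True, "N/A"),
    Row("5.2-1", True, False, "Yes", "Public disclosure policy",
        ixit=["user information"], evidence=["DOC-017"]),
    Row("5.3-13", True, False, "No", "Label redesign pending"),
    Row("5.10-1", False, True, "Yes", "Telemetry reviewed for anomalies",
        ixit=["telemetry data"],
        external=[ExternalEvidence("RPT-9", dut="ExampleCam X0",
                                   provision="5.10-1", purpose="telemetry review")]),
    Row("5.11-1", True, False, "Yes", "Factory reset removes user data"),
]

if __name__ == "__main__":
    for provision, code in check_register(SAMPLE, DUT):
        print(f"{provision}: {code}")
```

The public-claim check in the last bullet is a wording review and is left to a human reader.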

## Common mistakes to remove from public-facing content

Public guidance should not blur the standards. EN 303 645 gives the baseline consumer IoT provisions and ICS pro forma context; TS 103 701 gives the assessment methodology and IXIT pro forma context. Mixing them makes the page less useful to implementers and easier to challenge in procurement or assessment review.

Remove claims that the template itself proves conformance. A template can organize evidence and make assessment preparation more consistent, but the assessment result depends on the completed ICS, sufficient IXIT information, applied test groups, verdict rules, and any assessment-scheme requirements.

- Do not cite local source reference file names, private working notes, or non-public source paths.
- Do not use stale or generic source links when a specific ETSI deliverable URL supports the claim.
- Do not describe the IXIT as an EN 303 645 requirement; describe it as TS 103 701 assessment information.
- Do not copy sample IXIT implementation values into a real product row unless they are true for that DUT.
- Do not hide unresolved applicability decisions inside narrative text; keep them as open ICS rows with owners and evidence gaps.

Sources for this answer:

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Source for EN 303 645 provisions and ICS pro forma context.
- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Source for TS 103 701 assessment methodology and IXIT pro forma context.

## Primary sources

- [ETSI EN 303 645 V2.1.1 consumer IoT baseline requirements](https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02.01.01_60/en_303645v020101p.pdf?ref=sorena.io) - Primary ETSI source for consumer IoT baseline provisions, reporting implementation, and Annex B implementation conformance statement pro forma.
  - Quote: "Implementation conformance statement pro forma"
- [ETSI TS 103 701 V2.1.1 cybersecurity assessment for consumer IoT](https://www.etsi.org/deliver/etsi_ts/103700_103799/103701/02.01.01_60/ts_103701v020101p.pdf?ref=sorena.io) - Assessment source for DUT, supplier organization, test laboratory, ICS, IXIT, conceptual tests, functional tests, verdicts, and external evidence handling.
  - Quote: "The TL uses these documents to derive a test plan."

