ISO/IEC 17065 Explained — The Procedural Standard for Product Certification Bodies

ISO/IEC 17065:2012 is the international standard that defines the requirements for organisations that certify products, processes and services. It is the procedural framework that turns a technical evaluation into a procurement-grade attestation — covering impartiality, confidentiality, structural independence, certification decision-making, surveillance, and the public verifiability that makes accredited certification meaningfully different from self-declaration. Guardian Assessment Pvt. Ltd. is accredited under ISO/IEC 17065 by United Accreditation Foundation (UAF) — accreditation number 52605385601, valid until 05 May 2030.


The Procedural Standard for Product Certification Bodies

ISO/IEC 17065:2012 — formally titled ‘Conformity assessment — Requirements for bodies certifying products, processes and services’ — is the international standard that defines the requirements for organisations that issue product certifications. It is the procedural framework that converts a technical evaluation into a procurement-grade attestation. Where the OWASP standards covered on the other Standards pages (ASVS, OWASP Top 10, OWASP API Security Top 10) provide the technical content of evaluation — what to verify and how to prioritise findings — ISO/IEC 17065 provides the procedural content: who can issue certifications, how they must be structured to remain impartial, how decisions must be made, how surveillance must be conducted, and how the resulting certificates must be made publicly verifiable.

This procedural layer is what makes accredited certification meaningfully different from self-declaration. Any organisation can run a security assessment and write a report. What makes a certificate trustworthy to a procurement team, an auditor or a regulator is not just the technical depth of the evaluation underneath it — though that matters — but the procedural integrity of the issuing body. ISO/IEC 17065 is the standard that defines and audits that procedural integrity. A 17065-accredited certification is one issued by a body whose impartiality, competence, decision-making process, and ongoing oversight have been independently verified by an accreditation body and continue to be subject to annual surveillance.

Within Guardian SecureApp™, ISO/IEC 17065 is the procedural backbone of the entire scheme. Guardian Assessment Pvt. Ltd. is accredited under ISO/IEC 17065 by United Accreditation Foundation (UAF) — accreditation number 52605385601, IAF Scope Code 33, with accreditation valid from 06 May 2026 until 05 May 2030. UAF audits Guardian against ISO/IEC 17065 annually; Guardian’s certification scheme document GSA-PR-01 is structured to comply with the standard’s requirements; every certificate Guardian issues is the output of a process designed to satisfy 17065’s clauses. The OWASP standards tell Guardian what to verify; ISO/IEC 17065 tells Guardian how the verification must be conducted, decided, communicated and maintained.

Jointly Published by ISO and IEC

ISO/IEC 17065 is jointly published by two international standards organisations: ISO (the International Organization for Standardization, headquartered in Geneva) and IEC (the International Electrotechnical Commission, also headquartered in Geneva). Joint publication under the ISO/IEC prefix indicates that the standard’s content was developed cooperatively between the two organisations, reflecting that conformity assessment — the broader subject area within which 17065 sits — spans both general industry standardisation (ISO’s domain) and electrotechnical standardisation (IEC’s domain).

ISO standards are developed through a multi-stage international consensus process. Member national-standards bodies — Bureau of Indian Standards (BIS) in India, ANSI in the United States, BSI in the United Kingdom, DIN in Germany, and equivalents in around 170 member countries — nominate experts to technical committees, comment on drafts, and vote on proposed standards. The process is transparent (drafts circulate publicly), consensus-driven (broad agreement is required for publication), and time-disciplined (each standard is reviewed for continued relevance every five years). When a published standard is no longer fit for purpose, ISO either revises it (issuing a new version with a year suffix) or withdraws it. ISO/IEC 17065:2012 has been published since 2012 and remains the operative version at the time of this writing.

Unlike the OWASP standards covered on Pages 12, 13 and 14 — which are public goods freely available under Creative Commons licences — ISO standards are sold commercially through ISO directly and through national-standards-body resellers. The standards-development process is funded substantially through this sale revenue. Anyone can read excerpts and the table of contents on iso.org’s catalogue page (the canonical reference for ISO/IEC 17065 is iso.org/standard/46568.html), but the full text requires purchase. This is a structural difference worth noting: it means the standards’ content cannot be reproduced freely on a public page like this one, which is why the body copy below paraphrases the requirements rather than quoting them, and directs readers to ISO for the canonical text.

Where to find the canonical standard: The authoritative current text of ISO/IEC 17065:2012, including any official corrigenda, is published by ISO at iso.org/standard/46568.html. National-standards bodies (Bureau of Indian Standards in India) also distribute the standard as a national adoption. This page summarises and contextualises the standard for readers researching what 17065-accredited certification means — the canonical reference is ISO’s published text.

How the Standard Is Structured

ISO/IEC 17065:2012 is organised into eight major clauses (numbered 1 through 8) plus annexes containing supporting material. The eight clauses progress from foundational scope and definitions, through the substantive requirements that certification bodies must meet, to information requirements governing what must be communicated externally. Below is a clause-by-clause summary of what each clause addresses, paraphrased and contextualised for readers researching what 17065-accredited certification means in practice.

Clause and title: what each clause covers

Cl. 1: Scope

Defines the standard’s scope: what kinds of certification bodies and what kinds of certifications fall within its requirements. Establishes that 17065 applies to bodies certifying products, processes and services — distinguishing it from related standards covering management systems (ISO/IEC 17021-1) and testing laboratories (ISO/IEC 17025).

Cl. 2: Normative References

Lists the standards that ISO/IEC 17065 references in its requirements. The principal normative reference is ISO/IEC 17000 (Vocabulary), which defines the conformity-assessment terminology used throughout 17065.

Cl. 3: Terms and Definitions

Defines the specific terms used in the standard — ‘certification body’, ‘client’, ‘evaluation’, ‘review’, ‘decision’, ‘scheme’, ‘scheme owner’, ‘surveillance’, ‘impartiality’ — with precise meanings that govern how the rest of the standard is to be interpreted. Avoids ambiguity in a domain where everyday and technical meanings can diverge.

Cl. 4: General Requirements

The foundational substantive requirements. Covers legal and contractual matters (Cl. 4.1), management of impartiality (Cl. 4.2 — including identifying impartiality threats, managing conflicts of interest, separating consultancy from certification, fee structures that do not influence decisions), liability and financing (Cl. 4.3), non-discriminatory conditions (Cl. 4.4), confidentiality (Cl. 4.5), and publicly available information (Cl. 4.6 — including the public directory of certifications). The most-referenced clause in scoping conversations.

Cl. 5: Structural Requirements

Requirements for the certification body’s organisational structure. The body must be a legal entity (or part of one) with sufficient organisational structure to give confidence in its competence and impartiality. Specifies requirements for top management, the role of stakeholder oversight (e.g., impartiality committees), and the separation between the certification body and any other activities the legal entity is involved in.

Cl. 6: Resource Requirements

Requirements for the people, equipment and infrastructure that conduct certification work. Covers competence requirements for certification-body personnel (Cl. 6.1.1), how competence is determined and documented (Cl. 6.1.2), training and ongoing competence development (Cl. 6.1.3), monitoring of personnel performance (Cl. 6.1.4), and use of contractors and outsourced work where applicable (Cl. 6.2).

Cl. 7: Process Requirements

The procedural heart of the standard — how certification work must actually be conducted. Covers application (Cl. 7.2), application review (Cl. 7.3), evaluation (Cl. 7.4), review (Cl. 7.5), the certification decision (Cl. 7.6 — independent decision-maker requirement), certification documentation (Cl. 7.7), the directory of certified products (Cl. 7.8), surveillance (Cl. 7.9), changes affecting certification (Cl. 7.10), termination, reduction, suspension or withdrawal of certification (Cl. 7.11), records (Cl. 7.12), and complaints and appeals (Cl. 7.13).

Cl. 8: Management System Requirements

Requirements for the certification body’s own management system — how it documents, controls, audits, and continually improves its own operations. Permits two compliance options: implementing a management system that meets clauses defined in 17065 itself (Option A), or implementing an ISO 9001-compliant management system that also addresses 17065’s management requirements (Option B). Most accredited certification bodies use Option A or a hybrid.

Within Guardian SecureApp™, every clause has direct operational implications. Clause 4.2 governs how Guardian manages impartiality (including the policy that consultants who advise applicants on remediation cannot evaluate the same product, and that fees must not influence the certification decision). Clause 7.6 governs the independent decision-maker requirement (decisions are taken by a Certification Decision Authority separate from the evaluation team, on every engagement, regardless of Level). Clause 7.8 governs the public directory at /directory. Clause 7.13 governs the complaints and appeals procedure at /complaints-appeals. The Guardian SecureApp™ scheme document GSA-PR-01 and the supporting procedure suite are structured to comply with these clauses comprehensively.

Three Standards Commonly Confused

ISO/IEC 17065 sits within a family of conformity-assessment standards published by ISO and IEC. Three of these are commonly confused with 17065 — particularly in procurement conversations and vendor questionnaires — because they share the ‘ISO/IEC 17xxx’ prefix and operate in adjacent territory. Distinguishing them precisely is important: a vendor that names the wrong standard in its accredited-certification claim is signalling either confusion or carelessness, both of which raise procurement concerns.

Standard: ISO/IEC 17065
What body it accredits: Product certification body (PrCB)
What is certified: Products, processes, services
Examples: Guardian SecureApp™ — software products certified for application security; product safety certificates; organic-food certificates

Standard: ISO/IEC 17021-1
What body it accredits: Management system certification body
What is certified: Management systems (organisational, not product)
Examples: ISO/IEC 27001 (information security management); ISO 9001 (quality); ISO 14001 (environment); ISO 45001 (occupational health and safety)

Standard: ISO/IEC 17025
What body it accredits: Testing and calibration laboratory
What is certified: Tests, measurements, calibration results
Examples: Pesticide residue testing labs; calibration laboratories; metrology institutions

Standard: ISO/IEC 27001
What body it accredits: Itself a standard, not an accreditation framework
What is certified: An organisation’s information security management system
Examples: Companies certified to ISO/IEC 27001 — issued by 17021-1-accredited bodies

The most consequential of these distinctions is between ISO/IEC 17065 (this page) and ISO/IEC 27001. ISO/IEC 27001 is itself a standard — a framework for an information security management system — and organisations are ‘certified to ISO/IEC 27001’ by certification bodies that are themselves accredited under ISO/IEC 17021-1. The two operate at different layers: 17065 and 17021-1 are accreditation standards (governing certification bodies); 27001 is a certifiable standard (governing organisational management). When a vendor claims ‘17065-accredited’ certification on a software product, they are saying the certification body that issued the product certificate is itself accredited under 17065 — which is what makes the certificate meaningful at procurement.

Guardian SecureApp™ is a 17065-accredited product certification scheme. ISO/IEC 27001 is complementary, not substitutable: it certifies the management system around an organisation’s information security; Guardian SecureApp™ certifies a specific software product against application security requirements. Mature procurement processes commonly request both — they answer different questions. A vendor with both 27001 (organisation-level) and Guardian SecureApp™ (product-level) certification is producing more comprehensive evidence than a vendor with only one.

The Mechanics of Guardian Assessment Pvt. Ltd.’s Accreditation

Guardian Assessment Pvt. Ltd. is accredited under ISO/IEC 17065:2012 by United Accreditation Foundation (UAF). The accreditation number is 52605385601, with IAF Scope Code 33 (Information Technology). The accreditation is valid from 06 May 2026 until 05 May 2030, subject to annual surveillance and the conditions set out in the Accreditation Agreement between Guardian and UAF. Below is a summary of how the accreditation actually works in operational terms.

Mechanic and implementation details
Initial Accreditation Assessment

Before issuing accreditation, UAF conducted a multi-stage assessment of Guardian against the full text of ISO/IEC 17065. This assessment included documentation review (of Guardian’s scheme document GSA-PR-01, internal procedures, impartiality framework, complaint and appeals procedure, certification agreement template, evaluator competence framework, and supporting policies), on-site assessment (of Guardian’s office, decision-making infrastructure, and operational evidence), and witness assessments (where UAF assessors observe Guardian’s evaluators conducting actual certification work, verifying that documented procedures match operational reality). Only after each clause of 17065 was demonstrated to be operationally satisfied did UAF issue the accreditation.

The Scope of Accreditation

The accreditation is not generic — it is granted for a specific scope, named in the Schedule of Accreditation issued alongside the certificate. Guardian’s scope covers the Guardian SecureApp™ Product Certification Scheme — specifically third-party product certification for cybersecurity of web applications, SaaS / multi-tenant platforms, and APIs / microservices, evaluated under the OWASP standards, at three assurance levels (Level 1 Basic, Level 2 Advanced, Level 3 High-Risk / Critical). The scope is recorded with reference to the normative document GSA-PR-01. Guardian cannot issue accredited certificates outside this scope; if Guardian wished to extend accreditation to additional scheme types, that would require a scope-extension assessment by UAF.

Annual Surveillance by UAF

ISO/IEC 17065 accreditation is not a one-time gate — it is an ongoing relationship subject to annual surveillance by the accreditation body. UAF conducts a surveillance audit of Guardian each year that the accreditation is active, verifying that operational reality continues to match documented procedures, that any changes to the scheme have been approved appropriately, that surveillance and recertification activities for Guardian’s certified clients are being conducted as required, that complaints and appeals are being handled correctly, and that competence of personnel continues to be maintained. Findings from surveillance can result in corrective action requirements, accreditation suspension, or — in serious cases — accreditation withdrawal.

Witness Audits

UAF also conducts witness audits — observing Guardian’s evaluators conducting actual certification engagements with Guardian’s clients. Witness audits are scheduled per UAF’s Surveillance Programme; consent of the certified client is obtained, and the client is informed in advance. Witness audits provide UAF with first-hand evidence that the evaluation methodology described in Guardian’s scheme document is what is actually executed in client engagements. They are one of the strongest verification tools the accreditation system has.

Reaccreditation at the End of Each Cycle

At the end of each accreditation cycle (Guardian’s current cycle runs to 05 May 2030), reaccreditation is required for continued accreditation. Reaccreditation is more substantive than annual surveillance — it includes a comprehensive reassessment of Guardian against the full text of 17065, including any updates to the standard or to UAF’s accreditation requirements adopted since initial accreditation. The reaccreditation assessment is essentially the initial-accreditation assessment repeated. Continued accreditation is not automatic; it depends on continued demonstrated compliance.

Why the Accreditation Body Itself Matters

ISO/IEC 17065 governs the certification body. But who governs the accreditation body that audits the certification body? This is a layered question, and the answer is what gives the entire system international credibility. The framework is built on three concentric layers.

Layer 1 — The Certification Body

Guardian Assessment Pvt. Ltd. is the certification body. We issue certificates against the Guardian SecureApp™ scheme. We are accredited under ISO/IEC 17065. We are subject to UAF’s annual surveillance and witness audits. Our scope is defined in our Schedule of Accreditation. We are accountable to our clients and to UAF for compliance with 17065.

Layer 2 — The Accreditation Body (UAF)

United Accreditation Foundation Inc. (UAF) is the accreditation body that accredits Guardian. UAF is itself subject to peer evaluation under the standards governing accreditation bodies — specifically ISO/IEC 17011 (Conformity assessment — Requirements for accreditation bodies accrediting conformity assessment bodies). UAF is incorporated in the United States, headquartered at 1060 Laskin Road, Suite 12B/13B, Virginia Beach, VA 23451. UAF accredits certification bodies in multiple regions and across multiple scheme types.

Layer 3 — The IAF and the IAF MLA

UAF is a member of the International Accreditation Forum (IAF) — the global association of accreditation bodies. IAF maintains the Multilateral Recognition Arrangement (MLA), under which signatory accreditation bodies mutually recognise the certifications issued by certification bodies they accredit. The MLA is what makes accreditation internationally portable: a certificate issued in one country by a certification body accredited by an IAF MLA signatory is recognised in other countries by other MLA signatories’ regulators and procurement systems. The MLA is structured by scheme type — separate MLA scopes exist for management system certification (linked to ISO/IEC 17021-1), product certification (linked to ISO/IEC 17065), inspection bodies, testing laboratories, and so on. Each MLA scope is administered separately.

UAF’s IAF MLA scope for product certification (PrCB): UAF’s IAF MLA recognition for product certification (PrCB) is currently under process at the time of preparation of this page. The current scope of UAF’s IAF MLA recognition can be verified at the IAF’s own multilateral recognition page at iaf.nu. Where international recognition under the IAF MLA is a buyer requirement, the scoping conversation should establish the current MLA scope and the buyer’s specific requirement; international recognition is the same across Guardian SecureApp™ Levels 1, 2 and 3.

Why this layered framework matters: it means a Guardian SecureApp™ certificate is not just ‘Guardian’s word’ or even ‘Guardian and UAF’s word’. It is anchored in a system where ISO/IEC 17065 governs Guardian, ISO/IEC 17011 governs UAF, and the IAF MLA governs the international recognition of accreditation bodies. Every layer has independent oversight by parties that do not have a direct commercial interest in the certificates being issued. This is precisely the structural integrity that distinguishes accredited certification from self-declaration.

What 17065 Is Not

Several persistent misconceptions about ISO/IEC 17065 surface in scoping conversations and procurement documents. Clarifying them once explicitly is more efficient than addressing them repeatedly:

Misconception 1 — ‘ISO/IEC 17065 certification is what my product gets.’

It is not. ISO/IEC 17065 is the standard that governs certification bodies, not a standard that products are certified to. Your product would be certified against the Guardian SecureApp™ scheme (which itself is anchored in OWASP standards), with the certificate issued by Guardian — and Guardian is the entity that is accredited under ISO/IEC 17065. The chain reads: ‘Your product is certified by Guardian, against the Guardian SecureApp™ scheme; Guardian is accredited under ISO/IEC 17065 by UAF.’ Confusing the layers — claiming ‘17065 certified’ on a product — would be technically incorrect and procurement-discrediting.

Misconception 2 — ‘ISO/IEC 17065 is the same as ISO/IEC 27001.’

It is not. ISO/IEC 17065 is an accreditation standard for certification bodies. ISO/IEC 27001 is a certifiable standard for information security management systems. They operate at different layers: 17065 governs the body that issues certificates; 27001 is what some bodies (specifically, those accredited under 17021-1, not 17065) issue certificates against. They are not interchangeable, not substitutable, and not the same kind of standard. The ‘Three Standards Commonly Confused’ table above details the distinctions across the conformity-assessment family.

Misconception 3 — ‘ISO/IEC 17065 has been superseded by a later version.’

It has not. ISO/IEC 17065:2012 remains the operative version. ISO standards are reviewed for continued relevance every five years; 17065 has been reviewed and confirmed in subsequent reviews. When a future revision is published, ISO will issue it under the same number with a new year suffix (e.g., ISO/IEC 17065:YYYY). Until that happens, 17065:2012 is the standard accreditation bodies enforce.

Misconception 4 — ‘A 17065-accredited certificate guarantees the product is secure forever.’

It does not. ISO/IEC 17065 does not — and could not — guarantee future security. What 17065 guarantees procedurally is that the certificate was issued by a body whose impartiality and competence are independently verified, that the evaluation methodology was rigorous, that the certification decision was independent, and that surveillance and recertification will continue throughout the certification cycle. Security itself is dynamic; 17065 is what makes the assurance signal credible at the time of evaluation, not what extends it indefinitely. Surveillance is the ongoing maintenance of the signal, which is also a 17065 requirement (Cl. 7.9).

Misconception 5 — ‘Any organisation can accredit any certification body.’

They cannot — at least not in any way that produces internationally recognised accreditation. Accreditation bodies that issue meaningful accreditation are themselves subject to peer evaluation under ISO/IEC 17011, and the credibility of their accreditation depends on their membership of the IAF and the relevant IAF MLA scopes. Some ‘accreditation bodies’ exist that are not IAF members and not subject to peer evaluation — accreditation issued by such bodies has limited recognition outside the issuer’s immediate sphere. When evaluating an accredited certificate, the question ‘who accredits the certification body?’ is meaningful — UAF, ANAB, UKAS, NABCB, JAS-ANZ, and similar IAF members produce internationally recognised accreditation; obscure or self-declared ‘accreditation bodies’ do not.

Procurement-Grade Verification

Step 1 — Verify the Certificate Itself

Confirm that the certificate exists in the issuing certification body’s public directory. The directory is mandated by ISO/IEC 17065 Cl. 7.8 and must be accessible without restriction. For Guardian SecureApp™, the directory is at /directory and is searchable by certificate number, product name, or applicant name. A certificate that is not publicly listed is not a valid accredited certificate, regardless of what document the holder may produce.

Step 2 — Verify the Certification Body’s Accreditation

Confirm that the certification body that issued the certificate is itself accredited under ISO/IEC 17065 by a recognised accreditation body. Accreditation bodies maintain their own public directories of the certification bodies they accredit. UAF’s directory is at uafaccreditation.org. The directory entry should match the accreditation number, scope, and validity dates the certification body claims. A claim of ‘17065-accredited’ that does not appear in the accreditation body’s own directory is not verifiable.

Step 3 — Verify the Accreditation Body’s IAF Status

Confirm that the accreditation body is itself a member of the IAF, and that its accreditation falls within an IAF MLA scope appropriate to the certification at hand. IAF maintains member directories at iaf.nu, including the current MLA scopes for each member. This step matters where international recognition is a procurement requirement — domestic procurement may not require it, but cross-border procurement frequently does.

Step 4 — Verify the Scope Match

Confirm that the certificate’s scope (the products, processes, services it covers) matches the procurement question. A certificate issued for one product does not transfer to another product; a certificate issued at Level 1 does not produce Level 2 evidence; a Module A certificate does not produce Module C evidence. The Public Scope Statement, mandated by 17065, makes the boundary explicit. A 17065-accredited certificate is precise about what it covers; that precision is one of its values.

The Procurement-Grade Standard

Procurement teams and regulators increasingly distinguish between ‘17065-accredited certification’ and other forms of security claim. The distinction is not an aesthetic preference — it is a structural difference in what each claim signals about the underlying procedural integrity. Below are the principal reasons procurement places weight specifically on 17065-accredited certification.

Independent Decision-Making

17065 Cl. 7.6 requires that the certification decision be taken by an individual or group independent of the evaluation team. This is structurally different from a security assessment where the same engineers who tested the product also issue the report — in 17065-accredited certification, the people who tested cannot be the people who decide. This separation is what produces decision integrity that procurement teams, auditors, and regulators can rely on.

Impartiality Auditing

17065 Cl. 4.2 requires the certification body to identify and manage threats to impartiality — and accreditation bodies audit this annually. The certification body cannot, for example, also act as a consultant to the same client on the certified product. The fees charged cannot be structured to influence the certification decision (which is why Guardian’s fees are payable for work performed regardless of certification outcome). These structural impartiality requirements are not aspirational principles — they are audited, with corrective actions and accreditation consequences for non-compliance.

Public Verifiability

17065 Cl. 4.6 and Cl. 7.8 require the certification body to maintain publicly available information about its certifications and the products certified. This includes the public directory at /directory, the Public Scope Statement attached to each certificate, and the publication of suspension and withdrawal status in real time. Procurement teams can verify a certificate’s current status without depending on the holder to produce a copy. Self-attestations and private security reports cannot offer this.

Ongoing Surveillance

17065 Cl. 7.9 requires ongoing surveillance of certified clients throughout the certification cycle, with surveillance frequency proportionate to the assurance signal the certificate carries. Surveillance is not a one-time gate — it is the ongoing assurance that the criteria continue to be met. A certificate that has passed surveillance recently is meaningfully different from a certificate issued years ago and never re-tested.

Complaints and Appeals

17065 Cl. 7.13 requires a documented complaints and appeals procedure, available to both certified clients (appealing certification decisions) and any third party (raising complaints about a certified product). This procedure provides procurement teams with a structural recourse if a certified product fails them — they can lodge a complaint, which the certification body must investigate, with potential certificate suspension or withdrawal as outcomes. Self-attestations have no such mechanism.

These structural features are what make a 17065-accredited certificate procurement-grade. They are also why Guardian’s emphasis on 17065 compliance — across our scheme document, our procedures, our website, our scoping conversations — is not bureaucratic flourish. It is the difference between an evaluation report and an accredited certificate, and the difference is procedurally meaningful.

Common ISO/IEC 17065 Questions, Answered

What is ISO/IEC 17065?

ISO/IEC 17065:2012 defines the requirements for organisations that certify products, processes and services. It is the procedural framework that turns a technical evaluation into a procurement-grade attestation — covering impartiality, confidentiality, structural independence, certification decision-making, surveillance, public verifiability, and complaints and appeals. Where the OWASP standards (ASVS, OWASP Top 10, OWASP API Security Top 10) provide the technical content of evaluation, ISO/IEC 17065 provides the procedural content. Both layers are required for procurement-grade certification.

Is ISO/IEC 17065 the same as ISO/IEC 27001?

No. ISO/IEC 17065 is an accreditation standard for certification bodies — it governs the bodies that issue certificates. ISO/IEC 27001 is a certifiable standard for information security management systems — it is what some bodies issue certificates against. They operate at different layers and address different questions: 17065 governs the body issuing certificates, 27001 is what certain bodies (specifically those accredited under 17021-1, not 17065) certify organisations against. The two are complementary in mature procurement contexts; ISO/IEC 27001 attests to the management system, Guardian SecureApp™ (which is 17065-accredited) attests to a specific software product.

What is my product certified against?

Your product is certified against the Guardian SecureApp™ scheme — anchored in OWASP ASVS (Modules A and B) or OWASP API Security Top 10 (Module C), at the chosen Level (1 Basic / 2 Advanced / 3 High-Risk Critical). Guardian, the certification body, is accredited under ISO/IEC 17065 by UAF — accreditation 52605385601. The chain reads: ‘Your product is certified by Guardian, against the Guardian SecureApp™ scheme; Guardian is ISO/IEC 17065-accredited by UAF.’ Saying a product is ‘17065-certified’ is technically incorrect — products are certified against schemes; certification bodies are accredited against 17065.

Because it provides structural integrity that self-declarations and private security reports cannot. Specifically: the certification decision is taken by an independent decision-maker separate from the evaluation team (Cl. 7.6); the body’s impartiality is audited annually (Cl. 4.2); certificates are publicly verifiable in a directory (Cl. 7.8); surveillance maintains the assurance signal over time (Cl. 7.9); complaints and appeals procedures provide recourse to procurement teams (Cl. 7.13). These are not aspirational principles — they are audited requirements with corrective-action and accreditation consequences for non-compliance. That structural integrity is what makes a 17065-accredited certificate procurement-grade.

Only certification bodies that have been independently audited and accredited by an accreditation body. The accreditation body must itself be subject to peer evaluation under ISO/IEC 17011 — typically through membership of the International Accreditation Forum (IAF). Guardian Assessment Pvt. Ltd. is accredited by United Accreditation Foundation (UAF), an IAF member. The accreditation is granted only after multi-stage assessment (documentation review, on-site assessment, witness audits) and is maintained through annual surveillance. Any organisation can call itself a ‘certification body’ — only those with verifiable accreditation produce internationally recognised certificates.

No. Unlike OWASP standards (which are public goods freely available under Creative Commons), ISO standards are sold commercially through ISO and national-standards-body resellers. The full text of ISO/IEC 17065 must be purchased from iso.org/standard/46568.html or from a national-standards body (Bureau of Indian Standards in India). Excerpts and the table of contents are publicly visible. The standards-development process is funded substantially through this sale revenue. This page paraphrases the requirements rather than quoting them, in line with ISO’s copyright.

The International Accreditation Forum (IAF) Multilateral Recognition Arrangement (MLA) is the framework under which signatory accreditation bodies mutually recognise the certifications issued by certification bodies they accredit. It allows certifications issued in one country to be recognised in others — making accreditation internationally portable. The MLA is structured by scheme type (separate scopes for management system certification under 17021-1, product certification under 17065, inspection bodies, testing laboratories, and so on), and each scope is administered separately. UAF is an IAF member; UAF’s IAF MLA recognition for product certification (PrCB) is currently under process, and the current scope can be verified at iaf.nu.

Clause 4.2 — the standard’s most-referenced impartiality clause — requires the certification body to identify and manage threats to impartiality on an ongoing basis. Specific requirements include: separation of consultancy from certification (a body that has consulted on a product cannot certify the same product), management of financial and personnel conflicts, fee structures that do not influence certification decisions, and oversight by an impartiality committee or equivalent stakeholder mechanism. The standard does not just require impartiality; it requires a documented programme to identify, evaluate and manage impartiality risks — and that programme is audited by the accreditation body annually.

These are three distinct procedural stages, defined in the standard’s Clause 3 and operationalised in Clause 7. Evaluation (Cl. 7.4) is the technical assessment of the product against the scheme criteria — performed by the evaluation team. Review (Cl. 7.5) is the verification that the evaluation has been conducted correctly, completely and consistently — typically by a senior reviewer. Decision (Cl. 7.6) is the determination whether to grant, deny, or defer certification — taken by an independent decision-maker who is not part of the evaluation team. The three-stage separation is structural: the same person cannot perform all three roles on the same engagement. This is what produces independent decision integrity.

A penetration test is a technical activity. 17065-accredited certification adds the procedural infrastructure that turns a technical activity into an attestation: independent decision-making (Cl. 7.6), public-directory listing (Cl. 7.8), surveillance throughout the cycle (Cl. 7.9), complaints and appeals procedures (Cl. 7.13), accreditation oversight by an external body (UAF in Guardian’s case), and cross-recognition through the IAF MLA. A penetration test report is private and point-in-time; a 17065-accredited certificate is publicly verifiable and ongoing. Both have value in different contexts; for procurement evidence at scale, the certificate is what procurement teams now expect.

Both are accreditation standards governing certification bodies. ISO/IEC 17065 governs bodies that certify products, processes and services. ISO/IEC 17021-1 governs bodies that certify management systems (organisational frameworks). The most important implication of this distinction: bodies certifying organisations against ISO/IEC 27001 are accredited under 17021-1, not 17065. Bodies certifying software products under product certification schemes (like Guardian SecureApp™) are accredited under 17065. The two are complementary at the layer of organisational maturity — many mature regulated entities hold both kinds of certificate, against different aspects of their operations.

Withdrawal of accreditation is a serious event with cascading consequences. Existing certificates issued under the accreditation lose their accredited status from the withdrawal date forward (typically with a notice period). Certified clients are usually given the option to transfer their certification to another accredited body for the remainder of the cycle. The withdrawn body is removed from the accreditation body’s public directory. Withdrawal happens — in practice — through a documented process triggered by serious or persistent non-compliance with 17065, identified through annual surveillance or complaint investigation. The accreditation framework is engineered to make this consequential precisely so that certification bodies have strong incentives to maintain compliance.

Indian regulators in financial services, healthcare, government IT and other regulated sectors increasingly reference ISO/IEC 17065-accredited product certification as one form of acceptable third-party evidence — formally or by analogy. Acceptability to any given Indian regulator depends on that regulator’s mandate. National Accreditation Board for Certification Bodies (NABCB), the Indian accreditation body, accredits several certification bodies under ISO/IEC 17065; UAF (Guardian’s accreditation body) is a separate IAF member. We are happy to discuss specific regulatory drivers at scoping; in regulated procurement processes, 17065-accredited certification typically serves as evidence alongside regulator-specific requirements rather than as a substitute for them.

A normative document is the standard or specification that defines the criteria a product is certified against — distinct from the standard that governs the certification body itself. In the Guardian SecureApp™ context: ISO/IEC 17065 governs Guardian (the certification body); the normative documents Guardian evaluates products against are OWASP ASVS (for Modules A and B) and OWASP API Security Top 10 (for Module C), with GSA-PR-01 (Guardian’s own scheme document) acting as the consolidating normative document that operationalises the OWASP standards. The certificate names the normative document the product was evaluated against; that is what the certificate actually attests to.

ISO standards undergo systematic review every five years to determine whether they should be confirmed (continued without change), revised (a new version issued), or withdrawn (no longer maintained). ISO/IEC 17065:2012 has been confirmed in successive reviews and remains the operative version. When a future revision is published, ISO will issue it under the same number with a new year suffix (e.g., ISO/IEC 17065:YYYY). Until that happens, 17065:2012 is the standard accreditation bodies enforce. Any future revision would trigger transition assessments for accredited certification bodies.

ISO/IEC 17065:2012 is sold by ISO at iso.org/standard/46568.html (opens external site). National-standards bodies (Bureau of Indian Standards in India, ANSI in the United States, BSI in the United Kingdom, and equivalents in around 170 member countries) also distribute the standard as national adoptions. Many corporate libraries, university libraries and standards-research databases carry it. The catalogue page on iso.org provides the official scope, table of contents and previewable excerpts; the full normative text requires purchase. This page paraphrases the requirements rather than quoting them, in line with ISO’s copyright.
