Commonly asked questions
FAQ Categories
About Guardian and Our Accreditation
Guardian Assessment Pvt. Ltd. is a third-party Conformity Assessment Body headquartered in Mumbai, India. We are accredited by the United Accreditation Foundation (UAF), USA, under ISO/IEC 17065:2012 to operate the Guardian SecureApp™ Product Certification Scheme.
United Accreditation Foundation Inc. (UAF), based in Virginia Beach, USA. Our accreditation number is 52605385601, valid from 06 May 2026 to 05 May 2030.
At www.uafaccreditation.org by searching for accreditation number 52605385601, or by downloading our Certificate and Schedule of Accreditation from /accreditation.
Guardian is accredited by UAF, an internationally operating accreditation body. UAF is a member of the IAF and a signatory to the IAF MLA. The current scope of UAF’s IAF MLA recognition by accreditation type can be verified at www.iaf.nu.
Mumbai, India. Full address at /contact. Evaluation services may be conducted remotely (per IAF MD 4:2025) for clients anywhere in the world, subject to UAF policy.
No. Guardian is a certification body and provides no consultancy, design, development or remediation services. This separation is required by ISO/IEC 17065 to preserve impartiality.
Guardian SecureApp™ Scheme
Guardian SecureApp™ is a third-party product certification scheme that certifies the cybersecurity of web applications, SaaS / multi-tenant platforms and APIs / microservices, against OWASP ASVS, OWASP Top 10 and OWASP API Security Top 10, at three assurance levels.
It certifies a specific software product (named, versioned) against the scheme’s criteria — not the company that owns the product. Multiple products from the same company are certified separately.
Module A — Web Application Security. Module B — SaaS / Multi-Tenant Platform Security. Module C — API / Microservices Security. Modules can be certified independently or in combination on a single certificate.
Level 1 (Basic) for low-risk applications, Level 2 (Advanced) for customer-facing applications handling sensitive data or transactions, and Level 3 (High-Risk / Critical) for products in critical sectors such as banking, healthcare and critical infrastructure.
OWASP ASVS, OWASP Top 10, OWASP API Security Top 10 (technical evaluation), and ISO/IEC 17065 (procedural integrity). UAF mandatory documents and IAF MD 4:2025 / IAF MD 12:2023 also apply to scheme operation.
Typically three years, subject to successful annual surveillance (semi-annual at Level 3) and recertification before expiry.
Every issued certificate is listed in our public directory at /directory, with certificate number, product name, version, modules, level and validity.
Yes — for the certified product, in accordance with our Use of Mark Policy and UAF-GEN-CAB-02. Misuse may result in suspension or withdrawal.
OWASP Standards
The OWASP Application Security Verification Standard is a globally recognized standard for verifying security controls in web applications. It is structured into 14 control families (V1–V14) and three levels (1, 2, 3) that map closely to risk.
The OWASP Top 10 is a list of the most critical web application security risks, updated periodically. It is used as a prioritized risk framework alongside ASVS in our evaluations.
The OWASP API Security Top 10 lists the most critical risks specific to APIs — including Broken Object Level Authorization (BOLA), broken authentication, Broken Function Level Authorization (BFLA), unrestricted resource consumption, and security misconfiguration. It is the primary basis for Module C evaluations.
ASVS Level 1 is the minimum baseline for any application. Level 2 is appropriate for most production applications handling sensitive business or personal data. Level 3 is for applications requiring the highest assurance — financial transactions, healthcare data, critical infrastructure. The depth and rigor of testing increase substantially across levels.
No. Certification means your product met defined criteria at the time of evaluation, with the agreed scope and depth. Security is dynamic — surveillance and recertification exist precisely to track change. No certification is a guarantee against future breaches.
ISO/IEC 17065 and Conformity Assessment
An international standard specifying requirements for bodies certifying products, processes and services. It governs impartiality, competence, evaluation methodology, decision-making, complaints/appeals and public information.
ISO/IEC 17021-1 is for management system certification bodies (e.g., ISO 9001, ISO 27001). ISO/IEC 17065 is for product certification bodies. They have different requirements and scopes.
ISO/IEC 17025 is for testing and calibration laboratories — it covers competence to perform tests. ISO/IEC 17065 covers competence and impartiality of certification bodies that issue certificates based on test results, evaluation reports and process compliance.
Because Guardian SecureApp™ certifies products. ISO/IEC 17065 is the right standard for product certification. A management system accreditation (17021) would be the wrong basis for issuing product-level certificates.
A CAB is any body that performs conformity assessment activities — testing, inspection or certification. Guardian is a Product Certification Body, a specific type of CAB.
The IAF Multilateral Recognition Arrangement is a peer-evaluated mutual recognition arrangement among accreditation bodies. Where signatories’ MLA scopes cover an accreditation type, certificates issued by their accredited CABs are mutually recognized as equivalent. The MLA scope varies by accreditation type — verify at www.iaf.nu.
The Certification Process
Submit a Pre-Application Enquiry at /quote, then complete and submit the formal Application Form (GSA-F-01). Full process at /process/how-to-apply.
Application form, product description, architecture diagram, data flow diagram, threat model (if available), authentication/authorization summary, hosting details, prior assessment reports, and access details for the evaluation environment. Full list at /process/how-to-apply.
Typical Level 2 single-product engagement: 6–10 weeks. Level 3: 10–16 weeks. Timelines depend on applicant responsiveness during findings closure.
Yes, in accordance with IAF MD 4:2025. Most evaluation activities can be conducted remotely. Some Level 3 activities may benefit from on-site presence; this is determined at scoping.
Critical and High findings must be addressed for certification to be granted. Guardian does not provide remediation advice; you address findings using your own resources or any third party you engage.
Yes. Appeals are heard by an independent Appeals Panel under our Complaints & Appeals procedure (/complaints-appeals).
Periodic re-evaluation activities (annual at L1/L2, semi-annual at L3) to confirm that a certified product continues to meet certification criteria. Major changes to the product trigger additional surveillance.
Full re-evaluation against the current scheme criteria, conducted before expiry of the certification cycle (typically every 3 years).
Fees and Commercial
USD 2,000 (Level 1), USD 4,000 (Level 2), USD 7,000 (Level 3) — for small organizations with a single, low-complexity product. Final fees depend on scope and complexity. Quote on request at /quote.
Fees are based on evaluation man-days, complexity, modules and level. Higher levels and more complex products require more days.
No. Surveillance fees are billed annually in advance, separately from initial certification.
No. All fees are exclusive of applicable taxes (e.g., GST in India).
No. Contingent fees would compromise impartiality (ISO/IEC 17065 Cl. 4.2). Fees are payable for work performed regardless of certification outcome.
Typically a percentage upfront and the balance prior to the certification decision. Surveillance is billed annually. Payment terms are net 15 days unless otherwise agreed.
VAPT
No. VAPT is a technical assessment activity that produces a findings report. Certification is a formal third-party attestation issued by an accredited certification body, with a scheme, surveillance and a public directory listing. A VAPT report alone is not equivalent to a certificate.
Yes. VAPT can be commissioned as a stand-alone service or as part of a certification engagement. VAPT findings are issued to the client; remediation is the client’s responsibility.
No. Providing remediation support would constitute consultancy and is incompatible with our role as an accredited certification body.
Guardian’s VAPT is conducted by qualified evaluators against industry-standard methodologies (OWASP WSTG, PTES, NIST SP 800-115). Acceptability for any specific regulatory purpose depends on the regulator’s empanelment requirements (e.g., CERT-In empanelment is a separate accreditation under the Government of India). Discuss your specific regulatory requirement at /quote.
Mark Usage, Suspension and Withdrawal
Per the Use of Mark Policy at /marks-policy. The mark may be displayed on the certified product’s about page, marketing material, in proposals and on packaging — only in respect of the certified product, version and scope.
Misuse may result in a notice, suspension of the certificate, public correction and (in serious cases) withdrawal. UAF-GEN-CAB-02 governs mark usage.
Temporary loss of validity. Suspended certificates are listed publicly at /directory/suspended. The client must address the cause within a defined period or face withdrawal.
Permanent loss of certification. The client must immediately cease all use of the mark and any references to certification. Withdrawn certificates are listed publicly at /directory.
Email marks@guardiansecureapp.com with evidence (URL, screenshot).
Complaints, Appeals and Confidentiality
Submit via /complaints-appeals or email appeals@guardiansecureapp.com. Complaints are acknowledged within defined timelines and investigated independently of any personnel concerned.
Yes — within the timeline specified in the Complaints & Appeals procedure. Appeals are heard by an independent Appeals Panel.
Yes. All applicant information is protected under our Confidentiality Policy. Only personnel involved in the engagement, under signed confidentiality undertakings, access your information.
No. Findings are issued only to the applicant. Public disclosure is limited to certificate facts (number, product, level, validity) per ISO/IEC 17065 Clause 4.6.
Where required by law, regulatory order, court order, or by UAF / IAF auditing — and only to the extent so required. The applicant is informed of disclosure unless prohibited by law.