Level 1 (Basic) — Guardian SecureApp™ Certification

Accredited third-party certification at OWASP ASVS Level 1 — for internal tools, low-risk public sites, content portals and any product where the certification need is for a defensible baseline of application security assurance, not the deepest evaluation possible. Issued under ISO/IEC 17065 with the same procedural integrity as Level 2 and Level 3.

ISO/IEC 17065 Accredited
UAF Accreditation No. 52605385601
Valid until 05 May 2030

Level 1 — The Accredited Baseline

Level 1 (Basic) of Guardian SecureApp™ is the right level when your product needs a defensible, third-party-attested baseline of application security — but the breach consequences, threat profile and customer expectations do not justify the substantial additional investment of Level 2 (Advanced) or Level 3 (High-Risk / Critical). Level 1 maps directly to OWASP ASVS Level 1 — the international baseline for application security verification — combined with targeted evaluation against the OWASP Top 10 risk framework.

Level 1 is offered under the same accreditation as Levels 2 and 3 — UAF accreditation number 52605385601 under ISO/IEC 17065:2012 — with the same procedural integrity: independent certification decision, public directory listing, surveillance, complaints and appeals rights, certification mark licence, and recognition through the international accreditation infrastructure. What differs is depth, not procedural rigour.

Typical Level 1 candidates include: internal staff portals, employee self-service applications, internal admin tools and CRMs; low-risk public-information sites that handle no transactions and only public data; content portals, marketing sites and customer help centres with light forms; and (for many startups and growth-stage companies) the first product their organisation chooses to certify, where the cost of certification needs to be proportionate to the product’s risk and revenue.

Level 1 Is Not a Lite Version

A common misconception about graduated certification levels is that the lowest level is somehow procedurally lighter — a ‘lite’ version of accreditation, with weaker decision-making, less rigorous documentation, or fewer protections. This is not how Guardian SecureApp™ works. Level 1 is a fully accredited certification under ISO/IEC 17065, audited annually by UAF on the same procedural basis as Level 2 and Level 3. Specifically:

  • The certification decision for a Level 1 engagement is taken by an independent decision-maker, separate from the evaluation team, in line with ISO/IEC 17065 Clause 7.6 — exactly as for Level 2 and Level 3.
  • The certificate is publicly listed in the same directory at /directory, searchable by certificate number, product name or applicant name. There is no separate ‘basic’ directory.
  • The Public Scope Statement is issued at the same standard of clarity and the same boundary discipline as for Level 2 and Level 3.
  • Surveillance is mandatory and is conducted to the same procedural standard, even if at a less frequent cadence than Level 3.
  • Complaints and appeals rights are identical: any party may raise a complaint about a Level 1 certified product through the procedure at /complaints-appeals.
  • The certification mark licence is the same Guardian SecureApp™ mark, governed by the same Use of Mark Policy and UAF-GEN-CAB-02. There is no ‘Level 1 mark’ as a distinct visual.

What is different at Level 1 is the depth of the technical evaluation — what we evaluate and how thoroughly we evaluate it. That is the trade-off the level represents: depth proportionate to the risk profile of the certified product, while preserving the procedural integrity that makes the certificate procurement-grade.

For your customers: When you display a Guardian SecureApp™ Level 1 certificate, your customer is not seeing a ‘partial’ or ‘starter’ certification — they are seeing an accredited, third-party, publicly-verifiable attestation that your product met defined baseline criteria, evaluated against an internationally-recognised standard, by a body whose impartiality and competence are independently audited.

The Specific Coverage of Level 1

Level 1 evaluates the certified product against OWASP ASVS Level 1 control coverage and the OWASP Top 10 risk framework, applied at depth appropriate for products whose threat profile is largely automated and untargeted. Specifically, Level 1 includes the following evaluation activities, executed across all 14 ASVS control families with depth scaling per family by criticality.

Activity / What This Means at Level 1

Documentation Review (Stage 1)

High-level review of architecture, data flow, authentication design and any prior security assessment evidence. Documentation findings are reported before Stage 2 begins.

Automated Scanning

Dynamic Application Security Testing (DAST) of the running application; Static Application Security Testing (SAST) where source code access is provided. SAST is not mandatory at Level 1.

Targeted Manual Verification

Scenario-based manual testing across the OWASP Top 10 baseline. Authentication, session management and access control are verified against ASVS Level 1 requirements. Single-role authenticated testing is applied.

Architecture Review

High-level walkthrough of the application architecture, data flow and trust boundaries. Obvious design risks are identified. This is not a formal threat-modelling exercise, which is reserved for Level 3.

Configuration / Hardening Review

Spot-check of runtime configuration, HTTP security headers, TLS configuration, secrets handling, obvious misconfigurations and permissive defaults.

Source Code Review

Not mandatory at Level 1. Where source access is voluntarily provided, evaluation may include limited code review of authentication and authorisation logic.

Business Logic Testing

Limited at Level 1. Obvious business-logic flaws in authenticated workflows are tested. Deep abuse-case testing is reserved for Level 2 and Level 3.

Findings Reporting and Closure

Findings are issued with severity ratings, Critical / High / Medium / Low / Informational, referenced to the relevant ASVS or OWASP Top 10 control. One round of re-verification of corrective actions is included.

Independent Certification Decision

The same procedural rigour as Level 2 and Level 3 applies. The decision is taken by an independent decision-maker, separate from the evaluation team, in line with ISO/IEC 17065 Clause 7.6.

This activity set is sufficient to provide an accredited baseline of assurance against the OWASP ASVS Level 1 controls and the OWASP Top 10 risk categories. It is not sufficient to evidence depth of evaluation against threats requiring adversarial methodology, comprehensive code review, or formal threat modelling — those are Level 2 and Level 3 activities.

How Level 1 Differs by Module

Level 1 is available under each of the three Guardian SecureApp™ Modules — Module A (Web Application Security), Module B (SaaS / Multi-Tenant Platforms), and Module C (API / Microservices Security). The Level 1 evaluation activities described above apply across all three Modules; what varies is the surface those activities are applied to and the Module-specific control families addressed.

Module + Level 1 Combination / Level 1 Specifics

Module A + Level 1

OWASP ASVS Level 1 evaluation across the 14 control families, V1 to V14, for the web application. Single-role authenticated testing. OWASP Top 10 baseline coverage. High-level architecture review. No mandatory source code review. Suitable for internal tools, low-risk public sites, and content portals.

Module B + Level 1

Module A’s Level 1 evaluation plus the six tenant-aware evaluation areas at baseline depth: configuration review and targeted testing of tenant boundary, identity, data segregation, key management, audit logging, subscription lifecycle, and operator access. Suitable for internal multi-tenant tools and low-criticality B2B SaaS.

Module C + Level 1

OWASP API Security Top 10, 2023 edition, coverage at baseline depth. All ten categories, API1:2023 through API10:2023, are evaluated, with single-role scenario testing for BOLA / BFLA and documented inventory verification rather than active discovery. Suitable for internal-service APIs and low-criticality partner APIs.

The same applicant can hold a Level 1 certificate under one Module and a higher level under a different Module for a different product. There is no requirement that all certificates be at the same level — level selection is per certified product. Detailed Module-specific information is at /certification/web-application-security, /certification/saas-security and /certification/api-security.

How a Level 1 Engagement Runs

A Level 1 engagement runs through the same five-stage certification lifecycle as any Guardian SecureApp™ engagement (documented in detail at /certification/secureapp), but with Level-1-appropriate evaluation depth at Stage 4. The stages are:

Stage 1 — Application

You submit Application Form GSA-F-01 with supporting documentation: product description, architecture diagram, data flow, authentication / authorisation summary, hosting details, prior assessment evidence (if any). For Level 1, supporting documentation requirements are the lightest of the three levels — a clear architecture diagram and a short threat narrative are typically sufficient.

Stage 2 — Application Review

Guardian reviews the application against ISO/IEC 17065 Clause 7.3 — confirming scope match, resource availability, absence of impartiality conflicts, completeness of documentation. Outcome: acceptance, request for clarification, or rejection. Certification Agreement executed on acceptance.

Stage 3 — Stage 1 Documentation Review

High-level documentation review against the architecture and supporting materials provided. Documentation findings reported before Stage 2 technical evaluation begins. For Level 1, this stage is typically 1 week.

Stage 4 — Stage 2 Technical Evaluation

The core technical evaluation, executed at Level 1 depth: automated scanning, targeted manual verification across OWASP Top 10, single-role authenticated testing, configuration review, high-level architecture walkthrough. Findings issued with severity. One round of re-verification of corrective actions included. For Level 1, this stage is typically 2–3 weeks.

Stage 5 — Decision and Certificate Issuance

Evaluation Report submitted to the independent Certification Decision Authority (separate from the evaluation team, per ISO/IEC 17065 Clause 7.6). Decision: grant, defer, or refuse. On grant, certificate issued with public directory listing. For Level 1, this stage is typically 1 week.

Total typical engagement: 4–7 weeks elapsed time, depending on applicant responsiveness during findings closure.

Certification Cycle

Level 1 certification, like Level 2 and Level 3, is issued for a defined cycle (typically 3 years) and remains valid through the cycle subject to successful annual surveillance and absence of material non-conformity.

Annual Surveillance

Once per year, Guardian conducts a surveillance audit that re-tests a targeted set of high-priority controls against the certified product as it then exists. The surveillance is lighter than initial certification — it is not a full re-evaluation — but it is substantive enough to detect drift, regression or material changes that affect certification status. Surveillance scope at Level 1 typically focuses on authentication, session management, access control, and any high-severity finding categories that emerged in prior surveillance or initial evaluation.

Change Notification

At Level 1, the Certification Agreement requires notification of significant product changes — major releases, architecture changes, breach incidents — but does not mandate routine change-driven re-evaluation outside the annual cycle. Guardian’s Decision Authority assesses each notified change and determines whether routine surveillance suffices or whether a targeted re-evaluation is warranted. Most Level 1 engagements proceed through their cycle on annual surveillance alone.

Recertification (End of Cycle)

Before the 3-year cycle expires, recertification is required for continued certification. Recertification is a comprehensive re-evaluation against the then-current scheme criteria — including any updates to OWASP ASVS, OWASP Top 10, or GSA-PR-01 adopted by Guardian since initial certification. Recertification is not a renewal — it is a full evaluation.

Suspension and Withdrawal

Where a certified client fails to comply with scheme requirements — fails surveillance, breaches the Certification Agreement, misuses the certification mark, fails to address corrective actions — Guardian may suspend or withdraw the certificate. These actions are reflected in the Public Directory in real time. Suspension is time-bounded (typically 90 days); failure to address the cause within the suspension period may result in withdrawal. All such actions are subject to appeal under the Complaints and Appeals procedure at /complaints-appeals.

How Long, How Much

Below are indicative timeline and pricing figures for typical Level 1 engagements. The figures apply when the engagement is scoped to a single, low-complexity product on a single technology stack in a single environment, under a single Guardian SecureApp™ Module. Outside this envelope — multi-product, multi-module, complex architectures — pricing is quoted on request.

Indicative starting fees in USD, exclusive of applicable taxes (e.g., GST in India), and payable for the work performed regardless of certification outcome. Annual surveillance fees are billed separately, in advance of each surveillance cycle. Recertification fees are billed at the start of the recertification engagement. Fees do not influence the certification decision (ISO/IEC 17065 Clause 4.2 — impartiality requirement).

Full fee structure, basis of fees, payment terms and surveillance fee policy at /process/fees. Quotations on request at /quote — when requesting a Level 1 quote, you can pre-select Module A, B or C in the quote form.

When Level 1 Is Not Enough

Level 1 is the right choice for a defined product profile. It is not the right choice for products outside that profile. We say this explicitly because the easiest mistake at level selection is to choose Level 1 on cost grounds when the product’s risk profile actually warrants Level 2 or Level 3. Below are situations where Level 1 is the wrong choice — and where escalating to Level 2 (or Level 3) is the proportionate decision.

  • Your product handles personally identifiable information (PII) at non-trivial volume, financial transactions, healthcare data, or any regulated data class — Level 2 is the floor, regardless of cost preference.
  • Your customers’ procurement processes ask specifically about source code review, business logic testing, or comprehensive control verification — Level 2 satisfies these expectations; Level 1 typically does not.
  • Your product is a SaaS platform serving enterprise customers, even if individually low-risk — enterprise procurement increasingly defaults to Level 2 as the entry threshold for vendor-risk evidence.
  • Your product is a public API consumed by partners or developers — API surfaces have a different threat profile than internal tools, and Level 2 is typically the proportionate floor.
  • A regulator names a specific assurance level above Level 1 — that decision is made for you.
  • Your competitive positioning relies on differentiating on application security depth — Level 1 is a baseline, not a differentiator, where competitors hold equivalent baselines.
  • Your product is in active development with major releases every quarter — Level 1’s ‘notification only’ change handling is suitable for products with stable surfaces, but high-velocity products benefit from Level 2’s targeted re-evaluation.

Where Level 1 fits, it fits well. Where it does not, the most common error is downward — applying Level 1 to a product that warrants Level 2 — rather than upward. A scoping conversation maps your specifics to a level; the decision remains yours.

When You Are Ready to Move Up

Level 1 is often the first level a product certifies at, and the natural lifecycle path is to upgrade to Level 2 as the product matures, enters higher-stakes contexts, or attracts customers whose due-diligence processes warrant deeper evidence. The mechanics of upgrading from Level 1 to Level 2 are as follows.

When to Upgrade

The decision to upgrade is yours. Common triggers include: customer-facing launch of a previously internal product; introduction of payment, PII or sensitive data into the product; expansion into regulated buyer markets; introduction of new authentication mechanisms or multi-tenant features; significant architecture evolution; and strategic positioning where Level 2 has become the procurement floor in your buyer ecosystem.

How the Upgrade Engagement Is Scoped

An upgrade engagement is scoped to the additional evaluation depth required between Level 1 and Level 2 — not a full re-evaluation from zero. The existing Level 1 certification’s documentation review, prior findings (and their closure), and historical evaluation work are taken into account; the upgrade engagement adds the Level 2 activities that Level 1 did not include: comprehensive ASVS Level 2 manual testing, multi-role authenticated testing, sample-based source code review on critical components, detailed architecture review with data flow analysis, and standard-scope business logic / abuse-case testing.

Pricing of the Upgrade

Pricing for a Level 1 → Level 2 upgrade reflects the evaluation person-days for the depth gap — typically a meaningful fraction of a fresh Level 2 engagement, but specifics depend on how recently the Level 1 evaluation was conducted and what has changed in the product since. Quotations are provided on request via /quote, with the existing Level 1 certificate referenced for context.

Certificate and Public Directory

On successful upgrade, a new certificate is issued at Level 2. The public directory entry is updated to reflect the new level; the prior Level 1 certificate’s history is retained for audit-trail purposes, but the active status is the new Level 2 certificate. Customer-facing communication of the upgrade is at your discretion.

Surveillance during upgrade: If your Level 1 surveillance window falls during the upgrade engagement, the surveillance activities can typically be folded into the upgrade engagement without separate billing. We confirm this at scoping.

Common Questions, Answered

No. Level 1 is fully accredited under ISO/IEC 17065 by UAF — accreditation 52605385601 — with the same procedural integrity as Level 2 and Level 3. The independent certification decision, public directory listing, surveillance regime, complaints and appeals rights, and certification mark licence are identical. What differs is the depth of the technical evaluation. Level 1 is the right level for products whose risk profile warrants baseline depth — but the certificate is procurement-grade for those products.

Level 1 evaluates the certified product against OWASP ASVS Level 1 controls across all 14 control families (V1–V14, including authentication, session management, access control, input validation, cryptography, error handling, data protection, communications, configuration, etc.) and applies the OWASP Top 10 risk framework as a prioritisation lens. Activities include automated scanning (DAST, optional SAST), targeted manual verification, single-role authenticated testing, high-level architecture review, and configuration / hardening review. Source code review is not mandatory at Level 1.

Indicative starting fee is USD 2,000 onwards for small organisations certifying a single, low-complexity product on a single technology stack in a single environment, under a single Module. Final fees depend on scope, technology and complexity. Quotations on request at /quote. Annual surveillance and recertification fees are billed separately. Fees do not influence the certification decision.

Typical Level 1 engagement: 4–7 weeks elapsed time from formal application to certificate issuance. Engagements with prepared documentation and rapid corrective-action cycles complete faster. Applicant responsiveness during findings closure is the largest variable in actual timeline.

It depends on the buyer base. For internal-only SaaS or low-criticality B2B SaaS serving SMB customers, Level 1 may be proportionate. For B2B SaaS serving enterprise customers — particularly regulated buyers — Level 2 is typically the procurement floor, and Level 1 may not satisfy due-diligence questionnaires that ask about source code review, multi-role authorisation testing, or business-logic verification.

Yes. Upgrade engagements are scoped to the additional evaluation depth between Level 1 and Level 2, not a full re-evaluation from zero. The existing Level 1 certification’s documentation and prior findings are taken into account. Pricing reflects the depth gap. Quotations on request via /quote. On successful upgrade, a new Level 2 certificate is issued.

Level 1 is an accredited third-party certification — issued by an ISO/IEC 17065-accredited body, against a documented certification scheme (GSA-PR-01), with public-directory listing, surveillance, complaints and appeals rights, and recognition through the international accreditation infrastructure. A VAPT report is a private, point-in-time technical assessment. Level 1 includes VAPT-style activities as part of the technical evaluation, but the procedural infrastructure around it is what makes the certificate procurement-grade.

No. Source code review is not mandatory at Level 1. Where source access is voluntarily provided, evaluation may include limited code review of authentication and authorisation logic, but this is not required for certification at Level 1. Source code review is sample-based at Level 2 (mandatory) and comprehensive at Level 3 (mandatory).

Surveillance is conducted within a defined window each year, typically aligned to the certificate’s anniversary date. The exact scheduling is agreed with each certified client based on their product release cadence, business cycle and operational availability.

Findings are issued with severity ratings. Critical and High findings must be addressed for certification to be granted. The applicant is given a defined period to address findings; Guardian re-verifies. One round of re-verification is included in the engagement. If the product cannot meet the criteria, the certification is not issued — fees for work performed are payable per the Certification Agreement, and there is no record of the failed application in the public directory. Guardian does not provide remediation advice.

Yes — Level 1 (or any Guardian SecureApp™ level) is the product-level complement to ISO/IEC 27001 organisational certification. ISO/IEC 27001 attests to your management system; Guardian SecureApp™ attests to a specific software product. Both are typically asked for in mature procurement, and they are complementary rather than substitutable.

Yes. Marketing sites, content portals, and other low-risk public-information products are common Level 1 candidates. The evaluation focuses on access control, input handling on any forms, session management for any authenticated areas, and configuration hygiene. Where such products process even moderate PII, Level 2 may be more proportionate; a scoping conversation helps map your specifics to a level.

Yes. The Guardian SecureApp™ certification mark and the UAF accreditation symbol use are governed by UAF-GEN-CAB-02 and our Use of Mark Policy at /marks-policy. Display rights are the same across all three levels — the mark does not change visually based on the certification level. The certificate itself names the level, and the public directory entry shows the level.

The five-question decision framework on the Levels Hub at /levels is the most reliable orientation. In summary: Level 1 fits products whose worst-plausible breach consequence is reputational embarrassment or limited disclosure; whose threat profile is largely automated and untargeted; whose customers do not require evidence of source code review or comprehensive control testing in due diligence; and which are not subject to specific regulatory mandates above Level 1.

Level 1 carries the same accreditation as Level 2 and Level 3 — UAF accreditation under ISO/IEC 17065:2012. International recognition is at the accreditation level, not at the scheme-level granularity. UAF is a member of the IAF and a signatory to the IAF MLA; the MLA scope varies by accreditation type, and the current scope of UAF’s IAF MLA recognition for product certification can be verified at www.iaf.nu. International recognition does not differ across Levels 1, 2 and 3.

ISO/IEC 27001 and Guardian SecureApp™ are not directly comparable — they attest to different things. ISO/IEC 27001 attests to a management system, broad in organisational scope; Guardian SecureApp™ attests to a specific software product, narrow in product scope. Mature buyers do not view them as substitutes. A Level 1 certificate provides product-level assurance that ISO/IEC 27001 does not.

Ready to Get Started?

Apply for Certification

Submit a formal application. Initial response within 5 working days.

Request a Quote

Tell us about your product. Indicative quote within 3 to 5 working days.

Talk to Our Team

Specific question or regulatory driver to discuss?