IT Security Requirements Mobile Devices

Product category

The IT security label according to § 9c BSIG can be applied for in the product category "Mobile devices".

This includes devices that

  • are portable or intended for mobile use,
  • allow free installation of applications from an (app) store,
  • can be used independently without additional devices,
  • do not allow free installation of applications outside the (app) store by default,
  • perform a secure boot process by default.

This typically applies to smartphones and tablets. If notebooks and other mobile devices fit this profile, it is also possible to apply for an IT Security Label for "mobile devices".

We are happy to provide advice, e.g. if you have questions about the scope or the standard. Please get in touch with us by e-mail at it-sicherheitskennzeichen@bsi.bund.de.

Security requirements

This category is based on the Technical Guideline TR-03180 A "Mobile Devices: Requirements catalogue for the IT Security Label" of the BSI, which is based on the European standard ETSI TS 103 732 and defines basic security requirements for mobile devices. Manufacturers can obtain the IT security label by assuring the BSI that their product complies with this guideline.

Scope of application

The requirements of TR-03180 A relate to the components of a mobile device that are supplied by the manufacturer.

The scope of application includes

  • All permanently installed components of the mobile device
  • The operating system and firmware of the mobile device
  • All pre-installed apps that cannot be uninstalled.

Explicitly excluded, however, are

  • Apps that the user can subsequently install or subsequently uninstall
  • Components of the mobile device that are not permanently installed (SIM card, SD card, etc.).

Instructions for self-assessment

TR-03180 A is intended for self-assessment by the manufacturer or by a test laboratory on behalf of the manufacturer. For this reason, the requirements catalogue defines specific properties to be tested and test methods to be used. A distinction is made between tests for technical properties (T) and process properties (P) in the following test depths:

  • 0 - Self-declaration
  • 1 - Evaluation of documentation
  • 2 - Evaluation of device behaviour (technical only)
  • 3 - Evaluation of implementation / process details.

At least the lowest of the specified test depths must be carried out.

The self-assessment is carried out on the basis of the TR-03180 A requirements catalogue. The enclosed declaration of conformity should be used to document the test results.

Download:

BSI TR-03180 A - Requirements catalogue for the IT Security Label

BSI TR-03180 A Appendix A - Conformity declaration for the IT-Security Label