ISO/IEC 20243-1

ISO/IEC 20243-1, also known as the Open Trusted Technology Provider™ Standard (O-TTPS), is an international standard designed to mitigate the risk of maliciously tainted and counterfeit products entering the supply chain. Part 1 states the requirements and recommendations; it focuses on the integrity of commercial off-the-shelf (COTS) Information and Communication Technology (ICT) products and sets out organizational best practices for product development and engineering, sourcing, manufacturing, and product integrity across the whole product life cycle.

Definition and purpose

The standard's purpose is to give technology providers a set of requirements and recommendations for building a trustworthy supply chain, so that the products they ship are neither maliciously tainted (altered during design, build, or distribution to introduce unwanted functionality) nor counterfeit (components or products whose origin or authenticity is misrepresented). It addresses the risk to the enterprise of including such components within a product at any stage from design and sourcing through build, fulfilment, distribution, sustainment, and disposal.

Governing Body

ISO/IEC 20243-1 is maintained by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) through their joint technical committee ISO/IEC JTC 1, in collaboration with The Open Group, which originally developed and published the O-TTPS and submitted it for adoption as an international standard.

Last updated

The current edition referenced on this page is ISO/IEC 20243-1:2018. A revision has been progressing through the ISO publication process; "ISO/IEC PRF 20243-1" is not a separate standard but the revised text at ISO's proof (PRF) stage, which at the time of writing was scheduled for publication in December 2023. Check the ISO catalogue for the edition currently in force before scoping an assessment against it.

Applies to

ISO/IEC 20243-1 applies to any organization involved in the design, development, sourcing, production, or distribution of COTS ICT products, including hardware, software, and firmware. This covers manufacturers, component suppliers, integrators, and distributors that form part of the ICT product supply chain. Acquirers of such products can also use the standard as a basis for evaluating their suppliers.

Controls and requirements

The standard groups its requirements into two categories: technology development (the provider's own product development/engineering and secure engineering practices) and supply chain security (controls over the components, partners, and logistics the provider relies on). The controls and best practices it outlines include, but are not limited to:

  • Risk Assessment Procedures: Assessing risks throughout the product lifecycle and supply chain.
  • Secure Engineering and Development Practices: Ensuring that security is integrated into the engineering and development processes.
  • Supply Chain Security: Measures for securing the supply chain against counterfeit and tainted components.
  • Secure Production/Distribution: Ensuring the security and integrity of products during production and distribution.
  • Tamper Resistance: Measures to prevent unauthorized access and tampering with products.
  • Product Integrity Verification: Processes for verifying the integrity of products and components.
  • Supplier Relationship Management: Managing relationships with suppliers to ensure they adhere to security requirements.

Please refer to the official ISO/IEC 20243-1:2018 documentation for details on controls and requirements.
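The "Product Integrity Verification" item above describes a process without showing one. The following is an added example (it is not code from the standard, The Open Group, or this page) of the check an acquirer can run on a received component bundle: the supplier issues an authenticated manifest of expected SHA-256 digests, and the receiver verifies the manifest first, then every component against it. The file names, the bundle contents, the key, and the "tainted"/"unlisted" finding labels are all constructed for the example. An HMAC stands in for the supplier's signature so the block runs with the Python standard library alone; in practice the manifest is signed with an asymmetric key (for example Ed25519) so the acquirer verifies with a public key and never holds the supplier's secret.

```python
import hashlib
import hmac
import json

# Constructed sample data: a two-file firmware bundle as the supplier ships it.
GENUINE_BUNDLE = {
    "firmware/boot.bin": b"BOOT-IMAGE v1.4 (constructed sample)",
    "firmware/app.bin": b"APP-IMAGE v1.4 (constructed sample)",
}

# Stand-in for the supplier's signing key (constructed). An HMAC is used only so the
# example runs with the standard library; a real manifest carries an asymmetric signature.
SUPPLIER_KEY = b"constructed-example-key-do-not-reuse"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(body: dict) -> bytes:
    # Fixed key order and separators so supplier and acquirer authenticate identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(bundle: dict, key: bytes, product: str = "EXAMPLE-PRODUCT") -> dict:
    """Supplier side: record the expected digest of every component, then authenticate the list."""
    body = {
        "product": product,
        "components": {name: sha256_hex(data) for name, data in sorted(bundle.items())},
    }
    return {"body": body, "tag": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_bundle(manifest: dict, received: dict, key: bytes) -> dict:
    """Acquirer side: check the manifest is authentic, then every received component against it.

    Returns {"status": "ok" | "bad-manifest" | "reject", "findings": [...]}.
    """
    expected_tag = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, manifest["tag"]):
        # Nothing in the manifest can be trusted if its authenticator does not verify.
        return {"status": "bad-manifest", "findings": ["manifest authentication failed"]}

    expected = manifest["body"]["components"]
    findings = []
    for name, digest in expected.items():
        if name not in received:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(received[name]), digest):
            findings.append(f"tainted: {name}")   # content changed after the manifest was issued
    for name in received:
        if name not in expected:
            findings.append(f"unlisted: {name}")  # component the supplier never declared
    return {"status": "ok" if not findings else "reject", "findings": sorted(findings)}


if __name__ == "__main__":
    manifest = build_manifest(GENUINE_BUNDLE, SUPPLIER_KEY)
    print(verify_bundle(manifest, GENUINE_BUNDLE, SUPPLIER_KEY))
    tampered = dict(GENUINE_BUNDLE)
    tampered["firmware/app.bin"] = b"APP-IMAGE v1.4 + implant"
    print(verify_bundle(manifest, tampered, SUPPLIER_KEY))
```

Two design points carry over to a real deployment: the manifest is authenticated before any digest in it is consulted, so a forged or edited manifest cannot "approve" a tainted file; and components present in the shipment but absent from the manifest are reported, since an undeclared part is as much a supply chain finding as a modified one.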

Audit type, frequency, and duration

Assessment procedures for the standard are defined separately in ISO/IEC 20243-2, and The Open Group operates an O-TTPS Certification Program under which independent, recognized third-party assessors evaluate an organization's conformance to the Part 1 requirements. Outside formal certification, audit frequency is driven by contractual obligations, customer due-diligence requirements, and the organization's own risk management cadence.

The duration of an assessment varies widely with the size and complexity of the organization, the number of product lines in scope, and how deep into the supply chain (component suppliers, contract manufacturers, distributors) the evidence gathering extends.
