Implementation Guides
Use the implementation guides when you need to turn secure-by-design decisions into product controls, release workflows, and post-market operating processes.
The guides are organised around two parts of the product lifecycle:
- Build Phase: Engineering controls designed into the product, firmware, software, update path, identity model, configuration, and release artifacts.
- Operate Phase: Processes used after release, including vulnerability intake, patch cadence, logging, monitoring, CI/CD hardening, and support-period evidence.
Choose By Task
| If you need to... | Start with | Then use |
|---|---|---|
| Identify product security risks | Threat Modeling | Types of Embedded Device, CRA Readiness Gap Analysis |
| Protect firmware integrity | Secure Boot | Key Provisioning & Storage, ETSI EN 304 623 |
| Design device identity and credentials | Unique Device Identity | Key Provisioning & Storage, Cryptography under the CRA |
| Deliver security fixes | Secure OTA Updates | Patch Cadence & Rollback Strategy, Vulnerability Disclosure |
| Manage component and vulnerability evidence | SBOM & VEX Workflows | Secure-by-Design Evidence Pack |
| Handle vulnerability reports | Vulnerability Disclosure | Patch Cadence & Rollback Strategy, Security Logging & Monitoring |
| Retain implementation evidence | Secure-by-Design Evidence Pack | CRA Readiness Gap Analysis |
How To Use These Guides
Start with the product risk and architecture, then choose controls. Most teams should move in this order:
- Model the product boundary and threats.
- Decide which device, identity, key, boot, update, configuration, and data controls are needed.
- Connect those controls to release workflows such as SBOM/VEX, signing, testing, and approval.
- Define post-market workflows for vulnerability disclosure, patch cadence, logging, monitoring, and evidence refresh.
For a broader route through the site, use How to Use This Handbook.