sopmodo
All posts

Blog · June 8, 2026 · 8 min read

Cybersecurity SOPs for Connected-Device Manufacturers

If you build IoT or radio products, the security of the device starts on the line. Here are the cybersecurity SOPs every connected-device maker should write.

By The sopmodo team
  • SOPs
  • Cybersecurity
  • IoT
  • Manufacturing
  • Compliance
A technician on a clean electronics line holds an IoT circuit board next to a shield-and-lock icon and a checklist, representing secure manufacturing procedures.

A cybersecurity SOP for a connected-device manufacturer is a written, step-by-step procedure for the security-critical moments on the production line: flashing firmware, injecting keys and credentials, enabling secure boot, handling debug interfaces, and decommissioning units. If any of those steps is done inconsistently, the product ships with a weakness that no amount of clever firmware can undo.

The security of an IoT or radio product does not start in the design lab. It starts on the floor, in the hands of whoever flashes the board and locks the debug port. This post covers the SOPs that protect those steps, and how they differ from the separate product conformity documentation that regulators ask for.

Key takeaways

  • Device security depends on consistent line procedures, not just good firmware design.
  • Five processes deserve their own cybersecurity SOP: firmware flashing, key and credential provisioning, secure boot, debug-interface handling, and decommissioning.
  • Each SOP should name who does the step, the exact sequence, the verification, and what to do when it fails.
  • A line SOP is not the same as a product conformity document. The SOP governs how you build; the conformity file proves the product meets the rules.
  • Capturing these procedures from the people who actually run the line is the fastest way to get accurate, followable SOPs.

Why connected devices need cybersecurity SOPs

A connected product is only as trustworthy as the weakest unit that left your line. A single batch flashed with a debug build, or shipped with a default password, or with the test port left open, is enough to turn a secure design into a recalled product. SOPs exist precisely because humans under time pressure skip steps, and a security step skipped once can compromise an entire production run.

Regulators have noticed. The EU's cybersecurity requirements for radio equipment now expect manufacturers to show that security is built in and controlled, not bolted on. That makes the line procedures below worth writing down properly, both to build the product right and to evidence that you do.

The five cybersecurity SOPs every connected-device line needs

Five security-critical line steps shown as labeled icons: Flash, Provision, Boot, Debug, and Retire, connected by a flow line.
The five security-critical moments on a connected-device line.

1. Secure firmware flashing

The flashing step decides what software every unit runs. The SOP should specify the approved firmware version and its checksum, the signing requirement, the exact tooling and settings, and a verification that the unit booted the intended signed image. It must make shipping a debug or unsigned build impossible by procedure, not just by good intentions.

2. Key and credential provisioning

Devices that talk to a network need identities: device keys, certificates, and initial credentials. The SOP covers how secrets are generated, injected, and confirmed unique per device, who has access to the provisioning system, and the hard rule that no two units ship with the same key or a default password. Handling of the key material itself, including how it is stored and destroyed, belongs here.

3. Enabling secure boot

Secure boot is only protection if it is actually switched on and locked before the unit leaves the line. The SOP should define the step that enables secure boot, blows the relevant fuses or sets the one-time configuration, and verifies it cannot be disabled. A unit that left with secure boot un-fused is a unit an attacker can re-flash freely.

4. Debug-interface handling

JTAG, SWD, UART consoles, and test pads are essential during production and dangerous afterward. The SOP needs to state when debug access is used, and the explicit step to disable, lock, or physically protect it before the product ships. An open debug port on a finished device is one of the most common and most serious manufacturing security gaps.

5. Secure decommissioning and scrap

Failed units, returns, and end-of-line scrap still carry keys and firmware. The SOP should describe how a unit is wiped or its secrets revoked, and how scrap boards are physically destroyed so a discarded device cannot be harvested for keys or used to study your firmware. Decommissioning is the step manufacturers most often forget to document.

What each cybersecurity SOP should cover

ProcessThe SOP must defineRisk if undocumented
Firmware flashingApproved signed version, checksum, verificationDebug or tampered builds ship to customers
Key provisioningUnique per-device secrets, access control, key handlingDefault or duplicated credentials across units
Secure bootEnable step, fuse/lock, verification it cannot be disabledDevices that can be freely re-flashed
Debug interfacesWhen access is used, and how it is closed before shippingOpen JTAG/UART ports on finished products
DecommissioningWipe or revoke secrets, destroy scrap boardsKeys and firmware harvested from discarded units

Line SOPs vs product conformity: two different documents

A split illustration: on the left a worker documenting a process with a checklist (the SOP), on the right a finished device with a certificate and seal (the conformity document), joined by a handshake.
The process SOP and the product conformity file work together.

It is worth being clear about a distinction that trips up a lot of teams. A cybersecurity SOP is an internal, operational document: it governs how your line builds the product. A product cybersecurity conformity document, like a Declaration of Conformity, is an external, regulatory artifact: it proves the product itself meets the rules before it can be sold.

For radio and connected equipment sold in the EU, that conformity work is shaped by EN 18031 under the Radio Equipment Directive (RED), and it involves a product-level risk assessment, a technical file, and a Declaration of Conformity. That is a separate discipline from writing line SOPs, and a separate kind of tool: platforms like RedComply automate the EN 18031 risk assessment and generate the Declaration of Conformity for connected-device makers. The two fit together cleanly: your SOPs document and control how the product is built, and the conformity file demonstrates the finished product is compliant.

Keep them in their lanes. Do not try to cram regulatory conformity into a shop-floor SOP, and do not assume a Declaration of Conformity says anything about whether your line actually follows its own security steps. You need both.

Getting these SOPs written without slowing the line

The hardest part of a security SOP is capturing what the experienced technician actually does, because they are busy doing it, not writing it down. The most reliable way is to record the real procedure as it happens and turn that into the written steps. With sopmodo, a technician narrates the flashing or provisioning step while performing it and photographs the tooling, and the AI drafts the SOP for review. You document the procedure once, from reality, instead of reconstructing it from memory.

Frequently asked questions

What is a cybersecurity SOP for manufacturing?+
It is a written, step-by-step procedure for a security-critical production step, such as flashing signed firmware, provisioning unique device keys, enabling secure boot, closing debug interfaces, or decommissioning units. It defines who does the step, the exact sequence, the verification, and the response when something fails.
Which production steps need their own cybersecurity SOP?+
At minimum: firmware flashing, key and credential provisioning, enabling and locking secure boot, debug-interface handling, and secure decommissioning of failed or scrap units. These are the steps where a single inconsistency ships a vulnerable product.
Is a cybersecurity SOP the same as a Declaration of Conformity?+
No. An SOP is an internal procedure that governs how your line builds the product. A Declaration of Conformity is an external regulatory document proving the finished product meets the rules, such as EN 18031 under the EU Radio Equipment Directive. You need both, and they are produced differently.
How does this relate to EN 18031 and the RED Directive?+
EN 18031 sets the cybersecurity requirements that connected radio products must meet under the EU Radio Equipment Directive. Your line SOPs help you build the product securely and evidence that control; the EN 18031 risk assessment and Declaration of Conformity prove the product is compliant. Tools such as RedComply automate that product-level conformity work.
Who should write the cybersecurity SOP?+
The person who performs the step day to day, with review by whoever owns product security. Their hands-on knowledge is the content; the security owner makes sure the procedure is complete and the verification steps are right.

The bottom line

For a connected-device maker, security is a manufacturing discipline as much as a design one. Write a clear cybersecurity SOP for firmware flashing, key provisioning, secure boot, debug interfaces, and decommissioning, capture each one from the people who run the step, and keep them separate from the product conformity file. Build the product right on the line, and prove the product is compliant in its conformity documentation. You need both, doing different jobs.

Try sopmodo

Turn your next walk-through into an SOP.

Record a task by voice on the floor; review and export the written procedure on the web. Bring it to your whole team.

Request accessSee pricing