HD Cameras and Webcam
Projectors and Speakers
VOIP Phones and Gateway
Access Control
LTE and 5G Devices
Smart Sensors And Automation
Fiber and SFP Modules
Firewall & Cloud Controllers
Network Adapters and Accessories
Network Switches
PoE Switches
Point To Point Wireless Radio
Routers
Wireless Access Points
IP Cameras
Memory Cards
NVR
Smart WiFi Cameras
Storage Devices
Desktop & Laptop RAMs
Internal and External Hard Drives
NAS Storage & Enclosures
SSD and NVMe Drives
USB Flash Drives
STQC Certification Process for CCTV Cameras in India
The STQC certification process for CCTV cameras starts with preparing a Technical Construction File documenting how your camera meets MeitY's six Essential Requirements, submitting an application through Form F05 to [email protected], getting your camera tested at an STQC-empaneled lab against 33 security checkpoints, and receiving a 3-year certificate if it passes. This guide covers every step from eligibility and prerequisites to lab testing, rejection reasons, required forms, and STQC contacts.
How much does it cost? We've covered the full cost breakdown, why fees vary, single model vs series pricing, and what happens after certification (validity, audits, suspension, firmware updates) in our STQC certification cost guide.
Who can apply for STQC certification for CCTV Cameras?
The applicant must be the CCTV developer, manufacturer, or an authorised agent. You need an ISO 9001 certificate with a scope covering IoT device development and manufacturing. If a separate supplier or distributor is involved, they need their own ISO 9001 (or equivalent) covering IoT device supply. You also need the company's Certificate of Incorporation and, if applicable, a manufacturer's authorisation letter.
Source: STQC CCTV Testing Procedure P01, Section on Prerequisites
Can foreign manufacturers apply?
Yes, but with conditions. The D01 requires all declarations and documents to be digitally signed with a valid Digital Certificate issued in India by an Indian certifying authority. The applicant needs a Certificate of Incorporation, and if the manufacturer is foreign, they need an authorised Indian agent or entity to submit the application. In practice, international brands that have cleared STQC (Honeywell, Vicon, Equus) all operate through Indian subsidiaries or manufacturing partners. If you're a foreign OEM without an Indian entity, you'll need to set one up or appoint an authorised Indian representative before applying.
Which assessment level applies to CCTV cameras?
The IoTSCS scheme defines three assessment levels. Level 1 covers baseline security requirements. Level 2 adds hardware and software security requirements and is the recommended level for most devices. Level 3 is for critical devices handling high-value transactions or sensitive data. The STQC scheme page explicitly states that SoC-based devices like NVR/DVR are tested at Level 2.
However, the D01 Issue 5.0 clarifies that there is no assessment level assigned to CCTV camera certification specifically. CCTV cameras are tested under their own dedicated procedure (P01) against the Essential Requirements checklist from the March 2024 Gazette notification. The three-level framework applies to general IoT devices, not to CCTV cameras. Your TCF should be prepared against the P01 checklist, not against a specific IoT assessment level.
Source: IoTSCS Rules D01, Section 4.2
Step-by-step process to get STQC certification
Step 1: Study the 6 Essential Requirements (ER)
Read MeitY's Gazette notification dated 6 March 2024, which lists the six cybersecurity requirements your camera must meet: no default passwords, encrypted video streams, secure boot with signed firmware, disabled debug ports, chipset origin disclosure, and a vulnerability disclosure policy. Design and implement these into your product before you apply.
Step 2: Prepare the Technical Construction File (TCF).
This is a detailed design dossier documenting how your camera complies with every applicable ER. It must include the product description, hardware block diagrams, firmware architecture, security mechanisms (secure boot, crypto modules, update process), and compliance evidence for each ER clause. Use the TCF template (STQC/IoTSCS/F03, Issue 04) available on the STQC website. You also need to develop and document the actual security implementation artifacts before applying: secure-boot code, secure firmware update support, crypto libraries, and the test cases to validate them. Prepare device design guidelines and any tools the test lab will need, such as a tool to load firmware, your IDE, and instructions for tamper protection mechanisms. These tools become part of your TCF submission. The lab can't test what you can't demonstrate.
To qualify as a series, all models must share the same SoC, PCB, crypto modules, and firmware (or you must document exactly what differs). If you're certifying a product series, the process is more involved than just filling Form F07. You need to produce a Differential Analysis Report (DAR) that documents model-to-model differences, select a Reference IoT Product from your series that the lab will test in full, and write a Testing Reuse Rationale (TRR) justifying how test results from the reference product can apply to other models in the series. STQC's Assessor can challenge your choice of reference product at any stage and require additional testing on other models. If the DAR or test results suggest a possible difference in security behaviour between products, the lab will run dedicated tests on the other models too.
Step 3: Optional: Vendors may choose to consult with STQC before official submission; this is not mandated by the scheme.
Before you formally submit, STQC's Certification Body may evaluate your proposed TCF and schedule a detailed technical review. This is a presentation-and-discussion session where you explain your security architecture, design decisions, and how they meet the ERs. Think of it as a sanity check before you commit to the full application and testing fees. If STQC identifies fundamental gaps at this stage, you can fix them before paying for lab testing. The P01 procedure (Step 3) explicitly describes this as STQC evaluating whether your TCF is "prima facie worthy" of proceeding
Step 4: Complete and submit the application.
Fill in Form F05 (CCTV-specific) or Form F01 (general IoT, selecting "CCTV Camera" as the product type). Attach the TCF, ISO 9001 certificate, Certificate of Incorporation, signed Agreement (Form F02), and the F07 series form as applicable. Email everything to [email protected]. All documents must be digitally signed with a valid Digital Certificate issued in India by an Indian certifying authority (like eMudhra, Sify, or CDAC). Wet signatures and foreign digital certificates are not accepted.
Step 5: STQC reviews your application and sends an invoice.
STQC checks your submission for completeness. If acceptable, they allocate an application number and issue a proposal with the certification fee. Do not pay anything before receiving this invoice.
Step 6: Contact the assigned test lab.
Once you've paid STQC's invoice, they appoint an assessor and assign an STQC-approved test lab. You contact the lab directly. The lab issues you a Service Request Form (SRF) and a cost quotation for testing. The SRF is the lab's document, not something you download from the STQC website. The Assessor oversees the entire evaluation on behalf of the Certification Body. The Assessor witnesses testing, reviews observation reports, and prepares the final evaluation report for the Certification Committee. This is not a rubber-stamp role. The Assessor can challenge your test results, request additional testing, or require you to provide more products from a series for independent verification. You fill in the SRF, pay the lab's testing charges (this is separate from the STQC certification fee you already paid via Bharat Kosh), and submit it back to the lab along with your test samples. The SRF, payment receipt, and samples all go to the assigned lab, not to STQC.
What you deliver to the lab: at least one production camera (or engineering model) with debug access probes enabled (JTAG, UART, SWD), a development kit or engineering board, firmware binaries for static code analysis, your internal code review reports, all tools needed to load firmware and demonstrate tamper protection, and the SoC datasheet. Your engineering team must also be available (in person or remote) during testing, because the lab requires the OEM team to be present for demonstrations of secure boot, firmware update, tamper resistance, and key management processes. Payment is made through Bharat Kosh, the government's electronic receipt portal.
From this point, your day-to-day coordination is with the lab. STQC's Assessor oversees the process but the lab drives the testing schedule.
STQC maintains a list of empaneled test labs (Software and Systems Testing Labs) on its website. You can scroll down to find the full list of the empanelled labs.
Step 7: Lab testing.
The lab tests your camera against the ER checkpoints: network vulnerability assessment, physical access testing (UART, JTAG), firmware extraction and analysis, secure boot verification, encryption testing, and penetration testing. You may need to support the lab with tools and demonstrations during this phase.
Step 8: Certification decision.
The lab sends a Final Test Report to STQC's Certification Committee. If the camera passes all requirements, STQC issues a Certificate of Approval valid for three years. The certified product is listed on the STQC portal.
Source: STQC CCTV Testing Procedure P01, IoTSCS Application Form F01
What will the lab test?
The test procedure (P01) covers four categories, each with specific checkpoints:
Hardware-level security (12 checkpoints): Debugging interfaces (USB, UART, JTAG, SWD) disabled or protected. Cryptographic keys unique per device. Trusted execution environment (TEE) enabled if available on the SoC. Secure boot with boot image signature validation. Tamper resistance and detection. IP protection technologies enabled. Cryptographically secure random number generation.
Software/firmware security (12 checkpoints): Memory protection (ASLR, DEP) enabled. Data-in-transit encrypted via TLS. Server certificate validation and pinning. Banned C functions replaced with safe equivalents. Software bill of materials maintained. Third-party components reviewed for hardcoded credentials. Firmware reverse engineering controls. Firmware update process secure against time-of-check/time-of-use attacks. Code signing on firmware upgrades. Anti-rollback protection. Automatic update capability.
Secure process conformance (5 checkpoints): Wireless communications mutually authenticated and encrypted. Trusted supply chain with managed bill of materials for critical hardware (SoC). Supply chain risk assessment and mitigation documented. No proprietary network protocols (or full source code provided if used).
Security at product development stage (4 checkpoints): Design and architecture documentation down to PCBA and SoC level. Threat mitigation for counterfeit and tainted products. Malware detection tools deployed in code acceptance and before final packaging. Supply chain continuity planning documented.
The lab performs both automated scanning and manual testing, including code review using licensed static analysis tools. Many tests require the OEM team to be present for live demonstrations.
Source: STQC CCTV Testing Procedure P01, Annexure-A
Common reasons applications get rejected
STQC's application form with incomplete details or those missing required documents "may be liable for rejection." The common issues: missing TCF artifacts, absent ISO 9001 certificates, an unsigned agreement (F02), or failing to submit the product series form (F07) when certifying multiple models. If the camera fails a mandatory security test, the lab reports non-conformance, and STQC can refuse certification. You can resubmit after fixing the deficiency, but that restarts the clock on testing.
Application rejection is about paperwork. Test failure is about the product itself.
What happens if your camera fails a test?
The lab reports non-conformance to STQC. You fix the deficiency (patch the firmware, redesign the security mechanism, whatever failed) and resubmit for testing. The D01 document does not specify whether re-testing requires full payment of lab fees again or a partial re-test fee. In practice, this likely depends on the scope of the failure: a minor firmware patch might require a focused re-test, while a fundamental design flaw might require the full test cycle. Contact the assigned test lab and STQC for the specific re-test cost. Either way, the timeline resets for the testing phase, as the lab needs to re-evaluate the updated product.
STQC Empaneled Laboratories
| # | Lab name | Location | Certificate no. | Valid till |
|---|---|---|---|---|
| 1 | Precise Testing Solution Pvt. Ltd. | E-81, Second Floor, Sector 63, Noida, U.P. | STQC-SAB-SETL-3 | 10 Dec 2027 |
| 2 | AQM Technologies Pvt. Ltd. | 4th Floor, A Wing, 401 Raheja Plaza, LBS Road, Ghatkopar (W), Mumbai 400086 | STQC-SAB-SETL-10 | 19 Oct 2026 |
| 3 | AKS Information Technology Services Pvt. Ltd. | B-21, Sector 59, Noida 201309, U.P. | STQC-SAB-SETL-9 | 05 Sep 2026 |
| 4 | Information Technology Quality Certification and Research (ITQCR) | C-202, Infotech Park, Tower No-8, CBD Belapur, Navi Mumbai 400614 | STQC-SAB-SETL-1 | 11 Sep 2027 |
| 5 | Quality Kiosk Technologies Pvt. Ltd. | 419 A, Rupa Solitaire, Sector 1, Millennium Business Park, Mahape, Navi Mumbai 400710 | STQC-SAB-SETL-4 | 19 Dec 2027 |
| 6 | Maverick Quality Advisory Services Pvt. Ltd. | 123 Radhey Shyam Park, PO Sahibabad, Ghaziabad, U.P. 201005 | STQC-SAB-SETL-11 | 28 Jul 2027 |
| 7 | Redinent Innovations Pvt. Ltd. | 18, Novel MSR Park, Varthur Main Road, Munnekolalu, Marathahalli, Bengaluru 560037 | STQC-SAB-SETL-12 | 05 Aug 2027 |
| 8 | Levithan Technologies Pvt. Ltd. | Shop No. 374A, Bhoor Colony, Old Faridabad, Haryana 121002 | STQC-SAB-SETL-13 | 05 Aug 2027 |
| 9 | CyberSRC Consultancy Pvt. Ltd. | Unit 605, 6th Floor, World Trade Tower, Sector 16, Noida 201301 | STQC-SAB-SETL-14 | 18 Aug 2028 |
| 10 | ITOrizin Technology Solution Pvt. Ltd. | 8/14, Sahid Nagar, Ground Floor, Haltu, Garfa, Kolkata 700078 | STQC-SAB-SETL-15 | 23 Nov 2028 |
Source: STQC Empaneled Laboratories.
All the forms and documents you will need
- Application Form F01 (IoT Product Certification)
- TCF Template F03 (Issue 04)
- Product Series Details F07
- Certification Agreement F02
- CCTV Testing Procedure P01
- IoTSCS Rules and Procedures D01 (Issue 5.0)
- Empaneled Test Labs
- Application Form F05 (CCTV-specific)
STQC contacts for IoTSCS
The IoTSCS scheme is managed by STQC's IT and e-Gov Division.
Scheme Head: Shri Arvind K. Upadhyaya (Scientist 'G'), Phone: 011-24301272, Email: [email protected] Deputy Head: Shri Gautam Prasad (Scientist 'D'), Phone: 011-24301388, Email: [email protected] Application submission: [email protected]
Contact details are from the STQC IoTSCS scheme page as of April 2026. Verify on the portal before reaching out, as government postings may change.
All scheme documents (rules, procedures, forms, TCF template) are on the STQC IoTSCS page.
Source: STQC IoTSCS scheme page