diff --git a/modules/mbedtls/Kconfig b/modules/mbedtls/Kconfig
index 81edf4ab574..67277fb24c4 100644
--- a/modules/mbedtls/Kconfig
+++ b/modules/mbedtls/Kconfig
@@ -182,8 +182,8 @@ config MBEDTLS_ENABLE_HEAP
 This option enables the mbedtls to use the heap. This setting must be global so that various applications and libraries in Zephyr do not try to do this themselves as there can be only one heap defined
- in mbedtls. If this is enabled, then the Zephyr will, during the device
- startup, initialize the heap automatically.
+ in mbedtls. If this is enabled, and MBEDTLS_INIT is enabled then the
+ Zephyr will, during the device startup, initialize the heap automatically.
 config MBEDTLS_HEAP_SIZE
 int "Heap size for mbed TLS"
@@ -201,6 +201,13 @@ config MBEDTLS_HEAP_SIZE
 be needed. For some dedicated and specific usage of mbedtls API, the 1000 bytes might be ok.
+config MBEDTLS_INIT
+ bool "Initialize mbed TLS at boot"
+ default y
+ help
+ By default mbed TLS will be initialized at Zephyr init. Disabling this option
+ will defer the initialization until explicitly called.
+
 config MBEDTLS_SHELL
 bool "mbed TLS shell"
 depends on MBEDTLS
diff --git a/modules/mbedtls/include/mbedtls_init.h b/modules/mbedtls/include/mbedtls_init.h
new file mode 100644
index 00000000000..61b51f367aa
--- /dev/null
+++ b/modules/mbedtls/include/mbedtls_init.h
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2022 Qualcomm Innovation Center, Inc.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+#ifndef MBEDTLS_INIT_H
+#define MBEDTLS_INIT_H
+
+/* This should be called by platforms that do not wish to
+ * have mbedtls initialised during kernel startup
+ */
+int mbedtls_init(void);
+
+#endif /* MBEDTLS_INIT_H */
diff --git a/modules/mbedtls/zephyr_init.c b/modules/mbedtls/zephyr_init.c
index a157dac54e6..a9351be8f55 100644
--- a/modules/mbedtls/zephyr_init.c
+++ b/modules/mbedtls/zephyr_init.c
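Review bot: The help text for `MBEDTLS_INIT` in the second Kconfig hunk says initialization is deferred "until explicitly called" but never names the call or says what stays uninitialized in the meantime. Per the reworded `MBEDTLS_ENABLE_HEAP` help in the first hunk, the mbed TLS heap is only set up automatically when this option is on, so the help should spell out the obligation, e.g. `Disabling this option defers initialization until the platform calls mbedtls_init() from mbedtls_init.h; no mbed TLS API may be used before that call.` The neighbouring `MBEDTLS_SHELL` entry carries `depends on MBEDTLS` and the new entry does not; unless an enclosing `if MBEDTLS` outside this hunk already covers it, the same line belongs here.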
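Review bot: The comment on `mbedtls_init()` in modules/mbedtls/include/mbedtls_init.h documents neither the return value nor the ordering requirement, and this header is where a platform author will look for the contract. I would make it a Doxygen block stating that the function must run before any other mbed TLS call when `CONFIG_MBEDTLS_INIT` is disabled, and that the caller has to check the result before relying on TLS. The only return visible in this commit is `return 0;` at the end of `_mbedtls_init`, so which non-zero values are possible needs confirming against the body, which is outside the diff. An `extern "C"` guard around the declaration would also keep it usable from C++ platform code.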
@@ -95,4 +95,15 @@ static int _mbedtls_init(void)
 return 0;
 }
+#if defined(CONFIG_MBEDTLS_INIT)
 SYS_INIT(_mbedtls_init, POST_KERNEL, 0);
+#endif
+
+/* if CONFIG_MBEDTLS_INIT is not defined then this function
+ * should be called by the platform before any mbedtls functionality
+ * is used
+ */
+int mbedtls_init(void)
+{
+ return _mbedtls_init(NULL);
+}
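Review bot: `mbedtls_init()` sits outside the new `#if defined(CONFIG_MBEDTLS_INIT)` block, so it is also built when boot-time init is enabled, and a platform that calls it after the `SYS_INIT` hook has run executes the init body a second time. That body is outside the hunk, but the Kconfig help in this commit says it initializes the mbed TLS heap, and re-initializing an allocator that already holds live allocations would presumably corrupt them. Moving the wrapper into an `#else` branch of that block, or returning early once initialization has completed, would turn the misuse into a build error or a no-op. Separately, the hunk header shows the callee as `static int _mbedtls_init(void)` while the new call is `_mbedtls_init(NULL)`; if that prototype is current, the call passes an argument to a function that takes none and should read `return _mbedtls_init();`.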