

ISO/IEC 27400 — Cybersecurity — IoT security and privacy — Guidelines [DRAFT]



“Provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT).”
[Source: SC 27 Standing Document 11 (2021)]


The standard will provide guidance on the principles, [information] risks, and corresponding information security and privacy controls to mitigate those risks for the Internet of Things.



The standard will be specific to IoT, covering both information security and privacy.


Purpose and justification

[The following is my interpretation of the project brief, with several changes ...]

IoT things may interconnect and connect to the Internet. Insecure things may impact security and privacy, in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls may be necessary to mitigate unacceptable risks.

The standard will provide security and privacy guidance for “an IoT system/service/solution” (whatever that means!). The standard may also cover “trustworthiness” and will hopefully align with other IoT standards.

Issues [information risks] to be addressed by the standard include:

  • Broad extent and nature of impacts, potentially including safety issues and property damage;
  • Long lifecycle of [some] things [some are cheap and disposable, anticipating short lifecycles ... but who knows how long they will remain in service? Version control and change management (e.g. patching) are further issues with IoT];
  • [Due in part to a lack of standardization] there are difficulties in monitoring and managing things, hence some (many!) are [likely to remain] unmanaged;
  • Concerns around interoperability and interaction between things, and with other networked devices;
  • Things have limited functionality and performance [capability and capacity];
  • Possible connections to/uses of things which were not anticipated by their designers/manufacturers;
  • Owners/users of things may change over time [hence the context or situation in which things are used may change - as with conventional IT!].

IoT designers/manufacturers and users, both individuals and corporates, may be oblivious to the information risks and expected/necessary controls, hence the standard (and this website!) has a role in raising awareness and driving maturity on both the supply (vendor) and the demand (customer) sides.


Status of the standard

The standard was originally numbered ISO/IEC 27030 during drafting but will become ISO/IEC 27400 when published, slotting in neatly alongside other ISO27k IoT security and privacy standards.

Status update (April): publication is imminent, once a few typos and other corrections have been made to the Final Draft International Standard.


Personal comments

The standard identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration. I have some concerns about the selection and the wording (e.g. vulnerabilities are not risks! Weak or missing controls are not risks!), suggesting limited appreciation of the fundamental concepts. Furthermore, I see no direct link between the IoT security controls recommended elsewhere in the standard and the identified risks that they are presumably intended to mitigate. However, discussing relevant [information] risks in an ISO27k standard is, I feel, a positive move in its own right. Most ISO27k standards leap directly to recommending a bunch of information security controls, barely even mentioning the information risks. This standard goes a step beyond the “Just do this:” style, albeit a small step. It’s a start, a prompt for users of the standards to identify, consider and evaluate the information risks in their own contexts.

I just hope the [information] risk-aligned approach spreads to all the ISO27k standards in due course ... although so far I’ve seen no hint of strategic intent expressed by SC 27. Sometimes I wonder if anyone reads this stuff.


Copyright © 2022 IsecT Ltd.