

ISO/IEC 27400 — Cybersecurity — IoT security and privacy — Guidelines [DRAFT]



The standard will provide guidance on the principles, [information] risk and controls for IoT security and privacy.



The standard will be specific to IoT, covering both information security and privacy.


Purpose and justification

[The following is my interpretation of the project brief, with several changes ...]

IoT things may interconnect and connect to the Internet.  Insecure things may impact security and privacy, in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls are necessary. The standard will provide security and privacy guidance for “an IoT system/service/solution” (whatever that means!). The standard may also cover “trustworthiness” and will hopefully align with other IoT standards.

Issues [information risks] to be addressed by the standard include:

  • Broad extent and nature of impacts, potentially including safety issues and property damage;
  • Long lifecycle of [some] things [some are cheap and disposable, anticipating short lifecycles ... but who knows how long they will remain in service? Version control and change management (e.g. patching) are further issues with IoT];
  • [Due in part to a lack of standardization] there are difficulties in monitoring and managing things, hence some (many!) are [likely to remain] unmanaged;
  • Concerns around interoperability and interaction between things, and with other networked devices;
  • Things have limited functionality and performance [capability and capacity];
  • Possible connections to/uses of things which were not anticipated by their designers/manufacturers;
  • Owners/users of things may change over time [hence the context or situation in which things are used may change - as with conventional IT!].

IoT designers/manufacturers and users, both individuals and corporates, may be oblivious to the information risks and expected/necessary controls, hence this standard (and this website!) has a role in raising awareness and driving maturity on both the supply and the demand sides.


Status of the standard

The standard is due to be published in 2022.  It was originally numbered ISO/IEC 27030 during drafting but will become ISO/IEC 27400 alongside other IoT security and privacy standards.

It is currently at 3rd Committee Draft stage.

April update: the standard is due to be published in 2022.


Personal comments

The standard identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration.  I have some concerns about the selection and the wording (e.g. vulnerabilities are not risks!  Weak or missing controls are not risks!), suggesting limited appreciation of the fundamental concepts.  Furthermore, I see no direct link between the IoT security controls recommended elsewhere in the standard and the identified risks.  However, discussing relevant [information] risks in an ISO27k standard is, I feel, a positive move in its own right.  Most ISO27k standards leap directly to recommending a bunch of information security controls, barely even mentioning the information risks they are intended to mitigate. This standard goes a step beyond the “Just do this:” style, albeit a small step.  It’s a start.  I just hope the [information] risk-aligned approach spreads to all the ISO27k standards in due course.  Give it a decade or so for SC27 to leap into action!



Copyright © 2021 IsecT Ltd.