ISO/IEC 27400



 

ISO/IEC 27400 — Cybersecurity — IoT security and privacy — Guidelines [DRAFT]

 

Introduction

The standard will provide guidance on the principles, [information] risk and controls for IoT security and privacy.

 

Scope

The standard will be specific to IoT, covering both information security and privacy.

 

Purpose and justification

[The following is my interpretation of the project brief, with several changes ...]

IoT things may interconnect and connect to the Internet.  Insecure things may impact security and privacy, in ways that differ from more conventional IT systems (e.g. desktops, laptops and servers). Therefore, appropriate security and privacy controls are necessary. The standard will provide security and privacy guidance for “an IoT system/service/solution” (whatever that means!). The standard may also cover “trustworthiness” and will hopefully align with other IoT standards.

Issues [information risks] to be addressed by the standard include:

  • Broad extent and nature of impacts, potentially including safety issues and property damage;
  • Long lifecycle of [some] things [some are cheap and disposable, anticipating short lifecycles ... but who knows how long they will remain in service? Version control and change management (e.g. patching) are further issues with IoT];
  • [Due in part to a lack of standardization] there are difficulties in monitoring and managing things, hence some (many!) are [likely to remain] unmanaged;
  • Concerns around interoperability and interaction between things, and with other networked devices;
  • Things have limited functionality and performance [capability and capacity];
  • Possible connections to/uses of things which were not anticipated by their designers/manufacturers;
  • Owners/users of things may change over time [hence the context or situation in which things are used may change - as with conventional IT!].

IoT designers/manufacturers and users, both individuals and corporates, may be oblivious to the information risks and expected/necessary controls, hence this standard (and this website!) has a role in raising awareness and driving maturity on both the supply and the demand sides.

 

Status of the standard

The standard was originally known as ISO/IEC 27030 during drafting but morphed into ISO/IEC 27400, slotting in alongside other IoT security and privacy standards.

As of the May update, it is currently at Draft International Standard stage and is due to be published in 2022.

 

Personal comments

The standard identifies some generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, essentially a selection of examples for consideration. I have some concerns about the selection and the wording (e.g. vulnerabilities are not risks! Weak or missing controls are not risks!), suggesting limited appreciation of the fundamental concepts. Furthermore, I see no direct link between the IoT security controls recommended elsewhere in the standard and the identified risks that they are presumably intended to mitigate. However, discussing relevant [information] risks in an ISO27k standard is, I feel, a positive move in its own right. Most ISO27k standards leap directly to recommending a bunch of information security controls, barely even mentioning the information risks. This standard goes a step beyond the “Just do this:” style, albeit a small step. It’s a start, a prompt for users of the standards to identify, consider and evaluate the information risks in their own contexts.

I just hope the [information] risk-aligned approach spreads to all the ISO27k standards in due course ... although so far I’ve seen no hint of strategic intent expressed by management.

 


Copyright © 2021 IsecT Ltd.