ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [DRAFT]
This project is documenting the basic, commonplace security features expected of all IoT devices: the device-level foundation on which the IoT security controls documented in ISO/IEC 27030 depend.

Scope of the standard

The standard is intended to specify a ‘baseline’, or platform, of capabilities for ‘IoT devices’ [things] on which information security and privacy controls can be built.

Examples of baseline [information security] requirements:

  • Unique (and ideally immutable and verifiable!) device identifier.
  • A ‘factory reset’ function.
  • A ‘delete all my [personal] information’ function.
  • “Data protection” (presumably access and integrity controls?).
  • Patching/updating capability (for firmware and software, I guess).

It is anticipated that additional security controls will be required and may be defined in further standards for specific applications (e.g. medical things).
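To make the baseline concrete, here is an added toy model (not text or code from the draft standard, and not from ISO/IEC or IsecT) of a device that offers the listed functions: a unique identifier that a verifier can check, a ‘delete all my personal information’ function, a ‘factory reset’ that wipes user data while the identity survives, and an update path that rejects unauthenticated firmware. The draft specifies none of these mechanisms, so everything below is an assumption: the manufacturer key is a constructed placeholder, and the HMAC tags stand in for the manufacturer signature or certificate a real scheme would use (with a shared secret, anyone holding the key can mint identifiers, so it is a simplification, not a recommendation).

```python
import hashlib
import hmac

# Constructed placeholder for a manufacturer-held key. In a real deployment it
# would live in an HSM on the manufacturer side and a secure element on the
# device; a symmetric key is used here only to keep the example stdlib-only.
MANUFACTURER_KEY = bytes.fromhex("0f" * 32)


def _tag(label: bytes, data: bytes, key: bytes = MANUFACTURER_KEY) -> bytes:
    """Domain-separated HMAC-SHA256 tag, truncated to 128 bits."""
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()[:16]


def derive_device_id(serial: bytes) -> str:
    """Unique, verifiable identifier of the form <serial hex>-<tag hex>."""
    return serial.hex() + "-" + _tag(b"device-id", serial).hex()


def verify_device_id(device_id: str) -> bool:
    """Check that an identifier was issued under the manufacturer key."""
    try:
        serial_hex, tag_hex = device_id.split("-")
        serial, tag = bytes.fromhex(serial_hex), bytes.fromhex(tag_hex)
    except ValueError:          # wrong shape, odd length or non-hex characters
        return False
    # constant-time compare; a wrong-length tag simply fails to verify
    return hmac.compare_digest(tag, _tag(b"device-id", serial))


def sign_update(version: str) -> bytes:
    """Manufacturer side: produce the tag a device checks in apply_update()."""
    return _tag(b"firmware", version.encode())


class IoTDevice:
    """Hypothetical device model carrying the baseline functions listed above."""

    def __init__(self, serial: bytes, firmware_version: str):
        self._device_id = derive_device_id(serial)   # set once at manufacture
        self.firmware_version = firmware_version
        self.settings: dict = {}        # owner configuration (Wi-Fi, schedules...)
        self.personal_data: dict = {}   # PII the owner may ask to have deleted

    @property
    def device_id(self) -> str:
        # read-only: no setter, so the identity is immutable in normal use
        return self._device_id

    def delete_personal_data(self) -> None:
        """'Delete all my [personal] information': wipe PII, keep settings."""
        self.personal_data.clear()

    def factory_reset(self) -> None:
        """Back to shipped state: identity and firmware survive, user data does not."""
        self.settings.clear()
        self.personal_data.clear()

    def apply_update(self, new_version: str, update_tag: bytes) -> bool:
        """Install a firmware update only if its tag verifies under the manufacturer key."""
        if not hmac.compare_digest(update_tag, _tag(b"firmware", new_version.encode())):
            return False            # unauthenticated update: leave firmware untouched
        self.firmware_version = new_version
        return True


if __name__ == "__main__":
    dev = IoTDevice(b"\x00\x01\x02\x03", "1.0.0")   # constructed serial number
    dev.settings["wifi_ssid"] = "home"
    dev.personal_data["email"] = "owner@example.invalid"
    print("identifier verifies:", verify_device_id(dev.device_id))
    dev.delete_personal_data()
    print("after PII deletion:", dev.settings, dev.personal_data)
    dev.factory_reset()
    print("identity after reset:", dev.device_id == derive_device_id(b"\x00\x01\x02\x03"))
    print("forged update accepted:", dev.apply_update("1.0.1", b"\x00" * 16))
    print("genuine update accepted:", dev.apply_update("1.0.1", sign_update("1.0.1")))
```

The separation between `delete_personal_data()` and `factory_reset()` is the point worth noticing: the first is a data-subject request that must leave the device usable, the second returns it to shipped state, and neither touches the identifier, which is exactly what ‘immutable’ has to mean if the identity is to be useful for asset tracking and attestation after a reset.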

Content of the standard

The standard is already at Committee Draft stage.

It is due to be published in 2023.

Personal notes

The sheer scale and variety of IoT are going to be distinctly challenging for those writing this standard. Meanwhile, the intense market pressures on manufacturers seem unlikely to lead to voluntary adoption without additional factors (which are beyond the scope of the standard).

At present, the standard has a few notes in some sections but others are essentially placeholders, awaiting input.

Copyright © 2021 IsecT Ltd.