ISO/IEC 27402

ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [DRAFT]

This project is documenting basic, commonplace security features expected of all networkable IoT devices, thereby enabling, providing or supporting the IoT security controls documented in ISO/IEC 27400.


Scope of the standard

The standard will specify a ‘baseline’ or platform for ‘IoT devices’ [things] supporting information security and privacy controls.


Content of the standard

Main sections:

    4  Overview (1 paragraph).
    5  [Cybersecurity and privacy baseline] Requirements:
       5.1  Requirements for IoT device policies and documentation
       5.2  Requirements for IoT devices
    Annex - Risk management guidance based on ISO 31000.

The standard is at 2nd Committee Draft stage. It is due to be published at the end of 2023.

Substantial revisions have been requested by CASCO.


Personal notes

CASCO requires conformance standards to have a single target: for ‘27402, that would be either things OR the developers of things. With more work, it may be possible to split the draft standard into two parts accordingly, rather than simply dropping one or other of the current targets.

The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging.

The intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard) ... unless a sufficient proportion of customers starts asking about the security and privacy controls for IoT, and voting with their checkbooks.

The approach being taken is to specify only a few fundamental information security and privacy controls in this baseline standard, with the intention of developing further standards specifying additional requirements for particular industries or verticals, building on the generic baseline. It is anticipated that additional security controls will be required and may be defined in further standards for specific applications (e.g. medical things).

Noticeably absent from SC 27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee is currently focused on getting appropriate security and privacy controls integrated into things: advice on using IoT controls may follow.
