

ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [DRAFT]



Abstract (added July): “This document provides baseline requirements for IoT devices to support security and privacy controls.”
[Source: ISO/IEC JTC 1/SC 27 SD11]


This project is documenting basic, commonplace security features expected of all networkable IoT devices, thereby enabling, providing or supporting the IoT security controls documented in ISO/IEC 27400.


Scope of the standard

The standard will specify a ‘baseline’ or platform for ‘IoT devices’ [things] supporting information security and privacy controls.


Content of the standard

Main sections:

    4  Overview (1 paragraph).

    5  [Cybersecurity and privacy baseline] Requirements:

      5.1  Requirements for IoT device policies and documentation

      5.2  Requirements for IoT devices

    Annex - Risk management guidance based on ISO 31000.



The standard is at Final Draft International Standard stage, on track to be published at the end of 2023.


Personal notes

CASCO requires conformance standards to have a single target: for ‘27402, that would be either the IoT things themselves OR the developers of things. I’m not clear yet how this will be resolved.

The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging.

Rapid innovation and intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard and ISO) ... unless a sufficient proportion of customers starts asking about the security and privacy controls for IoT, and voting with their wallets.

The approach taken is to specify only a few fundamental information security and privacy controls in this ‘horizontal’ baseline standard (such as an information risk management process involving the identification, evaluation and treatment of information risks), with the intention of developing further standards specifying additional requirements for particular industry ‘verticals’, building on the generic baseline. It is anticipated that additional security controls will be required and defined in further standards for specific applications (e.g. for medical things).

Noticeably absent from SC 27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee is currently focused on getting appropriate security and privacy controls specified, designed and integrated into things: advice on using the controls may follow.



Copyright © 2023 IsecT Ltd