ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [DRAFT]


Abstract

“This document provides baseline requirements for IoT devices to support information security and privacy controls. This document covers IoT devices that have a network interface.”
[Source: SC27 Standing Document 11 (2021)]

Introduction

This project is documenting basic, commonplace security features expected of all networkable IoT devices, enabling/providing/supporting the IoT security controls documented in ISO/IEC 27400.


Scope of the standard

The standard is intended to specify a ‘baseline’ or platform for ‘IoT devices’ [things] supporting information security and privacy controls.


Content of the standard (updated July)

Main sections:

    4  Overview (1 paragraph).

    5  [Cybersecurity and privacy baseline] Requirements:

      5.1  Requirements for IoT device developers:

        - risk assessments for IoT product lines;
        - documentation;
        - vulnerability disclosure processes.

      5.2  Requirements for IoT devices:

        - protect identity information, including device IDs;
        - control device administration;
        - reset to a secure/fail-safe state (if applicable);
        - data erasure;
        - cryptographic controls over data access, integrity, authenticity etc.;
        - interface access controls;
        - controls over firmware & software updates.

    Annex - Brief risk assessment guidance based on ISO 31000.

Status (updated July)

The standard is already at 2nd Committee Draft stage.

It is due to be published in 2023 but may be ready sooner.


Personal notes

The sheer scale and variety of IoT is distinctly challenging for generic information security and privacy standards, while the intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard), unless a sufficient proportion of customers starts asking about the security and privacy controls for IoT and voting with their checkbooks.

The approach being taken is to specify only a few fundamental information security and privacy controls in this baseline, with the intention of developing further standards specifying additional requirements for particular industries or verticals, building on the generic baseline. It is anticipated that additional security controls will be required and may be defined in further standards for specific applications (e.g. medical things).

Noticeably absent from SC27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely.


Copyright © 2021 IsecT Ltd.