

ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [DRAFT]





This project is documenting basic, commonplace security features expected of all networkable IoT devices, thereby enabling, providing or supporting the IoT security controls documented in ISO/IEC 27400.


Scope of the standard

The standard is intended to specify a ‘baseline’ or platform for ‘IoT devices’ [things] supporting information security and privacy controls.


Content of the standard

Main sections:

    4  Overview (1 paragraph).

    5  [Cybersecurity and privacy baseline] Requirements:

      5.1  Requirements for IoT device developers:

        - risk assessments for IoT product lines;

        - documentation;

        - vulnerability disclosure processes.

      5.2  Requirements for IoT devices:

        - protect identity information, including device IDs;

        - control device administration;

        - reset to a secure/fail-safe state (if applicable);

        - data erasure;

        - cryptographic controls over data access, integrity, authenticity etc.;

        - interface access controls;

        - controls over firmware and software updates.


    Annex - Brief risk assessment guidance based on ISO 31000.



The standard is at 2nd Committee Draft stage.

It is due to be published at the end of 2023.


Personal notes

The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging.

The intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard) ... unless a sufficient proportion of customers starts asking about the security and privacy controls for IoT, and voting with their checkbooks.

The approach being taken is to specify only a few fundamental information security and privacy controls in this baseline standard, with the intention of developing further standards specifying additional requirements for particular industries or verticals, building on the generic baseline. It is anticipated that additional security controls will be required and may be defined in further standards for specific applications (e.g. medical things).

Noticeably absent from SC 27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee is currently focused on getting appropriate security and privacy controls integrated into things: advice on using IoT controls may follow.



Copyright © 2022 IsecT Ltd.