

ISO/IEC 27403 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics [DRAFT]



“This document provides guidelines to analyze security and privacy risks and identifies controls that need to be implemented in IoT-domotics systems.”
[Source: SC27 Standing Document 11 (2021)]


Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, homes and living arrangements, security and privacy issues and controls. Rapid innovation and change in this area further complicates matters.


Scope of the standard

“Domotics” is the newer name for what was originally called home automation, a.k.a. “smart homes”. The domicile or home is described as “The private, hence highly customizable area where someone lives, alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.”

This cybersecurity standard is aimed squarely at the designers, manufacturers and security/privacy assessors of IoT domotics, rather than the “users” (consumers/retail customers).

It will cover the information security and privacy aspects of device-to-device interactions (e.g. hubs and subsystems), human-to-device interactions, the sensors and actuators through which devices physically interact with the home, and networking both within the home and beyond it (e.g. via Internet gateways/firewalls).


Content of the standard

  • Overview including an outline of the stakeholders, the lifecycles for IoT domotics developers, [service] providers and users, and an architectural reference model
  • Risk assessment guidelines covering ‘security’ (cybersecurity) and privacy risks
  • ‘Security’ and privacy controls
  • Use cases
  • ‘Security’ and privacy concerns and responsibilities of various stakeholders with differing perspectives
  • ‘Security measures’ (IT-based infosec and privacy controls) for various IoT domotics devices



Oct update: the standard is at Committee Draft stage. It is due to be published in 2023.


Personal notes

“IoT” has become a common abbreviation in the IT field but “domotics” is a neologism derived from domus (Latin for house) and robotics.

Rather than simply recommending a bunch of controls, the standard will describe typical information [security and privacy] risks relating to domotics, and recommend information security controls to mitigate them, making this a risk-based ISO27k standard. Hoorah!

The main advantage of this approach for readers of the standard is that the risks provide the rationale, context and basis for the controls. Helping readers identify and consider the information risks gives them a better appreciation of what the information security controls are meant to achieve. The risks and controls in the standard are examples intended to prompt readers to consider the risks and control requirements in their own particular contexts.

Challenges in the home environment include:

  1. Limited information security awareness and competence by most people.
  2. Ad hoc assemblages of networked IT systems, including things worn or carried about the person (residents and visitors) and work-related things, not just things physically installed in the home (e.g. smart heating controls, door locks and cat feeders).
  3. Things are not [always] designed for security or privacy since other requirements (such as low price and ease of use) generally take precedence.
  4. Lack of processes for managing security and privacy systematically at home. If anything, activities tend to be ad hoc/informal and reactive rather than proactive.
  5. Informality in general: the home is an unstructured and dynamic environment.

The standard will encompass ‘systems’ that include but extend beyond the IT parts, taking in (for instance) the people and pets occupying smart homes.



Copyright © 2021 IsecT Ltd.