Topic-specific policies
ISO/IEC 27404


Search this site
 
ISMS templates

< Previous standard      ^ Up a level ^      Next standard >

 

ISO/IEC 27404 — Cybersecurity — IoT security and privacy Cybersecurity labelling framework for consumer IoT [DRAFT]

 

Abstract

“[ISO/IEC 27404] defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products. It provides requirements and includes guidance on the following topics:
    • risks and threats associated with consumer IoT products;
    • stakeholders, roles and responsibilities;
    • relevant standards and guidance documents;
    • conformity assessment;
    • labelling issuance and maintenance;
    • mutual recognition.
       

    [ISO/IEC 27404] is limited to consumer IoT products, such as:

    • IoT gateways, base stations and hubs to which multiple devices connect;
    • smart cameras, televisions, and speakers;
    • wearable devices;
    • connected smoke detectors, door locks and window sensors;
    • connected home automation and alarm systems;
    • connected appliances, such as washing machines and fridges;
    • smart home assistants; and
    • connected children’s toys and baby monitors.


    Products that are not intended for consumer use are excluded from this standard. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes. [ISO/IEC 27404] is applicable to Consumers, Developers, issuing bodies of cybersecurity labels and conformity assessment bodies.”

[Source: ISO/IEC JTC 1/SC 27 SD11 Jan 2025 amended Mar]
 

Introduction

Although cybersecurity is seldom promoted as a feature of consumer-oriented IoT devices (things), it can be important. Inconsistent and unclear cybersecurity labelling does not help consumers appreciate their security and privacy objectives, nor evaluate and select things accordingly. Standardising the cybersecurity labelling of things is intended to improve consistency across the global market, increase consumer awareness and promote better cybersecurity designs.

 

Scope of the standard

The standard concerns consumer-grade (retail) things - as opposed to business, industrial, engineering, medical, scientific or mil-spec things (since their cybersecurity requirements and features/capabilities are more likely to be specified in detail).

It covers cybersecurity and privacy but excludes safety aspects.

 

Content of the standard

The main sections are:

  1. Overview
  2. International alignment
  3. Components and considerations for labelling framework
  4. Label issue and maintenance

    5. Annex A - types and features of labels

    Annex B - examples of multi-level labelling schemes

    Annex C - examples of binary labelling schemes

    Annex D - determination of equivalency between labelling schemes

    Annex E - cybersecurity baseline examples

    Annex F - secure-by-design examples

    Annex G - privacy assessment examples

     

Status

Drafting started in 2022.

The standard is at Draft International Standard stage and is due to emerge in 2026.

 

Personal comments

Singapore standard TR 91:2021 Cybersecurity labelling for consumer IoT formed the original basis for this standard, with editorial changes to suit the more formal ISO/IEC style.

 

 

< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2025 IsecT Ltd. Contact us re Intellectual Property Rights