< Previous standard      ^ Up a level ^      Next standard >

ISO/IEC 27402:2023 — Cybersecurity — IoT security and privacy — Device baseline requirements [first edition]

Abstract

“This document provides baseline requirements for IoT devices to support security and privacy controls.”

[Source: ISO/IEC 27402:2023]

Introduction

ISO/IEC 27400 describes commonplace information risks relevant to consumer and industrial IoT devices (things) plus the associated network/cloud services, introducing the corresponding ICT security and privacy controls for the manufacturers and the users. In practice, however, as insecure things have been proliferating rapidly, the risks have generally increased.

As an international standard, ISO/IEC 27402 is intended to ensure that all things at least provide a common set of foundational capabilities and functionality.  IoT manufacturers using the suggested information risk management processes can build upon the standardised foundation, providing additional controls addressing the information risks relevant to various industrial and consumer applications.

Scope of the standard

The standard concerns basic information security and privacy controls for things.

Content of the standard

Main sections:

4  Overview (1 paragraph).

5  [Cybersecurity and privacy baseline] Requirements:

5.1  Requirements for IoT device policies and documentation

5.2  Requirements for IoT device capabilities and operations

Annex - Risk management guidance based on ISO 31000.

 

Status

The first edition was published in 2023.

Personal notes

The sheer scale, variety and rate of change in IoT makes developing information security and privacy standards challenging and yet important, arguably essential.

Rapid innovation and intense market pressures on manufacturers seem unlikely to lead to voluntary adoption of this standard without additional factors (which are beyond the scope of the standard and ISO) ... unless a sufficient proportion of industrial and general consumers start inquiring about the security and privacy controls for IoT, voting with their budgets and wallets.

The approach taken is to specify only a few fundamental information security and privacy controls in this ‘horizontal’ baseline standard (such as an information risk management process involving the identification, evaluation and treatment of information risks), with the intention of developing further standards specifying additional requirements for particular industry ‘verticals’, building on the generic baseline. It is anticipated that additional security controls will be required and defined in further standards for specific applications (e.g. for medical or vehicular things).

Noticeably absent from SC 27’s strategy (at present) are standards for implementing, using, managing, monitoring and administering IoT devices securely. The committee has initially focused on getting appropriate security and privacy controls specified. As the controls are gradually designed and integrated into things (hopefully!), advice on the associated operational aspects may yet follow.

< Previous standard      ^ Up a level ^      Next standard >