ISO/IEC 27403 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics [DRAFT]

Setting the standard for information security and privacy of IoT things intended for home use is quite a challenge given the variety of things, home circumstances, security and privacy issues and controls.

Scope of the standard

“Domotics” is what was originally known as home automation a.k.a. “smart homes”, where domicile or home is described as “The private, hence highly customizable area where someone lives, alone or with guests or cohabitants” that “includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment or gaming.”

This standard is aimed at the designers, manufacturers and security/privacy assessors of IoT domotics, rather than the consumers/retail customers.

Content of the standard

April update: the standard is at 5th Working Draft stage.

It is due to be published in 2023.


Personal notes

“IoT” has become a common abbreviation in the IT field but “domotics” is novel.

Rather than simply recommending a bunch of controls, the standard will describe typical information [security] risks relating to domotics, and recommend information security controls to mitigate them, making this a risk-based ISO27k standard. Hoorah!

The main advantage of this approach for users of the standard is that the risks provide the rationale, context or basis for the controls. Helping users to identify and consider the information [security] risks gives them a better appreciation of what the information security controls are required to achieve. Both the risks and the controls in the standard are examples to stimulate users into considering the risks and control requirements in their own contexts.

Particular challenges in the home environment include:

  1. Limited information security awareness and competence by most people.
  2. Ad hoc assemblages of networked IT systems - including things worn/carried about the person (residents and visitors) and work things, not just things installed about the home.
  3. Things are not [always] designed for security or privacy since other requirements (such as low price and ease of use) generally take precedence.
  4. Lack of systems and processes for managing security and privacy at home. If anything, they tend to be ad hoc/informal and reactive rather than systematic and proactive.
  5. Informality in general: the home is an unstructured and dynamic environment.


Copyright © 2021 IsecT Ltd.