ISO/IEC 27404
ISO/IEC 27404:2025 — Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT
[first edition]
Abstract
ISO/IEC 27404 "defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products. It provides requirements and includes guidance on the following topics:
Risks and threats associated with consumer IoT products;
Stakeholders, roles and responsibilities;
Relevant standards and guidance documents;
Conformity assessment;
Labelling issuance and maintenance;
Mutual recognition.
[ISO/IEC 27404] is limited to consumer IoT products, such as: IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers; wearable devices; connected smoke detectors, door locks and window sensors; connected home automation and alarm systems; connected appliances, such as washing machines and fridges; smart home assistants; and connected children’s toys and baby monitors.
Products that are not intended for consumer use are excluded from this standard. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes.
[ISO/IEC 27404] is applicable to consumers, developers, issuing bodies of cybersecurity labels and conformity assessment bodies."
[Source: ISO/IEC 27404:2025]
Introduction
Although cybersecurity is seldom promoted as a feature of consumer-oriented IoT devices (things), it can be important. Inconsistent or unclear cybersecurity labelling does not help consumers understand their security and privacy objectives, nor evaluate and select things accordingly. Standardising the cybersecurity labelling of things is intended to improve consistency across the global market, increase consumer awareness and promote better cybersecurity designs.
Scope
The standard concerns consumer-grade (retail) things, as opposed to business, industrial, engineering, medical, scientific or military-specification things, whose cybersecurity requirements and features/capabilities are more likely to be specified in detail by the purchaser.
It covers cybersecurity and privacy but excludes safety aspects.
Structure
Main sections:
5: Overview of cybersecurity labelling for consumer IoT
6: International alignment through a cybersecurity labelling framework
7: Requirements and guidance for the components of the cybersecurity labelling framework for consumer IoT
8: Requirements and guidance for labelling issuance and maintenance for consumer IoT
Annex A: types and features of cybersecurity labels
Annex B: illustrative examples of multi-level labelling schemes
Annex C: illustrative examples of binary labelling schemes
Annex D: determination of equivalency among labelling schemes
Annex E: examples of cybersecurity baseline provisions
Annex F: examples of secure-by-design provisions
Annex G: examples of privacy assessment requirements
Status
The current first edition was published in 2025.
Commentary
Singapore standard TR 91:2021 Cybersecurity labelling for consumer IoT formed the original basis for this standard, with editorial changes to suit the more formal ISO/IEC style.
