ISO/IEC 27400 — Cybersecurity — IoT security and privacy — Guidelines [Draft]
In this standard, there is guidance on IoT security and privacy principles, [informational] risks, and controls.
This standard will be tailored to IoT, providing guidance on both information security and privacy.
The purpose and rationale
IoT devices can connect to the Internet and interconnect with each other. Unlike more conventional IT systems (e.g. desktops, laptops, and servers), insecure things may compromise privacy and security. Therefore, appropriate privacy and security controls are required. As part of the standard, IoT systems/solutions will be provided with security and privacy guidance (whatever it means!). Additionally, the standard might address trustworthiness and might be aligned with other IoT standards.
This standard will address the following matters [information risk]:
– Broad scope and nature of impacts, potentially including property damage and safety concerns;
– Some things have a long life cycle, others are cheap and disposable, anticipating a short life cycle … but for how long are these things going to last? Version and change management (such as patching) are further issues for IoT;
– A lack of standardization creates challenges in monitoring and managing things, which may result in some going unmanaged;
– Questions concerning interoperability and interaction among things and devices;
– There are limits to the functionality and performance [capacity] of some things;
– Possible connections or uses not anticipated by the designer or manufacturer;
– The situation or context in which things are used may change over time due to the changing owners and users of things, just like in traditional IT.
Many IoT designers/manufacturers and users, both individuals and corporations, may not be aware of the information risks and the anticipated/necessary controls, so this standard (and this website!) is intended to raise awareness and increase maturity on both the supply and demand sides.
The standard’s status
Standard ISO/IEC 27400 was originally ISO/IEC 27030 during drafting, but it evolved into ISO/IEC 27400 as part of IoT security and privacy standards.
Currently, it is at the draft international standard stage and is due for publication in 2022.
The standard provides generic ‘risk sources’ and ‘risk scenarios’ relevant to IoT, actually a collection of examples for consideration. There are some concerns about the selection and the wording (vulnerabilities are not risks! Missing or weak controls are not risks!), indicating a limited understanding of the fundamental concepts. The IoT security controls presented elsewhere in the standard do not appear to be directly related to the risks they are presumably proposed to mitigate. Still, it is a positive step to discuss relevant [information] risks in ISO27k. Most ISO27k standards recommend information security controls straight away, without mentioning the risks to information. This standard offers a step beyond the “Just do this:” style, even though it is a small step, and serves as a prompt for users to identify, examine, and evaluate the information risks in their organizations.
It would be great if the [information] risk-aligned approach could be extended to all ISO27k standards at some point, but so far I haven’t seen any indication that management has a specific strategy in mind.