ISO/IEC 27402 — Cybersecurity — IoT security and privacy — Device baseline requirements [Draft]
This project documents the basics of IoT security, enabling the controls in ISO/IEC 27030 for IoT devices.
The scope of the standard
The standard specifies a ‘baseline’ or platform for IoT [Internet of Things] devices that supports information security and privacy controls.
Here are some examples of baseline [information security] requirements:
– Unique device identifier.
– A ‘factory reset’ feature.
– A means for the user to delete all of their [personal] information.
– “Data protection” (access controls and integrity).
– Firmware and software patching/updating (I assume).
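The following is an added illustration, not text or code from the draft standard or from ISO/IEC: a toy device model in which each of the listed baseline requirements maps to one operation (a unique identifier, a factory reset that wipes personal data and invalidates the old credential, a user-initiated deletion of personal data, credential-gated access control, and an integrity check on a firmware image before it is applied). The class and method names, the use of a SHA-256 digest as the integrity check, and the sample data are all assumptions made for this example; the standard itself does not prescribe them.

```python
"""Toy model of the baseline IoT device requirements (added example, not from the standard)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Firmware:
    """A firmware image plus the digest shipped alongside it (hypothetical format)."""
    version: str
    blob: bytes
    sha256: str  # hex digest the device must verify before applying the image


def make_firmware(version: str, blob: bytes) -> Firmware:
    """Build a Firmware record whose digest matches its contents (constructed sample data)."""
    return Firmware(version, blob, hashlib.sha256(blob).hexdigest())


class BaselineDevice:
    """Minimal device exposing one operation per baseline requirement listed above."""

    FACTORY_DEFAULTS = {"wifi_ssid": None, "telemetry": "minimal"}

    def __init__(self, device_id: str, firmware: Firmware):
        self.device_id = device_id                 # unique device identifier
        self.firmware = firmware
        self.personal_data: dict[str, str] = {}    # user/owner data held on the device
        self.settings = dict(self.FACTORY_DEFAULTS)
        self.admin_token = secrets.token_hex(16)   # credential gating privileged operations

    def _authorize(self, token: str) -> None:
        # Access control: every privileged operation requires the current credential.
        if not secrets.compare_digest(token, self.admin_token):
            raise PermissionError("access control: credential rejected")

    def store_personal(self, token: str, key: str, value: str) -> None:
        self._authorize(token)
        self.personal_data[key] = value

    def delete_personal_data(self, token: str) -> int:
        """User-initiated deletion of all personal information; returns the number of records erased."""
        self._authorize(token)
        count = len(self.personal_data)
        self.personal_data.clear()
        return count

    def factory_reset(self, token: str) -> str:
        """Wipe personal data, restore default settings and issue a fresh credential.

        Returns the new credential; the old one no longer works."""
        self._authorize(token)
        self.personal_data.clear()
        self.settings = dict(self.FACTORY_DEFAULTS)
        self.admin_token = secrets.token_hex(16)
        return self.admin_token

    def update_firmware(self, token: str, candidate: Firmware) -> bool:
        """Apply a firmware image only if its contents match the shipped digest (integrity)."""
        self._authorize(token)
        if hashlib.sha256(candidate.blob).hexdigest() != candidate.sha256:
            return False  # integrity check failed: image is not applied
        self.firmware = candidate
        return True


if __name__ == "__main__":
    dev = BaselineDevice("dev-0001", make_firmware("1.0", b"constructed-image-v1"))
    tok = dev.admin_token
    dev.store_personal(tok, "owner_email", "owner@example.invalid")
    print("erased records:", dev.delete_personal_data(tok))
    tampered = Firmware("2.0", b"constructed-image-v2", "00" * 32)
    print("tampered image applied:", dev.update_firmware(tok, tampered))
    print("genuine image applied:", dev.update_firmware(tok, make_firmware("2.0", b"constructed-image-v2")))
    new_tok = dev.factory_reset(tok)
    print("old credential still valid:", new_tok == tok)
```

The point of modelling the reset as returning a fresh credential is that a factory reset on a device that keeps its old administrative secret leaves the previous owner (or anyone who learned the secret) with access after the device changes hands; the integrity check likewise shows that "data protection" applies to the firmware image itself, not only to stored user data.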
For specific applications (e.g. medical things), it is expected that additional security controls will be necessary and defined in future standards.
To be determined
At this point, the standard is in the Committee Draft stage.
A 2023 publication date has been set for it.
This standard will be quite challenging to write because of the sheer number of connectable devices and the wide variety of data they exchange. Moreover, the market pressures that manufacturers face make widespread voluntary adoption unlikely (achieving it will require additional factors not covered by this standard).
There are a few notes in some sections of the standard, but the remainder is just a placeholder awaiting input.