Brief Overview of ISO/IEC 27400: Comprehensive Standard on IoT Security and Privacy

ISO/IEC 27400 is a newly released standard that provides guidelines on the risks, principles, and controls for the security and privacy of Internet of Things (IoT) solutions. It also refers to other international standards, including ISO/IEC 20924, ISO/IEC 27000, ISO/IEC 29100, and ISO 31000. This post gives a brief overview of ISO/IEC 27400.

Identified Stakeholders

The ISO/IEC 27400 standard identifies three stakeholders responsible for the security of IoT solutions:

  • IoT Service Provider - Responsible for providing services that include the operation of the IoT ecosystem. They are responsible for connectivity, data collection, and managing deployed IoT devices/solutions.
  • IoT Service Developer - Responsible for designing, implementing, and integrating IoT services. The developer is expected to follow standard practices to secure the IoT ecosystem.
  • IoT User - The end user (including human and digital users) of the IoT ecosystem.

Related standards referenced in ISO/IEC 27400:

Standard        Description
--------        -----------
ISO/IEC 27000   Information Security Management System (ISMS); widely used by the industry
ISO/IEC 27701   Extended requirements to ISMS for privacy information management
ISO/IEC 29134   Guidelines on privacy impact assessment
IEC 62443       Guidance in the domain of security of Industrial Automation and Control Systems (IACS)
ISO 31000       Guidelines on risk management
ISO/IEC 27005   Information security-specific guidelines for risk management

Identified Controls in ISO/IEC 27400

ISO/IEC 27400 defines 45 controls for securing deployed IoT solutions. For each control, the standard states its purpose, the responsible stakeholders, its domain, and guidance on how to implement it securely.

Notations

  • IoT Service Developer - ISD
  • IoT Service Provider - ISP
  • IoT User - IU
  • IoT Device Developer - IDD

Responsible   Control related to
-----------   ------------------
ISD/ISP       IoT security policy
ISD/ISP       Responsibility for IoT security in an organization
ISP           Asset management
ISP           Equipment and assets located outside physically secured areas
ISP           Secure disposal or re-use of equipment
ISD/ISP       Learning from security incidents
ISD           Secure IoT system engineering principles
ISD           Secure development environment and procedures
ISD/ISP       Security of IoT systems in support of safety
ISD/ISP       Security in connecting varied IoT devices
ISD/ISP       Verification of IoT devices and systems design
ISD/ISP       Monitoring and logging
ISD/ISP       Protection of logs
ISD/ISP       Use of suitable networks for the IoT systems
ISD/ISP       Define the provision of software and firmware updates
ISD/ISP       User and device authentication
ISD/ISP       Safe disposal or re-use of IoT device
ISD/ISP       Sharing vulnerability information
ISD/ISP       Adapted security measures to the life cycle of IoT systems and services
ISD/ISP       Guidance for IoT users on the proper use of IoT devices and services
ISD/ISP       Determination of security roles for stakeholders
ISP           Management of vulnerable devices
ISD/ISP       Management of supplier relationships in IoT security
ISD           Secure disclosure of information regarding the security of IoT devices
IU            Contacts and support service
IU            Initial settings of IoT device and service
IU            Deactivation of unused devices
IU            Consideration of IoT Users
ISD/ISP       Prevention of privacy-invasive events
ISD/ISP       IoT privacy by default
ISP           Provision of the privacy notice
ISD/ISP       Verification of IoT functionality
ISD/ISP       Privacy controls for IoT users
ISP           Management of IoT privacy controls
ISD           Unique device identity
ISD/ISP       Fail-safe authentication
ISP           Minimization of indirect data collection
ISP           Communication of privacy preferences
ISP           Verification of automated decision
ISD/ISP       Accountability for stakeholders
ISD/ISP       Unlinkability of PII
ISD           Sharing information on PII protection measures of IoT devices
IU            Privacy controls for IoT user
IU/ISP/ISD    Purposeful use for connecting with other devices and services
IU            Certification/validation of PII protection

Summary

ISO/IEC 27400 defines 45 security and privacy controls applicable to IoT systems:

  • 28 security controls, assigned to ISD, ISP, and IU, covering an IoT security policy, asset management, learning from security incidents, security of IoT systems in support of safety, logging and monitoring, authentication, software and firmware updates, and more.
  • 17 privacy controls, also assigned to ISD, ISP, and IU, covering prevention of privacy-invasive events, management of IoT privacy controls, PII-related controls, fail-safe authentication, and more.

References

ISO/IEC 27400
