Brief Overview of ISO/IEC 27400: Comprehensive Standard on IoT Security and Privacy
ISO/IEC 27400 is a newly released comprehensive standard that provides guidelines on risks, principles, and controls for the security and privacy of Internet of Things (IoT) solutions. This standard also refers to other international standards that include ISO/IEC 20924, ISO/IEC 27000, ISO/IEC 29100, ISO 31000, etc. This blog gives you a brief overview of ISO/IEC 27400.
Identified Stakeholders
ISO/IEC 27400 standard identifies three stakeholders responsible for the security of IoT solutions as mentioned below:
- IoT Service Provider - Responsible for providing services that include the operation of the IoT ecosystem. They are responsible for connectivity, data collection, and managing deployed IoT devices/solutions.
- IoT Service Developer - Responsible for designing, implementing, and integrating IoT services. The developer is expected to follow standard practices to secure the IoT ecosystem.
- IoT User - The end user (including human and digital users) of the IoT ecosystem.
Recommended Standards referred in ISO/IEC 27400
| Standard | Description |
| ISO/IEC 27000 | Information Security Management System (ISMS) Widely used by the industry |
| ISO/IEC 27701 | extended requirements to ISMS for privacy information management |
| ISO/IEC 29134 | guidelines on privacy impact assessment |
| IEC 62443 | guidance in the domain of security of Industrial Automation and Control Systems (IACS) |
| ISO 31000 | guidelines on risk management |
| ISO/IEC 27005 | providing information security-specific guidelines for risk management |
Identified Controls in ISO/IEC 27400
ISO/IEC 27400 has 45 controls to secure the deployed IoT solutions. In addition, the standard clearly identifies the purpose of control, responsible stakeholders, domain, and guidance on how to implement the IoT solutions securely.
Notations
- IoT Service Developer - ISD
- IoT Service Provider - ISP
- IoT User - IU
- IoT Device Developer - IDD
| Controls related to | Responsible Stakeholders |
| IoT security policy | ISD/ISP |
| Responsibility for IoT security in an organization | ISD/ISP |
| Asset management | ISP |
| Equipment and assets located outside physically secured areas | ISP |
| Secure disposal or re-use of equipment | ISP |
| Learning from security incidents | ISD/ISP |
| Secure IoT system engineering principles | ISD |
| Secure development environment and procedures | ISD |
| Security of IoT systems in support of safety | ISD/ISP |
| Security in connecting varied IoT devices | ISD/ISP |
| Verification of IoT devices and systems design | ISD/ISP |
| Monitoring and logging | ISD/ISP |
| Protection of logs | ISD/ISP |
| Use of suitable networks for the IoT systems | ISD/ISP |
| Define the provision of software and firmware updates | ISD/ISP |
| User and device authentication | ISD/ISP |
| Safe disposal or re-use of IoT device | ISD/ISP |
| Sharing vulnerability information | ISD/ISP |
| Adapted security measures to the life cycle of IoT systems and services | ISD/ISP |
| Guidance for IoT users on the proper use of IoT devices and services | ISD/ISP |
| Determination of security roles for stakeholders | ISD/ISP |
| Management of vulnerable devices | ISP |
| Management of supplier relationships in IoT security | ISD/ISP |
| Secure disclosure of Information regarding the security of IoT devices | ISD |
| Contacts and support service | IU |
| Initial settings of IoT device and service | IU |
| Deactivation of unused devices | IU |
| Consideration of IoT Users | IU |
| Prevention of privacy-invasive events | ISD/ISP |
| IoT privacy by default | ISD/ISP |
| Provision of the privacy notice | ISP |
| Verification of IoT functionality | ISD/ISP |
| Privacy controls for IoT users | ISD/ISP |
| Management of IoT privacy controls | ISP |
| Unique device identity | ISD |
| Fail-safe authentication | ISD/ISP |
| Minimization of indirect data collection | ISP |
| Communication of privacy preferences | ISP |
| Verification of automated decision | ISP |
| Accountability for stakeholders | ISD/ISP |
| Unlinkability of PII | ISD/ISP |
| Sharing information on PII protection measures of IoT devices | ISD |
| Privacy controls for IoT user | IU |
| Purposeful use for connecting with other devices and services | IU/ISP/ISD |
| Certification/validation of PII protection | IU |
Summary
This standard has 45 controls for security and privacy applicable to IoT systems.
28 security controls for ISD, ISP, and IU that include a policy for IoT security, asset management, learning from security incidents, security of IoT systems in support of safety, logging and monitoring, authentication, updates, etc.
17 privacy controls are also available for ISD, ISP, and IU that include prevention of privacy-invasive documents, management of IoT privacy controls, PII-related, fail-safe authentication, etc.
References
ISO/IEC 27400
Subscribe us to receive more such articles updates in your email.
If you have any questions, feel free to ask in the comments section below. Nothing gives me greater joy than helping my readers!
Disclaimer: This tutorial is for educational purpose only. Individual is solely responsible for any illegal act.
