IoT Security Standards and Codes

Baseline IoT Security Requirements

To ensure global conformance and applicability, the established IoT Security Standards, Recommendations, Guidelines and Codes referenced below, which are published and maintained by international Standards Bodies and Government Departments and Agencies and revised from time to time, are adopted by the IoT Security Trust Mark™ (STM) scheme's technical Decision Authority (DA) to establish the STM IoT Security Baseline Requirements (BRs). The BRs are in turn used by scheme Accredited Test Facilities (ATFs) as the minimum level that participating vendors' products are required to achieve, in conjunction with verifying the vendors' stated security claims.

This approach delivers value, flexibility and adoption as good IoT Security practice evolves over the years, and keeps the scheme current as new IoT Security Principles, Recommendations, Guidelines, Codes and Standards are developed and released.

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI EN 303 645 V2.1.1 (2020-06)

The present document provides a set of baseline provisions applicable to all consumer IoT devices. It is intended to be complemented by other standards defining more specific provisions and fully testable and/or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes.

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Conformance Assessment of Baseline Requirements

ETSI TS 103 701 V1.1.1 (2021-08)

The present document specifies a conformance assessment methodology for consumer IoT devices, their relation to associated services and the corresponding relevant processes, against ETSI TS 103 645/ETSI EN 303 645. It addresses the mandatory and recommended provisions, as well as the conditions and complements, of ETSI TS 103 645/ETSI EN 303 645 by defining test cases and assessment criteria for each provision.

European Network and Information Security Agency

Baseline Security Recommendations for IoT

ISBN: 978-92-9204-236-3, doi: 10.2824/03228

ENISA identified and analysed existing IoT security practices, security guidelines, relevant industry standards and research initiatives in the area of IoT security for Critical Information Infrastructures (e.g. Industry 4.0, Machine-to-Machine (M2M) communications, IoT updatability). Having reviewed and thoroughly analysed existing work and ongoing activities, ENISA compared these practices and standards and developed baseline security measures to be adopted by relevant stakeholders.

National Institute of Standards and Technology

US Department of Commerce

Foundational Cybersecurity Activities for IoT Device Manufacturers

NISTIR 8259 (DOI)

This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.

National Institute of Standards and Technology

US Department of Commerce

IoT Device Cybersecurity Capability Core Baseline

NISTIR 8259A (DOI)

Device cybersecurity capabilities are cybersecurity features or functions that computing devices provide through their own technical means (i.e., device hardware and software). This publication defines an Internet of Things (IoT) device cybersecurity capability core baseline, which is a set of device capabilities generally needed to support common cybersecurity controls that protect an organization's devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the device cybersecurity capabilities for new IoT devices they will manufacture, integrate, or acquire. This publication can be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers.

National Institute of Standards and Technology

US Department of Commerce

IoT Non-Technical Supporting Capability Core Baseline

NISTIR 8259B (DOI)

Non-technical supporting capabilities are actions a manufacturer or third-party organization performs in support of the cybersecurity of an IoT device. This publication defines an Internet of Things (IoT) device manufacturers’ non-technical supporting capability core baseline, which is a set of non-technical supporting capabilities generally needed from manufacturers or other third parties to support common cybersecurity controls that protect an organization’s devices as well as device data, systems, and ecosystems. The purpose of this publication is to provide organizations a starting point to use in identifying the non-technical supporting capabilities needed in relation to IoT devices they will manufacture, integrate, or acquire. This publication is intended to be used in conjunction with NISTIR 8259, Foundational Cybersecurity Activities for IoT Device Manufacturers and NISTIR 8259A, IoT Device Cybersecurity Capability Core Baseline.

National Institute of Standards and Technology

US Department of Commerce

DRAFT Baseline Security Criteria for Consumer IoT Devices

August 31, 2021

Executive Order (EO) 14028, "Improving the Nation's Cybersecurity," tasks the National Institute of Standards and Technology (NIST), in coordination with the Federal Trade Commission (FTC) and other agencies, to initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet-of-Things (IoT) devices and software development practices. NIST is also to consider ways to incentivize manufacturers and developers to participate in these programs. This white paper proposes baseline security criteria for consumer IoT devices. This is one of three dimensions of a consumer Internet of Things (IoT) cybersecurity labeling program that would be responsive to Sections 4(s) and (t) of the EO. The other dimensions are criteria for conformity assessment and the label. In addition to the feedback sought on this white paper, NIST will also consult with stakeholders on those additional considerations.

National Institute of Standards and Technology

US Department of Commerce

Considerations for Managing IoT Cybersecurity and Privacy Risks 

NISTIR 8228

The Internet of Things (IoT) is a rapidly evolving and expanding collection of diverse technologies that interact with the physical world. Many organizations are not necessarily aware of the large number of IoT devices they are already using and how IoT devices may affect cybersecurity and privacy risks differently than conventional information technology (IT) devices do. The purpose of this publication is to help federal agencies and other organizations better understand and manage the cybersecurity and privacy risks associated with their individual IoT devices throughout the devices’ lifecycles. This publication is the introductory document providing the foundation for a planned series of publications on more specific aspects of this topic.

International Standards Organisation
International Electrotechnical Commission

Cybersecurity – IoT Security and Privacy – Guidelines

ISO/IEC DIS 27400

Information security is a major concern of any information and communication technology (ICT) system, and Internet of Things (IoT) systems are no exception. IoT systems present particular challenges for information security in that they are highly distributed and involve a large number of diverse entities. This implies that there is a very large attack surface and a significant challenge for the information security management system (ISMS) to apply and maintain appropriate security controls across the whole system.

Security and privacy controls in this standard are developed for stakeholders in an IoT system environment, so as to be utilized by each IoT stakeholder, throughout the IoT system life cycle.

This document provides guidelines on risks, principles and controls for security and privacy of Internet of Things (IoT) solutions.

International Standards Organisation
Society of Automotive Engineers

Road Vehicles – Cybersecurity Engineering

ISO/SAE 21434:2021

This document specifies engineering requirements for cybersecurity risk management regarding concept, product development, production, operation, maintenance and decommissioning of electrical and electronic (E/E) systems in road vehicles, including their components and interfaces.

A framework is defined that includes requirements for cybersecurity processes and a common language for communicating and managing cybersecurity risk.

This document is applicable to series production road vehicle E/E systems, including their components and interfaces, whose development or modification began after the publication of this document.

This document does not prescribe specific technology or solutions related to cybersecurity.

UK Government

Department for Digital, Culture, Media & Sport

Code of Practice for Consumer IoT Security

The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.

Australian Government

Department of Home Affairs

Code of Practice: Securing the Internet of Things for Consumers

The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate's Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step toward lifting the cyber security of internet-connected devices domestically.

In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.

Government of India

Department of Telecommunications

Code of Practice for Securing Consumer Internet of Things

TEC 31318:2021

As per the National Digital Communication Policy (NDCP) 2018 released by the Department of Telecommunications (DoT), an ecosystem is to be created for 5 billion connected devices by 2022. Therefore, it is expected that around 60% of those 5 billion, i.e. 3 billion connected devices, may exist in India by 2022.

In view of the anticipated growth of IoT devices, it is important to ensure that IoT end points comply with the safety and security standards and guidelines in order to protect the users and the networks that connect these IoT devices. IoT devices must undergo mandatory testing and certification prior to sale, import or use in India, in compliance with the MTCTE guidelines issued by the Department of Telecommunications (DoT), Government of India, under the Indian Telegraph (Amendment) Rules, 2017.

This document, the Code of Practice for Consumer IoT Security, provides baseline requirements as a basis for implementing the recommendations referred to above. Substantial input has been taken from ETSI TS 103 645 and ETSI EN 303 645. It is expected that ETSI TS 103 701 (Cybersecurity assessment for consumer IoT products) will help in implementing the provisions in these guidelines.