The IoT Security Recommendations, Guidelines and Codes referenced here, set and published by international standards bodies and government departments and agencies, are used by the scheme to establish the IoT Security Baseline Requirements (BRs). IoT Security Trust Mark™ Accredited Test Facilities (ATFs) apply the BRs as the minimum level that participating vendors' products are required to achieve, in conjunction with verifying the vendors' stated security claims.
This gives the scheme flexibility and keeps it current as good IoT security practice evolves over the years and as new IoT security principles, recommendations, guidelines, codes and standards are developed and released.
Baseline Security Recommendations for IoT
ISBN: 978-92-9204-236-3, doi: 10.2824/03228
ENISA identified and analysed existing IoT security practices, security guidelines, relevant industry standards and research initiatives in the area of IoT security for Critical Information Infrastructures (e.g. Industry 4.0, Machine-to-Machine (M2M) communications, IoT updatability). Having reviewed and thoroughly analysed existing work and ongoing activities, ENISA compared these practices and standards and developed baseline security measures to be adopted by relevant stakeholders.
Cyber Security for Consumer Internet of Things: Baseline Requirements
ETSI EN 303 645 V2.1.1 (2020-06)
The present document provides a set of baseline provisions applicable to all consumer IoT devices. It is intended to be complemented by other standards defining more specific provisions and fully testable and/or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes.
US Department of Commerce
Foundational Cybersecurity Activities for IoT Device Manufacturers
NISTIR 8259 (DOI)
This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.
Department for Digital, Culture, Media & Sport
Code of Practice for Consumer IoT Security
The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.
The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.
Department of Home Affairs
Code of Practice: Securing the Internet of Things for Consumers
The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step to lifting the cyber security of internet-connected devices domestically.
In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.