IoT Security Recommendations, Guidelines and Codes

Baseline IoT Security Requirements

The established IoT Security Recommendations, Guidelines and Codes referenced, which are set and published by international Standards Bodies and Government Departments and Agencies, are used by the scheme to establish the IoT Security Baseline Requirements (BRs) that are utilised by IoT Security Trust Mark Accredited Test Facilities (ATFs) as a minimum level that participating vendors products are required to achieve, in conjunction with verifying their stated security claims.

This enables flexibility and adoption as good IoT Security practice evolves over the years, ensuring currency of the scheme as new IoT Security Principles, Recommendations, Guidelines, Codes and Standards are developed and released.

European Network and Information Security Agency

Baseline Security Recommendations for IoT

ISBN: 978-92-9204-236-3, doi: 10.2824/03228 

ENISA identified and analysed existing IoT security practices, security guidelines, relevant industry standards and research initiatives in the area of IoT security for Critical Information Infrastructures (e.g. Industry 4.0, Machine-to-Machine (M2M) communications, IoT updatability). Having reviewed and thoroughly analysed existing work and ongoing activities, ENISA compared these practices and standards and developed baseline security measures to be adopted by relevant stakeholders. 

European Telecommunications Standards Institute

Cyber Security for Consumer Internet of Things: Baseline Requirements

ETSI EN 303 645 V2.1.1 (2020-06)

The present document provides a set of baseline provisions applicable to all consumer IoT devices. It is intended to be complemented by other standards defining more specific provisions and fully testable and/or verifiable requirements for specific devices which, together with the present document, will facilitate the development of assurance schemes.

National Institute of Standards and Technology

US Department of Commerce

Foundational Cybersecurity Activities
for IoT Device Manufacturers


This publication describes six recommended foundational cybersecurity activities that manufacturers should consider performing to improve the securability of the new IoT devices they make. Performing all six activities can help manufacturers provide IoT devices that better support the cybersecurity-related efforts needed by IoT device customers, which in turn can reduce the prevalence and severity of IoT device compromises and the attacks performed using compromised IoT devices. These activities are intended to fit within a manufacturer’s existing development process and may already be achieved in whole or part by that existing process.

UK Government

Department for Digital, Culture, Media & Sport

Code of Practice for Consumer IoT Security

The aim of this Code of Practice is to support all parties involved in the development, manufacturing and retail of consumer IoT with a set of guidelines to ensure that products are secure by design and to make it easier for people to stay secure in a digital world.

The Code of Practice brings together, in thirteen outcome-focused guidelines, what is widely considered good practice in IoT security. It has been developed by the Department for Digital, Culture, Media and Sport (DCMS), in conjunction with the National Cyber Security Centre (NCSC), and follows engagement with industry, consumer associations and academia.

Australian Government

Department of Home Affairs

Code of Practice
Securing the Internet of Things for Consumers

The Code of Practice was developed by the Department of Home Affairs, in partnership with the Australian Signals Directorate’s Australian Cyber Security Centre, and follows nation-wide engagement with industry and the Australian public. The Code of Practice was recognised as a necessary step to lifting the cyber security of internet-connected devices domestically.

In acknowledgement of the global nature of this issue, the Code of Practice aligns with and builds upon guidance provided by the United Kingdom and is consistent with other international standards. The principles will help inform domestic and international manufacturers about the security features expected of devices available in Australia.