ISO/IEC 27403:2024
(Main)Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics
Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics
This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems.
Cybersécurité — Sécurité et protection de la vie privée pour l'IDO — Lignes directrices pour la domotique-IDO
General Information
Buy Standard
Standards Content (Sample)
International
Standard
ISO/IEC 27403
First edition
Cybersecurity – IoT security
2024-06
and privacy – Guidelines for IoT-
domotics
Cybersécurité — Sécurité et protection de la vie privée pour l'IDO
— Lignes directrices pour la domotique-IDO
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2024 – All rights reserved
ii
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview . 2
5.1 General .2
5.2 Features .2
5.3 Stakeholders .4
5.4 Life cycles .4
5.5 Reference model .5
5.6 Security and privacy dimensions .8
6 Guidelines for risk assessment . 8
6.1 General .8
6.2 Sources of security risks . . .9
6.2.1 Security risks for service sub-systems .9
6.2.2 Security risks for IoT-domotics gateway .10
6.2.3 Security risks for IoT-domotics devices and physical entities . . 12
6.2.4 Security risks for networks . 13
6.3 Sources of privacy risks . 13
6.3.1 Privacy risks for service sub-systems . 13
6.3.2 Privacy risks for IoT-domotics gateway .14
6.3.3 Privacy risks for IoT-domotics devices and physical entitles .16
6.3.4 Privacy risks for networks .16
7 Security and privacy controls . 17
7.1 Principles .17
7.1.1 General .17
7.1.2 Different levels of security for different services .17
7.1.3 Easy security settings for users .17
7.1.4 Failsafe domotics devices .17
7.1.5 Restricted access to content services .17
7.1.6 Consideration for children .17
7.1.7 Scenario-specific privacy preferences .17
7.2 Security controls .18
7.2.1 P olicy for IoT-domotics security .18
7.2.2 Organization of IoT-domotics security .18
7.2.3 Asset management .18
7.2.4 Equipment and assets located outside physical secured areas .18
7.2.5 Secure disposal or re-use of equipment .18
7.2.6 Learning from security incidents.19
7.2.7 Secure IoT-domotics system engineering principles .19
7.2.8 Secure development environment and procedures .19
7.2.9 Security of IoT-domotics systems in support of safety . 20
7.2.10 Security in connecting varied IoT-domotics devices . 20
7.2.11 Verification of IoT-domotics devices and systems design . 20
7.2.12 Monitoring and logging . 20
7.2.13 Protection of logs . 20
7.2.14 Use of suitable networks for the IoT-domotics systems . 20
7.2.15 Secure settings and configurations in delivery of IoT-domotics devices and
services . 20
7.2.16 User and device authentication .21
© ISO/IEC 2024 – All rights reserved
iii
7.2.17 Provision of software and firmware updates .21
7.2.18 Sharing vulnerability information .21
7.2.19 Security measures adapted to the life cycle of IoT-domotics system and services .21
7.2.20 Guidance for IoT-domotics users on the proper use of IoT-domotics devices and
services .21
7.2.21 Determination of security roles for stakeholders . 22
7.2.22 Management of vulnerable devices . 22
7.2.23 Management of supplier relationships in IoT-domotics security . 22
7.2.24 Secure disclosure of Information regarding security of IoT-domotics devices . 22
7.3 Privacy controls . . 22
7.3.1 Prevention of privacy invasive events . 22
7.3.2 IoT-domotics privacy by default . 22
7.3.3 Provision of privacy notice . 23
7.3.4 Verification of IoT-domotics functionality . . 23
7.3.5 Consideration of IoT-domotics users . 23
7.3.6 Management of IoT-domotics privacy controls . 23
7.3.7 Unique device identity .24
7.3.8 Fail-safe authentication .24
7.3.9 Minimization of indirect data collection .24
7.3.10 Communication of privacy preferences .24
7.3.11 Verification of automated decision .24
7.3.12 Accountability for stakeholders.24
7.3.13 Unlinkability of PII . .24
7.3.14 Sharing information on PII protection measures of IoT-domotics devices . 25
Annex A (informative) Use cases of IoT-domotics .26
Anne
...
FINAL DRAFT
International
Standard
ISO/IEC FDIS
ISO/IEC JTC 1/SC 27
Cybersecurity – IoT security
Secretariat: DIN
and privacy – Guidelines for IoT-
Voting begins on:
domotics
2024-03-26
Voting terminates on:
2024-05-21
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
Reference number
ISO/IEC FDIS 27403:2024(en) © ISO/IEC 2024
FINAL DRAFT
ISO/IEC FDIS 27403:2024(en)
International
Standard
ISO/IEC FDIS
ISO/IEC JTC 1/SC 27
Cybersecurity – IoT security
Secretariat: DIN
and privacy – Guidelines for IoT-
Voting begins on:
domotics
Voting terminates on:
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
© ISO/IEC 2024
IN ADDITION TO THEIR EVALUATION AS
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
or ISO’s member body in the country of the requester.
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ISO/IEC FDIS 27403:2024(en) © ISO/IEC 2024
© ISO/IEC 2024 – All rights reserved
ii
ISO/IEC FDIS 27403:2024(en)
Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview . 2
5.1 General .2
5.2 Features .2
5.3 Stakeholders .4
5.4 Life cycles .4
5.5 Reference model .5
5.6 Security and privacy dimensions .8
6 Guidelines for risk assessment . 8
6.1 General .8
6.2 Sources of security risks . . .9
6.2.1 Security risks for service sub-systems .9
6.2.2 Security risks for IoT-domotics gateway .10
6.2.3 Security risks for IoT-domotics devices and physical entities . . 12
6.2.4 Security risks for networks . 13
6.3 Sources of privacy risks . 13
6.3.1 Privacy risks for service sub-systems . 13
6.3.2 Privacy risks for IoT-domotics gateway .14
6.3.3 Privacy risks for IoT-domotics devices and physical entitles .16
6.3.4 Privacy risks for networks .16
7 Security and privacy controls . 17
7.1 Principles .17
7.1.1 General .17
7.1.2 Different levels of security for different services .17
7.1.3 Easy security settings for users .17
7.1.4 Failsafe domotics devices .17
7.1.5 Restricted access to content services .17
7.1.6 Consideration for children .17
7.1.7 Scenario-specific privacy preferences .17
7.2 Security controls .18
7.2.1 P olicy for IoT-domotics security .18
7.2.2 Organization of IoT-domotics security .18
7.2.3 Asset management .18
7.2.4 Equipment and assets located outside physical secured areas .18
7.2.5 Secure disposal or re-use of equipment .18
7.2.6 Learning from security incidents.19
7.2.7 Secure IoT-domotics system engineering principles .19
7.2.8 Secure development environment and procedures .19
7.2.9 Security of IoT-domotics systems in support of safety . 20
7.2.10 Security in connecting varied IoT-domotics devices . 20
7.2.11 Verification of IoT-domotics devices and systems design . 20
7.2.12 Monitoring and logging . 20
7.2.13 Protection of logs . 20
7.2.14 Use of suitable networks for the IoT-domotics systems . 20
7.2.15 Secure settings and configurations in delivery of IoT-domotics devices and
services . 20
7.2.16 User and device authentication .21
© ISO/IEC 2024 – All rights reserved
iii
ISO/IEC FDIS 27403:2024(en)
7.2.17 Provision of software and firmware updates .21
7.2.18 Sharing vulnerability information .21
7.2.19 Security measures adapted to the life cycle of IoT-domotics system and services .21
7.2.20 Guidance for IoT-domotics users on the proper use of IoT-domotics devices and
services .21
7.2.21 Determination of security roles for stakeholders . 22
7.2.22 Management of vulnerable devices . 22
7.2.23 Management of supplier relationships in IoT-domotics security . 22
7.2.24 Secure disclosure of Information regarding security of IoT-domotics devices . 22
7.3 Privacy controls . . 22
7.3.1 Prevention of privacy invasive events . 22
7.3.2 IoT-domotics privacy by default . 22
7.3.3 Provision of privacy notice . 23
7.3.4 Verification of IoT-domotics functionality . . 23
7.3.5 Consideration of IoT-domotics users . 23
7.3.6 Management of IoT-domotics privacy controls . 23
7.3.7 Unique device identity .24
7.3.8 Fail-safe authentication .
...
Style Definition
ISO/IEC DISFDIS 27403:2023(E) .
Formatted: zzCover large
ISO/IEC JTC 1/SC 27/WG 4
Formatted: Left: 1.5 cm, Right: 1.5 cm, Top: 1.4 cm,
Bottom: 1 cm, Width: 21 cm, Height: 29.7 cm, Header
Date: 2023-12-12
distance from edge: 1.27 cm, Footer distance from
edge: 1.27 cm
Secretariat: ILNAS DIN
Formatted
...
Date: 2024-03-12
Formatted: Cover Title_A1
Cybersecurity – IoT security and privacy – Guidelines for IoT-
domotics
FDIS stage
ISO/IEC DISFDIS 27403:2023(E2024(en)
Formatted: HeaderCentered
© ISO/IEC 20232024
Formatted: Default Paragraph Font
Formatted: Adjust space between Latin and Asian text,
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication
Adjust space between Asian text and numbers
may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying,
or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO
at the address below or ISO'sISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: + 41 22 749 01 11
Formatted: French (Switzerland)
Formatted: French (Switzerland)
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail: copyright@iso.org
Formatted: French (Switzerland)
Formatted: zzCopyright address, Adjust space between
Web www.iso.org
Latin and Asian text, Adjust space between Asian text
and numbers
Website: www.iso.org
Formatted: French (Switzerland)
Published in Switzerland.
Formatted: Adjust space between Latin and Asian text,
Adjust space between Asian text and numbers
Formatted: FooterPageRomanNumber
ii © ISO/IEC 2023 – All rights reserved
© ISO/IEC 2024 – All rights reserved
ii
ISO/IEC DISFDIS 27403:2023(E2024(en)
Formatted: HeaderCentered, Left
Formatted: FooterPageRomanNumber
© ISO/IEC 2023 – All rights reserved iii
© ISO/IEC 2024 – All rights reserved
iii
ISO/IEC DISFDIS 27403:2023(E2024(en)
Formatted: HeaderCentered
Contents Page
Foreword . x
Introduction . xi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 2
5 Overview . 2
5.1 General . 2
5.2 Features . 3
5.3 Stakeholders . 4
5.4 Life cycles . 5
5.5 Reference model . 7
5.6 Security and privacy dimensions . 10
6 Guidelines for risk assessment . 11
6.1 General . 11
6.2 Sources of security risks . 12
6.2.1 Security risks for service sub-systems . 12
6.2.2 Security risks for IoT-domotics gateway . 13
6.2.3 Security risks for IoT-domotics devices and physical entities . 15
6.2.4 Security risks for networks . 16
6.3 Sources of privacy risks . 17
6.3.1 Privacy risks for service sub-systems . 17
6.3.2 Privacy risks for IoT-domotics gateway . 18
6.3.3 Privacy risks for IoT-domotics devices and physical entitles . 19
6.3.4 Privacy risks for networks . 20
7 Security and privacy controls . 21
7.1 Principles . 21
7.1.1 General. 21
7.1.2 Different levels of security for different services . 21
7.1.3 Easy security settings for users . 21
7.1.4 Failsafe domotics devices . 21
7.1.5 Restricted access to content services . 21
7.1.6 Consideration for children . 21
7.1.7 Scenario-specific privacy preferences . 21
7.2 Security controls . 22
Formatted: FooterPageRomanNumber
iv © ISO/IEC 2023 – All rights reserved
© ISO/IEC 2024 – All rights reserved
iv
ISO/IEC DISFDIS 27403:2023(E2024(en)
Formatted: HeaderCentered, Left
7.2.1 Policy for IoT-domotics security . 22
7.2.2 Organization of IoT-domotics security . 22
7.2.3 Asset management . 22
7.2.4 Equipment and assets located outside physical secured areas . 22
7.2.5 Secure disposal or re-use of equipment . 23
7.2.6 Learning from security incidents . 23
7.2.7 Secure IoT-domotics system engineering principles . 23
7.2.8 Secure development environment and procedures . 23
7.2.9 Security of IoT-domotics systems in support of safety . 24
7.2.10 Security in connecting varied IoT-domotics devices . 24
7.2.11 Verification of IoT-domotics devices and systems design . 24
7.2.12 Monitoring and logging . 24
7.2.13 Protection of logs . 25
7.2.14 Use of suitable networks for the IoT-domotics systems . 25
7.2.15 Secure settings and configurations in delivery of IoT-domotics devices and services . 25
7.2.16 User and device authentication . 25
7.2.17 Provision of software and firmware updates . 25
7.2.18 Sharing vulnerability information . 26
7.2.19 Security measures adapted to the life cycle of IoT-domotics system and services . 26
7.2.20 Guidance for IoT-domotics users on the proper use of IoT-domotics devices and services . 26
7.2.21 Determination of security roles for stakeholders. 26
7.2.22 Management of vulnerable devices . 27
7.2.23 Management of supplier relationships in IoT-domotics security . 27
7.2.24 Secure disclosure of Information regarding security of IoT-domotics devices . 27
7.3 Privacy controls . 27
7.3.1 Prevention of privacy invasive events. 27
7.3.2 IoT-domotics privacy by default . 27
7.3.3 Provision of privacy notice . 27
7.3.4 Verification of IoT-domotics functionality . 28
7.3.5 Consideration of IoT-domotics users . 28
7.3.6 Management of IoT-domotics privacy controls . 28
7.3.7 Unique device identity . 28
7.3.8 Fail-safe authentication . 29
7.3.9 Minimization of indirect data collection . 29
7.3.10 Communication of privacy preferences . 29
7.3.11 Verification of automated decision . 29
7.3.12 Accountability for stakeholders .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.