ISO/IEC 30147:2021

ISO/IEC 30147
Edition 1.0 2021-05
INTERNATIONAL
STANDARD
Internet of things (IoT) – Integration of IoT trustworthiness activities in
ISO/IEC/IEEE 15288 system engineering processes

All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form
or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from
either IEC or IEC's member National Committee in the country of the requester. If you have any questions about
ISO/IEC copyright or have an enquiry about obtaining additional rights to this publication, please contact the address
below or your local IEC member National Committee for further information.

IEC Central Office Tel.: +41 22 919 02 11
3, rue de Varembé info@iec.ch
CH-1211 Geneva 20 www.iec.ch
Switzerland
About the IEC
The International Electrotechnical Commission (IEC) is the leading global organization that prepares and publishes
International Standards for all electrical, electronic and related technologies.

About IEC publications
The technical content of IEC publications is kept under constant review by the IEC. Please make sure that you have the
latest edition, a corrigendum or an amendment might have been published.

IEC publications search - webstore.iec.ch/advsearchform IEC online collection - oc.iec.ch
The advanced search enables to find IEC publications by a Discover our powerful search engine and read freely all the
variety of criteria (reference number, text, technical publications previews. With a subscription you will always
committee, …). It also gives information on projects, replaced have access to up to date content tailored to your needs.
and withdrawn publications.
Electropedia - www.electropedia.org
IEC Just Published - webstore.iec.ch/justpublished
The world's leading online dictionary on electrotechnology,
Stay up to date on all new IEC publications. Just Published
containing more than 22 000 terminological entries in English
details all new publications released. Available online and
and French, with equivalent terms in 18 additional languages.
once a month by email.
Also known as the International Electrotechnical Vocabulary

(IEV) online.
IEC Customer Service Centre - webstore.iec.ch/csc

If you wish to give us your feedback on this publication or
need further assistance, please contact the Customer Service
Centre: sales@iec.ch.
ISO/IEC 30147
Edition 1.0 2021-05
INTERNATIONAL
STANDARD
Internet of things (IoT) – Integration of IoT trustworthiness activities in

ISO/IEC/IEEE 15288 system engineering processes

INTERNATIONAL
ELECTROTECHNICAL
COMMISSION
ICS 35.020; 35.030 ISBN 978-2-8322-9808-4

– 2 – ISO/IEC 30147:2021 © ISO/IEC 2021
CONTENTS
FOREWORD . 4
INTRODUCTION . 5
1 Scope . 6
2 Normative references . 6
3 Terms and definitions . 6
4 Abbreviated terms . 9
5 IoT systems/services and IoT trustworthiness . 9
5.1 Characteristics specific to IoT systems and services . 9
5.2 IoT trustworthiness . 11
6 Processes for realizing IoT trustworthiness . 12
6.1 General . 12
6.2 Agreement processes . 12
6.2.1 Acquisition process . 12
6.2.2 Supply process . 13
6.3 Organizational project-enabling processes . 13
6.3.1 Life cycle model management process . 13
6.3.2 Infrastructure management process . 13
6.3.3 Portfolio management process . 13
6.3.4 Human resource management process . 13
6.3.5 Quality management process . 13
6.3.6 Knowledge management process . 14
6.4 Technical management processes . 14
6.4.1 Project planning process . 14
6.4.2 Project assessment and control process . 14
6.4.3 Decision management process . 15
6.4.4 Risk management process . 15
6.4.5 Configuration management process . 16
6.4.6 Information management process . 16
6.4.7 Measurement process . 16
6.4.8 Quality assurance process . 17
6.5 Technical processes . 17
6.5.1 Business or mission analysis process . 17
6.5.2 Stakeholder needs and requirements definition process . 17
6.5.3 System requirements definition process . 18
6.5.4 Architecture definition process . 19
6.5.5 Design definition process . 19
6.5.6 System analysis process . 20
6.5.7 Implementation process . 20
6.5.8 Integration process . 20
6.5.9 Verification process . 21
6.5.10 Transition process . 22
6.5.11 Validation process . 22
6.5.12 Operation process . 23
6.5.13 Maintenance process . 24
6.5.14 Disposal process . 24

Annex A (informative) Examples of risks specific to IoT systems . 25
A.1 General . 25
A.2 Example 1: Security risk . 25
A.3 Example 2: Reliability risk . 25
A.4 Example 3: Safety risk . 25
A.5 Example 4: Privacy risk . 26
A.6 Example 5: Resilience risk . 26
A.7 Example 6: Risk arising from interconnected IoT trustworthiness factors . 26
Annex B (informative) Overview of process and its application . 27
B.1 Overview of approach toward process for IoT trustworthiness . 27
B.2 Application of process to enhance IoT trustworthiness . 29
Bibliography . 30

Figure 1 – An IoT system, a system of systems . 10

Table B.1 – Relations between typical characteristics of IoT systems and process
bases . 29

– 4 – ISO/IEC 30147:2021 © ISO/IEC 2021
INTERNET OF THINGS (IoT) –
INTEGRATION OF IoT TRUSTWORTHINESS ACTIVITIES
IN ISO/IEC/IEEE 15288 SYSTEM ENGINEERING PROCESSES

FOREWORD
1) ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission)
form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC
participate in the development of International Standards through technical committees established by the
respective organization to deal with particular fields of technical activity. ISO and IEC technical committees
collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental,
in liaison with ISO and IEC, also take part in the work.
2) The formal decisions or agreements of IEC and ISO on technical matters express, as nearly as possible, an
international consensus of opinion on the relevant subjects since each technical committee has representation
from all interested IEC and ISO National bodies.
3) IEC and ISO documents have the form of recommendations for international use and are accepted by IEC and
ISO National bodies in that sense. While all reasonable efforts are made to ensure that the technical content of
IEC and ISO documents is accurate, IEC and ISO cannot be held responsible for the way in which they are
used or for any misinterpretation by any end user.
4) In order to promote international uniformity, IEC and ISO National bodies undertake to apply IEC and
ISO documents transparently to the maximum extent possible in their national and regional publications. Any
divergence between any IEC and ISO document and the corresponding national or regional publication shall be
clearly indicated in the latter.
5) IEC and ISO do not provide any attestation of conformity. Independent certification bodies provide conformity
assessment services and, in some areas, access to IEC and ISO marks of conformity. IEC and ISO are not
responsible for any services carried out by independent certification bodies.
6) All users should ensure that they have the latest edition of this document.
7) No liability shall attach to IEC and ISO or their directors, employees, servants or agents including individual
experts and members of its technical committees and IEC and ISO National bodies for any personal injury,
property damage or other damage of any nature whatsoever, whether direct or indirect, or for costs (including
legal fees) and expenses arising out of the publication, use of, or reliance upon, this ISO/IEC document or any
other IEC and ISO documents.
8) Attention is drawn to the Normative references cited in this document. Use of the referenced publications is
indispensable for the correct application of this document.
9) Attention is drawn to the possibility that some of the elements of this ISO/IEC document may be the subject of
patent rights. IEC and ISO shall not be held responsible for identifying any or all such patent rights.
ISO/IEC 30147 has been prepared by subcommittee 41: Internet of Things and related
technologies, of ISO/IEC joint technical committee 1: Information technology. It is an
International Standard.
The text of this International Standard is based on the following documents:
FDIS Report on voting
JTC1-SC41/210/FDIS JTC1-SC41/221/RVD

Full information on the voting for its approval can be found in the report on voting indicated in
the above table.
The language used for the development of this International Standard is English.
This document was drafted in accordance with ISO/IEC Directives, Part 2, and
developed in accordance with ISO/IEC Directives, Part 1, available at
www.iec.ch/members_experts/refdocs and www.iso.org/directives.

INTRODUCTION
In the Internet of Things (IoT), all IoT devices are mutually connected to each other and this is
expected to bring new advantages to daily life. On the other hand, traditional system
management devices (thermostats, lighting systems, traffic lights, etc.) which were not
previously connected to the Internet are now being connected without regard to the level of
IoT trustworthiness required by the system-of-interest. Many of these devices are being
connected without the benefit of security controls and processes in place for servers, PCs,
and smartphones. Flaws or failures in these devices caused by lack of IoT trustworthiness can
have a deep impact on the users and system operation. This implies that there are conditions
and characteristics specific to IoT systems and services which are different from those of
other existing IT systems and services. Examples are as follows.
– The extent and the degree of impacts of threats are very wide and big.
– The life time of IoT systems and services, especially in operation and maintenance, is
sometimes very long.
– It can be very difficult to monitor and manage some types of IoT devices.
– It can be difficult for communication entities including IoT devices to sufficiently know the
environments of each other.
– The functions and performances of some IoT devices might be restricted technologically.
– In IoT systems and services, connections between entities can be made which the
developers of the entities did not anticipate.
The purpose of this document is to provide guidance to realize IoT trustworthiness. This is
because existing documents are targeted to each application area and do not necessarily
cover all the challenges faced by the IoT system and service according to the above
conditions and characteristics specific to IoT systems and services. This document provides
system life cycle processes to realize IoT trustworthiness by applying and supplementing
ISO/IEC/IEEE 15288:2015.
– 6 – ISO/IEC 30147:2021 © ISO/IEC 2021
INTERNET OF THINGS (IoT) –
INTEGRATION OF IoT TRUSTWORTHINESS ACTIVITIES
IN ISO/IEC/IEEE 15288 SYSTEM ENGINEERING PROCESSES

1 Scope
This document provides system life cycle processes to implement and maintain
trustworthiness in an IoT system or service by applying and supplementing
ISO/IEC/IEEE 15288:2015. The system life cycle processes are applicable to IoT systems and
services common to a wide range of application areas.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their
content constitutes requirements of this document. For dated references, only the edition
cited applies. For undated references, the latest edition of the referenced document (including
any amendments) applies.
IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic
safety-related systems
ISO/IEC Guide 51:2014, Safety aspects – Guidelines for their inclusion in standards
ISO/IEC 27005:2018, Information technology – Security techniques – Information security risk
management
ISO/IEC 27031:2011, Information technology – Security techniques – Guidelines for
information and communication technology readiness for business continuity
ISO/IEC 29134:2017, Information technology – Security techniques – Guidelines for privacy
impact assessment
ISO/IEC/IEEE 15288:2015, Systems and software engineering – System life cycle processes
ISO 31000, Risk management – Guidelines
3 Terms and definitions
For the purposes of this document, the terms and definitions given in
ISO/IEC/IEEE 15288:2015, and the following apply.
NOTE The following terms are defined in ISO/IEC/IEEE 15288:2015:
acquirer, acquisition, activity, agreement, architecture, architecture viewpoint, asset, baseline, concept of operation,
concern, customer, design (verb), design (noun), enabling system, environment, incident, information item,
interface, life cycle, life cycle model, operational concept, operator, organization, party, problem, process, product,
project, quality assurance, quality characteristic, quality management, requirement, resource, risk, stage,
stakeholder, supplier, system, system element, system-of-interest, task, user, validation, verification.

ISO and IEC maintain terminological databases for use in standardization at the following
addresses:
• IEC Electropedia: available at http://www.electropedia.org/
• ISO Online browsing platform: available at http://www.iso.org/obp
3.1
asset
entity (3.6) that has value and is either owned by or under the custody of an individual, an
organization, a government, or other groups
[SOURCE: ISO/IEC 20924:2021[1], 3.1.4]
3.2
availability
property of being accessible and usable on demand by an authorized entity (3.6)
Note 1 to entry: IoT systems can include both human users and service components as "authorized entities".
[SOURCE: ISO/IEC 27000:2018[2], 3.7]
3.3
characteristic
abstraction of a property of an entity (3.6) or of a set of entities
[SOURCE: ISO 18104:2014[3], 3.1.4]
3.4
component
modular, deployable, and replaceable part of a system that encapsulates implementation and
exposes a set of interfaces
[SOURCE: ISO 14813-5:2010[4], B.1.31]
3.5
confidentiality
property that information is not made available or disclosed to unauthorized individuals,
entities (3.6), or processes
[SOURCE: ISO/IEC 27000:2018[2], 3.10]
3.6
entity
thing (physical or non-physical) having a distinct existence
[SOURCE: ISO/IEC 15459-3:2014[5], 3.1, modified – In the definition, "anything" has been
replaced by "thing".]
3.7
integrity
property of accuracy and completeness
[SOURCE: ISO/IEC 27000:2018[2], 3.36]

– 8 – ISO/IEC 30147:2021 © ISO/IEC 2021
3.8
Internet of Things
IoT
infrastructure of interconnected entities (3.6), people, systems and information resources
together with services which processes and reacts to information from the physical world and
virtual world
[SOURCE: ISO/IEC 20924:2021[1], 3.2.4]
3.9
IoT device
entity (3.6) of an IoT system that interacts and communicates with the physical world through
sensing or actuating
[SOURCE: ISO/IEC 20924:2021[1], 3.2.6]
3.10
IoT system
system providing functionalities of IoT
Note 1 to entry: An IoT system can include, but not be limited to, IoT devices, IoT gateways, sensors, and
actuators.
[SOURCE: ISO/IEC 20924:2021[1], 3.2.9]
3.11
IoT trustworthiness
trustworthiness of an IoT system with characteristics including security, privacy, safety,
reliability and resilience
Note 1 to entry: The term "trustworthiness" is defined at 3.1.34 in ISO/IEC 20924:2021 as the ability to meet
stakeholder expectations in a demonstrable, verifiable and measurable way
Note 2 to entry: The relative importance of characteristics of IoT trustworthiness, including security, privacy,
safety, reliability and resilience, depends on the nature and the context of the IoT system or service.
[SOURCE: ISO/IEC 20924:2021[1], 3.2.10, modified – Note 1 to entry and Note 2 to entry
have been added.]
3.12
network
infrastructure that connects a set of endpoints, enabling communication of data between the
digital entities (3.6) reachable through them
[SOURCE: ISO/IEC 20924:2021[1], 3.1.26]
3.13
reliability
ability of an item to perform as required, without failure, for a given time interval, under given
conditions
Note 1 to entry: The time interval duration may be expressed in units appropriate to the item concerned, e.g.
calendar time, operating cycles, distance run, etc., and the units should always be clearly stated.
Note 2 to entry: Given conditions include aspects that affect reliability, such as: mode of operation, stress levels,
environmental conditions, and maintenance.
[SOURCE: IEC 60050-192:2015, 192-01-24]

3.14
resilience
tolerance of a system to malfunctions or capacity to recover functionality after stress
[SOURCE: ISO 18457:2016[6], 3.9]
3.15
security
protection against intentional subversion or forced failure, achieved by a composite of five
attributes – confidentiality, integrity, availability, non-repudiation, and accountability – plus
aspects of a sixth, usability, all of which have the related issue of their assurance
[SOURCE: ISO/IEC/IEEE 15288:2015, 4.1.41, modified – In the definition, the attribute "non-
repudiation" has been added.]
3.16
service
distinct functionality that is provided by an entity (3.6) through interfaces
[SOURCE: ISO/IEC 20924:2021[1], 3.1.30]
4 Abbreviated terms
ATM automated teller machine
ICT information and communication technology
IIoT industrial IoT
OS operating system
OT operational technology
PC personal computer
SoS system of systems
5 IoT systems/services and IoT trustworthiness
5.1 Characteristics specific to IoT systems and services
An IoT service is a service provided by an IoT system which may be a system of systems
(SoS), characterized as operationally and managerially independent of constituent systems
(see 4.1 in ISO/IEC/IEEE 21839:2019[7] , see also Figure 1). Note that there may be a case
where no one is responsible for an IoT system which is an SoS. In such a case, it is a
distinguishing feature of an IoT system that cooperation with other organizations, which
operate and manage constituent systems of the IoT system, is necessary to achieve IoT
trustworthiness. IoT trustworthiness is considered to be achieved if all the requirements of IoT
trustworthiness are satisfied because IoT trustworthiness depends on each system. For
details of IoT systems, a lot of examples are provided in ISO/IEC TR 22417:2017[8].
This document is targeted at users who are responsible for implementation and maintenance
of IoT trustworthiness. When there is no entity responsible for the whole IoT system or service,
this document applies to each constituent system or service for which there is an entity
responsible regardless of whether it consists of multiple subsystems, part(s) of which may be
operated and managed by another entity or entities.
_____________
Numbers in square brackets refer to the Bibliography.

– 10 – ISO/IEC 30147:2021 © ISO/IEC 2021
Activities and tasks in each process to realize IoT trustworthiness are included in those for the
IoT system by which the IoT service is provided. Descriptions of activities and tasks are
represented by those for an IoT system, unless otherwise specified. When applied to an IoT
service, choose activities and tasks that are applicable.

Figure 1 – An IoT system, a system of systems
A Thing in an IoT system might be the following status or might have the following issues.
1) Compromised Thing
An intruder could have taken control of the Thing-of-interest and provided data, command
and controls with the intent of disrupting the entire IoT setup resulting in the loss of trust
of the Thing. This results in hacking of flights or automobiles, for example.
2) Incorrectly configured Thing
Because of some fault in command and control, the configuration of the Thing-of-interest
could have exhibited a state that is neither expected nor detected, resulting in loss of IoT
trustworthiness of the Thing. An example of this issue is CO and SO sensors incorrectly
configured in a gas turbine.
3) Damaged Thing
Because of some operational conditions, the Thing-of-interest could have become
damaged, resulting in a situation or state that the Thing-of-interest is not trustworthy. This
can cause a disaster if it is an altitude, speed, or flap sensor in an airplane.
4) Incorrect interactions because of poor interfaces
The interfaces between the Thing-of-interest and other Things could have lost the
compatibility because of various factors (upgrades, incorrect patches, wrong configuration
and so on), resulting in the Thing-of-interest ceasing to be trustworthy. For example,
patches not or incorrectly installed in medical devices can cause a serious healthcare
problem.
5) Incompatibility because of incorrect configuration
The Thing-of-interest could be configured incorrectly (for example, units of measurement,
size of data exchange, nature of data, and so on), resulting in a situation that the
information received from the Thing-of-interest is not useful, which results in the Thing-of-
interest ceasing to be trustworthy. An example is incorrect baud rate used for configuring
the IoT devices.
6) Failure to respond
The Thing-of-interest may fail to respond in certain situations to other Things because of a
variety of factors (not a known request, not configured to respond, and so on), resulting in
the Thing-of-interest ceasing to be trustworthy from the point of view of the other Things.
The Air France 447 case is considered an example of this.
7) Failure to recognize
The Thing-of-interest may generate a response which is not recognized as a meaningful
interaction because of the incorrect configuration of other Things, resulting in the Thing-of-
interest and the other Things losing mutual trust. For example, altimeter failure results in
discrepancy between the displayed altitudes.
As Things in an IoT system are such as those in the above, IoT systems have specific
conditions and characteristics which are very different from other existing IT systems, such as
the following.
a) The extent and the degree of impacts of threats become very wide and big. The impacts
may include damages to the lives and properties of individuals, leaking of confidential
information of individuals.
b) The life time of IoT systems, especially in operation and maintenance, is sometimes very
long. For example, the lifespan of an IIoT system is more than ten years in general.
c) There are cases where it is very difficult to monitor and manage IoT devices. Unmanaged
IoT devices may connect to IoT systems. Users may not be aware of problems if they
occur. For example, an IoT system suffers from security issues by not being updated or in
relation with firmware issues.
d) It can be difficult for communication entities including IoT devices to sufficiently
understand the environments of each other.
e) The functions and performances of IoT devices are restricted.
f) There are possibilities of connections in IoT systems which the developers did not expect.
After an IoT device is connected to the Internet, the IoT system to which the IoT device
provides data may change. The data owners and users of the IoT system may also change
as time passes.
Because of the above conditions and characteristics, IoT system can have risks shown in
Annex A. Annex B provides an overview of how the above issues are resolved with the
processes in Clause 6.
5.2 IoT trustworthiness
The definition of IoT trustworthiness can apply to the entities within an IoT system if "an IoT
system" in the definition is replaced appropriately. Note that IoT trustworthiness is realized if
IoT trustworthiness of all the entities in the IoT system is achieved.
IoT trustworthiness, especially safety, is not realized only with ICT elements. Only ICT
elements are dealt with in this document.
The concept of IoT trustworthiness is similar to that of dependability, which covers reliability,
availability, maintainability and supportability and other related attributes such as durability,
integrity, recoverability and robustness (see IEC 62853[9]). This document defines that
security comprises integrity and availability as well as other attributes. Maintainability,
supportability, durability, recoverability, and robustness themselves do not appear in the
definition of IoT trustworthiness. However, they are attributes to achieve resilience and
reliability of IoT trustworthiness.
The relative importance of each of safety, security, privacy, reliability and resilience depends
on the nature and the context of the IoT system.

– 12 – ISO/IEC 30147:2021 © ISO/IEC 2021
In addition to the five factors listed in the definition of IoT trustworthiness, the following
factors can be also relevant to the IoT trustworthiness. In Clause 6, the five factors are mainly
considered, but the following factors should also be considered in each process, if necessary.
a) Coherence
The interaction between two or more Things-of-interest needs to be coherent and
meaningful to the situation context.
b) Consistency
The interaction between two or more Things-of-interest across different instances needs to
be consistent and in accordance with the expectations defined earlier.
c) Flexibility
The Thing-of-interest needs to be able to adapt to the different conditions that it
encounters because of the change in environment, change in relationships, change in
situation context, change in responses and so on.
d) Robustness
The Thing-of-interest needs to be strong and not be vulnerable to changes introduced into
the environment or the Internet either intentionally or non-intentionally.
e) Cohesion
The Thing-of-interest needs to compose the Internet of Things together and function
seamlessly as a cohesive whole.
f) Recoverability
The Thing-of-interest needs to be able to maintain and preserve a specified level of
operations and quality, even in the event of failure, in a specific context of use.
g) Scalability
Adding a Thing-of-interest (or even a new feature to the Thing) needs to not escalate the
need for upgrading existing working methodology, but rather accommodate, maintain, and
preserve the potential of growth of the system.
6 Processes for realizing IoT trustworthiness
6.1 General
For each process, there is no change from "Purpose" and "Outcomes" in
ISO/IEC/IEEE 15288:2015. Therefore, this document describes only the supplements to
"Activities and tasks" in ISO/IEC/IEEE 15288:2015. Follow ISO/IEC/IEEE 15288:2015 at each
process unless otherwise specified.
6.2 Agreement processes
6.2.1 Acquisition process
In addition to the contents in 6.1.1.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 1), include the selection criteria.
NOTE The selection criteria include, for example:
i) management systems properly established and operated, help desks and support systems well prepared,
and service management efficiently and effectively operated;
ii) requirements when the contract with the supplier is finished (e.g. expiration of contract period, end of
support).
b) In a) 2), include in the request requirements for IoT trustworthiness appropriate to the
processes and IoT system-of-interest that the product or service will be used for,
especially continuous improvement of the standard measures, related procedures, and
others on IoT trustworthiness. Note that the request identifies the privacy principles, which
meet those of the IoT system-of-interest, such as consent and choice, transparency, and
individual participation (see ISO/IEC 29134:2017) if the product or service handles
personal identifiable information of users of the IoT system-of-interest.
c) In e) 1), confirm that the delivered product or service satisfies the requirements on IoT
trustworthiness in the agreement, if any.
6.2.2 Supply process
In addition to the contents in 6.1.2.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 2):
1) Include requirements when the contract with the acquirer is finished (e.g. expiration of
contract period, end of support) in the criteria.
2) Consider the importance of the to-be-supplied system or service in the acquirer's
system or service in defining a supply strategy.
b) In c) 1), include the scope of the responsibilities on IoT trustworthiness throughout the life
cycle in the acceptance criteria of the agreement.
c) In e) 2), improve continuously the standard measures, related procedures, and others on
IoT trustworthiness.
6.3 Organizational project-enabling processes
6.3.1 Life cycle model management process
In addition to the contents in 6.2.1.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 5):
1) Consider each of the five factors of IoT trustworthiness. If a factor requires a specific
life cycle model different from other factors, take this fact into consideration. Address
any conflicts arising from different life cycle models according to the priorities of
factors which are set up by the IoT trustworthiness policy.
6.3.2 Infrastructure management process
There is no supplement to this process.
6.3.3 Portfolio management process
There is no supplement to this process.
6.3.4 Human resource management process
In order to realize IoT trustworthiness of the IoT system-of-interest, conduct activities and
tasks written in 6.2.4.3 of ISO/IEC/IEEE 15288:2015 for IoT trustworthiness because the
technologies in IoT are updated rapidly.
6.3.5 Quality management process
In order to realize IoT trustworthiness of the IoT system-of-interest, conduct activities and
tasks written in 6.2.5.3 of ISO/IEC/IEEE 15288:2015 for IoT trustworthiness. This is done by
replacing "quality" with "IoT trustworthiness" in the activities and tasks for "Quality
Management process" in ISO/IEC/IEEE 15288:2015.

– 14 – ISO/IEC 30147:2021 © ISO/IEC 2021
6.3.6 Knowledge management process
In order to realize IoT trustworthiness of the IoT system-of-interest, conduct activities and
tasks written in 6.2.6.3 of ISO/IEC/IEEE 15288:2015 for IoT trustworthiness because the
technologies in IoT are updated rapidly.
6.4 Technical management processes
6.4.1 Project planning process
In addition to the contents in 6.3.1.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 1), identify also the policy on IoT trustworthiness. In this task, identify each
interaction (input/output) with other interrelated IoT systems and their data protection
policies. At a second step, identify which factors of IoT trustworthiness relate to each
interaction and prioritize the factors at each interaction. Considering all these, determine
the policy on IoT trustworthiness including business continuity of the IoT system-of-
interest.
b) In b) 4):
1) Define roles and responsibilities throughout the life cycle separately for each factor of
IoT trustworthiness – security, privacy, reliability, resilience, and safety – after
recognizing roles and responsibilities of other related systems or services. Define also
a role to control and be responsible for the whole IoT trustworthiness. Contain multiple
members in the role, say IoT trustworthiness team, and assign the chief responsible for
the IoT trustworthiness of the IoT system-of-interest. In addition, assign a chief to each
team of the five factors. Demonstrate top management's commitment to IoT
trustworthiness.
2) Define communication channels between the IoT trustworthiness team and each of the
teams of the five factors, and also those between relevant organizations responsible
for other related systems or services.
c) In b) 6), plan the acquisition of materials and enabling system services supplied from
outside the project, especially from other systems in the IoT system, which are interrelated
to the IoT system-of-interest.
6.4.2 Project assessment and control process
In addition to the contents in 6.3.2.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 1), identify activities for the acquired products or systems that are not compliant to
contractual requirements found in technical management processes and technical
processes.
b) In b) 7):
1) Conduct required management and technical reviews when internal and external
incidents on IoT trustworthiness occur and when the IoT system-of-interest connects to
new IoT devices/systems.
2) Check the impacts caused by internal and external incidents on IoT trustworthiness to
the production by the IoT system-of-interest, if applicable.
c) In c) 1):
1) Include continuous improvements of the activities and tasks for IoT trustworthiness in
the related processes.
NOTE The improvements include detection of security incidents, contingency plans, and so forth.
2) Choose actions that minimize damages and mitigate the impacts caused by future
incidents on IoT trustworthiness.
3) Include necessary actions for the production by the IoT system-of-interest in order to
keep the quality of the products, if applicable.

6.4.3 Decision management process
In addition to the contents in 6.3.3.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 3), involve especially the relevant parties on the IoT devices/systems which are
interrelated to the IoT system-of-interest in the decision-making in order to draw on
experience and knowledge, if appropriate.
b) In b) 2), include certainties and risks in measurable selection criteria.
6.4.4 Risk management process
In addition to the contents in 6.3.4.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) Conduct activities for risk management in alignment with ISO 31000 or conduct those
separately and in parallel for each factor of IoT trustworthiness in alignment with the
existing International Standards: ISO/IEC 27005:2018 for security, ISO/IEC 29134:2017
for privacy, ISO/IEC 27031 for resilience, and ISO/IEC Guide 51, IEC 61508 (all parts) and
many industry specific standards for safety, for example. Ensure that physical risks
against safety are taken into consideration. Study relevant accidents and incidents which
have already occurred in these activities.
b) In a) 1), consider when and under what conditions risk assessment should be undertaken
and how often risks and their treatments should be reviewed. This is because the risks
and the acceptable risks of the IoT system-of-interest may change as time passes.
c) In a) 2):
1) Identify the assets and processing of the IoT system-of-interest.
2) Prioritize them in each of the five factors of IoT trustworthiness, where priority levels
are defined independent of the five factors and approved by the IoT trustworthiness
team.
d) In b) 1), define criteria by which the significance of risk will be decided. This may be based
on state of risk (consequences and their likelihood) or other factors and may differ for
each of the categories of IoT trustworthiness (e.g. decisions about whether to treat a
safety risk may be based on criteria of risks being reduced so far as is reasonably
practicable).
e) In c), record the results from each task.
f) In c) 1), consider:
1) risks which may be caused by other IoT systems which connect to the IoT system-of-
interest, risks which may be caused by other IoT systems, which may connect to the
IoT system-of-interest in the future including replacements of IoT devices/systems, and
also the case where the IoT system-of-interest receives contradicting requests from
multiple entities, between which there are no relations at all, as a risk because they
may cause an incident of the IoT system-of-interest;
2) risks of the IoT system-of-interest which may influence other IoT systems;
3) risks caused by internal fraud, mistakes in operation, and unawareness of users on
specifications of the IoT devices/system.
g) When d) 2) for each factor has finished, assess proposed risk treatments to check that
they do not introduce new risks to the IoT system-of-interest or to other factors of IoT
trustworthiness. Iterate this task until all the factors get consistent results. If there are
conflicts among the results from risk management process of the factors of IoT
trustworthiness, cooperate to resolve the conflicts. If the conflicts are not resolved, the IoT
trustworthiness team determines the priority among the risks and resolves the conflicts.
h) In d) 4), review and authorize the results of the whole risk management process activities
where the resolved conflicts, if any, are reported clearly and in detail to the IoT
trustworthiness team, and update document to reflect new risk treatments as existing
controls.
– 16 – ISO/IEC 30147:2021 © ISO/IEC 2021
6.4.5 Configuration management process
In addition to the contents in 6.3.5.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 1):
1) Manage automatic updates of configuration.
2) Include the protection of configuration into the necessary baseline.
3) Coordinate the configuration management strategy well across the organizations
managing IoT systems, which are connected to the IoT system-of-interest, to cover the
whole life cycle of the IoT system-of-interest or the extent of the contract, as
appropriate.
b) In b) 4), consider well security risks caused by connection to the Internet and reflect the
results to the baseline, especially to IoT devices/systems which have not been connected
to the Internet.
c) In c), review configuration change management from the viewpoint of IoT trustworthiness.
6.4.6 Information management process
In addition to the contents in 6.3.6.3 written in ISO/IEC/IEEE 15288:2015, conduct the
following.
a) In a) 1):
1) Define the strategy to meet the privacy principles if the IoT system-of-interest handles
personal identifiable information.
2) Define who collects from which resource and how to analyse relevant information on
IoT trustworthiness continuously.
NOTE 1 The information resources can include IoT device vendors, consultation companies, the national
computer security incident response team, and so forth. The information includes recent countermeasures
on IoT trustworthiness which need to be shared with stakeholders.
3) Categorize the collected information and analysed information depending on
importance and impact, and also categorize the stakeholders.
NOTE 2 The categorization of the collected information
...