ISO/IEC 27403:2024

Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics

Name: ISO/IEC 27403:2024
Standard name: Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics
Standard number: ISO/IEC 27403:2024
Language: English
Release date: 24-Jun-2024
Technical committee: ISO/IEC JTC 1/SC 27 - Information security, cybersecurity and privacy protection
Drafting committee: ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
ICS number: 35.030 - IT Security

International Standard
ISO/IEC 27403
First edition
2024-06
Cybersecurity – IoT security and privacy – Guidelines for IoT-domotics
Cybersécurité — Sécurité et protection de la vie privée pour l'IDO — Lignes directrices pour la domotique-IDO
Reference number
© ISO/IEC 2024
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: [email protected]
Website: www.iso.org
Published in Switzerland
Contents

Foreword ..... v
Introduction ..... vi
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 2
5 Overview ..... 2
5.1 General ..... 2
5.2 Features ..... 2
5.3 Stakeholders ..... 4
5.4 Life cycles ..... 4
5.5 Reference model ..... 5
5.6 Security and privacy dimensions ..... 8
6 Guidelines for risk assessment ..... 8
6.1 General ..... 8
6.2 Sources of security risks ..... 9
6.2.1 Security risks for service sub-systems ..... 9
6.2.2 Security risks for IoT-domotics gateway ..... 10
6.2.3 Security risks for IoT-domotics devices and physical entities ..... 12
6.2.4 Security risks for networks ..... 13
6.3 Sources of privacy risks ..... 13
6.3.1 Privacy risks for service sub-systems ..... 13
6.3.2 Privacy risks for IoT-domotics gateway ..... 14
6.3.3 Privacy risks for IoT-domotics devices and physical entities ..... 16
6.3.4 Privacy risks for networks ..... 16
7 Security and privacy controls ..... 17
7.1 Principles ..... 17
7.1.1 General ..... 17
7.1.2 Different levels of security for different services ..... 17
7.1.3 Easy security settings for users ..... 17
7.1.4 Failsafe domotics devices ..... 17
7.1.5 Restricted access to content services ..... 17
7.1.6 Consideration for children ..... 17
7.1.7 Scenario-specific privacy preferences ..... 17
7.2 Security controls ..... 18
7.2.1 Policy for IoT-domotics security ..... 18
7.2.2 Organization of IoT-domotics security ..... 18
7.2.3 Asset management ..... 18
7.2.4 Equipment and assets located outside physical secured areas ..... 18
7.2.5 Secure disposal or re-use of equipment ..... 18
7.2.6 Learning from security incidents ..... 19
7.2.7 Secure IoT-domotics system engineering principles ..... 19
7.2.8 Secure development environment and procedures ..... 19
7.2.9 Security of IoT-domotics systems in support of safety ..... 20
7.2.10 Security in connecting varied IoT-domotics devices ..... 20
7.2.11 Verification of IoT-domotics devices and systems design ..... 20
7.2.12 Monitoring and logging ..... 20
7.2.13 Protection of logs ..... 20
7.2.14 Use of suitable networks for the IoT-domotics systems ..... 20
7.2.15 Secure settings and configurations in delivery of IoT-domotics devices and services ..... 20
7.2.16 User and device authentication ..... 21
7.2.17 Provision of software and firmware updates ..... 21
7.2.18 Sharing vulnerability information ..... 21
7.2.19 Security measures adapted to the life cycle of IoT-domotics system and services ..... 21
7.2.20 Guidance for IoT-domotics users on the proper use of IoT-domotics devices and services ..... 21
7.2.21 Determination of security roles for stakeholders ..... 22
7.2.22 Management of vulnerable devices ..... 22
7.2.23 Management of supplier relationships in IoT-domotics security ..... 22
7.2.24 Secure disclosure of information regarding security of IoT-domotics devices ..... 22
7.3 Privacy controls ..... 22
7.3.1 Prevention of privacy invasive events ..... 22
7.3.2 IoT-domotics privacy by default ..... 22
7.3.3 Provision of privacy notice ..... 23
7.3.4 Verification of IoT-domotics functionality ..... 23
7.3.5 Consideration of IoT-domotics users ..... 23
7.3.6 Management of IoT-domotics privacy controls ..... 23
7.3.7 Unique device identity ..... 24
7.3.8 Fail-safe authentication ..... 24
7.3.9 Minimization of indirect data collection ..... 24
7.3.10 Communication of privacy preferences ..... 24
7.3.11 Verification of automated decision ..... 24
7.3.12 Accountability for stakeholders ..... 24
7.3.13 Unlinkability of PII ..... 24
7.3.14 Sharing information on PII protection measures of IoT-domotics devices ..... 25
Annex A (informative) Use cases of IoT-domotics ..... 26
Anne
...