AS/NZS ISO/IEC 27400:2024
Cybersecurity - IoT security and privacy - Guidelines (Current)
AS/NZS ISO/IEC 27400:2024 identically adopts ISO/IEC 27400:2022, which provides guidelines on risks, principles and controls for the security and privacy of Internet of Things (IoT) solutions.
Published: 23/08/2024
Pages: 42
Table of contents
Header
About this publication
Preface
National Foreword
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 IoT concepts
5.1 General
5.2 Characteristics of IoT systems
5.3 Stakeholders of IoT systems
5.3.1 General
5.3.2 IoT service provider
5.3.3 IoT service developer
5.3.4 IoT user
5.4 IoT ecosystem
5.5 IoT service life cycles
5.6 Domain based reference model
6 Risk sources for IoT systems
6.1 General
6.2 Risk sources
6.2.1 General
6.2.2 Sample risk sources related to IoT domains
6.2.2.1 Sensing and controlling domain
6.2.2.2 Operations and management domain
6.2.2.3 Application and service domain
6.2.2.4 Resource access and interchange domain
6.2.2.5 User domain
6.2.3 Risk sources from outside the IoT domains
6.2.4 Privacy related risk sources
7 Security and privacy controls
7.1 Security controls
7.1.1 General
7.1.2 Security controls for IoT service developer and IoT service provider
7.1.2.1 Policy for IoT security
7.1.2.2 Organization of IoT security
7.1.2.3 Asset management
7.1.2.4 Equipment and assets located outside physical secured areas
7.1.2.5 Secure disposal or re-use of equipment
7.1.2.6 Learning from security incidents
7.1.2.7 Secure IoT system engineering principles
7.1.2.8 Secure development environment and procedures
7.1.2.9 Security of IoT systems in support of safety
7.1.2.10 Security in connecting varied IoT devices
7.1.2.11 Verification of IoT devices and systems design
7.1.2.12 Monitoring and logging
7.1.2.13 Protection of logs
7.1.2.14 Use of suitable networks for the IoT systems
7.1.2.15 Secure settings and configurations in delivery of IoT devices and services
7.1.2.16 User and device authentication
7.1.2.17 Provision of software and firmware updates
7.1.2.18 Sharing vulnerability information
7.1.2.19 Security measures adapted to the life cycle of IoT system and services
7.1.2.20 Guidance for IoT users on the proper use of IoT devices and services
7.1.2.21 Determination of security roles for stakeholders
7.1.2.22 Management of vulnerable devices
7.1.2.23 Management of supplier relationships in IoT security
7.1.2.24 Secure disclosure of Information regarding security of IoT devices
7.1.3 Security controls for IoT user
7.1.3.1 Contacts and support service
7.1.3.2 Initial settings of IoT device and service
7.1.3.3 Deactivation of unused devices
7.1.3.4 Secure disposal or re-use of IoT device
7.2 Privacy controls
7.2.1 General
7.2.2 Privacy controls for IoT service developer and IoT service provider
7.2.2.1 Prevention of privacy invasive events
7.2.2.2 IoT privacy by default
7.2.2.3 Provision of privacy notice
7.2.2.4 Verification of IoT functionality
7.2.2.5 Consideration of IoT users
7.2.2.6 Management of IoT privacy controls
7.2.2.7 Unique device identity
7.2.2.8 Fail-safe authentication
7.2.2.9 Minimization of indirect data collection
7.2.2.10 Communication of privacy preferences
7.2.2.11 Verification of automated decision
7.2.2.12 Accountability for stakeholders
7.2.2.13 Unlinkability of PII
7.2.2.14 Sharing information on PII protection measures of IoT devices
7.2.3 Privacy controls for IoT user
7.2.3.1 User consent
7.2.3.2 Purposeful use for connecting with other devices and services
7.2.3.3 Certification/validation of PII protection
Annex A
Bibliography