Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 27400:2022 provides comprehensive guidelines for cybersecurity, privacy, and data protection in the Internet of Things (IoT) ecosystem. Published by ISO/IEC JTC 1, SC 27, this standard addresses the unique challenges posed by the vast attack surface of interconnected smart devices that now number in the tens of billions worldwide. It serves as the foundational document for the 27400 series, establishing core principles and a risk-based framework that subsequent standards (27402, 27403, 27404) build upon with increasing specificity.
The standard applies to all types of IoT systems including consumer devices, industrial IoT (IIoT), healthcare IoT, smart city infrastructure, and automotive telematics. It recognises that IoT environments differ fundamentally from traditional IT environments: devices are often resource-constrained (limited CPU, memory, battery), deployed in physically accessible locations, expected to operate unattended for years, and connected through heterogeneous networks with varying security properties. These characteristics demand security and privacy approaches tailored specifically to IoT rather than adapted from enterprise IT.
The standard defines eight overarching principles for IoT security and privacy. These principles guide every stage of IoT system development, deployment, and operation. Principle one, security-by-design and privacy-by-design, requires that security controls and privacy protections be integrated into the system architecture from the initial concept phase rather than added after implementation. Principle two, risk-based approach, mandates that security decisions be driven by systematic risk assessment rather than by compliance checklists or vendor claims. Principle three, data minimisation, limits PII and telemetry collection to only what is strictly necessary for the intended function. Principle four, transparency, requires clear communication to users about what data is collected, how it is used, and with whom it is shared. Principle five, accountability, holds the system operator responsible for security and privacy outcomes regardless of whether components are sourced from third parties. Principle six, lifecycle protection, extends security coverage from device manufacturing through active operation to secure decommissioning. Principle seven, interoperability, ensures that security mechanisms work correctly across multi-vendor ecosystems. Principle eight, user autonomy, empowers users with meaningful control over their devices and data.
| Principle | Description | Engineering Application | Verification Method |
|---|---|---|---|
| Security-by-Design | Security controls integrated from initial architecture | Threat modelling during system design, secure coding standards, security acceptance criteria | Architecture review, threat model completeness check |
| Data Minimisation | Collect only PII essential for function | Data flow diagrams with explicit retention limits per sensor | Data flow audit, retention policy verification |
| Lifecycle Protection | Security from manufacturing to decommissioning | OTA update mechanism, secure erase at end-of-life, supply chain security | Update mechanism penetration test, secure erase validation |
| User Autonomy | Users control their data and device behaviour | Granular permission settings, opt-in consent interfaces, offline mode capability | Usability testing, consent audit trail review |
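The data-minimisation row above describes the control at the level of data-flow diagrams and retention limits. The following is an added example of what that looks like enforced at an edge gateway; it is not code from ISO/IEC 27400, which states the principle but prescribes no schema. The policy table, the envelope fields, the sample record and the sensor types are all constructed assumptions.

```python
# Added example: per-sensor data-minimisation policy applied at the edge gateway.
# Policy table, sample record and sensor types are constructed for illustration.
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Constructed policy: which fields each sensor type may emit and how long the
# backend may retain them. Sensor types with no entry are denied by default.
POLICY = {
    "thermostat": {"fields": {"temperature_c", "setpoint_c"}, "retention_days": 30},
    "door_sensor": {"fields": {"state"}, "retention_days": 7},
}

# Envelope fields that identify the record but carry no sensor payload.
ENVELOPE = {"device_id", "sensor_type"}

# Fixed clock so the demo (and its expiry stamps) are reproducible.
FIXED_NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)


def minimise(record: dict, now: datetime) -> Tuple[Optional[dict], List[str]]:
    """Reduce a telemetry record to the fields its policy allows.

    Returns (payload, dropped): payload is the record to forward, carrying an
    explicit expiry derived from the retention limit, or None when the sensor
    type has no policy (default deny); dropped lists the field names removed,
    so the gateway can log them for the data-flow audit.
    """
    policy = POLICY.get(record.get("sensor_type"))
    if policy is None:
        return None, []
    allowed = policy["fields"]
    kept = {k: v for k, v in record.items() if k in allowed}
    dropped = sorted(k for k in record if k not in allowed and k not in ENVELOPE)
    payload = {
        "device_id": record["device_id"],
        "sensor_type": record["sensor_type"],
        "data": kept,
        "expires_at": (now + timedelta(days=policy["retention_days"])).isoformat(),
    }
    return payload, dropped


# Constructed sample: a thermostat that over-reports, including fields that
# identify the occupant and the home network and have no place in telemetry.
SAMPLE_RECORD = {
    "device_id": "dev-0001",
    "sensor_type": "thermostat",
    "temperature_c": 21.5,
    "setpoint_c": 20.0,
    "occupant_name": "A. Example",
    "wifi_ssid": "home-net",
}

if __name__ == "__main__":
    payload, dropped = minimise(SAMPLE_RECORD, FIXED_NOW)
    print("forwarded:", payload)
    print("dropped at edge:", dropped)
```

The dropped-field list is what the "data flow audit" verification method in the table consumes: if a device firmware update starts emitting a new field, it shows up in the gateway's drop log before it ever reaches the backend.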
ISO/IEC 27400 adopts a risk-based approach aligned with ISO/IEC 27005 and ISO 31000. The IoT risk assessment process includes five stages. Stage one, asset identification, catalogues all IoT components including devices, gateways, cloud backends, mobile applications, communication protocols, and data stores. Stage two, threat scenario analysis, identifies relevant threats across the IoT attack surface including physical tampering, network eavesdropping, firmware reverse engineering, side-channel attacks, cloud API exploitation, and social engineering targeting device administrators. Stage three, impact evaluation, assesses the business, privacy, safety, and regulatory consequences of each threat scenario materialising. Stage four, risk determination, combines likelihood and impact to prioritise risks for treatment. Stage five, risk treatment, selects appropriate controls from the standard’s control catalogue to mitigate identified risks to an acceptable level.
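Stages four and five are the ones that usually end up as a spreadsheet. The following is an added example, not from the standard, that models them as code on a 5x5 likelihood/impact matrix: the rating scales, the level thresholds, the treatment rules and the four scenarios in the register are constructed assumptions; only the stage structure and the ISO/IEC 27005 treatment vocabulary (modify, share, retain) come from the text.

```python
# Added example: risk determination (stage four) and risk treatment (stage five)
# on a 5x5 likelihood/impact matrix. Scales, thresholds, treatment rules and
# scenarios are constructed assumptions, not prescribed by ISO/IEC 27400.
from dataclasses import dataclass
from typing import Dict, List

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Risk-level thresholds on the likelihood x impact product (assumed).
HIGH_THRESHOLD = 15
MEDIUM_THRESHOLD = 8


@dataclass
class Scenario:
    asset: str               # stage one: asset identification
    threat: str              # stage two: threat scenario analysis
    likelihood: str          # key into LIKELIHOOD
    impact: Dict[str, str]   # stage three: dimension -> key into IMPACT


def risk_score(s: Scenario) -> int:
    """Stage four: likelihood times the worst impact across assessed dimensions."""
    worst = max(IMPACT[level] for level in s.impact.values())
    return LIKELIHOOD[s.likelihood] * worst


def risk_level(score: int) -> str:
    if score >= HIGH_THRESHOLD:
        return "high"
    if score >= MEDIUM_THRESHOLD:
        return "medium"
    return "low"


def treatment(s: Scenario) -> str:
    """Stage five: pick a treatment option using ISO/IEC 27005 vocabulary.

    Assumed rule set: high risks must be modified (controls applied) before
    go-live; medium risks may be modified or shared; low risks may be retained,
    except that a safety impact of major or worse is never simply retained.
    """
    level = risk_level(risk_score(s))
    safety = IMPACT[s.impact.get("safety", "negligible")]
    if level == "high" or safety >= IMPACT["major"]:
        return "modify"
    if level == "medium":
        return "modify or share"
    return "retain"


def prioritise(scenarios: List[Scenario]) -> List[Scenario]:
    """Order the register so the highest-scoring scenarios are treated first."""
    return sorted(scenarios, key=risk_score, reverse=True)


# Constructed register covering threat classes the standard lists: physical
# tampering, network eavesdropping, social engineering, firmware reverse engineering.
REGISTER = [
    Scenario("smart-lock controller", "physical tampering to bypass the lock",
             "possible", {"safety": "severe", "business": "moderate"}),
    Scenario("BLE telemetry link", "network eavesdropping on an unencrypted link",
             "likely", {"privacy": "moderate"}),
    Scenario("device admin portal", "social engineering of an administrator",
             "unlikely", {"regulatory": "moderate"}),
    Scenario("gateway firmware", "firmware reverse engineering to extract keys",
             "rare", {"safety": "major"}),
]

if __name__ == "__main__":
    for s in prioritise(REGISTER):
        score = risk_score(s)
        print(f"{score:2d} {risk_level(score):6s} {treatment(s):16s} {s.asset}: {s.threat}")
```

The safety override in `treatment` is the part worth copying: a product-of-scores matrix on its own will happily rate a rare but life-safety-relevant scenario as "low", which is exactly the class of IoT risk the standard's separate impact dimensions are meant to keep visible.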
A distinctive feature of the standard is its treatment of privacy risk separately from security risk. While the two are interdependent, the standard requires organisations to conduct dedicated Privacy Impact Assessments (PIA) in addition to security risk assessments. This dual-track approach ensures that personally identifiable information receives appropriate safeguards even when security risks are deemed low. The PIA process in 27400 addresses data classification, consent management, cross-border data transfer, data subject rights, and third-party data sharing specifically within the IoT context.
From an engineering perspective, the standard recommends specific technical controls for each IoT architectural layer. At the device layer: secure boot with a hardware root of trust, cryptographically signed firmware updates with anti-rollback protection, physical tamper detection and response, a minimal attack surface with unused ports and services disabled, and secure credential storage in hardware security modules or trusted execution environments. At the communication layer: TLS 1.3 or DTLS 1.3 for all network traffic, certificate-based mutual authentication between devices and cloud, network segmentation through VLANs or software-defined networking, and anomaly-based intrusion detection at the gateway level. At the platform and cloud layer: encrypted data-at-rest using AES-256 with customer-managed keys, role-based access control with least privilege, comprehensive audit logging with immutable storage, automated security incident response playbooks, and regular third-party penetration testing.
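Of the device-layer controls, "cryptographically signed firmware updates with anti-rollback protection" is the one whose check ordering most often goes wrong in practice. The following is an added example of the bootloader-side check, not code from the standard or any vendor. Assumptions: the manifest format, a monotonic version counter held in the device's protected storage, and HMAC-SHA256 with a shared key as a stand-in for the asymmetric signature a real device verifies against a public key in ROM or OTP (used here only so the example runs with the standard library).

```python
# Added example: bootloader-side verification of a signed firmware update with
# anti-rollback. Manifest format and counter handling are assumptions; the
# HMAC stand-in replaces a real asymmetric signature purely for portability.
import hashlib
import hmac
import json
from typing import Tuple, Union

# Constructed demo key. On real hardware only a *public* verification key is
# present on the device; the signing key stays in the vendor's HSM.
DEMO_SIGNING_KEY = b"demo-key-not-for-production"


def canonical(manifest: dict) -> bytes:
    """Canonical encoding so signer and verifier hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = DEMO_SIGNING_KEY) -> bytes:
    return hmac.new(key, canonical(manifest), hashlib.sha256).digest()


def verify_update(manifest: dict, signature: bytes, image: bytes,
                  stored_version: int,
                  key: bytes = DEMO_SIGNING_KEY) -> Tuple[bool, Union[int, str]]:
    """Check an update in the order a bootloader must: manifest authenticity
    first, then the rollback counter, then image integrity.

    Returns (True, new_version) on acceptance or (False, reason) on rejection.
    """
    # 1. Nothing in the manifest is trusted until its signature checks out.
    if not hmac.compare_digest(sign_manifest(manifest, key), signature):
        return False, "signature invalid"
    # 2. Anti-rollback: the version must strictly exceed the stored monotonic
    #    counter, so a validly signed but older image cannot be reinstalled.
    if manifest["version"] <= stored_version:
        return False, f"rollback: version {manifest['version']} <= stored {stored_version}"
    # 3. The image must match the digest the signed manifest commits to.
    if hashlib.sha256(image).hexdigest() != manifest["image_sha256"]:
        return False, "image digest mismatch"
    return True, manifest["version"]


def build_package(version: int, image: bytes) -> Tuple[dict, bytes]:
    """Vendor-side helper: produce a manifest and its signature for an image."""
    manifest = {"version": version, "image_sha256": hashlib.sha256(image).hexdigest()}
    return manifest, sign_manifest(manifest)


# Constructed images; the device in the demo currently runs version 2.
IMAGE_V2 = b"constructed firmware image v2"
IMAGE_V3 = b"constructed firmware image v3"

if __name__ == "__main__":
    manifest, sig = build_package(3, IMAGE_V3)
    print(verify_update(manifest, sig, IMAGE_V3, stored_version=2))          # accepted
    old_manifest, old_sig = build_package(2, IMAGE_V2)
    print(verify_update(old_manifest, old_sig, IMAGE_V2, stored_version=2))  # rollback
```

Two details carry the security property: the version comparison is strict (an equal version is a rollback, not a no-op, since a re-flash of the current image can be used to reset state), and the image digest lives inside the signed manifest rather than beside it, so the signature covers both the version and the bytes it authorises.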
The standard also provides guidance on supply chain security, an often overlooked aspect of IoT security. It recommends that organisations conduct security assessments of component suppliers, establish security requirements in procurement contracts, verify that third-party components have known vulnerability disclosure processes, and maintain a software bill of materials (SBOM) for all IoT products to enable rapid vulnerability response when new CVEs are published.
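The SBOM recommendation only pays off if the SBOM can actually be queried when an advisory lands. The following is an added example, not from the standard, of that query: a CycloneDX-style SBOM matched against an advisory feed by package URL and version range. The SBOM contents, the advisory entries and the advisory identifiers are all constructed placeholders (the IDs are in CVE shape but are not real CVEs), and version handling is restricted to dotted numeric versions as a simplifying assumption.

```python
# Added example: match an SBOM against newly published advisories to find
# which shipped products contain an affected component. SBOM, feed and IDs are
# constructed placeholders; dotted numeric versions only (assumption).
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM for one firmware product.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "metadata": {"component": {"name": "smart-thermostat-firmware", "version": "3.1.0"}},
  "components": [
    {"name": "mbedtls", "version": "2.28.2", "purl": "pkg:generic/mbedtls@2.28.2"},
    {"name": "lwip",    "version": "2.1.3",  "purl": "pkg:generic/lwip@2.1.3"},
    {"name": "zlib",    "version": "1.2.13", "purl": "pkg:generic/zlib@1.2.13"}
  ]
}
"""

# Constructed advisory feed. IDs are placeholders in the CVE shape, not real CVEs.
ADVISORIES = [
    {"id": "CVE-YYYY-NNNN1 (placeholder)", "package": "pkg:generic/mbedtls",
     "introduced": "2.0.0", "fixed": "2.28.4"},
    {"id": "CVE-YYYY-NNNN2 (placeholder)", "package": "pkg:generic/lwip",
     "introduced": "2.0.0", "fixed": "2.1.3"},
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only; real feeds need semver/VERS range handling."""
    return tuple(int(part) for part in v.split("."))


def split_purl(purl: str) -> Tuple[str, str]:
    """'pkg:generic/mbedtls@2.28.2' -> ('pkg:generic/mbedtls', '2.28.2')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range [introduced, fixed): the fixed version itself is clean."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def find_exposed(sbom_text: str, advisories: List[dict]) -> List[Dict[str, str]]:
    """Return one hit per (component, advisory) pair that affects the product."""
    sbom = json.loads(sbom_text)
    product = sbom["metadata"]["component"]
    hits = []
    for comp in sbom["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["package"] == base and is_affected(version, adv["introduced"], adv["fixed"]):
                hits.append({
                    "product": f"{product['name']} {product['version']}",
                    "component": comp["purl"],
                    "advisory": adv["id"],
                    "fixed_in": adv["fixed"],
                })
    return hits


if __name__ == "__main__":
    for hit in find_exposed(SBOM_JSON, ADVISORIES):
        print(hit)
```

In the constructed data the lwip entry is a boundary case: the product ships exactly the fixed version, so the half-open range correctly reports it as clean, while the mbedtls entry sits inside the range and is flagged with the version to upgrade to.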