Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
ISO/IEC 27404:2024 defines a cybersecurity labelling framework for IoT products, enabling consumers and procurement professionals to make informed security decisions. As IoT devices proliferate in homes, offices, and critical infrastructure, the inability to easily compare security postures across products has become a significant market failure. Consumers cannot be expected to read lengthy security specifications, and even professional buyers struggle to evaluate the security of increasingly complex IoT products. This standard provides a standardised labelling scheme that communicates security capabilities through a clear, multi-tier rating system analogous to the energy efficiency labels that transformed consumer appliance purchasing decisions in the 1990s.
The labelling framework addresses three market needs: enabling consumers to choose more secure products, creating market incentives for manufacturers to invest in security, and providing regulators with a standardised mechanism for minimum security requirements. The standard is designed to work alongside regulatory frameworks such as the EU Cyber Resilience Act (CRA), Singapore’s Cybersecurity Labelling Scheme (CLS), and the US IoT Cybersecurity Improvement Act.
The standard defines a label comprising four key elements: (a) a security rating level from 1 to 5 stars indicating the overall security posture, (b) a security capability class indicator mapped to the ISO/IEC 27402 class system (1, 2, or 3), (c) a privacy protection level indicator (Level A, B, or C), and (d) a conformity assessment mark indicating whether the rating is self-declared or third-party verified. The comprehensive rating methodology evaluates devices across eight security domains: device identity and authentication, secure boot and firmware integrity, cryptography and key management, network security and communication protection, update and patch management, physical security and tamper resistance, vulnerability management and disclosure, and privacy controls and data protection.
| Label Element | Rating Scale | Description | Consumer Meaning |
|---|---|---|---|
| Security Rating | 1-5 Stars | Overall security posture based on weighted domain scores | At-a-glance comparison of product security |
| Capability Class | 1, 2, or 3 | Mapped to the ISO/IEC 27402 security capability tiers | Indicates the hardware security foundation |
| Privacy Level | A, B, or C | Data minimisation, user consent, transparency practices | How well the product protects personal data |
| Conformity Mark | Self / Verified | Self-declared or assessed by accredited lab | Confidence level in the rating accuracy |
ISO/IEC 27404 defines three conformity assessment models with increasing levels of assurance. First-party assessment allows the manufacturer to self-declare the security rating, supported by a technical dossier that documents all security features and testing results. This is the most accessible approach but provides the lowest assurance level. Second-party assessment involves the buyer or their representative evaluating the device against the framework, which suits enterprise and government procurement where the buyer has the technical capability to do so. Third-party assessment requires an accredited independent laboratory to test and certify the security rating, providing the highest assurance and strongest market credibility. The standard strongly recommends third-party assessment for devices deployed in critical infrastructure, healthcare, high-security commercial environments, and any application where device compromise could lead to physical safety risks.
The conformity assessment process includes five stages: application and scope definition, evidence collection (technical documentation, design specifications, test results), laboratory testing (penetration testing, cryptographic verification, firmware analysis), rating determination and review, and certification issuance with ongoing surveillance. The standard specifies minimum testing requirements for each star rating level, ensuring consistency across different laboratories and jurisdictions.
For engineering teams, the labelling framework creates clear incentives to invest in security architecture from the design phase. Products targeting a 5-star rating must demonstrate hardware-backed secure boot with firmware integrity verification, tamper-responsive mechanisms that disable the device upon detected physical intrusion, certified cryptographic modules (FIPS 140-3 Level 2 or equivalent at minimum), comprehensive vulnerability disclosure and patch management programmes with documented response timelines, and privacy-by-design data handling with local processing preference and data minimisation by default. The framework also requires manufacturers to maintain the security rating throughout the product’s support lifetime, with re-assessment triggered by major firmware updates or after 24 months, whichever comes first.
The market implications are significant. Products with 1-2 star ratings may be excluded from government and enterprise procurement shortlists, and consumer-facing retailers may begin to require minimum star ratings for shelf placement. Insurance companies may offer reduced premiums for products with higher security ratings, creating financial incentives that extend beyond the consumer purchase decision.