ISO/IEC 27403
ISO/IEC 27403 — Cybersecurity — IoT security and privacy — Guidelines for IoT-domotics [Draft]
Introduction
It can be quite challenging to set a standard for information security and privacy for IoT things that are intended for home use due to the wide variety of things, circumstances at home, security and privacy concerns and controls.
The scope of the standard
“Domotics” refers to what was originally called home automation, or “smart homes”, a term which describes a domicile as “a private, hence highly customizable area in which an individual lives, alone or with guests or cohabiting residents” in combination with “dedicated infrastructure aimed at meeting those individuals’ needs, including smart building control systems, smart meters, and entertainment and gaming systems.”
Design or manufacturing companies, as well as security and privacy assessors, are the intended recipients of this standard rather than consumers or retail customers.
The content
To be determined
Status
Currently, the standard is at the 5th Working Draft stage.
It will be released in 2023.
Commentary
In the IT field, “IoT” has become a common acronym, but “domotics” is a new one.
A risk-based ISO27k standard, rather than simply listing controls, describes typical information [security] risks associated with domotics and suggests controls to mitigate those risks. Bravo!
For users of the standard, this approach has the main advantage of providing rationale, context, or basis for the controls. The process of helping users identify and consider the data [security] risks can help them better appreciate what the data security controls are required to accomplish. The standard intends to stimulate users to consider their contexts when evaluating the risks and controls.
The home environment presents some challenges, including:
– A lack of information security awareness and competence among most people.
– Ad hoc assemblages of networked information technology, including devices worn or carried by people (residents and visitors), not just devices installed in homes.
– Not all products are designed for privacy or security because other factors (such as low cost and ease of use) generally take precedence.
– There are no procedures or processes in place to manage security and privacy at home. Instead of being methodical and proactive, they are more ad hoc/informal and reactive.
– Informality in general: the home is fluid and unstructured setting.