This site maps global IoT security and privacy recommendations to the UK’s Code of Practice for Consumer IoT Security, produced by the Department for Digital, Culture, Media & Sport (DCMS). The data is drawn from a host of sources, ranging from recommendations and standards bodies, governments and cities through to individuals across the world.
03/10/21 The site is now re-orienting its work towards mapping against the international consumer IoT security standard ETSI EN 303 645, showing the successful defragmentation of recommendations in this space. Please visit: https://iotsecuritymapping.com/ to see more details and new mappings and future candidates for mapping. Further details can also be found in this blog: https://www.copperhorse.co.uk/mapping-iot-security-and-privacy-recommendations-and-guidance-to-the-consumer-iot-standard-etsi-en-303-645/
This site will continue to be maintained, but no new mappings will be added here from this date onwards. All new mappings will be provided on the iotsecuritymapping.com site.
15/07/20 The site was updated to include some new recommendations which have been mapped, including the recently approved ETSI EN for IoT security:
- Australian Government Department of Home Affairs – Code of Practice Securing the Internet of Things for Consumers (DRAFT)
- California State Legislature – California Law, Civil Code, Part 4, Division 3, Title 1.81.26. Security of Connected Devices
- European Telecommunications Standards Institute (ETSI) – EN 303 645 Cyber Security for Consumer Internet of Things: Baseline Requirements
- National Institute of Standards and Technology (NIST) – NISTIR 8259A IoT Device Cybersecurity Capability Core Baseline
- Singapore Infocomm Media Development Authority (IMDA) – Internet of Things (IoT) Cyber Security Guide V1
Additionally, we have identified further candidate specifications and recommendations which we will seek to map in the coming months including those which have been updated or deprecated. We have corrected some website links where documents have been moved (where possible).
As the market matures globally and centres around a core set of baseline security and privacy standards for IoT, we have seen manufacturers ensuring that their products are compliant, throughout the hardware and software stack. Compliance schemes continue to be developed and launched, based around the standards and recommendations listed here. We will see future consolidation in compliance schemes too as the testing market matures and settles.
The candidates for the next update are:
- Cloud Security Alliance (CSA) – IoT Security Controls Framework
- Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) – IoT Security Best Practice Guidelines
- Japan Computer Emergency Response Team Coordination Center (JPCERTCC) – IoT Security Checklist
Observed updated recommendations:
- Cellular Telecommunications Industry Association (CTIA) – CTIA Cybersecurity Certification Test Plan for IoT Devices v1.2
- Council to Secure the Digital Economy (CSDE) – International Anti-Botnet and IoT Security Guide 2020
- GSMA – CLP.12 IoT Security Guidelines for Service Ecosystems v2.2 (understood to be minor changes)
- GSMA – CLP.13 IoT Security Guidelines for Endpoint Ecosystems v2.2 (understood to be minor changes)
- GSMA – CLP.14 IoT Security Guidelines for Network Operators v2.2 (understood to be minor changes)
- IoT Security Foundation – IoT Security Compliance Framework v2.1
- ioXt Alliance – The ioXt Security Pledge V16
- Open Connectivity Foundation (OCF) – OCF Security Specification v2.1.2
- W3C – Web of Things (WoT) Security and Privacy Guidelines W3C Editor’s Draft 06 April 2020
15/08/19 The site was updated to include a number of recommendations which have emerged, or which have been sent to Copper Horse as a result of this site being created. The following additional recommendations have been added:
- Cellular Telecommunications Industry Association (CTIA) – CTIA Cybersecurity Certification Test Plan for IoT Devices
- Council to Secure the Digital Economy (CSDE) – International Anti-Botnet Guide 2018
- IoT Acceleration Consortium (IOTAC) – IoT Security Guidelines Ver. 1.0
- IoT Security Foundation – IoT Security Compliance Framework 2.0 (update to previous version)
- ioXt Alliance – The ioXt Security Pledge
- Korea Internet & Security Agency (KISA) – IoT Security Certification Service (IoT-SAP*)
- Mozilla – Minimum Security Standards for Tackling IoT Security
- National Institute of Standards and Technology (NIST) – Considerations for a Core IoT Cybersecurity Capabilities Baseline
- Open Connectivity Foundation (OCF) – OCF Security Specification v2.0.1
- PSA Certified – Critical security questions for chip vendors, OS providers and OEMs
- UL – IoT Security Top 20 Design Principles
- W3C Web of Things (WoT) – Security Best Practices Editor’s Draft 14th June 2019
19/02/19 The site was updated to include the ETSI TS ‘Cyber Security for Consumer Internet of Things’, TS 103 645. We have a number of specification and recommendation mappings in the pipeline, including the IoT Security Foundation’s Release 2.0 of its specifications, also mapped to the ETSI publication today.
The site is designed to visually show two main things. First of all, how the DCMS Code of Practice (CoP) for IoT security maps to existing IoT security and privacy recommendations. Secondly, how the material that those existing organisations referenced themselves fits together to provide an overall picture of the IoT security ecosystem.
The mappings are designed to be used by any entity interested in how to meet the recommendations of the CoP, the emerging standards and recommendations within the IoT space around the world and to understand the level of consensus and fragmentation.
The work is further described in detail in the DCMS paper Mapping of IoT Security Recommendations, Guidance and Standards to the UK’s Code of Practice for Consumer IoT Security (pdf).
How to use this site?
The menu links from this page take you to individual visual mappings for the individual guidelines. In addition, there is a page with an external reference mapping, which is sourced from the external references used in the documentation of the organisations who developed the various recommendations and standards. This is useful for seeing which material and which organisations are regularly referenced and used, and by whom. From these pages you can also download files containing open data datasets of the mappings, for you to use yourself and within your company.
Feedback and further input are welcome; more details can be found on the Frequently Asked Questions page.