Why have you performed this work?
The IoT world is currently heavily fragmented. Our intent was to understand how well existing recommendations and standards in the IoT security space map to the published Code of Practice from the UK government. This will help vendors and other stakeholders in the IoT ecosystem to understand how everything fits together. This will reduce time and effort significantly for many who need to answer questions about what is available around the world and also ultimately help to reduce fragmentation in the standards and recommendations space.
Will you develop the mapping further?
We have been continually updating the mapping. Updates are listed on the front page of this site. The space is constantly moving and as such new and updated documentation is always emerging. We’ll keep tracking it as much as possible! From the 3rd of November 2021, we launched iotsecuritymapping.com which re-orients our work towards the international standard ETSI EN 303 645 which is being widely adopted across the world. All new updates and mappings will be posted to that site.
Standards and recommendations are constantly being updated. How up to date are these mappings?
The research conducted to create the initial mappings was performed in July 2018. We have been regularly maintaining and updating this site based on newly published and submitted material. As fully-fledged standards emerge that defragment IoT, we’ll look to draw a line under the Code of Practice mappings. The market is maturing significantly (July 2020) and there has been a consolidation of ideas and best practice to the point where there is broad harmonisation on what constitutes the foundations of IoT security. The biggest event recently has been the publication of ETSI EN 303 645 – a European standard for IoT security. See above for further details on how we have decided to proceed.
Why didn’t you include x standard or recommendation?
Some documents were reviewed and judged to be out-of-scope. The reasons for this included that the document wasn’t publicly available, hadn’t been published at the time of review, did not include security or privacy requirements, had no specific recommendations, or that the specification was at too much of a specific low level to be practical as a reference to the Code of Practice. Submissions of other documentation for future consideration are welcomed at: iotsecuritymapping[@]copperhorse.co.uk.
Why didn’t you update to new version x of our recommendation?
We have observed in some cases, newer versions of recommendations have been issued but on review, the updates have been editorial in nature or are not related to the Code of Practice work. For those recommendations, we’ve left the mapping at the version we mapped previously.
Where did you source the recommendations?
We performed our own research but were able to source guidance references from a number of places including our own mobilephonesecurity.org living list of IoT security and privacy resources and others which are referenced within the published mapping document from DCMS. We have also had excellent feedback and submissions since the original publication of this site.
Why is GDPR not mapped?
A decision was taken not to map GDPR because it is seen as fundamental to all consumer products, it should be considered an underlying foundational requirement for creating a secure product. We also mainly tried to concentrate on documents that focused on IoT security & privacy guidance and recommendations rather than government policy or legal requirements. That said, we did include the draft US bill on Internet of Things (IoT) Security Improvement as a number of sources referred to it. The same applies to California’s CCPA, although we did map SB-327 on the Security of Connected Devices which came into law in January 2020.
Is there a downloadable copy of the data available?
Yes, all the data is available as open data on this site in JSON, CSV and ODS formats.
What platform was used to create the visual mappings?
We used the excellent kumu.io to provide the visual mappings.
How can I contact you?
Questions related to this site and its contents should be submitted to: iotsecuritymapping[@]copperhorse.co.uk . Questions related to the DCMS Code of Practice should be directed to: securebydesign[@]culture.gov.uk .