Why have you done this work?
The IoT world is currently heavily fragmented. Our intent was to understand how well existing recommendations and standards in the IoT security space map to the Code of Practice published by the UK government. This helps vendors and other stakeholders in the IoT ecosystem understand how the various documents fit together, which significantly reduces the time and effort needed to answer questions about what guidance is available around the world and, ultimately, helps to reduce fragmentation in the standards and recommendations space.
Will you develop the mapping further?
We intend to update the mapping. The space is constantly moving, and new and updated documentation is always emerging.
Standards and recommendations are constantly being updated. How up to date are these mappings?
The research conducted to create these mappings was performed in July 2018. We intend to maintain and update this site regularly based on newly published and submitted material.
Why didn’t you include x standard or recommendation?
Some documents were reviewed and judged to be out of scope. The reasons for this included that the document was not publicly available, had not been published at the time of review, did not include security or privacy requirements, had no specific recommendations, or was a specification at too low a level of detail to be practical as a reference to the Code of Practice. Submissions of other documentation for future consideration are welcomed at: iotsecuritymapping[@]copperhorse.co.uk.
Where did you source the recommendations?
We performed our own research, and were also able to source guidance references from a number of places, including our own mobilephonesecurity.org living list of IoT security and privacy resources and the sources referenced within the published mapping document from DCMS.
Why is GDPR not mapped?
A decision was taken not to map GDPR because it is seen as fundamental to all consumer products: it should be considered an underlying, foundational requirement for creating a secure product. We also concentrated mainly on documents that focus on IoT security and privacy guidance and recommendations rather than on government policy or legal requirements. That said, we did include the draft US Internet of Things (IoT) Cybersecurity Improvement bill, as a number of sources referred to it.
Is there a downloadable copy of the data available?
Yes, all of the data is available on this site as open data in JSON format.
What platform was used to create the visual mappings?
We used the excellent kumu.io to provide the visual mappings.
How can I contact you?
Questions related to this site and its contents should be submitted to: iotsecuritymapping[@]copperhorse.co.uk. Questions related to the DCMS Code of Practice should be directed to: securebydesign[@]culture.gov.uk.