About IoTSF Publications
Like any aspect of information security, IoT security is not absolute and can never be guaranteed. New vulnerabilities are constantly being discovered, which means there is a need to monitor, maintain and review both policy and practice on a regular basis.
Users of IoT Security Foundation (IoTSF) guidance materials are encouraged to use the latest advice and frameworks available. To maintain and build on our published materials, IoTSF issues releases in a timely manner – consistent with other bodies working in dynamic settings.
Documents published by the IoTSF are therefore subject to regular review and may be updated or subject to change at any time. The current status of IoTSF publications, can be found on this website and users are encouraged to check back for current releases on a regular basis.
IoTSF will make new releases public in appropriate ways such as press releases, bulletins and this website.
IoTSF endeavours to provide fit-for-purpose and up to date guidance. In the spirit of continuous improvement, IoTSF invites feedback from users and third party experts to help make those improvements to our outputs. You can do this simply by emailing us at [email protected] – please include the document title and “feedback” in your email subject line.
Organisations that follow IoTSF best practices may download and use the Best Practice User mark on their marketing materials.
Publications
Best Practice User Mark
IoT Security Compliance Framework
About the IoT Security Compliance
Framework
The IoT security compliance framework is a comprehensive checklist to guide an organisation through the IoT security assurance process, gathering evidence in a structured manner to demonstrate conformance with best practice.
Release 1 of the compliance framework is targeted at companies in consumer markets and consumer applications, however the framework has wider utility as it is built on security principles.
Additional categories will be added in future releases.
The scope of this document includes (but is not limited to):
- Business processes
- Devices and aggregation points such as related gateways/hubs that form part of the connectivity
- Networking including wired, and radio connections using both short-range, LPWA and cellular
- Cloud and server elements as specific to IoT.
The document is aimed at the following readers.
- For Managers; it gives a comprehensive overview of the management process needed to follow best practice.
- For Developers and Engineers, Logistics and Manufacturing Staff, it provides a detailed checklist to use in their daily work and in project reviews to validate the use of best practice by different functions (e.g. hardware and software development, logistics etc.).
- For Supply chain managers, the structure can be used to guide the auditing of security practices.
Users are encouraged to provide constructive feedback for consideration in future releases.
Connected Consumer Products BPG
About the Connected Consumer Best Practice Guidelines
IoT products are permeating every avenue of modern life and increasing found in our work places, homes and about our person. Many new entrants are bringing IoT class products into these unregulated markets and whilst their focus is on innovation, they may have little experience in terms of security. Security is a fundamental of the hyper-connected digital age yet we cannot expect everybody to be an expert and IoTSF aims to be a destination for those seeking knowledge and advice.
The IoTSF Executive Steering Board prioritised the connected-consumer / connected-home category due to the growing number of identified issues and widespread concerns amongst security commentators and the media.
The IoTSF Connected Consumer Best Practice guidelines are targeted at new and existing companies. IoTSF best practice guidelines are intended to be pragmatic and easily consumable for those with limited security knowledge and cover the most common issues. They provide awareness and advice on the most salient elements that affect product, service and user security.
You can download the IoTSF the Best Practice Guidelines below, for free.
Users of the guidelines are encouraged to display the Best Practice User mark on marketing materials.
Vulnerability Disclosure
BPG
About the Vulnerability Disclosure Best Practice Guidelines
The complexity of todays digital systems means that all but the simplest of systems will inevitably have security flaws – this is why PC’s and mobile apps get frequently patched for example. Large or small, all companies are likely to have to deal with security breaches at some point. Companies that have been doing business on the web for many years have learned how to cope with this, as the scale and consequences of attacks have gradually increased. Companies that are just starting to connect their products and services to the Internet (IoT) can quickly learn from that experience.
Your company will likely do all it can to avoid security issues as an IoT supplier or user. However the security flaws that exist in your systems are likely going to be found by third parties – including legitimate researchers. IoTSF therefore encourages you to make provision for third parties to make contact.
Having a published Vulnerability Disclosure Policy and a supporting process means you will have a clear method of responding to the discovery of a vulnerability in a way that preserves your customers’ privacy and safety. The alternative? It could be that the finder may choose to go somewhere else with their knowledge (including to the black market, to the press, to the stock market or to your competitors).
You can download the Best Practice Guidelines below, for free
Users of the guidelines are encouraged to display the Best Practice User mark on marketing materials.
IoT Security Compliance Framework
IoT Security Compliance
Framework
The IoT security compliance framework is a comprehensive checklist to guide an organisation through the IoT security assurance process, gathering evidence in a structured manner to demonstrate conformance with best practice.
Release 1 of the compliance framework is targeted at companies in consumer markets and consumer applications, however the framework has wider utility as it is built on security principles.
Additional categories will be added in future releases.
The scope of this document includes (but is not limited to):
- Business processes
- Devices and aggregation points such as related gateways/hubs that form part of the connectivity
- Networking including wired, and radio connections using both short-range, LPWA and cellular
- Cloud and server elements as specific to IoT.
The document is aimed at the following readers.
- For Managers; it gives a comprehensive overview of the management process needed to follow best practice.
- For Developers and Engineers, Logistics and Manufacturing Staff, it provides a detailed checklist to use in their daily work and in project reviews to validate the use of best practice by different functions (e.g. hardware and software development, logistics etc.).
- For Supply chain managers, the structure can be used to guide the auditing of security practices.
Users are encouraged to provide constructive feedback for consideration in future releases.
Connected Consumer Products BPG
About the Connected Consumer Best Practice Guidelines
IoT products are permeating every avenue of modern life and increasing found in our work places, homes and about our person. Many new entrants are bringing IoT class products into these unregulated markets and whilst their focus is on innovation, they may have little experience in terms of security. Security is a fundamental of the hyper-connected digital age yet we cannot expect everybody to be an expert and IoTSF aims to be a destination for those seeking knowledge and advice.
The IoTSF Executive Steering Board prioritised the connected-consumer / connected-home category due to the growing number of identified issues and widespread concerns amongst security commentators and the media.
The IoTSF Connected Consumer Best Practice guidelines are targeted at new and existing companies. IoTSF best practice guidelines are intended to be pragmatic and easily consumable for those with limited security knowledge and cover the most common issues. They provide awareness and advice on the most salient elements that affect product, service and user security.
You can download the IoTSF the Best Practice Guidelines here, for free.
Users of the guidelines are encouraged to display the Best Practice User mark on marketing materials.
Vulnerability Disclosure
BPG
About the Vulnerability Disclosure Best Practice Guidelines
The complexity of todays digital systems means that all but the simplest of systems will inevitably have security flaws – this is why PC’s and mobile apps get frequently patched for example. Large or small, all companies are likely to have to deal with security breaches at some point. Companies that have been doing business on the web for many years have learned how to cope with this, as the scale and consequences of attacks have gradually increased. Companies that are just starting to connect their products and services to the Internet (IoT) can quickly learn from that experience.
Your company will likely do all it can to avoid security issues as an IoT supplier or user. However the security flaws that exist in your systems are likely going to be found by third parties – including legitimate researchers. IoTSF therefore encourages you to make provision for third parties to make contact.
Having a published Vulnerability Disclosure Policy and a supporting process means you will have a clear method of responding to the discovery of a vulnerability in a way that preserves your customers’ privacy and safety. The alternative? It could be that the finder may choose to go somewhere else with their knowledge (including to the black market, to the press, to the stock market or to your competitors).
You can download the Best Practice Guidelines here, for free
Users of the guidelines are encouraged to display the Best Practice User mark on marketing materials.
TO DOWNLOAD THESE DOCUMENTS
- For website members, please login to the site and return this page
- If you are not registered with the site, please complete this form*. When you have submitted you will be redirected to the downloads page
*By clicking submit you are giving IoTSF permission to send newsletters to your email address.