Considering ISO27001 for IoT Security Readiness

Manufacturing companies are heading towards IoT (Internet of Things) at a fast pace. While most companies are focused on automating their production processes, they seem to be losing focus on one key element – information security. This article outlines the typical challenges in IoT security readiness and how ISO27001 can help in the process.

Challenges in IoT security

  • Too many OEM devices, which makes it complex to integrate them in a secure way
  • Too many attack vectors open up, given the complexity of the network
  • Multiple geographical locations
  • Usage of cloud technology

How can ISO27001 help?

Since ISO27001 is a risk assessment framework, it comes in handy when preparing for an IoT implementation. The following 10 step program provides a systematic approach to using the framework in a highly effective way.

  1. Approach the IoT technical design one geographical location at a time.
  2. Segregate the design into OEM and home-grown components (software and hardware).
  3. Lay out the data flow for each of the components (inputs and outputs).
  4. Perform technical threat modelling for each component.
  5. Note down the processes that bind people to the IoT devices.
  6. Perform a risk assessment based on the outcome of the threat modelling.
  7. Apply controls as per the ISO27001 standard.
  8. Create risk mitigations and note down the residual risk.
  9. Apply the ISO27001 controls meant for third party vendors (including cloud service providers).
  10. Repeat the same for the other locations and supporting processes.

In the IoT world, security is never 100%. It is a continuous improvement process.

Why ISO27001 Compliance?

Over the years, it has been practically proven that ISO27001 controls are industry neutral and very well defined, and hence prove effective in achieving the required information security. If the compliance framework is properly designed for a given scenario, ISO27001 ensures the following in an IoT scenario.

  • Confidentiality of historic logs generated by IoT infrastructure
  • Integrity of data being input into and handled by IoT devices
  • Availability of entire IoT infrastructure
  • Privacy of personal information being handled by the IoT implementation (especially home-based IoT)

Extending ISO27001

It is less known that ISO27001 also has an exclusive guideline, ISO27030, for ensuring data privacy and security for IoT infrastructures. Also, for modern IoT platforms which extensively use cloud SaaS and PaaS models, there are specific security guidelines, ISO27017 and ISO27018.

IoT Security Partners

For a foolproof implementation, it is highly recommended to consider a partner or vendor who is well versed in security technical design, vulnerability assessment and IoT/SCADA technology.