Introduction
1.1 Introduction
The IoT Security Foundation (IoTSF) was established to address the challenges of IoT security in an increasingly connected world. It has a specific mission “to help secure the Internet of Things, in order to aid its adoption and maximise its benefits. To do this IoTSF will promote knowledge and clear best practice in appropriate security to those who specify, make and use IoT products and systems”.
In more concise terms for vendors, operators, and end-users: “Build Secure, Buy Secure, Be Secure”.
This IoT Security Assurance Framework (‘Framework’) leads its user through a structured process of questioning and evidence gathering. This ensures suitable security mechanisms and practices are implemented. It was previously published as the IoT Security Compliance Framework up until Release 2.1, and this version remains fully backward compatible, with the same sections and requirement numbering. The new terminology better reflects the Framework's risk-based approach and is better aligned with how governments and international bodies are approaching IoT security.
The Framework is intended to help all companies make high-quality, informed security choices by guiding them through a comprehensive requirement checklist and evidence gathering process. The evidence gathered during the process can be used to declare conformance with best practice to customers and other stakeholders.
Providing good security capability requires decisions upfront in design and use – often referred to as secure by design. In most cases, addressing the security of a product at the design stage is proven to be lower cost and to require less effort than trying to “put security” into or around a product after it has been created (which may not even be possible). Decisions need to be made to address use case, business model, liability level and risk management, in addition to technical concerns such as architecture, design features, implementation, testing, configuration and maintenance.
Throughout this document, and others published by the IoTSF, reference is made to “best practice” or “best practice security engineering”. These best practices are derived from the combined expertise of the IoTSF members, used and tested within their own companies, and from the publications and guidance of other relevant organisations. Wherever possible, reference is made to existing standards and best practice materials to avoid unnecessary duplication. A list of external reference materials and related bodies is included at the end of this document in the section References and Abbreviations.