
ISACA NOW BLOG

Twelve IoT Controls

Author: Marcin Jekot, CISSO, ISO 27001 LA, SSP, and Yiannis Pavlosoglou, Ph.D., CISSP
Date Published: 21 December 2017

Not too far in the future, Internet of Things (IoT) devices will carry a white-goods-equivalent rating scale, similar to washing machines and refrigerators. Instead of being measured on energy usage, manufacturers will be measured on the number and type of security controls they have implemented for their devices. We wrote our recent Journal article to provide a simple way to audit IoT devices, based on their environment of use. The article identifies 12 simple IoT controls that almost no manufacturer completely implements today. Hopefully, this method will serve as the motivation to start the journey toward standardization of IoT controls.

We selected the number 12 to avoid discussions of “security theater” and to focus instead on a dozen critical security controls, the things that matter in IoT. Expecting this number to be criticized, we built our audit methodology with the intention of using the audit output as a method for the security classification of IoT devices. Those 12 controls were selected in an effort to make them comprehensible for everyone, including the consumers of IoT devices.

Furthermore, we tried to build on existing standards so as not to reinvent the wheel. To break a large technical problem into smaller environment-of-use problems, we glued together the layers of the Transmission Control Protocol/Internet Protocol (TCP/IP) stack with the US National Institute of Standards and Technology (NIST) pyramid of organizational, business-process and IT-system tiers. This allowed us to see which control fits where and for what reason. It also helped identify overlap and reduce the total number of controls to just 12.

Finally, manufacturers seeking an independent objective assessment of their products could use this method. The same 12 controls can also be applied to a corporate environment. By certifying IoT devices against these controls, you can assess what data classes the device can process or what business activities can be supported.

Read Marcin Jekot and Yiannis Pavlosoglou’s recent Journal article:
“An IoT Control Audit Methodology,” ISACA Journal, volume 6, 2017.
