This site maps global IoT security and privacy recommendations to the ETSI standard for Cyber Security for Consumer Internet of Things: Baseline Requirements, EN 303 645. It is an evolution of our previous site, which continues to be hosted at iotsecuritymapping.uk. That previous work, conducted on behalf of the UK Government provided organisations around the world with the ability to see how different requirements mapped to the UK’s Code of Practice for Consumer IoT Security and enabled them to use the information in their own developments. Our aim was to facilitate the defragmentation of IoT security requirements and emergent standards such that a set of common, harmonised requirements could be agreed upon globally. This mission has been successful and with an international, European Standard in place, together with an accompanying conformance assessment specification, it has rapidly become the de facto global standard that industry and governments have turned to as a solution to IoT product security.

We have therefore begun the process of mapping requirements against EN 303 645 and will continue to do so as new requirements, standards, testing schemes and government regulations are published. The sources of data come from a host of recommendations and standards bodies, governments and cities through to individuals across the world and we are very grateful to everyone who has supported the initiative with input and advice. As ever, if you have any new documents for us to map or any input, drop us an email via the address on the Frequently Asked Questions page. 

Updates: 

Candidate documents for the next iteration are:

• NIST Profile of the IoT Core Baseline for Consumer IoT Products – NIST IR 8425
• International Telecommunication Union Security Requirements for Internet of Things (IoT) Devices and Gateway – X.1352

 

23/02/2023 – Newly mapped documents added in this iteration are:

• ANSSI – RECOMMENDATIONS RELATING TO THE SECURITY OF (SYSTEMS OF) CONNECTED OBJECTS 
  • The ANSSI RECOMMENDATIONS ON THE SECURITY OF (SYSTEMS OF) OBJECTS CONNECTED was released as an exclusively French language document in 2021. Copper Horse decided, at the time, to hold out until an English language translation was available. No English version has yet been produced, so Copper Horse have used Google Translate to map this document. Please be aware that as the translation isn’t 100% accurate, discrepancies in the mapping may have occurred. If/when an English translation is made available, Copper Horse will remap this document.
• The Islamic Cooperation Computer Emergency Response Team (OIC-CERT) – Guidelines for Secure Internet of Things (IoT)
• Connectivity Standards Alliance – Matter
• European Commission – Cyber Resilience Act
• European Commission – NIS2 Directive

Additionally, this iteration, Copper Horse has mapped new versions of multiple documents, and removed the outdated documents. The updated documents are below:

• ANSI/CTA – Baseline Cybersecurity Standard for Devices and Device Systems (ANSI/CTA-2088)
• Council to Secure the Digital Economy (CSDE) – International Anti-Botnet Guide 2021
• Open Connectivity Foundation (OCF) – OCF Security Specification v2.2.6
• W3C – Web of Things (WoT) Security Best Practices W3C Editor’s Draft 11 April 2022

27/05/2022 – Newly mapped documents added in this iteration are:

• Oman Telecommunications Regulatory Authority – Public Consultation on IoT Security Regulatory Framework and Standards

10/05/2022 – Newly mapped documents added in this iteration are:

• CSA – IoT Controls Matrix v3

24/01/2022 – Newly mapped documents added in this iteration are:

• IoTSF – IoT Security Assurance Framework 3.0
• UL – MCV 1376 

With the addition of these two new documents, we have deprecated two previously mapped documents that have been superseded. The deprecated documents are:

• IoTSF – IoT Security Compliance Framework 2.0
• UL – IoT Security Top 20 Design Principles

17/12/2021 – This update includes four newly mapped documents. One of which is the IoTSF’s Vulnerability Disclosure Best Practice Guidelines 2.0, with this new version we have deprecated the previous version we had mapped.

• Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) – Security Best Practice Guidelines
• IoTSF – Vulnerability Disclosure Best Practice Guidelines 2.0
• Japan Computer Emergency Response Team Coordination Center (JPCERTCC) – IoT Security Checklist
• US National Institute of Standards and Technology (NIST) – NIST Special Publication 800-213A

There are also some documents that we have not mapped at this point, but will be processed in the next release:

To be mapped in the future: 

• ANSSI – RECOMMENDATIONS RELATING TO THE SECURITY OF (SYSTEMS OF) CONNECTED OBJECTS 
  • Waiting for a English language version of this standard seemed the best choice to avoid any possible errors due mistranslation.

16/11/2021 – This update includes two new documents. One of which is the final release of the Indian Code of Practice. Previously we had mapped the draft version of this document, which has been deprecated with the addition of the full release. Additionally, we have added the IoXt Alliance’s Certified Component Program document.

• India, Telecommunication Engineering Center (TEC) – Code of Practice for Securing Consumer Internet of Things (IoT) – TEC 31318:2021 
• IoXt Alliance – Certified Component Program (Base Profile) 

01/10/2021 This site marks the evolution of the adoption of best practice in IoT to the point where there is an international standard from ETSI’s TC CYBER group ‘Cyber Security for Consumer Internet of Things: Baseline Requirements’ ETSI EN 303 645. That work is also accompanied by a conformance assessment Technical Specification, TS 103 701 marking an important step forward for global cyber security in IoT. We have mapped all previously reviewed standards against the ETSI specification baseline, including the original UK Code of Practice.

New Additions: 

• Australian Government Department of Home Affairs – Code of Practice: Securing the Internet of Things for Consumers 
  • Previously we had mapped the draft version of this document, this previous entry has been deprecated with the addition of the final release version.
• PSA Certified – Expert IoT Security Framework and Certification 
• IoXt – Pledge: The Global Standard for IoT Security 

• ANSI/CTA – Baseline Cybersecurity Standard for Devices and Device Systems (ANSI/CTA-2088) 
• India, Telecommunication Engineering Center (TEC) – Draft Guidelines/Code of Practice for Securing Consumer Internet of Things (IoT) 
• Global Certification Forum (GCF) – Consumer IoT Security Accreditation Program Procedures

Updated Versions:

• CTIA – Cybersecurity Test Plan for IoT Devices v1.3
• PSA Certified – JSADEN001 2.1
• GSMA – Coordinated Vulnerability Disclosure Program Version 3.0

As well as the documents above, there are a number of released or updated documents and legislation we intend to re-map and / or re-assess and deprecate where necessary:

• IoTSF – Vulnerability Disclosure Best Practice Guidelines 2.0
• IoTSF – IoT Security Compliance Framework 2.1
• US Senate – S.1691 Internet of Things Cybersecurity Improvement Act of 2020 (move from Bill to Act)
• (Candidate for deprecation) NIST Considerations for a Core IoT Cybersecurity Capabilities Baseline

How to use this site?

The menu links from this page take you to individual visual mappings for the individual guidelines. In addition, there is a page with an external reference mapping, which is sourced from the external references used in the documentation of the organisations who developed the various recommendations and standards. This is useful to see what material and what organisations are regularly referenced and used, by whom. From these pages you can also download files which contain open data datasets of the mappings to use yourself and within your company.

Feedback and further input is welcomed, more details can be found on the Frequently Asked Questions page.