ISO/IEC DIS 27404

Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT

General information

Stage 40.20, DIS ballot initiated: 12 weeks (Dec 16, 2024)

ISO/IEC

ISO/IEC JTC 1/SC 27 Information security, cybersecurity and privacy protection

International Standard

ICS: 35.030 IT Security; 35.240.95 Internet applications

Scope

This document defines a Universal Cybersecurity Labelling Framework for the development and implementation of cybersecurity labelling programmes for consumer IoT products and includes guidance on the following topics:
• Risks and threats associated with consumer IoT products;
• Stakeholders, roles and responsibilities;
• Relevant standards and guidance documents;
• Conformity assessment options;
• Labelling issuance and maintenance requirements; and
• Mutual recognition considerations.
The scope of this document is limited to consumer IoT products, such as IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers; wearable health trackers; connected smoke detectors, door locks and window sensors; connected home automation and alarm systems, especially their gateways and hubs; connected appliances, such as washing machines and fridges; smart home assistants; and connected children's toys and baby monitors.
The Universal Cybersecurity Labelling Framework addresses the expected and intended use of IoT devices and systems by consumers, that is, the general public and non-technical users. These devices and systems are used with the understanding that the label and criteria are designed for consumer use and consumer security concerns. Safety is not addressed in this Universal Cybersecurity Labelling Framework, even though it is an important aspect to consider. Consumer IoT devices used in an enterprise context may not be classified as consumer IoT devices, because a compromise there can have more serious implications, which in turn calls for more stringent cybersecurity provisions. Furthermore, threat models for consumer IoT do not assume the presence of an IT or system administrator.
Products that are not intended for consumer use are excluded from this standard. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes.
The Universal Cybersecurity Labelling Framework is based on requirements from international standards, with the objectives of facilitating mutual recognition of labelling schemes for consumer IoT (regardless of whether they are binary or multi-level), avoiding fragmentation of standards, eradicating duplicated testing across countries, reducing the cost of compliance and facilitating market access for developers.
This document is applicable to consumers, developers, issuing bodies of cybersecurity labels and independent test laboratories.

Life cycle

Status: in development (stage 40.20, DIS ballot initiated: 12 weeks, Dec 16, 2024)