IS0/IEC 27403:2024(en) International Standard Cybersecurity - IoT security and privacy - Guidelines for IoT- domotics 1 Scope This document provides guidelines to analyse security and privacy risks and identifies controls that can be implemented in Internet of Things (IoT)-domotics systems. 2 Normative references The following documents are referred to in the text in such a way that some or all of their content constitutes requirements of this document. For dated references, only the edition cited applies. For undated references the latest edition of the referenced document (including any amendments) applies. IS0/IEC 20924, Internet of Things (loT) and digital twin - Vocabulary Iso/IEc 270oo, Information technology-Security techniques-Information security management systems - Overview and vocabulary ISo/IEC 29100, Information technology Security techniques-Privacy framework 3 Terms and definitions For the purposes of this document, the terms and definitions given in IS0/IEC 27000, IS0/IEC 29100, IS0/IEC 20924 and the following apply. ISO and IEC maintain terminology databases for use in standardization at the following addresses: -Iso Online browsing platform: available at https://www.iso.org/obp IEC Electropedia: available at https://www.electropedia.org/ 3.1 IoT-domotics Internet of Things (loT) system composed of networks, devices, services and users typically used in the domicile or as electronic wearables Note 1 to entry: Devices are usually available to the consumer through retail purchase. Note 2 to entry: According toISO/IEC TR 22417:2017,6.3, IoT-domotics denotes the private, hence highly customizable indoorareawheresomeonelives,aloneo r with friends/relatives/roommates. Thus, it includes dedicated infrastructure aimed to support those individuals, such as healthcare and wellness systems, building control systems, smart metering and systems for entertainment and gaming. 3.2 entity physical or non-physical element, which has a distinct and independent existence Note 1 to entry: Every entity has a unique identity. Note 2 to entry: See IS0/IEC 30141:2018, 8.2.1.2. @ IS0/IEC 2024 - All rights reserved 1 IS0/IEC 27403:2024(en) 3.3 domain major functional group of an Internet of Things (loT) system Note 1 to entry: Every entity (3.2) in an IoT system participates in one or more domains and is said to be included or containedbythatdomain. Note 2 to entry: See IS0/IEC 30141:2018, 8.2.1.3. 4 Abbreviated terms AI artificial intelligence App application AR augmented reality CRM customer relationship management DDoS distributed denial of service ICT information and communication technology IP internet protocol IoT Internet of Things NB-IoT narrow band Internet of Things PII personally identifiable information RF radio frequency TV television URL uniform resource locator USB universal serial bus VR virtual reality 5 Overview 5.1 General The security and privacy of IoT-domotics have a bearing on the normal operation of in-domicile services, the well-being of residents, and the integrity of infrastructures that are linked directly or indirectly with devices of services. Stakeholders including users, service providers, device manufacturers, network operators and industry supervisors are becoming increasingly concerned by security and privacy issues of IoT-domotics. In comparison with other IoT solutions, IoT-domotics have specific features and concerns. It is therefore essential to adapt the general IoT security and privacy principles to IoT-domotics and provide stakeholders with thorough and tailored guidelines in specific scenarios of IoT-domotics. 5.2 Features Some examples of IoT-domotics systems can be found in Annex A. Many of the features of IoT-domotics can affect the security and privacy considerations. These features should be specifically considered in the context of security and privacy. Such features include: a)open and varied home environments; 1)terminal devices: devices can be smart devices, lightweight function de