Category Archives: ISO Standards

How to secure your start up

It can be both hectic and rewarding to start a new venture. After being around startups since 2000, I know how you feel. While it can be overwhelming, you need to know how security and privacy play a part in your success.

First of all, do not ignore security, despite what many venture capital groups are preaching; that advice is pure BS. By designing security and privacy into your solution you will be miles ahead of your competition.

Here is how you need to approach this complex problem (which is not complex, by the way, but people feel better when you tell them how complex it really is).

1. Conduct a Risk Assessment against both your product and your small company to determine the data you collect and the means of collecting, processing, storing and destroying this data. I would recommend using ISO 27005 as the framework for this. As you step through this process you will need to consider all aspects of your solution, including but not limited to hosting, OS, plugins, modules, binaries, daemons, services, coding languages, authentication, logging, encryption, databases, etc. You get the point. You must focus on how each of the elements is going to be integrated and test each one to confirm that you did not actually introduce any vulnerabilities.

2. Threat model your solution to determine how it can be attacked... because it will be. There are several frameworks for this out there. Get one, use it, and make it part of a simple but efficient SDLC.

3. Know the laws and regulations that impact your product, not just today but in the geographic regions where you plan to do business. These will be requirements for your product.

4. Unit testing: for each of the risks that you identify, create unit tests that validate the risk has been recognized and that each one is mitigated to the minimum.

Here is the secret formula for security success (Sssshhh don’t tell anyone):

TRA + Regulatory + Threat Modeling + Testing/Verification = Security Success

Some keys to success

1. Keep it simple, but create an SDLC that drives security into your solution now. This will save you money down the road. If you have to completely redesign your software 2 years down the road to deal with security, the costs will be prohibitive. Trust me, you will learn this the hard way.

2. Not all risks can or need to be eliminated. You need to determine how to get them to a level that you and the other founders are willing to accept. Keep in mind that some privacy laws and regulations cannot be ignored; you must mitigate those risks to a bare minimum.

3. Keep documentation of all your activities. It can be used if a partner or customer sends in their auditors, because you know they will.

4. Once your company is about 6-12 months old, consider drafting some policies and procedures to help new employees better understand the culture of security you are looking to create.

Good luck, and realize that you can simplify the security process, but do it now! It will save you time and money down the road. I will also point out that 68% of SMBs that experience a data breach are usually out of business within two years. Hopefully, that is motivation enough.


Evaluation of an IoT Solution

After attending the latest IEC SC 41 and ITU SG20 meetings recently in Japan and China, I am still surprised that many are unsure how to determine the risk of an IoT solution. One thing that complicates matters is the concept of System-of-Systems (SoS) for IoT. If you break it down, most IoT solutions are an SoS. The device is a full-fledged system that includes HW/SW, an OS, a server and an application at a minimum. Then consider that there is a mobile application and cloud hosting for the data and application layers.

The first place to start is quantifying the risk: if this system were compromised, what impact might that have on the organization using or deploying it? This might include:

a. Can the device or service be weaponized due to weak design or lack of formal testing and design?

b. Does the system at any level store Personally Identifiable Information (PII), which is subject to very specific regulations in many jurisdictions?

c. Does the vendor have a Secure Development Lifecycle (SDLC)?

d. Does the vendor have company policies and procedures that include developing a secure product? This aspect has many other facets that need to be considered, including privacy by design, audit process, risk registry, etc. Security is an ongoing process, so this should be easily proven by the way the organization operates and deals with security.

e. Only use products that can be validated as authentic; no grey market goods.

f. Have your solution verified by a 3rd party provider who is certified in conducting formal audits on these solutions.

g. Ensure that any penetration testing that was conducted included all components, not just the device.

As a footnote, please keep following ISO 27030 Security and Privacy in IoT and IEC 30149 Trustworthiness Framework as two key works that will aid industry and buyers of IoT solutions. These two projects will help drive the requirements that should be considered by vendors and help in comparing solutions based on their security and privacy features.


Meeting Report – ISO/IEC SC27 Gjovik, Norway

We just wrapped up another week of ISO SC 27 meetings in Gjovik, Norway. A few updates to share:

  1. We are making progress on ISO 27030 Security and Privacy for IoT. We just completed our WD1 review, which focused mainly on structure but also had some privacy inputs from experts from Singapore and India. Our Japanese experts identified many new controls to be added, including the request that our control format align to 27002.
  2. Our next stage is WD2, and we are hoping the experts continue to provide more content to build out a strong version of the document for one more WD version.
    Based on suggestions from the vendors in attendance, it seems that vendors want a checklist of a few items that would indicate that their device is secure. While this might help the vendor community, it is not the right approach, as cyber security consists of many moving parts that include how a company operates and the product they produce, not just a device in the IoT context.
  3. On the privacy front, it seems that GDPR has had quite an impact on the vendor community. As a result, many of the bigger names have grouped together to write a proposal for a data privacy standard where the vendor would own the data, not the user. This would include a clause that allows the standard to supersede any local or global regulations. While just a discussion, it does represent a very concerning perspective for governments who are fighting to protect citizen data.
  4. Finally, it seems that there is a theme among large cloud service providers of wanting to remove any requirements from ISO standards. This started in SC38, which has no shoulds or shalls; it is all maybes and could-bes on a good day if you're lucky. If your cloud service provider claims conformance to these standards, it is a sham. Make sure you investigate the claims of any vendor and what they have really implemented in terms of security and privacy controls. As usual, it is a case of buyer beware when purchasing services, even from the big guys.

It was good to see so many experts from different national bodies and liaison organizations in attendance at the IoT meetings and sessions. Standards Norway did a great job of hosting, and Gjovik and the surrounding region are really beautiful at this time of year. I hope to get back and visit more of this country and its friendly citizens.


Getting Ready for an ISMS Implementation

So you decided to take the leap and secure your organization and data. Where do you start? I would highly recommend you get a copy of ISO/IEC 27001 to get familiar with the terminology and concepts. You can get a copy here from our friends at the CSA Group. Once you get it, read it at least once to get an idea of the concepts and process. It will be dry reading, just a heads up.

So what do you do next?

It typically starts with a Gap Analysis that documents your current security controls compared to the mandatory requirements for an ISMS. This will include aspects of your current policies and procedures: are they current, do they reflect both business operations and identified risks, are they using best practices, etc. Now, it is important to point out that an ISMS is more than just policies and procedures, but they do play a large part in it.

Next, a company-wide Threat and Risk Assessment (TRA) is conducted to determine the assets at risk and the controls that are used to protect them. A "control" in this context is a person, process, or technology that will mitigate a risk. The assessor will evaluate the controls currently in use and the current risks based on technology and processes, and will even consider contracts with 3rd parties. These findings are put into a Risk Report that quantifies all of these risks with recommendations.

Up next, we put it all together in a report and presentation that outlines the cyber risks to the business, recommendations for corrective actions, and possibly a Statement of Applicability (SoA) if your organization is going to seek certification. Realize you can deploy an ISMS without certification, and increasingly more companies are asking partners and suppliers to prove how secure their organizations are prior to signing contracts; an ISMS makes this easy. I would also point out that the ISMS will improve your risk and security posture and your level of maturity over time. We realize that your security maturity might be low to start, but over time it should improve, and the ISMS helps build the necessary plans and identifies the risks to get you there. It also generates the necessary documentation that will prove the attention given to cyber risks and counter any claim of negligence in the organization.

If you do implement your ISMS, you first need to create a risk management framework. I will provide more details on this in a second blog posting – stay tuned. A Risk Registry will be created, along with a project plan for implementing the necessary controls to protect against your current risks and to highlight those risks that are being accepted by the organization, as acceptance is an approach as well. At this point, an implementation plan is created to help deploy the necessary controls, such as processes, procedures and technologies, to mitigate risks. The resources to do this, both financial and staff time, will depend on the risks, budget and corporate drivers such as compliance and regulatory requirements.

Once the controls are implemented, it is a matter of running a few cycles of the ISMS in action. This is basically PLAN-DO-CHECK-ACT for your security risks.

Plan (Establish the ISMS) – Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.

Do (Implement and Operate the ISMS) – Implement and operate the ISMS policy, controls, processes and procedures.

Check (Monitor and Review the ISMS) – Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.

Act (Maintain and Improve the ISMS) – Take corrective and preventive actions based on the results of the internal ISMS audit and management review or other relevant information to achieve continual improvement of the ISMS.

This is typically handled by the risk framework that will be implemented to ensure that all cyber risks are identified, quantified and mitigated on an ongoing basis. Once that has been completed a few times, say over 6 to 12 months, you should be ready for an internal audit and for certification if you decide to go that route.

That's it in a nutshell, folks. Keep in mind an ISMS can be used by companies of all sizes, not just large ones. Companies are increasingly being asked to prove their cyber security stance in order to win contracts and provide services to larger organizations and regulators. An ISMS is a great approach to meet and/or exceed this requirement.


NAFTA Cyber Security Framework

As part of the NAFTA discussions, it looks like the US is looking to add a cyber security component into the mix. Finally, a great idea in a trade agreement! The basis for this is quite clear given the interconnected world we live in and the fact that all Canadian Internet traffic is routed to the US. We have to ensure that one country is not in a position to bring about the downfall of another due to weak security practices.

Given the current state of cyber security practices at most SMBs in Canada, this will serve as a good wake-up call to get your security house in order if you want to sell to the US. Based on the current wording, companies would have to demonstrate the implementation of an accepted cyber security framework within the organization.

What does this mean? From the top down, executives are responsible for having implemented the necessary security management system to measure and mitigate cyber risk within their respective organizations. I am not going to provide all the nuts and bolts of how to do this, but I would "highly" recommend you get a copy of ISO/IEC 27001/27002 and build your plan to implement an Information Security Management System (ISMS). Don't let the "information" part of the name fool you; this standard has been written to fully consider the cyber elements of any organization regardless of sector.

The best place to buy this is from our friends at CSA Group in Canada. They actually offer a security bundle that contains all the base standards to get you started at a very reasonable price.

When you initiate your cyber program, focus on conducting your risk assessments, building your action/mitigation plan and getting those policies and processes nailed down; most of all, education and awareness will be a key element of your success.

Keep in mind that this will not be easy, but the benefits will help you sell your solutions to the US and will help protect your digital assets. What else could you ask for?


The Smart City Under Attack – CBoC Presentation

I recently got an opportunity to speak at the Conference Board of Canada's Securing the Smart City of the Future conference. It was great to be able to speak to those dealing with the daunting challenge of managing the security, privacy and safety risks while still providing smart city services.

It is clear that the potential benefits of fully-connected smart cities fed by sensors and data are significant, especially when seen alongside the advance of the Internet of Things (IoT). These benefits could tackle some of the greatest problems of urbanization, such as traffic congestion, inefficient use of energy, and pollution. As great as these potential benefits are, so are the risks and unanswered questions that the integration of new technology brings. Countries looking to implement smart city initiatives need to have a national policy that mandates aspects of security, privacy and safety. This policy should include the following as a minimum:

  • Requirements for an Information Security Management System (ISMS).
  • City breach plans for emergency services, vendors, citizens, etc.
  • Security tested components and solutions that are validated prior to release.
  • “Assurance” from solution providers and vendors for their products/services.
  • Buyers requesting that products and solutions be evaluated.
  • Demand Threat & Risk Assessment (TRAs) and Privacy Impact Assessments (PIAs) for all solutions prior to deployment by City Managers.
  • Respect for the privacy of citizens.

The security breaches in the recent past and the ongoing increase in cyber attacks and crime have made one thing very clear: In building the smart cities of tomorrow we need to be smart! Bearing this in mind, what is the biggest barrier to smart city entry?

The biggest barrier seems to be the security and privacy of the sensors and data – the very things that make a city smart. The concern seems to be around data breach and how to minimize the exposure of the sensors in the field. However, in the past year or so there seems to have been a shift in the mindset of what is more important: a $5 sensor or the data we collect on people and objects. Clearly the data protection is more important. An example would be smart city projects in Canada that want to provide more real-time information to citizens about services and conditions. This requires them to track citizens in order to offer the service, which means that there are substantial privacy concerns. The client can share lots of data, but if it becomes compromised, the city collecting it is liable under new legislation in Canada. Cities are taking the time to understand the risks and prepare for the eventuality of a data breach and invasion of privacy.

You can see the presentation that I gave below. As always, if you have any questions about the presentation, please do not hesitate to contact us for clarification.


CB0C A Smart City Under Attack – TwelveDot


IoT Security @ Ottawa Meetup

Wow! A very informative evening in front of a full house at the Ottawa IoT Security Meetup (standing room only, actually)! Big thanks to Pascal and Jacques!

Our very own Faud Khan delivered, according to those present, "a very informative and entertaining presentation" on IoT Security.


“Absolutely super informative presentation and a great showcase of the depth of TwelveDot’s knowledge and experience in the security field.”

The presentation explored how to make security and privacy part of the daily business ritual so as to significantly reduce the cyber exposure of products, solutions and the business itself. As such, it provided a look at:

• ISO standardization of IoT

• Security considerations for your organization

• Security considerations at design and development

• Testing and evaluation of IoT solutions

• Privacy considerations and practices


FYI – Elements of the presentation are:

IoT Technologies Mind Map – SWG_5_IoT_Technologies_MindMap

IoT Threats and Risks Poster – IoT Threats and Risks

Presentation Slide Deck IoT Security – IoT Meetup Ottawa Presentation Slide Deck – June 28_2016


  1. When can we get access to ISO/IEC 30141 Reference Architecture? The information will be available Fall/Winter of 2016. You can keep track of development at the ISO site.
  2. What is the scope of the IoT Reference Architecture? The scope according to ISO 30141 is "This International Standard specifies IoT Conceptual Model, Reference Model, and Reference Architecture from different architectural views, common entities, and high-level interfaces connecting the entities."
  3. What is PIPEDA? The Personal Information Protection and Electronic Documents Act (PIPEDA or the PIPED Act) is a Canadian law relating to data privacy. It governs how private sector organizations collect, use and disclose personal information in the course of commercial business. More details can be found here.
  4. Why do we have to pay to meet these standards? Doesn't it harm the whole process? ISO needs a means to pay for the system even after Canada pays its membership into ISO. The base 27000 is free, but others like 27001 etc. do cost a little, around $35.
  5. Who do you call first if you get breached? Do not call your security guy! You should contact your lawyer and have your lawyer contact your security people. This ensures client confidentiality and attorney-client privilege.
  6. Have you looked at Intel IoT development kits with security infrastructure built into the target software? Intel libraries may be investigated more than open source libraries, but they are still vulnerable; always do your due diligence on any solution.
  7. For 3rd party libraries we use well-known libraries and Black Duck to test etc... beyond that, are there other practices that you recommend? Take advantage of the hashes publishers provide (one-way hashes) and ensure they are validated prior to use. Likewise, ensure you are monitoring them via CERT and other vulnerability disclosure services so that you are notified of new vulnerabilities.
  8. What is your minimum recommendation when trying to implement a security plan? Encourage Threat Modelling at the design stage, identify your data at risk, and have in-depth knowledge of how you are processing, storing and transporting data. Conduct a PIA using ISO 29134; you can find lots of details on this at the PCO site. Privacy Commissioner of Canada PIA
  9. Can security be a marketable aspect of a product? Absolutely. Security is a very important part of any product and can be a huge selling point for any product provided it is implemented properly. With breach laws around the world changing, as an executive you need to show due diligence using the process outlined, which provides the necessary outputs.
  10. Is there any industry forum etc. assisting ISO standard development? Prior to beginning a new project, ISO implements a study period to reach out to the community and create liaison relationships. Specific to IoT, WG10 has liaison relationships with ITU-T, IIC, IEEE, and many more. This ensures these standards are not created in a bubble.
  11. What do you think about open source standards (block chains in particular)? Block chains can be used in applications for tracking ownership or documentation of physical and digital assets. They hold lots of promise; however, many countries look to ISO to provide the necessary guidance on standards. In the case of block chains, the current open standard is being proposed as the base standard for ISO. As this project is just starting, we are a long way from determining if it will be adopted as the benchmark.
  12. Are any big security companies involved with ISO standards? Many large security companies and non-security companies are involved with ISO standards. The list is much too long for this blog, but most large technology companies are current members of national committees.
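As an added example (not code from the original post), here is the check from answer 7 applied to a downloaded third-party library: parse the publisher's sha256sum-style checksum file, hash the artifact, and refuse to use it if the digest does not match or the file is not listed at all. The package name, artifact bytes and checksum file are constructed for the demo.

```python
"""Validate a downloaded library against the publisher's SHA-256 checksums before use."""
import hashlib
import hmac
import os
import tempfile

# Constructed sample data: a hypothetical package and a "published" checksum file
# in the common `sha256sum` output format ("<hex digest>  <filename>").
ARTIFACT_NAME = "example-lib-1.2.3.tar.gz"
ARTIFACT_BYTES = b"pretend this is the tarball the publisher released\n"
SUMS_FILE = "\n".join([
    hashlib.sha256(ARTIFACT_BYTES).hexdigest() + "  " + ARTIFACT_NAME,
    "0" * 64 + "  other-lib-9.9.tar.gz",   # an unrelated entry in the same file
]) + "\n"


def parse_sums(text):
    """Parse sha256sum-style lines into {filename: hex_digest}; reject malformed lines."""
    table = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: malformed checksum entry")
        digest, name = parts
        name = name.lstrip("*")  # sha256sum prefixes binary-mode entries with '*'
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"line {lineno}: not a SHA-256 hex digest")
        table[name] = digest.lower()
    return table


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large downloads need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_artifact(path, sums_text):
    """Return True only if the file is listed in the sums AND its digest matches.

    An unlisted file is a failure, not a pass: "no hash published" must never
    silently degrade into "no check performed".
    """
    expected = parse_sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return False
    actual = sha256_file(path)
    return hmac.compare_digest(actual, expected)


def demo(tamper=False):
    """Write the constructed artifact to a temp dir (optionally altered) and verify it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, ARTIFACT_NAME)
        data = ARTIFACT_BYTES + (b"\x00" if tamper else b"")
        with open(path, "wb") as f:
            f.write(data)
        return verify_artifact(path, SUMS_FILE)


if __name__ == "__main__":
    print("clean artifact verifies:", demo())            # True
    print("tampered artifact verifies:", demo(tamper=True))  # False
```

The checksum file itself should be fetched over a trusted channel (or its signature verified) before it is used as a reference; otherwise a modified artifact and a modified checksum file will agree with each other.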

We hope this information helps. If you need more guidance on securing your products and solutions please reach out to us.




Ottawa IoT Meetup – June 28th

This month I have the honour of being the presenter at the YOW IoT Meetup, and I hope to see you there. Please bring all your questions. I look forward to providing guidance and suggestions for your projects. Here is the outline for my discussion:

Security and Privacy for IoT: A Standards Based Approach

IoT has the promise to change our lives and provide interactions that were previously unheard of – with upwards of 20 billion devices connected. However, one of the biggest barriers to adoption is security and privacy.

Daily reports of compromised networks and systems have become commonplace, and many IoT services and solutions will be based on these same architectures and techniques – risky! The only way to change the IoT security landscape is to change our approach to design.

Our discussion will explore how to make security and privacy part of your daily ritual with the aim of significantly reducing the cyber exposure of your products and solutions. As we are quite active in the development of both IoT and security standards, we use a standards based approach to solving these problems.

International standards provide a global yardstick on which to base the build and design of solutions. In the age of IoT, even small companies are being forced to think globally.

We will look at:

  • ISO standardization of IoT
  • Security considerations for your organization
  • Security considerations at design and development
  • Testing and evaluation of IoT solutions
  • Privacy considerations and practices

We will record all the questions we get and post them for all to see. I am sure that you will agree with me that it is important to share, as I believe the same root issues and problems are being experienced by many product and solutions organizations.


Cyber Canucks EP 7: Selecting Cloud Service Providers

We hope you enjoy episode 7 in our series of podcasts on cybersecurity.

Hosts: Cid Parato and Faud Khan

Topics of this episode:

  • What is the data that you are protecting or storing in the cloud?
  • Benchmarks to compare cloud service providers
  • Policies and Procedures – Implement an ISMS to ensure policies and procedures align to corporate objectives
  • Data Centre Evaluation ( location, service platform, what are their rules for data )
  • Access to Data ( who has access from provider side and your side, authentication )

For more details please follow us on Twitter @TwelveDotSec and if you have any questions or comments please reach out to us at

A big Thx goes out to Jack Wiles for sound editing.



Talking IoT Standards in Shanghai

This past week we had the 4th meeting of the ISO/IEC WG10 on IoT. We are working towards writing ISO 30141 Reference Architecture for IoT. While it is not easy to get many global experts to agree on such a broad topic, it is good to see so many of us attempting to find common ground on IoT. We have had many issues over the years, and it has taken a while to overcome some of the conceptual concerns as to what is required. However, it seems that we have started to work towards a common goal and are now more focused.

Some of the more contentious issues are:

  1. What does a conceptual model need to contain? With so many experts from diverse backgrounds, it is not easy. You get fixated on your vertical and its needs, but we need to come up with a model that represents the basic common elements of all IoT systems. We are getting there, but we still need to agree on the level this diagram should represent.
  2. Terms and definitions are another one, but if you have been around standards this is quite normal. With the content constantly changing in a Working Draft (WD), so too do the terms, to ensure alignment with the content and context of the topic.
  3. Dealing with other Standards Development Organizations (SDOs) and their view of IoT. While we need to respect each other's perspective of IoT, we have to be keenly aware that we do not duplicate the work of others. This is much harder for IoT given the breadth of technologies that it encompasses.


I was grateful to our Chinese hosts from WSN, who invited me as a security expert to a panel on IoT. This event got lots of local press coverage, and it was attended by over 200 delegates. One question from the audience was about security and what companies need to do better. My usual response is that if you're building something, make sure you threat profile it and have an SDLC that includes security and privacy at every stage of development. It will go a long way to ensure your product/service is more secure in the field.