We just wrapped up another week of ISO meetings for SC 27 this past week in Gjovik, Norway. A few updates to share:
- We are making progress on ISO 27030 Security and Privacy for IoT. We just completed our WD1 review that focused mainly on structure but also had some privacy inputs from experts from Singapore and India. Our Japanese experts did identify many new controls to be added including the request that we need to ensure that our control format needs needs to align to 27002.
- Our next stage is WD2 and we are hoping the experts continue to provide more content to build out a strong version of the document for one more WD version.
Based on suggestions from the vendors in attendance, it seems that vendors want a checklist of a few items that would indicate that their device is secure. While this might help the vendor community it is not the right approach as cyber security consists of many moving parts that includes how a company operates and the product they product, not just a device in the IoT context.
- From a privacy front, it seems that GDPR caused quite the impact on the vendor community. As a result many of bigger names have grouped together to write a proposal for a standard for data privacy where the vendor would own the data not the user. This will include a clause that allows this standard to supersede any local or global regulations. While just a discussion it does represent a very concerning perspective for governments who are fighting to protect citizen data.
- Finally, it seems that there is a theme from large cloud service providers to want to remove any requirements in ISO standards. This started in SC38 which has no should or shalls, it is all maybe’s and could be on a good day if your lucky. If your cloud service provider claims conformance to these standards it is sham. Make sure you investigate the claims of any vendor and what they have really implemented from a security and privacy controls. As usual it is a case of buyer beware when purchasing services even from the big guys.
It was good to see so many experts from different national bodies and liaison organizations in attendance to the IoT meetings and sessions. Standards Norway did a great job of hosting and Gjovik and the surrounding region are really beautiful at this time of the year. Hope to get back and visit more of this country and their friendly citizens.