
ISO 27001 and IoT: Securing Connected Devices

6 min read · 27kay

Your ISMS already covers IoT - if you scope it right

IoT devices expand your attack surface, but ISO 27001 does not need a special IoT add-on to address them. The standard’s risk-based approach and Annex A controls already cover connected devices - you just need to include them in your ISMS scope and treat the risks they introduce. The challenge is that IoT devices behave differently from traditional IT assets, and your risk assessment needs to reflect that.

Why IoT devices need special attention

IoT devices introduce risks that traditional servers, laptops, and cloud services do not. Understanding these differences is the first step to managing them properly.

Limited patching capability. Many IoT devices run embedded firmware that cannot be updated easily or at all. A server gets monthly patches. A building access controller or environmental sensor might run the same firmware for years. Your patch management process needs to account for devices where “apply the latest update within 14 days” is simply not possible.

Weak default configurations. IoT devices frequently ship with default credentials, open management ports, and unnecessary services enabled. Unlike enterprise servers that go through hardening before deployment, IoT devices often get plugged in and forgotten. Configuration management (A.8.9 in the 2022 version) is critical here.

Network exposure. IoT devices often need network connectivity to function but should not sit on the same network segment as production systems or user workstations. A compromised smart thermostat should not give an attacker lateral access to your database servers.

Physical accessibility. Many IoT devices are installed in locations with limited physical security - factory floors, public areas, remote sites. Someone with physical access to the device may be able to extract credentials, install modified firmware, or use it as a network entry point.

Long lifecycle. Enterprise laptops get replaced every 3-5 years. Industrial IoT devices might run for 10-15 years. Your security controls need to account for devices that will outlast multiple generations of your security architecture. ENISA’s guidelines on IoT security provide additional context on managing these long-lived assets.

Which ISO 27001 controls apply to IoT

You do not need a separate IoT security framework. The 2022 version’s Annex A controls already cover the key areas. Here are the most relevant ones:

Control, and how it applies to IoT:

A.5.9 - Information and asset inventory: Every IoT device must be in your asset register with owner, location, firmware version, and network segment.

A.5.23 - Cloud services security: Many IoT platforms depend on cloud backends - cover the cloud component in your risk assessment.

A.8.1 - User endpoint devices: IoT devices are endpoints - include them in your endpoint security policy.

A.8.9 - Configuration management: Document and enforce secure configurations for each IoT device type: disable defaults, close unused ports, change credentials.

A.8.20 - Network security: Segment IoT devices onto dedicated VLANs with firewall rules restricting lateral movement.

A.8.8 - Management of technical vulnerabilities: Track firmware vulnerabilities and apply updates where possible; document accepted risks where patching is not feasible.

A.8.12 - Data leakage prevention: Monitor what data IoT devices transmit and to where - some devices phone home to manufacturer servers in unexpected jurisdictions.

A.8.16 - Monitoring activities: Include IoT network segments in your security monitoring - anomalous traffic from a sensor array may indicate compromise.

A.7.1-A.7.4 - Physical security controls: Secure physical access to IoT devices, especially those in accessible locations.

The key principle is that IoT devices are information assets. They go in your asset register, they get risk-assessed, and the controls you select get documented in your Statement of Applicability.

How to include IoT in your ISMS scope

Step 1: Inventory everything. Survey your environment for connected devices. This goes beyond the obvious (security cameras, access control systems) to include printers with network cards, smart displays in meeting rooms, building management systems, environmental sensors, and any device with an IP address. We regularly find 30-50% more connected devices than organizations expect during initial assessments.

Step 2: Classify and group. Not every IoT device carries the same risk. Group devices by function, data sensitivity, and network location. A CCTV camera recording a public lobby is different from an environmental sensor in your server room. Classification drives proportionate controls.

Step 3: Assess IoT-specific risks. Add IoT-specific threat scenarios to your risk assessment: default credential exploitation, firmware tampering, unauthorized network access through compromised devices, data interception from unencrypted protocols, and supply chain risks from device manufacturers.

Step 4: Define controls per device class. Write device-class-specific security requirements. All IoT devices on the network must have default credentials changed and unnecessary services disabled. Devices handling sensitive data must use encrypted communications. Devices that cannot be patched must be isolated on dedicated network segments with strict firewall rules.

Step 5: Monitor and review. Include IoT devices in your internal audit program and your ongoing monitoring. Check that configurations have not drifted, firmware is current where possible, and network segmentation rules are still enforced.
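The device-class rules from Step 4 and the drift review in Step 5 can be turned into a check that runs over the asset register instead of a manual spreadsheet pass. The script below is an added example, not code from the original article or from 27kay; the device fields, the isolated VLAN name, the approved egress destinations and the sample register are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    device_class: str           # e.g. "camera", "sensor", "bms" (Step 2 grouping)
    vlan: str                   # network segment recorded in the asset register (A.5.9)
    firmware: str
    patchable: bool             # False when the vendor ships no firmware updates
    handles_sensitive_data: bool
    defaults_changed: bool      # default credentials replaced (A.8.9)
    unused_services_disabled: bool
    encrypted_transport: bool
    egress_destinations: list = field(default_factory=list)

# Assumed policy values: segments that count as isolated for unpatchable
# devices (A.8.20) and destinations approved for IoT egress (A.8.12).
ISOLATED_VLANS = {"iot-isolated"}
APPROVED_EGRESS = {"ntp.internal", "iot-gateway.internal"}

def check_device(d: Device) -> list:
    """Apply the Step 4 device-class rules; an empty list means compliant."""
    findings = []
    if not d.defaults_changed:
        findings.append("A.8.9: default credentials still in place")
    if not d.unused_services_disabled:
        findings.append("A.8.9: unnecessary services still enabled")
    if d.handles_sensitive_data and not d.encrypted_transport:
        findings.append("A.8.20: sensitive data sent over unencrypted transport")
    if not d.patchable and d.vlan not in ISOLATED_VLANS:
        findings.append("A.8.8/A.8.20: unpatchable device not on an isolated segment")
    unexpected = sorted(set(d.egress_destinations) - APPROVED_EGRESS)
    if unexpected:
        findings.append("A.8.12: unapproved egress to " + ", ".join(unexpected))
    return findings

def review_register(devices: list) -> dict:
    """Step 5 review: map each non-compliant device to its findings."""
    return {d.name: f for d in devices if (f := check_device(d))}

# Constructed sample register (not real devices): a compliant camera, a sensor
# breaking several rules, and an unpatchable controller that is properly isolated.
SAMPLE_REGISTER = [
    Device("lobby-cam-01", "camera", "iot-cameras", "2.1.4", True, False,
           True, True, True, ["iot-gateway.internal"]),
    Device("serverroom-env-03", "sensor", "servers", "1.0.0", False, True,
           False, True, False, ["ntp.internal", "cloud.vendor.example"]),
    Device("bms-controller-01", "bms", "iot-isolated", "3.2", False, False,
           True, True, True, ["iot-gateway.internal"]),
]

if __name__ == "__main__":
    for name, findings in review_register(SAMPLE_REGISTER).items():
        print(name, "->", "; ".join(findings))
```

Feeding the real register (exported from your CMDB) through the same rules on a schedule gives the configuration-drift and segmentation evidence an internal audit will ask for.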

Common mistakes

Excluding IoT from scope entirely. Some organizations scope their ISMS to “IT systems” and assume IoT devices are out of scope. If those devices connect to your network, process data, or could be used as an attack vector against in-scope systems, they need to be addressed. An auditor reviewing your scope will ask about connected devices.

Applying desktop security policies to IoT. A policy that says “all endpoints must run antivirus software” does not work for an embedded Linux sensor. IoT devices need their own control profiles that account for their constraints. Be specific about what “secure configuration” means for each device type.

Ignoring the supply chain. IoT device manufacturers vary widely in their security practices. Some provide regular firmware updates, vulnerability disclosures, and end-of-life policies. Others ship a device and never update it. Your supplier security assessment (A.5.19-A.5.22) should evaluate IoT vendors just like any other supplier.

How 27kay can help

We help organizations bring IoT environments into their ISO 27001 ISMS without overcomplicating the process. Whether you are dealing with a handful of smart office devices or a complex industrial IoT deployment, we scope the controls proportionately - enough to manage the real risks without creating unworkable policies for devices that cannot support them.

Need to figure out how IoT fits into your ISMS? Let’s talk - we will help you inventory, assess, and control your connected devices within your existing security management framework.