
IoT compliance standards and how to comply

To address IoT security concerns, it is critical for IT leaders to adhere to IoT compliance standards. Learn more about IoT compliance and its IT-relevant standards.

IoT is here. But be aware: Despite the excitement -- and challenges -- generated by it, IoT technology is still largely a work in progress.

While IT professionals are increasingly intrigued at how IoT can enhance their organizations, they must also be concerned about its risks. One way to address these concerns is to establish a process for compliance with appropriate standards, regulations, benchmarks and controls. Additionally, IT teams must be familiar with the existing IoT compliance standards and how their organization can comply with each of them.

Pay attention to compliance basics

Many internet standards have been in place for years, such as the Internet Protocol (IP) -- including IPv6 -- used for communicating over the internet. Devices that connect to the internet, regardless of their application, must implement the established IP standards. IT professionals generally are not concerned about this kind of compliance because most of the devices in their inventories already implement the proper IP stack.

Security standards and protocols must also be factored into anything that uses the internet, as the concern for cybersecurity threats grows daily. Again, these are usually built into security equipment firmware.

Getting to know IoT compliance standards

Several standards have been developed for IoT connectivity, some of which address connectivity of low-power devices -- such as home security systems or Wi-Fi-enabled devices -- to the internet. These include the following:

  • Bluetooth Low Energy. This wireless personal area network technology was developed by the Bluetooth Special Interest Group to support applications in healthcare, fitness, security and home entertainment, as well as management systems.
  • IEEE 802.11ah. This low-energy wireless networking protocol that extends the range of connectivity for Wi-Fi networks is part of the IEEE 802.11 suite of wireless protocols.
  • Thread. Developed by the Thread Group, a consortium of leading technology firms, Thread is a low-power networking protocol designed for IoT products.
  • Zigbee. This is an IEEE 802.15.4-based wireless protocol for low-power and low-bandwidth devices used in healthcare, home and personal network applications.
  • Z-Wave. This wireless, low-power networking protocol, developed in 1999 by Zensys for use in home automation systems, is currently run by Sigma Designs.

In most cases, wireless devices using these standards have the protocol embedded in firmware. This means compliance with these standards largely depends on the approach taken by the manufacturer of the low-power wireless device rather than on the IT team deploying it.

IEEE P2413 draft standard

Perhaps the closest thing to an IoT compliance standard is the IEEE P2413 draft standard, which establishes a framework for IoT. The architecture describes IoT domains and identifies areas of commonality among different IoT domains. IEEE has defined dozens of networking protocols that can be applied to IoT applications, including IEEE 802.1, 802.3, 802.11, 802.15, 802.16 and 802.22 series. The P2413 draft standard provides a way to effectively use relevant IEEE standards in a cohesive IoT infrastructure.

Establishing IoT compliance

It is clear that compliance with established IoT standards and protocols is usually automatic. However, this depends on which standards or protocols are built into the devices used in an IoT infrastructure. Other IT audit controls, such as IT general controls that address security, access, data integrity and other issues, can also be applied to IoT environments. As IoT devices generally have the same control requirements as other IT systems and data, those control metrics can be applied to IoT system compliance auditing.

When auditing IoT devices and networks, the same IT audit controls should be used to establish and confirm compliance with good IT practices. Compliance with the IEEE P2413 standard -- once it is approved -- may introduce additional controls for auditors to use in their work.

Currently, the challenge of complying with IoT standards is largely a matter of selecting a specific technology or suite of systems that uses one or more of these protocols. Traditional IT audit controls can be applied to IoT compliance, and the new draft standard from IEEE provides a framework and guidelines from which compliance requirements can be developed.

1 comment

Very loosely worded information that highlights a lack of familiarity with standards and standards developing organizations. IEEE 2413-2019 was approved in May 2019 and published in March 2020. The article cites both a draft standard and a standard for IEEE 2413. Was the article written before May 2019? IEEE 2413 was developed by a group of companies using the IEEE Corporate Advisory Group (CAG) procedures, meaning that it was a group of industry companies that sponsored the project. Given that example, standards organizations publish and own copyright to the published standards. The standards organizations provide the accredited procedures and organizational structure by which companies and subject matter experts develop the standards. Unless mandated by regulation or laws, standards are for voluntary use. Companies using the standards may claim conformance to the requirements (mandatory features) of the standards and accommodate the optional features suitable for their products. Conformance to the requirements specified in the standards is distinct and separable from compliance with regulations and laws. Companies do not comply with standards. In the article, the use of the term compliance is incorrect and misleading. The wording about compliance with recommended practices is indicative of the lack of precision in the use of terms by the writers. Much more to pick at in the article; much more editorial review is needed before publishing, and much more understanding of the accredited standards organizations, consortia, and industry trade associations is suggested if this series of articles on compliance is to be of value and to retain credibility, both for the writers and the publisher. I am disappointed and inclined to continue to scan items for useful content and comical relief. FWIW.