
IoT compliance standards and how to comply

To address IoT security concerns, it's critical for IT leaders to adhere to IoT compliance standards. Learn more about IoT compliance and its IT-relevant standards.

IoT continues to gather momentum. One way to recognize its progress is the number of standards, protocols and regulations that have emerged in recent years. Although some standards are essentially guidance, a few are mandatory, and compliance must be demonstrated. As such, it's important to understand the key standards and regulations for IoT and develop practices for complying with them.

Pay attention to compliance basics

IoT is closely aligned with the internet, and any device that aims to qualify for IoT status must accommodate its various protocols. Many internet standards -- such as IP, the Internet Protocol used for communicating on the internet -- have been in place for years. Devices that link to the internet, regardless of their application, must comply with the established IP standards. IT professionals generally aren't concerned about this kind of compliance because most devices in their inventories already incorporate a compliant IP stack.

Security standards and protocols must also be factored into anything that uses the internet, as the concern for cybersecurity threats grows daily. Again, these are usually built into security equipment firmware.

Getting to know IoT compliance standards

Several standards and protocols have been developed for IoT connectivity, many of which address connectivity of low-power devices to the internet, including smart homes, home security systems or Wi-Fi-enabled devices. Standards include the following:

  • Bluetooth and Bluetooth Low Energy (BLE). These wireless personal area network technologies were developed by the Bluetooth Special Interest Group to support applications in healthcare, fitness, security and home entertainment, as well as management systems. BLE uses less energy than standard Bluetooth, and today it's a popular low-power, low-range networking protocol for personal mobile devices and IoT implementations.
  • Cellular technology. Cellular wireless services, such as 4G and 5G, deliver high-bandwidth connectivity, which is important for sending large volumes of data. However, they cost more than other lower-power protocols.
  • Constrained Application Protocol (CoAP). Designed to work with HTTP-based IoT systems, CoAP provides secure communications that can support IoT applications.
  • Data Distribution Service. Developed by the Object Management Group, this machine-to-machine (M2M) protocol supports high-performance and scalable, real-time data connectivity.
  • Extensible Messaging and Presence Protocol. XMPP is an open source standard that can be used for M2M communications and specifically in consumer-oriented IoT devices, such as smart appliances.
  • IEEE 802.11ah. This low-energy, long-range wireless networking protocol extends the range of connectivity for Wi-Fi networks. It is part of the IEEE 802.11 suite of wireless protocols and is considered a good option for IoT.
  • IEEE 802.15.4. This is another low-power wireless personal area network standard that provides specifications for the physical and media access layers that support IoT devices.
  • Lightweight Machine-to-Machine Protocol (LWM2M). Developed by OMA SpecWorks, this is an application layer protocol that simplifies device management and messaging in IoT devices.
  • Long Range (LoRa) and Long-Range Wide Area Network (LoRaWAN). The LoRa protocol was developed by Semtech, a founding member of the LoRa Alliance, which was involved in the development of the LoRaWAN specification. Both are designed for low-power, wide-range wireless connectivity using unlicensed radio frequency bands and are designed to support IoT applications.
  • Message Queuing Telemetry Transport (MQTT). Now referred to simply as MQTT, this protocol is a popular open source alternative for connecting IoT and industrial IoT devices.
  • Thread. Developed by the Thread Group, a consortium of leading technology firms, Thread is a low-power and low-latency mesh networking protocol designed for IoT products.
  • Wi-Fi. Widely used in home and commercial wireless applications, Wi-Fi is an option for connecting IoT devices, but it can be power-hungry, and its limited range can affect IoT applications.
  • Zigbee. Supported by the Connectivity Standards Alliance (formerly Zigbee Alliance), this IEEE 802.15.4-based wireless mesh network protocol is intended for low-power and low-bandwidth devices used in healthcare, home and personal network applications.
  • Z-Wave. This wireless, low-power mesh networking protocol, developed in 1999 by Zensys, lets smart devices communicate securely using encryption and is popular for smart home products, security systems and commercial applications. It is currently run by the Z-Wave Alliance.

In most cases, wireless devices using these standards have the protocol embedded in firmware. This way, IoT compliance becomes a matter of the approach used by the manufacturer of wireless low-power devices.

International Telecommunication Union Recommendation ITU-T Y.2060 (2012)

This set of documents provides specifications, characteristics and definitions for IoT. The "Y" series defines information infrastructure, IP considerations, next-generation networks, IoT and smart cities.

IEEE P2413 IoT standard

Perhaps the closest thing to an IoT compliance standard is the IEEE P2413 (2019) standard, which establishes an architectural framework for IoT that describes IoT domains and identifies areas of commonality among different IoT domains. IEEE has defined dozens of networking protocols that can be applied to IoT applications, including IEEE 802.1, 802.3, 802.11, 802.15, 802.16 and 802.22 series. The P2413 draft standard provides a way to effectively use relevant IEEE standards in a cohesive IoT infrastructure.

ISO 301XX standards

Since 2020, the International Organization for Standardization (ISO) has introduced six standards addressing IoT:

  1. ISO/IEC 30141. Internet of things (IoT) -- Reference architecture, published in 2024.
  2. ISO/IEC TS 30149. Internet of things (IoT) -- Trustworthiness principles, published in 2024.
  3. ISO/IEC TR 30172. Internet of things (IoT) -- Digital twin -- Use cases, published in 2023.
  4. ISO/IEC 30173. Digital twin -- Concepts and terminology, published in 2023.
  5. ISO/IEC TR 30166. Internet of things (IoT) -- Industrial IoT, published in 2020.
  6. ISO/IEC 30194. Internet of things (IoT) and digital twin -- Best practices for use case projects, published in 2024.

Additional standards, regulations and frameworks

Several additional standards and regulations -- three of which also have specific compliance requirements -- should be considered:

  • NIST Cybersecurity for IoT Program. Developed by NIST, this program facilitates the development of secure IoT systems by providing standards, guidelines and tools to improve cybersecurity.
  • NIST Cybersecurity Framework. This program provides broad guidance to establish and maintain secure information system environments.
  • GDPR. This EU regulation with global reach specifies how personal data must be protected and carries significant penalties for noncompliance.
  • HIPAA. In healthcare, this regulation provides very specific rules for security and data privacy.
  • ISO/IEC 27001 -- Information technology -- Security techniques -- Information security management systems -- Requirements. This is a major international standard for information security affecting all kinds of technology, including IoT, and has strict compliance requirements.

IoT compliance challenges

Considering the number and types of standards, protocols and regulations in place, IT professionals have many different issues to consider from a compliance perspective, including the following:

  • Establish policies for IoT activities. These measures can specify how IoT will be used and implemented, and they can also specify how the systems will comply with standards and regulations.
  • Ensure senior management support. This is especially important for funding IoT initiatives, demonstrating ROI for IoT and compliance reporting.
  • Define the technology to be used. The types of devices and their networking requirements must be considered.
  • Identify technology applications. Use cases must be carefully defined.
  • Define networking connectivity. The different networking options must be considered, along with their various protocols.
  • Select the appropriate protocols. This is key to ensuring seamless connectivity throughout the ecosystem.
  • Identify the key standards, regulations and protocols. These are essential to ensure the organization is complying with the right statutes.
  • Determine which statutes have specific compliance requirements. Some are voluntary, some are open source, and some have strict compliance requirements.
  • Ensure the selected protocols are properly deployed and tested. This ensures the technology and networking mix is right for the application.
  • Establish a process for monitoring, reviewing and documenting compliance. This ensures that compliance is an ongoing activity.
  • Report on how compliance has been achieved and is being maintained. Often achieved through compliance auditing, this is important for senior management, stakeholders and compliance reporting entities.
  • Present evidence of compliance to the proper standards reporting agencies. Each standards group will have its own process for presenting evidence of compliance for consideration of certification.
  • Establish a process to monitor, review and manage ongoing compliance. This involves scheduling compliance reviews and audits, tests and reporting.

Establishing IoT compliance

It's clear that compliance with established IoT standards and protocols is usually automatic. However, this depends on which standards or protocols are built into the devices using an IoT infrastructure. Other IT audit controls, such as IT general controls that address security, access and data integrity, can also be applied to IoT situations. As IoT devices generally exhibit the same control requirements as other IT systems and data, those control metrics can be applied to IoT system compliance auditing.

When auditing IoT devices and networks, the same IT audit controls should be used to establish and confirm compliance with good IT practices. Compliance with the IEEE P2413 standard and others noted above can introduce additional controls for auditors to use in their work.

The following practices can ensure compliance is achieved and maintained:

  1. Understand key IoT standards. Many of the most important current standards, protocols and regulations are listed above; it's important to keep current on these and any new standards.
  2. Establish policies and procedures. Policies and procedures set ground rules for IoT activities and are very important as audit evidence.
  3. Determine and implement the best security. Establishing a robust cybersecurity framework is essential and can include the deployment of end-to-end encryption, strong access authentication, regular patching and updating, and secure boot provisioning.
  4. Implement processes to achieve regulatory compliance. This means identifying the key statutes, the standards bodies' requirements for compliance and how to officially present evidence of compliance.
  5. Ensure device interoperability. For a true IoT ecosystem to work, all devices must be able to communicate with each other seamlessly; thus, adherence to the proper networking protocols is essential.
  6. Monitor, review, test and audit compliance. In addition to ensuring that systems are performing properly, check that the software complies with standards, perform penetration tests to identify any potential security gaps and ensure that all third-party entities comply with the company's IoT requirements.

Complying with current IoT standards requires selecting a specific technology or suite of systems that uses one or more protocols. Traditional IT audit controls can be applied to IoT compliance, and the standards from IEEE, ISO, the International Telecommunication Union, NIST and others provide frameworks and guidelines for developing compliance policies and procedures for demonstrating compliance.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
