BS ISO/IEC 27402:2023
Cybersecurity. IoT security and privacy. Device baseline requirements

Standard No.
BS ISO/IEC 27402:2023
Release Date
2024
Published By
British Standards Institution (BSI), United Kingdom
Latest
BS ISO/IEC 27402:2023
 

Introduction

Standard Background and Technical Evolution

BS ISO/IEC 27402:2023 is the UK adoption of ISO/IEC 27402:2023, published by BSI through Technical Committee IST/33/4. The standard sets a baseline of security and privacy requirements for IoT devices, intended to address the risk created by the rapid growth in the number of connected devices. It is a horizontal standard: alongside product-class baselines such as ETSI EN 303 645 (consumer IoT), it supplies the cross-industry set of device requirements that sector-specific schemes can build on.


Core Requirements Analysis

Control domain  | Mandatory requirement                                                                    | Recommended practice
Risk management | A device-level risk assessment must be performed and documented (5.1.1.1)                | Use the ISO 31000 risk-management methodology (5.1.1.2)
Data protection | Data at rest and in transit must be protected cryptographically (5.2.5.1.4)              | Implement a hardware root of trust (RoT) (5.2.5.3)
Firmware update | The update process must verify the integrity and authenticity of the update (5.2.7.1.1) | Offer a configurable automatic-update mechanism (5.2.7.2)

Key technology implementation

Device identity authentication scheme

Clause 5.2.6.1.4 requires default keys to be replaced rather than left in service, so that no shared factory credential remains usable in the field. Recommended approaches:

  • TPM-backed hardware device identity
  • Injection of a unique per-device certificate during manufacturing (using cryptographic modules that meet ISO/IEC 19790)
  • Dynamic token authentication (per-session or challenge-response credentials rather than static shared secrets)
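The provisioning and authentication flow the bullets describe, as an added example in Go that is not part of the standard or of this page: a factory CA issues one certificate per unit for a key the unit generated itself, and the backend authenticates a device by verifying the chain, the serial carried in the subject, and a signature over a fresh nonce (the challenge-response form of a dynamic token). The type and function names (ManufacturerCA, ProvisionDevice, Authenticate), the use of the certificate CommonName for the device serial, and the choice of ECDSA P-256 are assumptions made for the example; in production the device key would live in a TPM or secure element and the CA key in an HSM.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ManufacturerCA stands in for the factory issuing CA (hypothetical; an HSM would hold Key).
type ManufacturerCA struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
	Pool *x509.CertPool // the trust anchor the backend verifies against
}

// Device holds a key pair generated on the unit itself and the certificate issued for it.
type Device struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func NewManufacturerCA(name string) (*ManufacturerCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return &ManufacturerCA{Key: key, Cert: cert, Pool: pool}, nil
}

// ProvisionDevice is the factory step: the unit generates its own key, only the public half
// leaves it, and the CA binds that key to the device serial. No two units share a key.
func (ca *ManufacturerCA) ProvisionDevice(serial string) (*Device, error) {
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // a real CA uses random serials
		Subject:      pkix.Name{CommonName: serial},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(5, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	cert, err := issue(tmpl, ca.Cert, &devKey.PublicKey, ca.Key)
	if err != nil {
		return nil, err
	}
	return &Device{Key: devKey, Cert: cert}, nil
}

// SignChallenge is the device side of challenge-response: it signs a fresh server nonce with
// the certified key, proving possession without the key ever leaving the device.
func (d *Device) SignChallenge(nonce []byte) ([]byte, error) {
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, d.Key, h[:])
}

// Authenticate is the backend check: chain to the manufacturer CA, subject equals the claimed
// serial, and a valid signature over the nonce this server issued for this attempt.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, claimed string, nonce, sig []byte) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate does not chain to manufacturer CA: %w", err)
	}
	if cert.Subject.CommonName != claimed {
		return fmt.Errorf("certificate subject %q does not match claimed serial %q", cert.Subject.CommonName, claimed)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig); err != nil {
		return fmt.Errorf("challenge signature invalid: %w", err)
	}
	return nil
}
```

A clone that presents a certificate from any other CA fails the chain check, a captured signature fails when replayed against a new nonce, and because each unit generates its own key there is no factory default left to rotate.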

Secure update architecture

Typical implementations that satisfy clause 5.2.7 combine:

  1. A dual-bank (A/B) flash layout, so that a failed update can be rolled back to the previous known-good image
  2. ECDSA signatures on firmware packages, verified on the device before an image is applied
  3. Centralised update distribution and fleet management through an IoT gateway
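The first two points above, combined into one added example in Go (not code from the standard or from this page): the vendor signs a manifest of version and image hash with ECDSA P-256, and the device verifies signature, hash and anti-rollback version before staging the image in the inactive flash bank; a failed trial boot reverts to the bank that still holds the last good image. The manifest layout, the UpdatePackage and Device names, and the in-memory model of the two banks are assumptions of the example; gateway-side distribution (point 3) is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdatePackage is a hypothetical OTA container: the image, a manifest
// (big-endian version || sha256(image)) and an ECDSA P-256 signature over the manifest.
type UpdatePackage struct {
	Image    []byte
	Manifest []byte
	Sig      []byte
}

// NewVendorKey models the vendor's offline signing key; only the public half is burned into devices.
func NewVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignUpdate runs on the build server: hash the image, bind the hash to a version, sign both.
func SignUpdate(key *ecdsa.PrivateKey, version uint32, image []byte) (*UpdatePackage, error) {
	h := sha256.Sum256(image)
	m := make([]byte, 4, 4+len(h))
	binary.BigEndian.PutUint32(m, version)
	m = append(m, h[:]...)
	d := sha256.Sum256(m)
	sig, err := ecdsa.SignASN1(rand.Reader, key, d[:])
	if err != nil {
		return nil, err
	}
	return &UpdatePackage{Image: image, Manifest: m, Sig: sig}, nil
}

// Device models a dual-bank (A/B) flash layout: one bank runs while the other is written.
type Device struct {
	VendorPub *ecdsa.PublicKey
	Banks     [2][]byte
	Versions  [2]uint32
	Active    int
	Pending   bool // set when an update is staged, cleared by the first boot decision
}

func NewDevice(pub *ecdsa.PublicKey, image []byte, version uint32) *Device {
	d := &Device{VendorPub: pub}
	d.Banks[0], d.Versions[0] = image, version
	return d
}

// ApplyUpdate checks authenticity (signature), integrity (hash) and anti-rollback (strictly
// newer version) before writing anything, then stages the image in the inactive bank.
func (d *Device) ApplyUpdate(p *UpdatePackage) error {
	if d.Pending {
		return errors.New("reject: previous update not yet confirmed by a successful boot")
	}
	digest := sha256.Sum256(p.Manifest)
	if !ecdsa.VerifyASN1(d.VendorPub, digest[:], p.Sig) {
		return errors.New("reject: manifest signature does not verify with the vendor key")
	}
	if len(p.Manifest) != 4+sha256.Size {
		return errors.New("reject: malformed manifest")
	}
	// Version and expected hash are taken only from the signed manifest, never from unsigned fields.
	ver := binary.BigEndian.Uint32(p.Manifest[:4])
	got := sha256.Sum256(p.Image)
	if !bytes.Equal(got[:], p.Manifest[4:]) {
		return errors.New("reject: image hash does not match signed manifest")
	}
	if ver <= d.Versions[d.Active] {
		return fmt.Errorf("reject: version %d is not newer than running version %d", ver, d.Versions[d.Active])
	}
	staging := 1 - d.Active
	d.Banks[staging] = append([]byte(nil), p.Image...)
	d.Versions[staging] = ver
	d.Active, d.Pending = staging, true // the bootloader will try the new bank once
	return nil
}

// Boot is the bootloader's decision after the trial boot: keep the new bank if the image
// reported healthy, otherwise fall back to the bank that still holds the last known-good image.
func (d *Device) Boot(healthy bool) {
	if d.Pending && !healthy {
		d.Active = 1 - d.Active
	}
	d.Pending = false
}

func (d *Device) RunningVersion() uint32 { return d.Versions[d.Active] }
func (d *Device) RunningImage() []byte   { return d.Banks[d.Active] }
```

Because the version check compares against the bank that actually booted, a rejected or reverted trial does not consume a version number, so a rebuilt image with the same number can be retried; a design that also wants to block re-flashing of a known-bad build would keep a separate monotonic counter in protected storage.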

Compliance implementation recommendations

Phased implementation path:

Phase                        | Key tasks                                                        | Acceptance indicator
1. Preparation               | Establish a risk-assessment process that satisfies clause 5.1.1  | A completed Statement of Applicability (SoA)
2. Development               | Implement the clause 5.2.5 data-protection requirements          | Cryptographic module validated to FIPS 140-2 Level 3 (FIPS 140-3 for new validations)
3. Operation and maintenance | Establish a vulnerability-disclosure process (5.1.3)             | Process conforms to ISO/IEC 29147

Note: This standard does not replace the security requirements in Schedule 1 of the UK PSTI regulations (see the national foreword); products placed on the UK market must also satisfy those regulations and the applicable UKCA marking rules.
