IoT security standards gap analysis : mapping of existing standards against requirements on security and privacy in the area of IoT
ENISA conducts a preliminary analysis of the IoT-related landscape of standards, which indicates that there is no significant gap in standards to bring secure IoT to the market. This does not mean that the security of the IoT ecosystem as a whole has been addressed by means of standards. Elements of a holistic approach towards IoT security can be found in a series of standards; however, to achieve an overarching approach that protects the entire IoT ecosystem, further work is needed. Accordingly, given the particularities of the IoT ecosystem (e.g. very high scalability, context of use, short time to market and cost drivers), this study does not intend to promote a specific solution for the entire IoT. Instead, by identifying and mapping the existing standards landscape for IoT security, the study aims at pinpointing potential areas of improvement and additional efforts in securing the IoT.

In general, there is an identifiable gap in the process by which a vendor can assert that their IoT product or service is secure. On the assertion that standards enable interoperability, the lack of cohesion on the use and application of standards for secure IoT means that interoperability is not guaranteed even if all devices were to be placed on the market with security features enabled. The primary argument of the present document is that standards are essential but not sufficient to ensure open access to markets. In the particular case of security, a large number of processes as well as technical standards have to be in place to ensure that any device placed on the market is assuredly secure. The present document therefore proposes, in Annex B, a theoretical approach towards a certification, assurance and validation scheme to identify what is sufficient, as a precursor to allowing market access through device, service and process certification.
It should be noted that this approach is inherently theoretical, since it does not take into account relevant concerns such as economic considerations that might affect the viability of applying standards. The process recommended in this document is intended in part to engender a change in attitude towards device security by making secure IoT the only form of IoT that reaches the market and to give confidence to the market through a mélange of certification, assurance testing & validation, and market surveillance. The bulk of the material in the present report is contained in Annex A, the mapping of requirements to available standards, and in Annex B, a proposal for the technical basis of market certification.
| Field | Value |
|---|---|
| Year of publication | 2018 |
| Institutions | European Union Agency for Network and Information Security (issuing body) |
| Publisher | Heraklion : ENISA |
| Subject | Datensicherheit; Data security; Internet der Dinge; Internet of things; Datenschutz; Data protection; Standardisierung; Standardization |
| Access | freely available |
Similar items by subject
-
Developing Internet of Things-related ISO 10001 Hand Hygiene Privacy Codes in healthcare
Ortiz, María Belén, (2023)
-
Standardisation and certification of safety, security and privacy in the 'Internet of Things'
Baldini, Gianmarco, (2017)