The IoT Security Foundation announces ‘Release 2’ of its IoT Security Best Practice Guidelines. Across the world we are starting to see governments and states introduce legislation in various forms, requiring the IoT industry to implement good security practice. We’re also seeing the formalisation of ‘Best Practice’ into recognised industry standards. Thus the pressure is mounting upon creators of IoT products and services to ensure what they deliver is truly compliant and can be trusted by their customers.

The IoTSF Best Practice Guidelines are a freely available (zero cost) resource for use by anyone developing IoT products and services. The Guides provide awareness and advice on the most salient elements that affect product, service and user security. Intended for use either standalone or in association with our Compliance Framework, the Guides will help IoT developers address the varied security issues that must be tackled in order to deliver a safe, secure, trusted and mature end product.

Jeff Day, Group Chair and lead author, said “We are delighted to announce publication of Release 2 of the IoTSF Best Practice Guidelines (BPGs). Previous releases have seen thousands of downloads from all around the world, with many people giving us positive feedback. Designers and developers alike are finding the BPGs immensely useful in the creation of their products and also as a tool to review the security profile of their existing offerings. Because the BPGs complement our Compliance Framework, they help manufacturers identify the specific details they need to verify in order to achieve security compliance.”

In Release 2 we have thoroughly reviewed the existing 11 Guides to make sure they are fully up to date. We have also worked hard to deliver another three Guides covering topics that some might consider the ‘dark arts’ of this area…

  1. For those who’ve held back from delving into the world of Secure Boot, we have ‘M: Assessing a Secure Boot Process’, which helps the reader better understand what they’re trying to achieve when developing a secure boot process.
  2. Digital signing of updates and software images is very important but not always clearly understood. BPG ‘N: Software Image and Update Signing’ should help clarify what you’re trying to achieve and some key points to consider.
  3. And finally ‘P: Side Channel Attacks’, although not necessarily on everyone’s requirements list, gives some background on the subject and possible mitigations. This will certainly be useful for those scenarios where IoT devices are working in high-risk or critical environments, and may prompt some designers to re-think whether or not this is an area they should be addressing.