Business ready: extends use into supply chain and aligns with more security standards

November 17th, 2021

The IoT Security Foundation today announced the availability of Release 3.0 of it’s ever-popular IoT Security Assurance Framework.

The Framework is a practical resource that helps IoT vendors provide fit-for-purpose security in their products and services. It is a multi-faceted publication which acts as a guide, a tool and expert reference. It leads its users through a risk management process to determine security objectives and provides a template to collect evidence to help demonstrate security claims. Purpose ready evidence may then be used to support business needs in commercial (customer), conformance (standards) or compliance (regulation) settings.

What’s in a Name?

The Framework has proven to be popular with industry having accumulated over 7200 downloads internationally since 2019 and being used by professionals that design, specify and procure IoT related products. Users of earlier releases will note that is has had a subtle, yet important, name change; with this release, it is now referred to as the ‘Assurance Framework’ having been changed from the ‘Compliance Framework’. This reflects its long term intentions to be more versatile in helping users achieve the form of assurance that is right for them – such as a self-declaration, meeting the conformance assessment of a growing number of third-party, standards-based schemes, or compliance with forthcoming regulation.

What’s New?

Release 3.0 extends the requirements for supply chain management and places extra emphasis on the evolving international standards.  Since the original Release 1.0 (Dec 2016), the Framework has both informed, and evolved alongside standardisation efforts. Release 3.0 has been aligned (mapped) to ETSI EN 303 645 and NIST 8259 – two of the latest consumer baseline standards thus helping vendors claim conformance to them. With greater applicability and more standards in development, it is the intention of the Framework to be further extended in the future. In this way, it aligns with the most relevant IoT cybersecurity standards across application domains and is a sustainable, valuable resource for users. This provides a significant motivation to adopt the Framework as it functions as a pre-compliance tool, allowing users a pathway to self-certify, or advancing their readiness in applying for a number of emerging 3rd party assessments and labelling schemes.

A spokesperson for the Working Group said “Some of the contributors to the Framework are also practitioners themselves and use it as part of the attestation of security ‘fitness’ of the product in the market. Therefore we can see first hand that by following the process,  users will create an unparalleled evidence portfolio documenting a product’s security”

John Moor, IoTSF said “The IoT Security Assurance Framework continues to evolve, keeping it up-to-date and helping to stand the test of time. As such it remains one of our most popular publications with many of its users telling us that they value its quality, its comprehensiveness and its ease of use. With Release 3.0, we have added more functionality yet have kept it backwards compatible to ensure that prior user efforts can be built upon. We are immensely proud of the IoTSF members collaborative efforts to produce this major resource and firmly believe it significantly contributes to our mission to help secure the IoT. We encourage industry to continue making good use of it.”

The Framework is available free to download without registration from the IoT Security Foundation website at

More about the Framework


The IoT Security Assurance Framework (‘Framework’) is aimed at Managers, Developers and Engineers, Logistics and Manufacturing Staff and Supply Chain Managers.


Providing good security capability requires decisions upfront in design and use – often referred to as security by design. In most cases, addressing the security of a product at the design stage is proven to be lower cost, and requiring less effort than trying to “put security” into or around a product after it has been created (which may not even be possible). Decisions need to be made to address use-case, business model, liability level and risk management in addition to technical concerns such as architecture, design features, implementation, testing, configuration and maintenance.

The Framework is intended to help all companies make high-quality, informed security choices by guiding them through a comprehensive requirements and evidence gathering process. It can be used internally in an organisation as a pre-compliance tool to self-assess or self-certify against, or by a third-party auditor. It can also be used ‘in part’, as a procurement mechanism to help specify security requirements of a supplier contract.

The Framework leads its users through a structured process that ensures suitable security mechanisms and practices are implemented. It was previously published as the IoT Security Compliance Framework up until Release 2.1, and this version remains fully backward compatible with the same sections and requirement numbering. The terminology better reflects the risk-based system and is better aligned with how governments and international bodies are approaching IoT security.

The Framework is available free to download without registration from the IoT Security Foundation website at

IoTSF Members can also download and use the accompanying Questionnaire (available from the members platform) which has an embedded tool that configures the security requirements based on goals derived from the Confidentiality, Integrity and Availability needs of the product’s use-case.