Prism Infosec, the independent cybersecurity consultancy, has announced it has been certified as an IoT (Internet of Things) Security Assured Assessor under the IoT Security Assured scheme run by the IASME Consortium. The scheme sees internet-connected devices assessed against industry best practice. It is aligned with the ETSI technical standard for IoT security, EN 303 645, and with the proposed UK IoT security legislation and guidance, the Product Security and Telecommunications Infrastructure (PSTI) Bill, and is also mapped to the IoTSF Security Compliance Framework. As an IoT Security Assured Assessor, Prism Infosec is now able to help manufacturers looking to comply with the new standard by assessing and validating their applications.
Initially funded by a grant from the Department for Digital, Culture, Media and Sport (DCMS), the IoT Security Assured scheme aims to boost consumer confidence in the IoT and was launched following a successful pilot in 2021. The scheme features three levels of security: a Basic level aligned with the PSTI and the top three requirements of the ETSI standard; a Silver level with the ETSI mandatory requirements and data protection provisions; and a Gold level with the ETSI mandatory requirements as well as all additional ETSI recommended requirements and data protection provisions. Manufacturers meeting the criteria will be able to display the relevant badge on their IoT device, providing consumers with added reassurance.
The IoT Security Assured Scheme is designed to be accessible and achievable and requires the applicant to work through eight categories of questions about the security controls in place on the connected device and any associated services. These cover issues including passwords and credentials, vulnerabilities and anomalies, software, secure configuration, communications and usage of data. A board member from the organisation must then declare the claims are true before submitting the application for review by the assessor within six months. As the process is self-led up until this point, the assessor plays a crucial role in providing feedback and in helping the manufacturer to meet the necessary criteria to reach the desired level of certification.
“Assessors will provide hands-on certification of the IoT Security Assured Scheme. This means that manufacturers are required to first achieve the verified self-assessment and then upgrade to the hands-on version which would involve additional documentation and a hands-on assessment of the device by the assessor. Importantly, this level of certification does not involve an in-depth technical assessment, but sees the assessor examining the device from a user perspective in a typical use environment, providing a significant additional level of assurance without a significant additional cost,” explains Dr Emma Philpott MBE, CEO, IASME.
“Security is a top concern among consumers when it comes to the Internet of Things so it’s vital to the industry to allay those concerns. The IoT Security Assured Scheme provides a low barrier of entry, enabling manufacturers to assess their products against the security controls and practices advocated by the existing and emerging sets of regulation. Those that sign up to the scheme can capitalise on our expertise to help improve their security controls, are able to reassure their customers and to use the badge to differentiate their offering in the marketplace. But it will also enable them to get ahead of the regulatory curve and futureproof their offering,” states Phil Robinson, Principal Consultant and Founder of Prism Infosec.