In the future, IoT devices will have a white-goods-equivalent rating scale, measuring not energy, but controls

Our Method

Transforming the NIST Controls to IoT Controls

If you think about it, an IoT device is just another type of information system. Manufacturers of IoT devices are merely providing an environment of use outside of their organization, for us, consumers. Thus, the controls required for securing IoT devices are the controls used to secure information systems, focused on the environment of use of the IoT device. In our method, we start with a known standard for security controls and assessment procedures of information systems, namely NIST SP 800-53. We replace "Information System" with "IoT Device" and "Organization" with either "Environment of Use" or "Manufacturer". Then, we examine our use case for the IoT device again, and replace wordy clauses where not applicable. Grammar aside, we have transformed a known set of controls to an IoT specific set of controls. 

Grouping IoT Controls Together

When examining how different IoT devices gets used in their environment, patterns emerge. This is because almost all IoT devices have two things in common, a TCP/IP stack and a specific business purpose to fulfil.  These common things allow us to group controls more consistently and ask which layer of operation does the control apply to. The layers we have selected to group controls are derived from the TCP/IP stack and the "Organisation, Mission and Information System View" of NIST. This grouping allows us to shortlist controls applicable to our use case, based on the patterns that emerge. 

Shortlisting Twelve Controls

For different types of IoT devices, the same controls come up as important, over and over again. This allows us to break down the problem of how to secure an IoT device into a set of smaller questions, specific to the control objective of these re-occurring themes. We selected a dozen critical security controls as things that matter in IoT and offer ‘just enough’ security. We’ve done our best to make them comprehensive for everyone — including the consumers of IoT devices.

Control List












“An IoT Control Audit Methodology,” ISACA Journal, volume 6, 2017. Reprinted with permission from ISACA

About Us

Marcin Jekot

CISSO, ISO27001 LA, SSP. Is an IT risk and security specialist at UBS. He has architected and implemented a number of processes and services related to IT risk management and control. He also provided security consultancy to research initiatives at his alma mater. His main research interests consist of corporate risk management, emerging technologies and evolution of modern IT threats.

Yiannis Pavlosoglou

PhD, CISSP. Is the strategic change manager for operational resilience at UBS. He is also cochair of the (ISC)2 EMEA Advisory Council. Starting in the mid-2000s as a penetration tester in London, United Kingdom, Pavlosoglou worked for more than 5 years in technical roles. He then headed up a number of on-shore and off-shore risk assessment teams with a cyber and technology focus.