Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Other Opportunities
Event Partnerships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Registry
STAR Home
Submit to Registry
Provide Feedback
What is the STAR Registry?
Learn how to stay compliant in the cloud.
CCAK Training
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
GDPR Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
CSA Approved STAR Assessment Firms
Certificates & Training
Events
Learn and network while you earn CPE credits.
Events
Virtual Events & Webinars
Certificates & Training
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Micro-Trainings
Train my entire team
Training Instructors
Become an Instructor
Training Partners
Become a Training Partner
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Zero Trust Advancement Center
CxO Trust
CloudBytes Webinars
Industry Specific Research
Financial Services
Healthcare
Getting Started with CSA Research
Best practices for cloud security
Assess your compliance to cloud standards
Security questionnaire for vendors
The top threats to cloud computing
Zero Trust Architecture
View more
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Architectures and Components
Enterprise Architecture
Hybrid Cloud Security
Emerging Technologies
Blockchain/Distributed Ledger
Internet of Things (IoT)
Quantum-safe Security
Securing DevOps
Application Containers and Microservices
DevSecOps
Serverless
Security Services
Enterprise Resource Planning
Cloud Key Management
Security as a Service
Software-Defined Perimeter
Zero Trust
Threat Intelligence
Global Security Database (GSD)
Incident Response
Top Threats
View all topics
Membership
Join as an Organization
Enterprises
Solution Providers
Contact Us
Current Members
Initiatives & Partnerships
CxO Trust
Zero Trust Advancement Center
Trusted Cloud Providers
Other Opportunities
Event Partnerships
Join as Individual
Chapters
Circle Community Forum
Research Working Groups
Volunteer Opportunities
STAR Program
STAR Registry
STAR Home
Submit to Registry
Provide Feedback
What is the STAR Registry?
Learn how to stay compliant in the cloud.
CCAK Training
Governance, Risk & Compliance Tools
Cloud Controls Matrix (CCM)
Consensus Assessment Initiative Questionnaire (CAIQ)
GDPR Code of Conduct
STAR Level 1
At level one organizations submit a self-assessment.
View companies at level one
Learn about level one
STAR Level 2
At level two organizations earn a certification or third-party attestation.
View companies at level two
Learn about level two
CSA Approved STAR Assessment Firms
Certificates & Training
Events
Learn and network while you earn CPE credits.
Events
Virtual Events & Webinars
Certificates & Training
Certificate of Cloud Security Knowledge (CCSK)
Certificate of Cloud Auditing Knowledge (CCAK)
Micro-Trainings
Train my entire team
Training Instructors
Become an Instructor
Training Partners
Become a Training Partner
Research
CSA Research
Latest Research
Working Groups
Open Peer Reviews
Research Topics
Zero Trust Advancement Center
CxO Trust
CloudBytes Webinars
Industry Specific Research
Financial Services
Healthcare
Getting Started with CSA Research
Best practices for cloud security
Assess your compliance to cloud standards
Security questionnaire for vendors
The top threats to cloud computing
Zero Trust Architecture
View more
Awards & Recognition
Juanita Koilpillai Awards
Research Fellows
Architectures and Components
Enterprise Architecture
Hybrid Cloud Security
Emerging Technologies
Blockchain/Distributed Ledger
Internet of Things (IoT)
Quantum-safe Security
Securing DevOps
Application Containers and Microservices
DevSecOps
Serverless
Security Services
Enterprise Resource Planning
Cloud Key Management
Security as a Service
Software-Defined Perimeter
Zero Trust
Threat Intelligence
Global Security Database (GSD)
Incident Response
Top Threats
View all topics
Circle
Events
Blog
Sign In

Download Publication

Home
Publications
CSA IoT Security Controls Framework v2
CSA IoT Security Controls Framework v2

CSA IoT Security Controls Framework v2

Release Date: 01/28/2021

Working Group: Internet of Things

The IoT Security Controls Framework Version 2 is relevant for enterprise IoT systems that incorporate multiple types of connected devices, cloud services, and networking technologies. The Framework has utility across many IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services. The classification of a system is assigned by the system owner based on the value of the data being stored and processed and the potential impact of various types of physical security threats. 

Updates for Version 2 include...
• Updated Controls - All Controls have been reviewed and updated for technical clarity
• New Domain Structure - Control domains have been reviewed and updated to better categorize each control.
• New Legal Domain - Introduces relevant legal controls
• New Security Testing Domain - Introduces Security testing of architectural allocations.
• Simplified Infrastructure Allocations - Device types have been consolidated to a single type in order to simplify the allocation of controls to architectural components.

The Guide to the IoT Security Controls Framework Version 2 provides instructions for using the companion CSA IoT Security Controls Framework v2. This guide explains how to use the framework to evaluate and implement an IoT system for your organization by providing a column by column description and explanation.

Download this Resource

LoginCreate Account

Prefer to access this resource without an account? Download it now.

Acknowledgements

Brian Russell Headshot
Brian Russell

Brian Russell

Brian Russell is co-author of the book “Practical Internet of Things Security” and is a Chief Engineer focused on Cyber Security Solutions for Leidos (www.leidos.com). He oversees the design and development of security solutions and the implementation of privacy and trust controls for customers. Brian leads efforts that include security engineering for Unmanned Aerial Systems (UAS) and Connected Cars, and the development of hig...

Read more

Michael Roza Headshot
Michael Roza
Risk, Audit, Control and Compliance Professional

Michael Roza

Risk, Audit, Control and Compliance Professional

Since 2012 Michael has contributed to over 85 CSA projects completed by CSA's Internet of Things, Zero Trust/Software-Defined Perimeter, Top Threats, Cloud Control Matrix, Containers/Microservices, DevSecOps, and other working groups. He has also served as co-chair of CSA's Enterprise Architecture, Top Threats, and Security-as-a-Service working groups while also serving as the Standards Liaison Officer for IoT, ICS, EA, SECaaS, and Cloud Key M...

Read more

​Aaron Guzman Headshot
​Aaron Guzman

​Aaron Guzman

Aaron is a passionate information security professional specializing in IoT, embedded, and automotive security. He is co-author of the “IoT Penetration Testing Cookbook” and a technical editor for the "Practical Internet of Things Security” Packt Publishing books. Aaron is co-chair of CSA’s IoT working group as well as a leader for OWASP’s IoT and Embedded Application Security projects; providing practical guidance to address the most commo...

Read more

Ashish Vashishtha Headshot
Ashish Vashishtha
Cybersecurity - Sr. Risk Manager & Security Architect at IBM

Ashish Vashishtha

Cybersecurity - Sr. Risk Manager & Security Architect at IBM

Analytical, results-oriented IS/IT Audit, Governance, Risk, and Compliance (GRC) leader over 19 years of experience managing enterprise-wide IT/IS security risk approach for large healthcare and IT services organizations. Passionate design thinker with an ability to harness innovation by facilitating collaboration to develop enterprise-wide security risk assessments (onsite as well as remote) for high-risk Third-Parties leveraging NIST 800-...

Read more

Renu Bedi Headshot
Renu Bedi
Manager-IT Security

Renu Bedi

Manager-IT Security

This person does not have a biography listed with CSA.

Hillary Baron Headshot
Hillary Baron
Senior Technical Director - Research, CSA

Hillary Baron

Senior Technical Director - Research, CSA

This person does not have a biography listed with CSA.

Ramon Codina Headshot Missing
Ramon Codina

Ramon Codina

This person does not have a biography listed with CSA.

Umesh Jaiswal Headshot Missing
Umesh Jaiswal

Umesh Jaiswal

This person does not have a biography listed with CSA.

Raj Sachdev Headshot Missing
Raj Sachdev

Raj Sachdev

This person does not have a biography listed with CSA.

Are you a research volunteer? Request to have your profile displayed on the website here.

Interested in helping develop research with CSA?

Join this Working Group
View all Working Groups