Companies are adopting more and more IoT devices: cameras, sensors, access control, production meters, and smart building systems. The benefits are clear, but at the same time, the risk grows that devices appear on the network without being managed as rigorously as servers or workstations. This is exactly where many SMEs notice a problem: there are many devices, responsibilities are unclear, and security practices remain incomplete.
In this article, we will go through what ISO 27001 means in an IoT environment, the most common risks, and how you can proceed practically toward compliant operations. You will also get a clear roadmap for integrating IoT security into your company’s management system, rather than treating it as a disconnected technical project.
## Why is IoT a special case from the ISO 27001 perspective?
IoT devices—connected to the internet or internal network—differ from traditional IT devices in one important way: they are often purchased to meet business needs, not through IT management processes. As a result, devices may enter the network with default passwords unchanged, outdated software versions, or without any logging at all.
ISO 27001 does not list specific IoT devices that must be protected in a certain way. Instead, the standard requires organizations to identify risks, define controls, and demonstrate systematic management. In practice, this means that IoT devices fall under the same security management as other data assets and systems.
In an IoT environment, you should check at least these basics:
- Is there an up-to-date inventory of all network-connected devices?
- Is ownership and maintenance responsibility clearly identified for each device?
- Are default credentials changed before deploying devices?
- Is the device firmware updated regularly, for example, within 30 days of a critical update?
- Are IoT devices segregated into their own network segment or VLAN?
- Are event logs retained for at least 90 days?
**Note:** ISO 27001 is not just an IT department standard. If IoT devices are acquired by the facilities team, production, or business units, their risks and responsibilities must also be integrated into the same management model.
## Which IoT risks are emphasized in SMEs?
In SMEs, the problem often isn’t lack of technology but lack of control. There may be only 20–200 devices, but even that can make management complex if processes are missing. A single unmonitored camera or sensor with remote access can open a path for attackers into the internal network.
Typical IoT risks can be grouped into five categories:
| Risk | Practical Example | Business Impact | Recommended Metric |
|---|---|---|---|
| Poor authentication | Default password remains active | Unauthorized access to device or network | 100% of devices without default credentials |
| Missing updates | Firmware not updated for a year | Known vulnerability remains open | Critical updates within 30 days |
| Unclear ownership | Nobody knows who is responsible for the device | Incident handling and removals delayed | 100% devices with assigned owner |
| Inadequate network segmentation | Camera on same network as finance systems | Easier lateral movement for attackers | 0 critical IoT devices on office network |
| Lack of lifecycle management | Decommissioned device remains connected | Unnecessary attack surface grows | Credentials and connections removed within 24 hours of removal |
When conducting a risk assessment, don’t try to evaluate everything at once. Often, it suffices to identify 3–5 key risks per IoT category. For example, access control, video surveillance, and production sensors should be handled as separate categories because their impacts and requirements differ.
## What does ISO 27001 practically require from an IoT environment?
A management system essentially means security is governed by agreed procedures, responsibilities, metrics, and continuous improvement. For IoT, this especially appears in asset management, risk management, access control, change management, and vendor management.
If your company uses IoT devices, these areas should be clearly described:
- Scope: which IoT devices, networks, locations, and services are included
- Asset inventory: what devices exist, where they are located, and what data they process
- Responsibilities: who acquires, approves, maintains, and decommissions devices
- Risk management: how risks are assessed and when reassessed
- Access rights: who is authorized to manage devices and how rights are revoked
- Vendor management: vendor or maintenance partner requirements
- Incident management: procedures if a device behaves anomalously or is attacked
Many ask if heavy documentation is needed for each sensor. It isn’t. More important is a unified model. For example, temperature sensors from the same manufacturer can be handled as one device class if their purpose, risks, and controls are the same.
**Tip:** Start with one IoT category, such as cameras or access control devices. Once you have an owner, risks, update model, and removal process established for one category, it’s easy to replicate the model to other devices.
## Vendors matter more than many realize
IoT security isn’t just about internal settings. Often, devices involve cloud services, mobile apps, remote maintenance, or external installation partners. That’s why vendor management is a critical part of ISO 27001 compliance.
Ask vendors at a minimum these questions before purchase:
- How long will security updates be supported, e.g., 3 years or 5 years?
- Can default credentials be changed and does the device support strong authentication?
- Where is the data collected by the device stored?
- Is remote access mandatory or can it be restricted?
- Can logs be exported to centralized monitoring?
- How are vulnerabilities reported to customers?
If a vendor cannot answer these basic questions, it indicates a genuine security risk, not just an unclear purchase. A poor vendor choice may lock your company into a device that can’t be updated, monitored, or safely removed.
| Vendor Criteria | Minimum Level | Good Level | Excellent Level |
|---|---|---|---|
| Update support | 12 months | 36 months | 60 months |
| Authentication | Password change possible | Role-based credentials | Multi-factor authentication |
| Logging | Basic device logging | Centralized log export | Real-time monitoring integration |
| Remote maintenance | Always on | Restrictable by IP | On-demand, logged connection |
| Data location | No precise info | EU/EEA location | Contractually defined and auditable |
## How to proceed toward ISO 27001 compliant IoT security
### Make IoT devices visible
Collect an inventory of all network-connected IoT devices over 2–4 weeks. Record at least device name, location, owner, network connection, vendor, and purpose. If you don’t know what’s on the network, you cannot manage risks or demonstrate compliance.
### Assess risks by device category
Group devices into categories such as cameras, sensors, access control, and production devices. Identify 3–5 key risks per category and score them on impact and likelihood on a scale of 1–5. Then select controls only for the most significant risks to keep work manageable.
### Define minimum requirements for deployment
Create a short checklist to follow for each new IoT device. The list should include at least changing default passwords, network segmentation, removing unnecessary services, activating logging, and verifying update status before production use. The goal is that 100% of new devices follow the same approval process.
### Establish a clear maintenance rhythm
Schedule monthly or at least quarterly reviews to check updates, exceptions, and devices to be decommissioned. A good practical goal is to address critical vulnerabilities within 30 days, and close credentials and network access of decommissioned devices within 24 hours.
### Integrate IoT into your ISO 27001 management system
Document responsibilities, risks, controls, and metrics consistently with other security domains. When IoT appears in management reviews, internal audits, and incident handling, it becomes a controlled part of the overall system rather than an isolated technical silo.
## Common mistakes slowing progress
The biggest mistake is thinking IoT is just a technical installation project. In reality, problems often emerge after deployment: devices aren’t updated, credentials aren’t removed during personnel changes, and vendor remote access remains permanently open.
Avoid especially these mistakes:
- Devices are acquired without security approval
- The same maintenance account is used by multiple vendors
- IoT devices are placed on the same network as workstations
- Decommissioned devices remain powered and connected for months
- Documentation is done only for audit purposes and not used in daily operations
**Warning:** A common pitfall is copying ISO 27001 controls onto paper without linking them to actual devices, responsibilities, and deadlines. During audit, what matters is demonstrating practical implementation—not just general policy.
## How to measure success?
Without metrics, IoT security easily relies on intuition. SMEs often benefit from a small but consistent set of metrics, reviewed monthly or quarterly.
A good starter package includes these metrics:
| Metric | Target Level | Review Frequency |
|---|---|---|
| Inventoried IoT devices (share of all devices discovered on the network) | 95–100% | Monthly |
| Devices with named owner | 100% | Monthly |
| Critical updates within deadline | 90%+ | Monthly |
| Credential revocation for decommissioned devices | Within 24 h | As needed |
| Incident resolution time | 1–5 working days depending on severity | Monthly |
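The basic checks listed earlier (owner, default credentials, segmentation, 30-day update deadline, 90-day log retention, 24-hour credential revocation) and the metrics in the table above can be computed mechanically from the device inventory, which is what makes them auditable rather than intuitive. The following script is an added example, not code from the article or from any of the products it mentions. The inventory fields, the device records, the segment names and the "today" date are all constructed for this example; in practice the records would be loaded from your asset register.

```python
"""Compute the article's IoT compliance metrics over a device inventory.

Added example: the Device fields, the sample devices, the segment names and
TODAY are assumptions made for illustration, not data from the article.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

CRITICAL_UPDATE_DEADLINE = timedelta(days=30)    # critical updates within 30 days
DECOMMISSION_REVOKE_LIMIT = timedelta(hours=24)  # credentials removed within 24 hours
MIN_LOG_RETENTION_DAYS = 90                      # event logs retained at least 90 days
OFFICE_SEGMENTS = {"office", "finance"}          # assumed names of non-IoT network segments


@dataclass
class Device:
    name: str
    category: str
    owner: Optional[str]
    default_credentials_changed: bool
    network_segment: str
    log_retention_days: int
    critical_update_released: Optional[date] = None   # latest critical firmware release
    firmware_updated_on: Optional[date] = None        # date that release was applied
    decommissioned_at: Optional[datetime] = None
    credentials_revoked_at: Optional[datetime] = None


def update_status(d: Device, today: date) -> str:
    """'none' (no critical update), 'pending' (still inside the 30-day window),
    'compliant' (applied in time), 'late' (applied after the deadline) or
    'overdue' (not applied and the deadline has passed)."""
    if d.critical_update_released is None:
        return "none"
    deadline = d.critical_update_released + CRITICAL_UPDATE_DEADLINE
    if d.firmware_updated_on is not None:
        return "compliant" if d.firmware_updated_on <= deadline else "late"
    return "overdue" if today > deadline else "pending"


def revoked_in_time(d: Device) -> bool:
    """True if credentials were revoked within 24 h of decommissioning."""
    if d.decommissioned_at is None:
        return True  # still in service, nothing to revoke yet
    if d.credentials_revoked_at is None:
        return False
    return d.credentials_revoked_at - d.decommissioned_at <= DECOMMISSION_REVOKE_LIMIT


def device_findings(d: Device, today: date) -> list[str]:
    """The basic checks from the article that this device currently fails."""
    findings = []
    if not d.owner:
        findings.append("no owner assigned")
    if not d.default_credentials_changed:
        findings.append("default credentials still active")
    if d.network_segment in OFFICE_SEGMENTS:
        findings.append(f"on office segment '{d.network_segment}'")
    if d.log_retention_days < MIN_LOG_RETENTION_DAYS:
        findings.append(f"log retention {d.log_retention_days} d < {MIN_LOG_RETENTION_DAYS} d")
    if update_status(d, today) == "overdue":
        findings.append("critical update overdue")
    if d.decommissioned_at is not None and not revoked_in_time(d):
        findings.append("decommissioned but credentials not revoked within 24 h")
    return findings


def pct(num: float, den: float) -> float:
    return round(100.0 * num / den, 1) if den else 100.0


def compute_metrics(devices: list[Device], discovered_total: int, today: date) -> dict:
    """Metrics from the article's table. discovered_total is the number of
    devices seen on the network (e.g. by a scan), used for inventory coverage."""
    active = [d for d in devices if d.decommissioned_at is None]
    judged = [s for s in (update_status(d, today) for d in active) if s not in ("none", "pending")]
    decom = [d for d in devices if d.decommissioned_at is not None]
    return {
        "inventory_coverage_pct": pct(len(devices), discovered_total),
        "owner_coverage_pct": pct(sum(1 for d in active if d.owner), len(active)),
        "default_credentials_changed_pct": pct(sum(d.default_credentials_changed for d in active), len(active)),
        "critical_updates_in_time_pct": pct(judged.count("compliant"), len(judged)),
        "iot_devices_on_office_segment": sum(1 for d in active if d.network_segment in OFFICE_SEGMENTS),
        "decommissioned_revoked_in_24h_pct": pct(sum(revoked_in_time(d) for d in decom), len(decom)),
    }


# Constructed sample inventory (not real devices).
TODAY = date(2024, 6, 1)
DEVICES = [
    Device("cam-lobby-01", "camera", "Facilities", True, "iot-cameras", 90, date(2024, 5, 1), date(2024, 5, 10)),
    Device("cam-yard-02", "camera", None, False, "office", 30, date(2024, 4, 1), None),
    Device("temp-hall-a", "sensor", "Production", True, "iot-sensors", 180, date(2024, 5, 20), None),
    Device("door-main", "access control", "Facilities", True, "iot-access", 365),
    Device("plc-line-3", "production", "Production", True, "ot-line3", 90, date(2024, 3, 1), date(2024, 4, 15)),
    Device("cam-old-07", "camera", "Facilities", True, "iot-cameras", 90,
           decommissioned_at=datetime(2024, 5, 2, 9, 0), credentials_revoked_at=datetime(2024, 5, 2, 16, 30)),
    Device("sensor-old-09", "sensor", "Production", True, "iot-sensors", 90,
           decommissioned_at=datetime(2024, 4, 10, 8, 0), credentials_revoked_at=None),
]
DISCOVERED_TOTAL = 8  # assumed scan count: one device on the network is not yet inventoried

if __name__ == "__main__":
    for key, value in compute_metrics(DEVICES, DISCOVERED_TOTAL, TODAY).items():
        print(f"{key}: {value}")
    for d in DEVICES:
        for f in device_findings(d, TODAY):
            print(f"{d.name}: {f}")
```

The per-device findings list is what turns the metrics into work items for the monthly review: each line names a device, an owner (or the lack of one) and a concrete deadline that was missed. Note that a device updated after the 30-day deadline is counted as non-compliant for the month even though it is now patched, which keeps the metric honest about process timeliness rather than only current state.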
If your company already has an ISO 9001 or other management system, align these metrics with your existing review cycle. This simplifies daily operations and reduces siloed processes. Tietoturvapankki helps precisely here: combining requirements, documentation, and practical execution into a single controlled whole.
A unified approach also eases work across corporate groups and partner environments. Solutions developed by Softapankki Oy and QMClouds Oy reflect this broader vision: Laatupankki — the product brand for corporate quality management systems — supports practical implementations, and in information security the same systematics help embed ISO 27001 into everyday practice.
## Summary
- IoT devices must be brought under the same management system scope as other IT to ensure risks, responsibilities, and controls are managed.
- Start with visibility: inventory devices, assign owners, and identify 3–5 key risks per device category.
- Define clear minimum requirements such as removing default credentials, network segmentation, and critical updates within 30 days.
- Measure success concretely, for example by ownership coverage, update compliance, and credential removal within 24 hours.
- ISO 27001 compliant IoT security isn’t created on paper but through repeatable practices that are continuously monitored and improved.
## Need help with information security management?
Our experts are here to assist you.
