Cloud Security Alliance Announced Internet of Things (IoT) Security Controls Framework Version 2

By Larry O'Brien

Company and Product News

The Cloud Security Alliance (CSA), an organization dedicated to defining standards, certifications and best practices to help ensure a secure cloud computing environment, announced Internet of Things (IoT) Security Controls Framework Version 2 and the accompanying Guide to the Internet of Things (IoT) Security Controls Framework.  Created by the CSA IoT Working Group, the updated Framework includes several significant changes, most notably the development of a new domain structure and infrastructure.  Together with the companion piece, the Framework will make it easier for organizations to evaluate and implement security controls within their IoT architecture.

The IoT Security Controls Framework, first released in early 2019, introduced 155 base-level security controls required to mitigate many of the risks associated with an IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies.  Today, it continues to be used by system architects, developers, and security engineers in evaluating their implementations' security as they progress through the development lifecycle to ensure they meet industry-specified best practices.

The most significant changes in Version 2 include:

  • Updated security controls: All controls have been reviewed and updated for technical clarity.
  • New domain structure: Control domains have been reviewed and updated to better categorize each control.
  • New legal domain: Introduces relevant legal controls.
  • New security testing domain: Introduces security testing of architectural allocations.
  • Simplified infrastructure allocations: Device types have been consolidated to a single category to simplify the distribution of controls to architectural components.


Applicable across many IoT domains, ranging from systems processing only "low-value" data with limited impact potential to highly sensitive systems that support critical services, the Framework lets system owners classify components based on the value of data being stored and processed and the potential impact of various physical security threats.  Once identified, security controls can be allocated to specific architectural components, including devices, networks, gateways, and cloud services.

The CSA IoT Working Group develops frameworks, processes and best-known methods for securing these connected systems.  Further, it addresses topics including data privacy, fog computing, smart cities and more.  Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Internet of Things Working Group join page.

The IoT Security Controls Framework complements the Cloud Controls Matrix, CSA Enterprise Architecture, and other best practices as part of a holistic approach to securing the cloud ecosystem.  The Framework and accompanying guide are free resources and are available for download now.


