State-of-the-Art: Cybersecurity standards and guidelines for low-complexity, low-risk products, services, and processes

For the state-of-the-art review, the team reviewed and analyzed requirements and considerations from widely accepted published standards and guidelines, to serve as a source of generic requirements and recommendations for basic levels of security in low-complexity, low-risk products, services, and processes. As stated in the grant agreement, the review focuses on ICT products, ICT services, and ICT processes.

Products

The review of existing requirements for products focuses on three areas: IoT, web applications, and artificial intelligence. These product categories were selected because of their low-complexity and low-risk characteristics. The following standards and articles were considered for the evaluation of product security requirements:

  1. The ISO/IEC 15408 series “Evaluation criteria for IT security” (Common Criteria);
  2. ISO/IEC TS 19249:2017 Information technology — Security techniques — Catalogue of architectural and design principles for secure products, systems and applications;
  3. ETSI EN 303 645 V2.1.1 (2020-06) CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements;
  4. ICSA Internet of Things (IoT) Security Testing Framework v2.01;
  5. BITAG Internet of Things (IoT) Security and Privacy Recommendations;
  6. GSMA IoT Security Guidelines for Endpoint Ecosystems v2.2;
  7. IoT Security Assurance Framework v3.0;
  8. Online Trust Alliance IoT Trust Framework;
  9. Strategic Principles for Securing the Internet of Things (IoT).

Web application products

  1. OWASP Application Security Verification Standard 4.0.2;
  2. OWASP Web Security Testing Guide v4.2.

AI products

  1. The Assessment List for Trustworthy Artificial Intelligence (ALTAI);
  2. Securing Machine Learning Algorithms;
  3. ETSI GR SAI 005 V1.1.1 Securing Artificial Intelligence (SAI); Mitigation Strategy Report.

Services

The evaluation of existing security standards and requirements for ICT services focuses on generic, well-known security standards as well as cloud and telecommunications services. The team considered the following standards and articles as part of the review:

  1. ISO/IEC 20000-1:2018 Information technology — Service management — Part 1: Service management system requirements;
  2. StarAudit framework;
  3. ITU-T X.1631 (07/2015) ISO/IEC 27017:2015 Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services;
  4. SecNumCloud (requirements list proposed by the French national cybersecurity agency ANSSI);
  5. The Cloud Computing Compliance Criteria Catalogue (C5);
  6. The Cloud Security Alliance Cloud Control Matrix and Consensus Assessments Initiative Questionnaire;
  7. GSMA IoT Security Guidelines for IoT Service Ecosystems v2.2;
  8. ITU-T X.1051 (2016) ISO/IEC 27011:2016 Information technology — Security techniques — Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations;
  9. ITU-T X.1033 (04/2016) Guidelines on security of individual information services provided by operators;
  10. ITU-T X.1053 (11/2017) Code of practice for information security controls based on ITU-T X.1051 for small and medium-sized telecommunication organizations.

Processes

To assess existing requirements and guidelines for the security evaluation of ICT processes, the team reviewed industry-leading standards in the area of supply-chain security. The following standards were considered for the evaluation:

  1. The ISO/IEC 27036 series “Information security for supplier relationships”;
  2. ISO/IEC 21827:2008 Information technology — Security techniques — Systems Security Engineering — Capability Maturity Model.

For the detailed deliverable, please refer to this document.