ISO/IEC 27404:2025

Cybersecurity — IoT security and privacy — Cybersecurity labelling framework for consumer IoT

Publication date: Oct 17, 2025

General information

Current stage: 60.60 Effective date: Oct 17, 2025

Originator: ISO/IEC

Owner: ISO/IEC JTC 1/SC 27

Type: International Standard

ICS: 35.030 35.240.95

Languages: English

Buying

Status: Published

PDF

Paper

PDF and Paper

Language

Language in which you want to receive the document.

Scope

This document defines a cybersecurity labelling framework for the development and implementation of cybersecurity labelling programmes for consumer Internet of things (IoT) products. It provides requirements and guidance on the following topics:
—   risks and threats associated with consumer IoT products;
—   stakeholders, roles and responsibilities;
—   relevant standards and guidance documents;
—   conformity assessment;
—   labelling issuance and maintenance;
—   mutual recognition.
This document is limited to consumer IoT products, such as:
—   IoT gateways, base stations and hubs to which multiple devices connect; smart cameras, televisions, and speakers;
—   wearable devices;
—   connected smoke detectors, door locks and window sensors;
—   connected home automation and alarm systems;
—   connected appliances, such as washing machines and fridges;
—   smart home assistants; and
—   connected children’s toys and baby monitors.
Products that are not intended for consumer use are excluded from this document. Examples of excluded devices are those that are primarily intended for manufacturing, healthcare and other industrial purposes.
This document is applicable to consumers, developers, issuing bodies of cybersecurity labels and conformity assessment bodies.

Life cycle

NOW

PUBLISHED
ISO/IEC 27404:2025
60.60 Standard published
Oct 17, 2025