Cybersecurity regulations and standards: Best practices and latest challenges

IoT (Internet of Things) technology has led to tremendous growth in the number of connected devices. This fast-growing connected market requires a new approach to security certification, one that can keep pace with rapidly and dynamically changing products.

1 Cybersecurity Standards

1.1 Type of coverage - Environmental vs. Functional Standardization

To standardize this discipline, academics and professionals collaborate and seek to set basic guidance, policies, and industry standards.

Cybersecurity standards have evolved to address multiple layers of protection across the product lifecycle, which can broadly be categorized into two complementary domains: environment security and functional security implementation. This layered approach is particularly critical in complex and exposed ecosystems such as the Internet of Things (IoT), where both the development infrastructure and the embedded security functions are frequent attack surfaces. The classification reflects the understanding that effective cybersecurity requires both a secure foundation during development and robust protections within the product itself.

*Environment security standards - Secure the development, testing, and manufacturing environments by protecting tools, source code, and intellectual property, and by establishing Information Security Management Systems (ISMS).
*Functional security standards - Ensure products embed security features like secure boot, cryptography, access control, and tamper detection, applied during the design phase to make security requirements testable and verifiable.

These two domains are not mutually exclusive but deeply interdependent.

1.2 Standardization Category Governance Levels

The standards are developed and applied at multiple governance levels - international, regional, and national (country-specific) - to address diverse regulatory environments, technological ecosystems, and geopolitical considerations. Each level plays a unique role in shaping the frameworks, compliance mechanisms, and technical specifications governing the protection of information assets:

*At the international level, standards are developed by globally recognized bodies such as ISO/IEC and aim to provide global harmonization, facilitating international trade, cross-border data flow, and common security assurance frameworks for multinational organizations.
*Regional standards are typically introduced by economic or political unions to align practices across member states. They often build on or adapt international standards while taking regional laws and policies into account.
*At the national level, individual states develop and enforce security standards tailored to their specific infrastructure, threat landscape, and regulatory priorities.

This multi-tiered structure ensures both broad interoperability and local adaptability. International standards foster global trust and facilitate compliance across borders. Regional standards address regional legal and regulatory harmonization. National standards reflect local priorities, strategic industries, and legal systems.

1.3 Applicability across Horizontal and Vertical frameworks

Standards in the field of cybersecurity and ICT are strategically developed to serve either as cross-industry frameworks (horizontal standards) or as domain-specific regulations (vertical standards):

*Horizontal standards - Apply across industries using a risk assessment approach to manage general cybersecurity risks in products and processes.
*Vertical standards - Tailored to specific sectors like automotive or healthcare, focusing on meeting domain-specific requirements based on horizontal frameworks.

The main difference between the horizontal, risk-assessment-based approach and the vertical, product-based approach is the focus of the process: the former concentrates on managing potential risks, while the latter concentrates on delivering a product that meets specific requirements.

1.4 Evaluation Methodology

Across cybersecurity standards there are three main types of evaluation methodology:

*Self-Declaration - The manufacturer independently claims compliance without external review.
*Declaration of Conformity (DoC) - A formal statement confirming compliance with legal and technical requirements.
*3rd Party Evaluation - An independent body verifies compliance through testing, reviews, and audits.

For some standards only a minimum evaluation methodology is defined, and the evaluation sponsor or manufacturer is free to apply a stricter one, for example backing a Declaration of Conformity with a third-party evaluation to demonstrate conformity. This is common where test evidence is required, especially for penetration testing.

2 Classification and Analysis of Security IT Standards

Several widely recognized IT standards were selected for analysis based on their relevance to cybersecurity, regulatory compliance, and sector-specific adoption. In this part the standards are classified and analyzed across key dimensions: evaluation methodology (self-declaration, declaration of conformity, third-party certification), type of coverage (functional vs. environmental), governance level (international, regional, national), and applicability across horizontal and vertical frameworks:

Table 1: Security IT Standards

Source: Company

The evaluation of the selected standards based on their coverage type - whether functional or environmental - yields the following overview:

Figure 1: Standards Type of coverage

(Doughnut chart: functional coverage accounts for the majority of the standards analyzed.)

Source: Company

As illustrated, the majority of the analyzed standards (70%) address only functional security requirements, while just 10% focus exclusively on environmental aspects. Notably, 20% of the standards incorporate both environmental and functional security considerations. An examination of the governance levels yielded the following insights:

Figure 2: Distribution of Standards by Region and Governance

Source: Company

In this analysis, 35% of the standards are international in scope, while 40% are regional. The remaining 25% are national standards established by individual countries.

An analysis of the standards' applicability reveals that 40% are horizontal standards, providing general requirements for ICT products or cryptographic algorithm implementations. In contrast, 60% are vertical standards, tailored to specific market segments such as the automotive and industrial sectors. Notably, 45% of all the standards focus specifically on the IoT segment:

Figure 3: Standards Applicability

Source: Company

Examining the evaluation methodology each standard requires for certification shows the following:

Figure 4: Evaluation Methodology

Source: Company

75% of the standards require third-party evaluation, while only 15% allow self-declaration. These requirements suggest that most ICT products will undergo third-party certification. However, to assess the real impact it is important to consider which of these standards are mandatory: at present, only 35% of the analyzed cybersecurity standards are mandatory.

3 The Challenge

Because the IoT revolution connects everything, the challenge at the national level and within each market segment is to protect citizens from cyber threats, attacks and cybercriminals by developing appropriate regulation. The following challenges stand in the way of effective and comprehensive cybersecurity regulation:

*Evolving Threats: Cyber attacks are becoming more advanced and exploit new vulnerabilities, requiring adaptable regulations.
*Global Harmonization: Diverse legal systems make aligning international cybersecurity regulations complex but essential.
*Regulatory Fragmentation: Varying national standards can burden global companies and hinder collaboration.
*Tech Advancements: Rapid growth in AI, quantum computing, and IoT challenges regulators to keep pace.
*Privacy vs. Security: Balancing data protection with cybersecurity needs remains a persistent issue.
*Resource Gaps: Smaller firms may lack the resources to comply with complex regulations.
*Skills Shortage: A global lack of cybersecurity talent threatens effective implementation.
*Compliance Burden: Managing multiple regulatory frameworks adds cost and complexity.
*AI-Powered Threats: Attackers are increasingly using AI, demanding smarter defensive measures.
*New Sectors: Emerging fields like smart cities and autonomous vehicles need tailored cybersecurity rules.

Addressing these future challenges will require collaboration between governments, industry stakeholders, international organizations, and cybersecurity experts. Striking a balance between proactive regulation, technological innovation, and effective enforcement will be crucial to building resilient and secure digital ecosystems in the years to come.

For more information on how Winbond can support your security and compliance needs, visit Winbond's website or contact Winbond directly, or download the latest Hardware Security White Paper.

Credit: Company

Cybersecurity standards cover multiple protection layers, including environment and functionality
Photo: Winbond.

Article edited by Jerry Chen