TR 91:2021

Cybersecurity labelling for consumer IoT


This standard introduces a multi-levelled and cost-effective cybersecurity labelling for consumer IoT. It aims to raise the cybersecurity hygiene of the IoT ecosystem by improving the transparency of cybersecurity provisions. Cybersecurity labelling for consumer IoT provides a basic level of security assurance through the elimination of common vulnerabilities using a simple, tiered, and progressive assessment model for IoT devices that avoids resource-intensive security evaluations.

It also provides a basic level of security hygiene which is typically expected for consumer IoT, i.e. to be able to deter casual adversaries utilising common attack vectors such as default factory credentials or the exploitation of vulnerable protocols. It does not offer formal security assurance. Given sufficient time, determined adversaries who possess advanced skillsets and tools can be capable of compromising such IoT devices, regardless of whether they are labelled. Users seeking higher security assurance – e.g. enterprise, manufacturing, industrial applications and healthcare – are strongly recommended to consider devices certified under formal evaluation and certification schemes.




Status: Current
Edition: 2021
No. of Pages: 23
ICS Classification: 35.030 IT Security
Committee: Information Technology Standards Committee
Available for Purchase: Global
Adoption: -