CEN/CENELEC




Aleksandr Tiulkanov

Country
France
Impact on SMEs (8th Open Call)
This activity has significant impacts on AI standardization and European interests, notably by facilitating EU AI Act compliance: a clearer alignment between standards and regulatory requirements will simplify compliance processes for organizations. It also reduces compliance costs and effort, which is particularly beneficial for SMEs and startups in the AI sector.
Open Call
Organization
Responsible Innovations
Proposal Title (8th Open Call)
Enhancing AI Risk Management and QMS Standards for EU AI Act regulatory purposes in CEN/CENELEC
Standards Development Organisation
Topic (8th Open Call)

Robin Renwick

Description of Activities

The fellowship tackles the lack of an international or European standard or technical specification that focuses explicitly on the privacy and data protection capabilities of DLT systems. In this regard, ISO TS 24946 “Requirements and guidance for improving, preserving, and assessing the privacy capability of DLT systems” has now reached CD stage (July 2025) and will endeavour to move through this process and be completed in 2026. This process requires continued support from experts to ensure delivery as scheduled. Accordingly, the priority of this activity is at the European level, in CEN/CENELEC JTC 19/WG3, to produce a European standard on PII protection within DLT, which is strongly influenced by ‘DIN Spec 4997 - Privacy by Blockchain Design’ and the aforementioned ISO TS 24946. This European specification will seek to harmonise the GDPR and recent EDPB guidance to produce a technical specification intended for the European DLT ecosystem.
This European specification will provide much-needed clarity for the DLT ecosystem as regards data protection and privacy capabilities, affordances, and assessment. Further harmonisation between the international specification at ISO and the European standard will support interoperability and ensure that privacy and data protection capabilities are harmonised globally. The main challenge concerns exacting requirements from regulations such as Article 76(3) of MiCAR and Article 79(1) of the European AMLR, which will require navigation. Standards require alignment and compatibility with those legal texts, as well as with corresponding regulations regarding personal data, data markets, and trust services (e.g., GDPR, Data Act, eIDAS2). Ensuring there are no gaps between regulatory texts and the proposed European standards will be a primary focus. Ensuring that there are no substantial gaps between international specifications and European standards will be the second focus. Standards alignment between ISO and CEN/CENELEC is viewed as a key outcome to benefit the global DLT ecosystem, and one that requires strong consensus building, given slightly different international privacy perspectives and preferences.

Country
Ireland
Open Call Topics
Open Call
Organisation type
Organization
Trilateral Research
Proposal Title (8th Open Call)
Harmonisation of ISO TS 24946 and CEN/CLC/ JTC19 WG3
Standards Development Organisation
Topic
E-privacy
StandICT.eu Year
2026
Topic (8th Open Call)

Information technology - Security techniques - Information security management systems - Overview and vocabulary (ISO/IEC 27000:2016)

This document provides a standardized IoT Reference Architecture using a common vocabulary, reusable designs and industry best practices. It uses a top-down approach, beginning with collecting the most important characteristics of IoT, abstracting those into a generic IoT Conceptual Model, and deriving a high-level system-based reference, which is then dissected into the four architecture views (functional view, system view, networking view and usage view) from different perspectives.

EN ISO/IEC 27000:2017

Information technology - Security techniques - Code of practice for information security controls (ISO/IEC 27002:2013 including Cor 1:2014 and Cor 2:2015)

The standard provides guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into account the organisation's information security risk environment.

EN ISO/IEC 27002:2017

Information technology - Security techniques - Guidelines for identification, collection, acquisition and preservation of digital evidence (ISO/IEC 27037:2012)

The standard defines specific guidelines for the activities involved in handling digital data, namely the identification, collection, acquisition and preservation of digital evidence that can be of probative value. It provides guidance to individuals on common situations encountered during the processing of digital data, and assists organizations in their disciplinary procedures and in facilitating the exchange of potential digital evidence between jurisdictions.

EN ISO/IEC 27037:2016

Information technology - Security techniques - Guidance on assuring suitability and adequacy of incident investigative method (ISO/IEC 27041:2015)

The standard provides guidance on mechanisms for ensuring that the methods and processes used in the investigation of information security incidents are "fit for purpose". It contains best practices for defining requirements, describing methods, and demonstrating how the implementation of the methods can satisfy the requirements. It also includes considerations on how vendors and third parties can be used to help this assurance process.

EN ISO/IEC 27041:2016

Information technology - Security techniques - Guidelines for the analysis and interpretation of digital evidence (ISO/IEC 27042:2015)

This standard provides a guide for the analysis and interpretation of digital data in a way that highlights problems related to continuity, validity, reproducibility and repeatability. It encompasses the best practices for selecting, designing and implementing sufficient information analysis and registration processes to allow processes to be subjected to independent review if necessary. It also provides guidance on the appropriate mechanisms to demonstrate the professionalism and competence of the investigation team.

EN ISO/IEC 27042:2016

Decentralised Identity Management Model based on Blockchain and other Distributed Ledgers Technologies — Part 1: Generic Reference Framework

The proposed standard will specify a reference architecture for decentralised identity management, optionally enabled by distributed ledger technology (DLT) and blockchain systems. The reference architecture is aimed at natural persons and legal entities and addresses concepts, cross-cutting aspects, architectural considerations, and architecture views, including functional components, roles, activities, and their relationships with blockchain and DLT. Technical specifications of the legal identity itself, and specifically those of official identity documents issued by competent authorities, are outside the scope of this standard, since they are regulated by their own legislation and technical standards. Likewise, this standard does not aim to define specifications that are within the scope of REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, currently in force, but to support the Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity (COM/2021/281 final, eIDAS 2 Proposal), which includes the provision by Member States of EU Digital Identity Wallets as an enabler for personal identification and qualified trust services, including the issuance of qualified electronic attestations of identity attributes. The standard does not aim to impose any device identification procedure before third parties, without prejudice to any wallet authentication capability required by the eIDAS 2 Proposal.
The standard will meet at least the following criteria:
- it is technologically neutral;
- it is compatible with other relevant international standards on digital identity, such as ISO/IEC 24760;
- it is applicable to identity attributes of natural persons, legal entities and things;
- the application of this standard allows compliance with current privacy and personal data protection regulation, when appropriate;
- it is aligned with the relevant provisions of the eIDAS 2 Regulation proposal;
- it enables the deployment of practical, usable, flexible and cost-efficient decentralised identity management systems;
- it takes into account the specific needs of small and medium-sized enterprises (SMEs); and
- it is suitable for use in business-to-business relationships with individuals and legal entities.

CEN/CLC/TS XXXX JT019002