
The Internet of Things (IoT) is here, with potential to be wonderful. But it is also the Internet of Trouble.

Read what Harari writes about the pace of another innovation, biological engineering:

“The prevailing feeling is that too many opportunities are opening too quickly and that our ability to modify genes is outpacing our capacity for making wise and far-sighted use of the skill.”
Harari, Y N, “Sapiens A Brief History of Humankind”


Replace “genes” with “IoT”, and realise that the 4th industrial revolution is here.  This well-written Cisco paper sets out useful facts, figures and approaches for organisations. 

Even if there has been no conscious strategy to deploy IoT, it already exists in business and we need to track it down to have any chance of “making wise and far-sighted use of the skill”. 

One approach is that both IT professionals and business decision-makers read Cisco’s paper and then answer these six questions:

1. What IoT already exists?

Look at all network/WIFI enabled devices, including PCs, laptops, mobile phones, printers and servers.

2. What is IoT used for?

Check asset registers for the purpose of each device and make sure they are complete, including ownership and the networks to which they are connected.

3. What knowledge exists about IoT’s components?

Understand the subtle differences: whilst computers tend to sit in the centre of things, IoT tends to work at the ‘edge’ (processing data at the edge of the network, near the data source: a sort of end user).

4. How is IoT defined in the organisation?

This is a good one from [i]: “the Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction”.  It is comprehensive and recognises that it is not just inanimate objects that can become smart and wi-fi enabled; it is animals (pets and farm animals) and people too.  But there are hundreds of definitions.  Your organisation needs one that is understood and applied in the context of its business.  To do this, identify the strategic aims relating to IoT that set out current and future IoT needs and investment.  Check how these are aligned with business opportunities for using IoT.

5. How are ethical dilemmas identified and dealt with?

Whether we make or use IoT devices, from robots to kettles, IT professionals are now affecting lives with the same beneficial and damaging consequences that come from doctors, for example.  One hacked IoT device in the home could literally kill.  Check that an ethical policy exists for those who make or use IoT, and check compliance with it.

6. What safeguards exist in respect of safety, privacy and security?

Start with the basics: check whether and how IoT devices can be updated with patches, new software and security.  Then apply the General Data Protection Regulation (GDPR) requirements to see how far-reaching and robust the safeguards are – this will be necessary anyway for the 25th May 2018, when GDPR becomes effective.   Find out who is responsible for IoT policy, practices and processes and how compliance with regulation and legislation is managed.

These questions will spawn many more and are inter-related, with answers to each influencing answers to the rest.  A holistic rather than silo mentality is required, with different disciplines coming together.  Embracing IoT requires help from a sound, comprehensive framework. 

COBIT 5 is perfect for this and available for purchase at  occur throughout the blog.

COBIT 5’s enterprise-wide, holistic approach is as far-reaching as IoT’s.  Look at COBIT 5’s Enabling Processes, Chapter 2.  The generic approach works for specifics too.  Insert “IoT” into the titles of Figures 2 and 8-10 to see how well the framework applies.  Have a look at chapters 4 and 5 on Risk Aggregation and Risk Response in COBIT 5 for Risk to understand how to approach a risk assessment for IoT.  For security coverage, COBIT 5 for Information Security provides the breadth and depth of security management.


i Harari, Y N, 2011, “Sapiens A Brief History of Humankind”, Vintage Books, ISBN 978-0-09959008-8
