There’s an interesting new draft, Best Practices for IoT Security: What Does That Even Mean? It’s by Christopher Bellman and Paul C. van Oorschot. The abstract starts: “Best practices for Internet of Things (IoT) security have recently attracted considerable attention worldwide from industry and governments, while academic research has highlighted the failure of many IoT product manufacturers to follow accepted practices. We explore not the failure to follow best practices, but rather a surprising lack of understanding, and void in the literature, on what (generically) “best practice” means, independent of meaningfully identifying specific individual practices. Confusion is evident from guidelines that conflate desired outcomes with security practice to achieve those outcomes.”
Highly readable, and worth your time. The contrast they provide between activity descriptions and outcome goals is one of many points I hadn’t noticed.