Secure by Design

The Government's Code of Practice for Consumer Internet of Things (IoT) Security for manufacturers, with guidance for consumers on smart devices at home.


Consumer guidance for smart devices in the home

This file may not be suitable for users of assistive technology. Request an accessible format.

If you use assistive technology (such as a screen reader) and need a version of this document in a more accessible format, please email Please tell us what format you need. It will help us if you say what assistive technology you use.

Mapping of the 13 guidelines of the Code of Practice to recommendations, guidance and standards - JSON

Mapping of external references within recommendations, guidance and standards - JSON

Secure by Design report

Literature Review


The Government’s ambition is to make the UK the most secure place in the world to live and do business online, and the best place in the world to start and grow a digital business. As part of this, the Government wants to ensure the security of the growing number of internet-connected devices in the home.

In March 2018 the Government published the Secure by Design report which advocated a fundamental shift in approach to securing IoT devices, by moving the burden away from consumers and ensuring that security is built into products by design. Central to the report was a draft Code of Practice primarily for manufacturers of consumer IoT devices and associated services. An informal consultation on the report and its proposed policy interventions was undertaken.

In October 2018 the Government is published the finalised Code of Practice for Consumer IoT Security. To simplify implementation of its thirteen guidelines, we are also publishing a mapping document that links the Code’s thirteen guidelines to existing recommendations and standards on IoT security. This mapping is also available as an open data JSON file and an interactive version is available on

Whilst the Code is voluntary, implementing its 13 guidelines may help organisations achieve compliance with applicable data protection laws, such as the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). The Government’s ambition is for appropriate aspects of the Code of Practice to be legally enforceable and has commenced work to map out the impacts of regulatory intervention and to consider which aspects of regulatory change are necessary with further details to be shared in due course.

Tech companies HP Inc. and Centrica Hive Ltd are the first companies to sign up to commit to the code and the Government encourages other manufacturers and retailers to follow suit.

In addition, the Government is also publishing Consumer Guidance on Smart Devices in the Home to support the UK public with setting-up, managing and improving the security of their devices. This guidance has been produced in collaboration with industry and academic experts, the National Cyber Security Centre and consumer organisations.

Finally, the Government is publishing its response to the informal consultation from March, which sets out the intended future work in this area.

If your organisation would like to discuss making a pledge to implement the Code, please contact the Secure by Design team -

Published 7 March 2018
Last updated 14 October 2018 + show all updates
  1. New additions to page: Code of Practice for consumer IoT security; Consumer guidance for smart devices in the home; Government response to the Secure by Design informal consultation; Rapid evidence assessment on labelling schemes and implications for consumer IoT security; Mapping of IoT Security Recommendations, Guidance and Standards to the UK's Code of Practice for Consumer IoT Security; and supporting JSONs.
  2. First published.