ICSA recently announced an Internet of Things testing and certification program. It has six components (highlights in brackets) –

1. cryptography (FIPS 140-2 crypto algos by default, secure PRNGs)
2. communications (PKI auth, all traffic must be authorized)
3. authentication (secure auth, protect auth data, no privilege escalation)
4. physical security (tamper detection, defense, disable)
5. platform security (secure boot, secure remote upgrade, DoS defense)
6. alert/logging (log upgrades, attacks, tampering, admin access)

Their IoT security requirements framework is found here.

This is a great list. I think another dimension to think about is usability of the security – many products come with security options buried so deep in documentation or UI, that a regular user may not configure the device securely and leave it more open than intended – this has historically been true of a variety of webcams, SCADA systems, wifi routers and other devices.