IoT Security Frameworks
IoT Security Frameworks generally fall into 5 categories: wearable, home, city, environment, and Enterprise. Enterprise software is usually in the purview of OWASP, which has the OWASP IoT project. Enterprise software often transacts PII and payment-card information, which makes it fall under PCI DSS regulations. While not yet strictly regulated, the DHS -- https://www.dhs.gov/securingtheIoT -- the FTC -- https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things -- and ENISA -- https://www.enisa.europa.eu/topics/iot-and-smart-infrastructures -- have also published guidance and supporting documents around IoT Security.
Home IoT devices and apps typically involve iOS (well, or tvOS), Android, or a similar operating system base. If you're an ISV developing apps for these platforms, check out OWASP again, at the Mobile Security Project and also the ASVS standard under the V17 Mobile Security Verification Requirements. If you actively make home IoT devices including a custom OS or stack, then you will also have to involve the regulatory requirements dictated by your location (your country and/or state where the devices will be developed, purchased, and used) as well as what types of transactions and people that will be using the devices. For example, baby monitors might fall under COPPA, heart monitors under HIPAA and HITECH, food and medicine under the FDA, etc.
For the US military, the DIACAP and DITSCAP standards including NIST RMF govern all computing devices, including IoT, especially wearables.
Environment and city-based IoT is much more akin to ICS/SCADA technologies. NIST has selected a program to include environment, city, and ICS to all be under the banner of Cyber-Physical Systems (CPS) and produces standards and frameworks here -- https://www.nist.gov/el/cyber-physical-systems For ICS/SCADA systems, the NIST SP 800-82 Guide to Industrial Control Systems, has been the long standard, but certainly coupled best with the NERC/FERC compliance standard on Critical Infrastructure Protection, especially the sections on System Security Management (CIP-007-5), as well as the ties to International Society of Automation and their all-encompassing ISA/IEC 62443 standard (formerly ISA-99). CIP-007-5 also adheres to other NIST standards on security event monitoring, including NIST SP 800-92 and SP 800-137, but the latest on Continuous Diagnostics and Monitoring comes from the DHS CDM framework. All of these are applicable for Industrial Internet-of Things (IIoT).
IoT Security Platforms
For a platform that can actively scan and produce reports based on IoT/IoE Security frameworks, check out the Pwn Pulse platform from Pwnie Express -- http://m.marketwired.com/press-release/pwnie_express_unveils_industrys_first_internet_of_everything_threat_detection_system-2010032.htm
For other companies working to produce standard interfaces for IoT devices that enable security and reduce cyber-risk, check out (in order of the most-prominent to least-prominent): Bastille, Securithings, Dojo Labs (acquired by Bullguard), and BitDefender (who makes the IoT and smart-things security enabler, BOX). WindRiver, a long-time leader in embedded-system security also released a paper detailing IoT Security -- [PDF] https://www.windriver.com/whitepapers/security-in-the-internet-of-things/wr_security-in-the-internet-of-things.pdf [PDF]
Additionally, only a few companies are bridging the middleware layers between IoT devices and IoT service-layer apps. Certainly the big players are doing their part, but usually with proprietary interfaces such as Cisco Fog Computing (Microsoft Azure IoT Suite, IBM Watson IoT platform, and others have their own ways of doings things as well). The key players changing the game of IoT are working at the all-important instrumentation layer, as well as providing standards for middleware and apps, especially cloud apps. NCC Group published guidelines for these and other security testers here -- https://www.nccgroup.trust/uk/our-research/security-of-things-an-implementers-guide-to-cyber-security-for-internet-of-things-devices-and-beyond/
AWS has published guidance on IoT Security Best Practices -- https://aws.amazon.com/iot/ -- and also provides that middleware layer through their Thing Shadow project (supporting the MQTT IoT protocol standard) -- https://docs.aws.amazon.com/iot/latest/developerguide/thing-shadow-mqtt.html
Splunk has produced a product called the HTTP Event Collector (HEC) to receive cloud-based (Splunk Cloud, AWS, etc) machine data from IoT and future-IoE technologies -- [PDF] https://conf.splunk.com/files/2016/slides/wrangling-your-iot-data-into-splunk.pdf [PDF]. In particular, HEC supports token-authenticated events, as a nice-to-have IoT security feature.