A security decoupling approach for IoT device communications is presented, based on a Digital Twin with runtime verification capabilities. The solution proposed assumes that a local agent (security module) can be deployed to the IoT device by the IoT server. The runtime verification approach implemented in the Digital Twin detects possible violations of protected communications from either a remote device or a local compromised process and provides timely and valuable information for countering a potential cyber-security attack. Moreover, only a subset of the observed traffic needs to be monitored, which induces negligible overhead and allows deploying the Digital Twin in IoT devices with limited computational resources. Runtime verification was implemented by adopting a rule-based approach for monitoring parametric events, i.e. the packets that carry data.