Nearly every security practitioner is familiar with the ISO27001 standard for information security. A lot of companies base their internal security policies on it and third parties use certification to it as a gold standard.
But, what do the statements, recommendations and controls actually mean? Working for very large organisations, I learnt them to mean very different to what I suppose they were intended and now that I no longer am a practitioner and the 2005 standard has been replaced by the 2013 version, I thought it would be a good time to share some of my internal thoughts.
I’d also like to thank Brian Honan for his help in putting this together – if anyone understands security standards; it’s Brian.
The Cynics Guide to ISO27001:2005
The meaning behind the requirements
A.5 Security Policy
Objective: To state the bleeding obvious.
A.5.1.1 – Information security policy document
To set the readers expectations, the standard requires the security policy to be documented. That’s right you need an actual policy document.
The standard doesn’t define what the policy must be written on, so you could harness your inner Moses and etch it out on stone tablets. Or alternatively record it on a tapestry, which would be far more artistic and you’ve got more chance of someone reading it.
A.5.1.2 – Review of the information security policy
No-one has ever made money by selling something only once. Just ask any network marketer caught up in a pyramid selling scheme. The only way you make any real money is through repeat sales to family members who don’t have the heart to tell you they don’t need any more water filters.
Similarly, for a security policy to remain relevant, you need to ensure your policy is reviewed frequently; generating enough money to fuel the ever-growing population of security professionals wanting to leech off your company profits.
A.6 Organisation of information security
A6.1. Internal organisation
Objective: Keep your glass house in order before you collect some stones
A.6.1.1 – Management commitment to information security
Managers have a lot on their plate. In between the meetings, listening to their staff’s personal problems, trying to generate more profit they must show an unwavering commitment to information security.
Like most great ambition, there is no way of measuring just how committed a manager is to information security. I’ve always been a bit of a Jack Bauer fan, and how a bit of quick torture seems to resolve all issues. So next time you’re recruiting a manager, try electrocuting them for a little while. If they give up their mothers’ maiden name too quickly, you know they just aren’t cut out for management.
A.6.1.2 – Information security co-ordination(more…)
An Article about Information Security Articles
Edit: Despite almost qualifying as a senior citizen, my award-winning friend Thom Langford agreed to write me a guest post (seeing as he writes guests posts for everyone else). I did not impose any conditions except that the topic be relevant and not self-serving in the slightest.
I found myself writing an article that I didn’t have the time or inclination to write the other day; it actually came out well and was commented upon by a number of people in a favorable light, so I hope it was of some value to its audience. However the difficulty was that I wrote it in exchange (albeit in jest) for someone to support my nomination for an upcoming award.
“Immoral!” I hear you cry. “Unethical!” you wail. Well, I disagree because I was carrying out an activity for a friend who I know and trust, an activity that I regularly do for free elsewhere, and to be honest I think he would have voted for me anyway.
But it made me think about the sheer volume of information security writing that I see out there from the various bloggers, pundits and professionals. These are not journalists who are paid to write every day, but people often in high level positions who are not time rich but are still able to produce volumes of words that would put Salman Rushdie to shame. How do we ensure that our nominated spokespeople are true to their ethical commitments?
We should question the motives and therefore the content of such work; was it written to someone else’s agenda in exchange for something else such as a free dinner or even votes Was it actually written by them in the first place, or even has it been presented as researched act when actually it was just a small idea that came to them as they sat on the toilet reading Dilbert?
Many of us, myself included, will eagerly await the next blog or article from someone as it gives me an opportunity to learn in an unbiased and open manner. I can see the inner workings of an organization, or the prevailing attitudes amongst the rockstars of the industry, and apply them (or not) to my own industry outlook. But if these opinions are being formed elsewhere, or influenced by vendors seeking sales the benefits gained from that article are skewed and devalued. What if the writer simply wanted to artificially raise their profile to secure more votes for a nomination for instance?
I certainly won’t name names here, but I would urge all of you to read between the lines, look for patterns where vendors and other third parties may be present, make up your own minds and vote with your browsers.
(Pretty sure I didn’t mention I am up for an award, which you can vote on here.)
*NOTE: Thom Langford wrote this article entirely of his own volition and was not encouraged to do so in order to secure more votes for the award he is nominated for. He is a staunch supporter of the ethics and morals of the Information Security industry.