Today I was heartened by the success of the IT Security community in protecting a most valuable asset. No, I don’t mean your customers’ bank details or copyright music or state secrets. I am, of course, referring to the international standard for information security, ISO 27001.
ISO 27001 is a collection of standards which list numerous actions or “controls” which may be implemented to protect information against cyber-crime. The controls have been assembled into a unified framework so that they can be more easily addressed and reviewed. All terribly dull and awful, of course.
But wait! In the right hands, these standards are extremely useful, and one would assume that the goal would be to distribute them to the IT community as quickly as possible so that their recommendations might be implemented. Distributed not only in their raw (and ghastly) PDF format, but in CSV or Excel format, which a security professional might actually be able to use.
Not a bit of it. The guys at the International Standards Organisation (ISO) have apparently got the wrong end of the stick and have done their damnedest to ensure that it is nigh on impossible to get a hint of the content of these standards without putting one’s hand in one’s pocket. The ISO 27001 documents appear to be the only documents in the world protected by every single one of the bloody ISO 27001 controls, right down to this: if you try to Google it, you get a million companies trying to flog you something before you find any meat about the standards themselves.
In my experience, many companies have a go at IT security and end up with poorly written controls and incomplete coverage. By the time the control text reaches the techy, it is frequently gobbledegook. A simple solution would be to make these standards free to everyone.
What is frustrating is that the work to devise a solid control framework has been done; the text exists and is owned by the International Standards Organisation. They will argue that it is reasonable that they, and their associated companies, charge for copies of standards, as the standards need to be maintained and updated. But given the prevalence of cyber-crime and the threat it poses to everyone, one might be forgiven for thinking that this is an emergency, and that copies of ISO 27001 in usable formats should be made available for free download on the ISO web site.
If cyber-crime were HIV and ISO 27001 were a vaccine, then the world would be crying out for this.
Think of the children! Think of the children!