This month marks the twentieth anniversary of the conception of the ISO27K standards, which began as the formalized version of an existing British Standards Institute document, DISC PD0003 “A Code of Practice for Information Security Management” (ISBN 0 580 22536 4), originally published on 20th September 1993.
David Lacey, a visiting senior research fellow at the University of Plymouth, founder of the Jericho Forum, and member of the Infosecurity Europe Hall of Fame, was intimately involved in creating and editing that original document.
In our first installment of this series on the history of ISO27K, Lacey recounted the events leading up to the conception of the standards, and in this chapter of the story he discusses the process involved in the production of the first draft.
The UK Department of Trade and Industry (DTI) assembled a group of industry representatives from seven different sectors to spearhead the initiative: Shell (Lacey and Les Riley), BOC Group (Neil Twist), BT (Dennis Willets), Marks & Spencer (Steve Jones), Midland Bank (Richard Hackworth), Nationwide (John Bowles) and Unilever (Rolf Moulton).
The group first met early in 1993 and decided to aim for the creation of a single document that could become an international standard and be supported by an accredited certification process.
Lacey says that the first suggestion of employing a consultant to produce the document was quickly ruled out, as the group felt that all companies had more experience as well as existing policies already in place that they could use as a baseline.
“I proposed that we all bring our own existing material to the next meeting and then work out how to combine them all into a single document,” Lacey said. “At the second meeting we all brought our stuff along, and it was a very impressive spread.”
They all agreed that their documentation was similar, so Lacey presented more than a dozen different structures for a contents list, based on specifics such as technologies, processes and areas of responsibility. The group agreed that a “natural subject area” structure, based on the chapter headings most commonly used in their existing guidance, was the most sensible approach.
“The group also agreed that the Shell Baseline Controls was the most suitable base document, as it was more comprehensive and up-to-date than other company guides,” Lacey recalled.
“There were things missing though, as financial institutes had more material on regulatory compliance than other companies. So we decided to use the Shell document and roll in the best practices from other company guides. I agreed to serve as chief scribe, supported by Shell colleague Les Riley.”
Lacey also offered to write the introduction as well as a free-standing management overview, which he believes turned out to be an excellent document, but it has long since been lost.
Midland Bank and Marks & Spencer offered to take the lead on a chapter each, and the group also agreed to include a new chapter on Business Continuity Planning based on a new guideline that Lacey had recently prepared for Shell. The other members of the group agreed to review all the drafts in detail.
“We produced the fresh drafts within a few weeks and then the review process took over. It was highly intensive, with several fresh drafts being prepared and significantly enhanced each time,” said Lacey. “After that we agreed that only practices that we ourselves actually deployed or were prepared to implement would be included, i.e. no theoretical measures.”
The document developed by the group was considered to be of a much higher quality than other standards because it was based on the actual best practices of leading companies, all of which had been proven in the field, none of it was theoretical, and all of the contributors believed they were reasonable to apply in all types of organizations and industry verticals.
Lacey says that at one point the UK Government’s Central Computer and Telecommunications Agency (CCTA) turned up to contribute to the effort, but they only provided a rather thin policy. “I also came under substantial pressure to include the government ITSEC standards, but it was clear this fell into the theoretical, nice-to-have category, so we resisted,” Lacey said.
Finally, by the summer of 1993, the group had produced a final version of the document and decided to publish, and the question of copyright was debated.
“We agreed it should be free or very cheap, but we wanted a British Standards Institute (BSI) label to provide the necessary status, as well as central control over the text to prevent numerous alternative versions from circulating,” Lacey recalled.
“We were not happy with the BSI prices, typically more than a hundred dollars a copy, but discovered that the main reason for the high prices was the expensive BSI invoicing process, then Marks & Spencer (our retail experts) persuaded them to accept credit cards, and so we were able to agree to an unprecedented bargain price of £10 a copy,” Lacey continued. “Unfortunately later versions of the standard quickly returned to the traditional pricing model.”
One last thing the group did was to come up with a Top 10 “start here” guide of the most essential controls, designed to help small companies who would otherwise be lost implementing the nearly 100 controls in the standard. Each of these was marked with a key symbol.
“Several years later I noticed that we had actually marked 11 controls by mistake. But this useful guide was unfortunately not carried through to later versions,” said Lacey. “We were also uncomfortable with the presentation of British Standards and decided to come up with a more user-friendly format, which again was ditched in later versions.”
“Marks and Spencer worked on the formatting and font while I developed the text in the new format. I also commissioned at Shell’s expense a set of artwork and catchy slogans from an ex-Saatchi creative team I had been using. The theme was ostriches with their heads in PC screens,” he continued.
The documents went straight from Lacey’s PC to the printers, so he received the first proofs, one of which he presented to Sir John Jennings, Shell’s Managing Director at the time.
“In those days we had plenty of executive board interest and oversight, something many people today still regard as a relatively new concept,” Lacey quipped.
The group released the document at a press conference at Shell Centre in London on 30th September 1993 with representatives from Shell, BOC Group, BT, Marks & Spencer, Midland Bank, Nationwide, and of course the DTI and BSI.
Formal pledges of support were given at the press conference by BP, British Aerospace, British Steel, Bull, Cadbury Schweppes, Cameron Markby Hewitt, Chelsea Building Society, Ciba Geigy, Digital Equipment Corporation, Reuters and TSB Bank, but these organizations failed to follow through.
“Dozens of organizations pledged their support for the standard but out of all of them only Shell actually implemented it and went on to seek accredited certification,” Lacey said.
In the next installment of our look at the history of ISO27K, Lacey will discuss the process of early implementation and certifications, and in the final chapter he will offer his own critical assessment of the state of the ISO27K standards today.