Last month marked the twentieth anniversary of the conception of the ISO27K standards, which originated as a formalized version of an existing British Standards Institution document, DISC PD0003 “A Code of Practice for Information Security Management” (ISBN 0 580 22536 4), first published on 20th September, 1993.
David Lacey, founder of the Jericho Forum, member of the Infosecurity Europe Hall of Fame and a visiting senior research fellow at the University of Plymouth, was intimately involved in creating that original document.
In our first installment of this series on the history of ISO27K, Lacey recounted the events leading up to the conception of the standards. In the second chapter of the story he discussed the process involved in the production of the first draft, and in the third part of our look at the history of ISO27K, Lacey discussed early implementation, certification efforts and the eventual adoption of the standards.
In this final installment, Lacey offers his own critical assessment of the state of the ISO27K standards today, and his thoughts on how compliance is killing security innovation.
It was fitting to do a series on the ISO27k standards not only to commemorate the anniversary of their conception, but also because of the recent revision of the standard, ISO 27001:2013. For more on the revisions, Dejan Kosutic outlined an overview of the changes in a great infographic, which is available here.
“I’m not up-to-date with the very latest developments, but it’s clear that the standard has been firmly set in stone by the forces of regulatory compliance, and they will dominate it for at least a decade to come,” Lacey said.
He contends that the ISO27k standards are in essence broken, as a focus on compliance has overshadowed the standard’s original intent – establishing an international baseline of best practices in information security.
“Unfortunately, the standard has numerous flaws because of its age and the progressive influence of auditors, consultants and standards professionals, as well as the negative influence of outdated quality management concepts.”
Chief among Lacey’s criticisms of what the standards have become today are:
- It’s an outdated solution driven by compliance and steered by standards committee members. The collection of controls is well over twenty years old yet has undergone very little change.
- The cycle for updating the standard is too slow (every 5 years). Requirements can change in months or weeks in today’s cyber security environment.
- The detailed control descriptions which dominated the original version have been progressively de-emphasized to the point that today hardly anyone ever reads them. Instead practitioners apply a tick-box approach to a set of one-paragraph statements.
- ISO 27001 is bloated with excessive wording, long lists, and unnecessary prescriptive text about how to manage security.
- The standard has been unduly influenced by quality management principles which emphasize repeatability over excellence. These principles might be acceptable for an industrial age factory that aims to churn out identical widgets each day, but they’re not appropriate for safeguarding fast-changing abstract intellectual assets.
- Requirements have been added which do not make sense – e.g. “repeatable” risk assessments – or do not exist in most companies – e.g. measuring the cost and effectiveness of security. I say this despite the fact that I once wrote the definitive whitepaper on metrics for nCircle (now part of Tripwire, Inc.)
- Certification audit cycles are far too long and do not meet the real-time demands of modern infrastructures. How can it be satisfactory to grant a certificate to a services company on the basis that it can remedy major non-conformities over a period of months? We need a real-time response.
- The excessive amounts of paperwork and evidence demanded by ISO 27001 are worthless and counter-productive. Many enterprises have policy portfolios running into more than a hundred pages. Nobody ever reads them. They can occupy up to 100% of a security manager’s time.
- The standard was originally developed for a large, Western company. It is unsuitable for small or medium-sized businesses which do not have committees, corporate policies, security staff or auditors. It is also inappropriate for many non-Western countries which do not follow written procedures.
- The standard is not sufficiently high for critical applications such as Cloud services or for mitigating advanced persistent threats.
- The standards community has developed too many unnecessary, content-free variants of the standards. We need a single document, not several dozen. This explosion in standards reflects the desire of the people who earn a living from standards, not the interest of the people who are forced to use them.
As it stands, many of these critiques could be directed at any number of security standards in use today, and Lacey says the root of the problem lies in the desire to maintain compliance, even at the risk of undermining security efforts.
“There is a major problem with standards and compliance overall,” Lacey said. “Compliance sets old standards in stone, preventing new ones from being introduced. This is a fault of compliance, and the standards community needs to recognize and compensate for this obstacle to innovation.”
Lacey believes excessive standardization also encourages a herd mentality and breeds a dangerous, predictable monoculture, which is a real and growing danger as enterprises continue to adopt identical security measures.
“Attackers are fully aware of this weakness, and they do exploit it,” Lacey concluded.
Title image courtesy of ShutterStock