Friday 8 June 2018

Navigable structures

Some interesting suggestions concerning structures, content and management tools came up on CISSPforum yesterday as we chatted about security policies.

I mentioned before that I'm getting glimpses of structure within the policy suite. In fact, there are several structures, different ways to group, link and use the policies, which complicates matters. It's a mesh of multiple partially-overlapping categories, plus a number of possible viewpoints reflecting the perspectives and interests of the various users.

Much the same issue affects ISO/IEC 27002: numerous possible controls addressing a plethora of risks can be grouped and arranged in several ways. At the same time the standard is aimed at a wide variety of people and organizations, with perspectives and needs that, by the way, aren't static but change as they get stuck into the subject and their interests develop.

ISO/IEC JTC 1/SC 27 is tackling this issue by systematically 'tagging' the controls with labels, allowing users to select whichever ones interest them. It's an obvious application for a database ... but how it will work with corporate security policies is not entirely obvious.
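To make the tagging idea concrete, here is a small added example (my own illustration, not code from the post, from CISSPforum or from SC 27) of a policy suite held in a database. The controls, their titles and the tag values are all constructed for the example; they are not the real ISO/IEC 27002 attributes or any organization's policies. Each control carries several overlapping labels on different axes (audience, category, risk), so the same control surfaces under several viewpoints, and a reader picks controls matching any or all of the labels they care about.

```python
import sqlite3

# Constructed sample data: made-up policy controls, each with overlapping tags
# on three axes. None of this is taken from ISO/IEC 27002 or a real policy suite.
CONTROLS = [
    ("POL-01", "Acceptable use of information assets",
     {"audience:all-staff", "category:organizational", "risk:misuse"}),
    ("POL-02", "Access control and least privilege",
     {"audience:it", "audience:all-staff", "category:technological",
      "risk:unauthorised-access"}),
    ("POL-03", "Secure software development",
     {"audience:developers", "category:technological", "risk:vulnerability"}),
    ("POL-04", "Supplier and cloud service security",
     {"audience:procurement", "audience:it", "category:organizational",
      "risk:third-party"}),
    ("POL-05", "Incident reporting and response",
     {"audience:all-staff", "audience:it", "category:organizational",
      "risk:unauthorised-access", "risk:vulnerability"}),
]


def build_db():
    """Create an in-memory policy database: a control table plus a
    many-to-many link table so one control can carry any number of tags."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE control (id TEXT PRIMARY KEY, title TEXT NOT NULL);
        CREATE TABLE control_tag (
            control_id TEXT NOT NULL REFERENCES control(id),
            tag TEXT NOT NULL,
            PRIMARY KEY (control_id, tag)
        );
    """)
    for cid, title, tags in CONTROLS:
        conn.execute("INSERT INTO control VALUES (?, ?)", (cid, title))
        conn.executemany("INSERT INTO control_tag VALUES (?, ?)",
                         [(cid, t) for t in sorted(tags)])
    conn.commit()
    return conn


def select_controls(conn, tags, match_all=False):
    """Return the ids of controls carrying ANY of the given tags (default)
    or ALL of them (match_all=True).  Tag values are passed as bound
    parameters, never pasted into the SQL text."""
    if not tags:
        return []
    wanted = sorted(set(tags))
    placeholders = ",".join("?" * len(wanted))
    having = "HAVING COUNT(DISTINCT ct.tag) = ?" if match_all else ""
    sql = (
        "SELECT c.id FROM control c "
        "JOIN control_tag ct ON ct.control_id = c.id "
        f"WHERE ct.tag IN ({placeholders}) "
        "GROUP BY c.id "
        f"{having} "
        "ORDER BY c.id"
    )
    params = wanted + ([len(wanted)] if match_all else [])
    return [row[0] for row in conn.execute(sql, params)]


def viewpoint(conn, axis):
    """List the distinct label values on one axis (e.g. 'audience'), i.e. the
    menu a user would choose from when looking at the suite from that angle."""
    prefix = axis + ":"
    rows = conn.execute(
        "SELECT DISTINCT tag FROM control_tag WHERE tag LIKE ? ORDER BY tag",
        (prefix + "%",))
    return [r[0][len(prefix):] for r in rows]


if __name__ == "__main__":
    db = build_db()
    print("audience viewpoint:", viewpoint(db, "audience"))
    print("anything for developers:", select_controls(db, ["audience:developers"]))
    print("IT *and* vulnerability risk:",
          select_controls(db, ["audience:it", "risk:vulnerability"], match_all=True))
```

The point of the link table is that a control is stored once but appears in as many groupings as it has tags, which is exactly the partially-overlapping mesh described above; the "any" versus "all" switch is the difference between browsing a viewpoint and narrowing down to a precise intersection of interests.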

Suggestions on the table so far include:
  1. General-purpose database or document management systems 
  2. [Security] policy [and procedure, standard and guideline] management systems
  3. Documents, simple or compound with a fixed structure but numerous cross-references
  4. Web sites and wikis with relatively fixed structures and loads of hyperlinks
  5. Something more dynamic and flexible, yet usable.
I'm idly exploring some of those options in parallel with reviewing and updating our policy suite, thinking about how we might deliver an even more valuable product without making our maintenance nightmares any scarier.
