Standards development - a tough, risky business
News emerged during June of likely further delays to the publication of the third edition of ISO/IEC 27001, this time due to the need to re-align the main body clauses with ISO's revised management systems template (specfically, the 2022 edition of the ISO/IEC Directives, Part 1 "Consolidated ISO Supplement — Procedure for the technical work — Procedures specific to ISO", Annex SL "Harmonized approach for management system standards").
Although we already have considerable discretion over which information security controls are being managed within our ISO/IEC 27001 Information Security Management Systems today, an unfortunate side-effect of standardisation, harmonisation, adoption, accreditation and certification is substantial inertia in the system as a whole. It’s a significant issue for our field where the threats, vulnerabilities, impacts and controls are constantly shifting and often moving rapidly ahead of us … but to be honest it’s equally problematic for other emerging and fast-moving fields. Infosec is hardly special in this regard. Just look at what's happening in microelectronics, IT, telecomms, robotics, environmental protection and globalisation generally for examples.
One possible route out of the tar-pit we've unfortunately slid into is to develop forward-thinking ‘future-proof’ standards and release them sooner, before things mature, but that’s a risky approach given uncertainties ahead. It would not be good for ill-conceived/premature standards to drive markets and users in inappropriate directions. It’s also tough for such a large, ponderous, conservative committee as ISO/IEC JTC 1/SC 27. However, the smart city privacy standard ISO/IEC TS 27570 is a shining beacon of light, with promising signs for the developing security standards on Artificial Intelligence and big data security too. I wish I could say the same of 'cyber', cloud and IoT security but (IMNSHO) the committee is struggling to keep pace with these fields, despite some fabulous inputs and proactive support from members plus the likes of the Cloud Security Alliance and NIST.
The floggings will continue until morale improves.
Another tar-pit escape plan involves speeding-up the standards development process, perhaps also the promotion, accreditation and certification processes that follow each standard's publication – but again there are risks in moving ahead too fast, compromising the quality and value of the standards, damaging ISO/IEC’s established brands.
SC 27 management appears to be working on just such an approach right now with ISO/IEC 27028, putting more time and effort into the informal drafting stages ahead of the formalities of Committee Drafts and voting. The idea is to smooth and speed up the formalities by drafting better standards in the first place, and gaining the committee’s implicit support/consensus ahead of explicit approval. Likewise with recent moves to separate subject matter expert involvement in the creative preliminary stages from national body involvement in the latter stages. We’ll see how that turns out!
Personally, I yearn for modern, collaborative, cloud-based methods, particularly for the early informal stages of each standard. I'm sure we could get a lot more done, relatively quickly and painlessly, by working together online as a group in near-realtime ahead of the necessary ISO formalities around proofreading and approval. At the very least, more productive social dialogue between the experts would help get us all to the same chapter, if not on the same page. Committee meetings, whether virtual or in person, are costly and ponderous compared to, say, Google Groups or Microsoft Teams. I see these as complementary not alternatives, not either-or but both-and.
Yet another tar-mitigation option would be for SC 27 leadership to clarify the strategy and (re)align the committee members accordingly, increasing their understanding and support for whatever it takes to optimise the processes. However, ‘leadership’, ‘strategy’, 'alignment’ and 'optimisation' are all difficult in the ISO context, given the importance of due process, ample consideration, cultural awareness, diplomacy and global consensus. Management has cats to herd, guide, persuade and convince rather than unilaterally pushing through or blocking changes (as happens occasionally). Governance is challenging at the best of times: in such a large, international, busy, largely voluntary and diverse organisation, it’s tough-as.
Looking back, despite all the challenges and all that tar, SC 27 has been remarkably successful, generating and managing a sizeable portfolio of well-respected ISO27k, privacy and other infosec standards. Sure, it could have done better in some areas, but overall the world is in better shape today than it would otherwise have been without SC 27.
Meanwhile, aside from shouting a few choice phrases from the touchline, is there anything we can do to help?
- As we gain knowledge and expertise, we can give something back. Volunteer as subject matter experts, actively engaging with SC 27 through our national standards bodies to help develop better, more forward-thinking standards, for example by contributing to, reviewing and commenting on draft standards, especially in the early, more creative stages of the drafting process;
- Propose, draft and offer possible new ISO27k standards, as is currently happening with, say, security control attributes and professional services;
- Collaborate more, pulling together as a supportive community to develop, understand, adopt and extract value from the standards;
- Think beyond mere certification. Be more creative and innovative, treating the standards as foundational platforms, suggested good practices worth considering, adapting, adopting and building upon rather than targets, hurdles or constraints on progress (as is happening right now with ISO/IEC 27001);
- Be open to novel approaches, such as integrated management systems, peer-group and collaborative working, and cherry-picking whichever approaches hold the most promise for achieving our organisations' business objectives (e.g. supplementing or completely replacing the current '27001 Annex A controls with a more contemporary mix);
- Be more tolerant and considerate of each other, including ISO/IEC, SC 27's management and editorial teams, the accreditation and certification bodies, auditors plus our work and professional colleagues. Remember, we're all on the same side here!