
Re: Interest in ISO 27001 audit/certification for the Debian Project?



On 2025-11-18 09:44:10 +0000 (+0000), Farruco wrote:
TL;DR: Does Debian (via SPI) have plans or interest in pursuing ISO 27001 certification for its development, maintenance, and operations?
[...]

What role do you expect SPI would play in this? (Asking as an officer/director since it may come down to me to support the endeavor from that side.)

Also, having been on point for writing entire ISO/IEC 27001 focused security policies and handbooks from scratch in a former life, I don't see how it would directly apply to Debian; there are a lot of operational controls which would need to be explained as irrelevant.

Perhaps more germane will be looking for alignment with recommendations that come out of ORC and OpenSSF as a response to the EU's harmonized standards for their Cyber Resilience Act, but those are still very much up in the air for the moment (I'm involved there as well, on the Spec Committee for the ORC WG).
--
Jeremy Stanley


