Re: Interest in ISO 27001 audit/certification for the Debian Project?
On 2025 Nov 18, 22:02, Jeremy Stanley wrote:
>
> What role do you expect SPI would play in this? (Asking as an
> officer/director since it may come down to me to support the endeavor from
> that side.)
To answer the easier question first (SPI’s role): any certificate
would have to be issued to SPI as the only legal entity behind the Debian
Project. The role for SPI would indeed be mostly that of the “certified
organization” while the scope statement (Clause 4.3) would explicitly
limit the ISMS to Debian-specific infrastructure and processes. Therefore,
I don't think SPI itself would be dragged into heavy bureaucracy.
> Also, having been on point for writing entire ISO/IEC 27001 focused security
> policies and handbooks from scratch in a former life, I don't see how it
> would directly apply to Debian; there are a lot of operational controls
> which would need to be explained as irrelevant.
On applicability in a volunteer-heavy project: I completely share
the concern. Obviously, a large fraction of Annex A controls would
need to be answered as “not applicable” (especially the whole
HR/security-awareness sections, physical entry controls, supplier
contracts, etc.). Nonetheless, a sound, consistent, updated and properly
documented Information Security Management System can be of value in
any collective human endeavour in which cybersecurity is to be heeded,
and indeed the Debian Project can be argued to fall into that category.
> Perhaps more germane will be looking for alignment with recommendations that
> come out of ORC and OpenSSF as a response to the EU's harmonized standards
> for their Cyber Resilience Act, but those are still very much up in the air
> for the moment (I'm involved there as well, on the Spec Committee for the
> ORC WG).
I’m under no illusion that Debian is a typical commercial environment,
and I agree that a lot of Annex A would be N/A. My main motivation for
raising the question is the growing external pressure (CRA, NIS2, large
customers asking for evidence of supply-chain security) and the hope that
an external pair of eyes might surface a few blind spots that haven’t
been noticed (or voiced) internally. Whether full ISO 27001 certification
is the right answer - or whether something lighter (OpenSSF Scorecards,
SLSA level 3, or the emerging ORC recommendations you mentioned) is
more appropriate - is exactly what I wanted to understand from people
who know Debian (and ISO 27001) far better than I do.
So, reframing my original question now that I have better context: Do
you think a scoped, volunteer-friendly external audit (ISO 27001-based
or other framework) could still be useful, or is the project's security
already in good enough shape to afford dismissing one?
Regards,
--
Farruco