Re: Interest in ISO 27001 audit/certification for the Debian Project?



Farruco <farruco@envs.net> writes:

> Nonetheless, a sound, consistent, updated and properly documented
> Information Security Management System can be of value in any collective
> human endeavour in which cybersecurity is to be heeded, and indeed the
> Debian Project can be argued to fall into that category.

This is one of those statements that is ubiquitous in compliance work to
justify the effort that goes into preparing this document. I think a lot
of compliance professionals truly believe this. However, as someone
adjacent but not part of the process, I am dubious. I don't think there's
all that much hard evidence that this is true.

I think there is much more evidence that an organization that is capable of
writing Information Security Management System documentation is more
likely to be able to maintain good security. But that's not the same
thing; the causality goes in the other direction. Having full ISO 27001
documentation is a form of effort-signaling: You're showing that you care
enough about security to go through the tedium of maintaining formal
documentation. This does say something about how much you organizationally
value security, or at least the *appearance* of security (there are
criminal enterprises with ISO 27001 certifications), but it's not the only
way to do that.

It is certainly true that having documentation and organizational best
practices is fairly universally of value. But it is not at all obvious to
me that casting that documentation in the specific format of Information
Security Management System documentation has much value except for getting
compliance certifications. I suppose there's some benefit in skimming over
the list of things to document to make sure one is not missing something
obvious, but I can almost guarantee that if one then translates one's
documentation into that format, it will quickly become useless.

It's far more important that the documentation be:

- simple and easy to understand;
- easily and quickly maintainable so that it is kept up-to-date; and
- actually followed.

This is more likely if there is a minimum of boilerplate, as little
formality as it is possible to get away with, and a willingness to let the
little things drop rather than trying to comprehensively document
everything and thus ensure the documentation almost immediately becomes
out of date and therefore not trustworthy.

> So, reframing my original question now that I have better context: Do
> you think a scoped, volunteer-friendly external audit (ISO 27001-based
> or other framework) could still be useful, or is the project's security
> already in a good enough shape to afford dismissing such?

Yes, absolutely. External audits have value; a fresh pair of eyes often
notices things that you've stopped noticing. And taking a moment to think
through a list of possible risks, sort them, and write down some solid
documentation for how we're addressing the top few with checklists for
critical operations (if they don't already exist) is generally useful for
any project.

More useful than what people are already doing? Probably not! Debian does
not have lots of people, particularly people who already have the
knowledge of Debian required to do this sort of work, sitting around bored
and idle. But if someone said "I'm going to join one of the relevant teams
and help them with their existing work while writing documentation of
Debian's security practices, making sure that I do enough other work that
the impact on existing members is at least neutral," I would be entirely
in favor. Sounds great!

I would definitely not say that the project's security is in good enough
shape that I would dismiss something like this! I don't think our security
is *awful*, but it is certainly on the list of things that we could be
doing better. (It's a long list; making a distribution is a lot of work
and resources are scarce.)

I think the critical thing to avoid is any approach that would make
existing volunteers have to deal with certification paperwork if they
aren't actively excited to do that, because a whole lot of people are
going to have the same reaction that I have: No, this is the kind of work
that I only do for a paycheck, and Debian is not in a position to provide
my paycheck.

-- 
Russ Allbery (rra@debian.org)              <https://www.eyrie.org/~eagle/>
