Re: Interest in ISO 27001 audit/certification for the Debian Project?
]] Russ Allbery
> Simon Josefsson <simon@josefsson.org> writes:
>> That pattern applies to Ubuntu, although I guess ISO 27001 on its own
>> may not have been the biggest motivation there. Still, the end result
>> is that Ubuntu has ISO 27k and Debian hasn't.
Ubuntu doesn't have it, though. Canonical's ISMS is ISO27001 certified.
There's no mention of Ubuntu in the press release.
[...]
> Certification compliance is not something I would ever work on without
> being paid, personally. It is not enjoyable or fun; it's a job whose only
> real benefit is the paycheck you get for doing it. That's of course just
> my personal opinion; maybe someone out there finds filling out ISO 27001
> paperwork a great way to spend a lazy Saturday afternoon.
I'm obviously not going to tell you what you enjoy or not, but I think
that's a poor (but sadly quite common) way of doing compliance
work. Compliance work should be like running make check – it's a way of
testing that your procedures are actually as expected and provide
verification that the security properties you put into the system still
hold. If it's compliance for compliance's sake, it'll be thrown out the
window at the first opportunity.
All that said, I don't think we should be doing 27001, SOC2 or
similar. We're not aligned in how we work and doing an audit including
audit trails and such is completely infeasible, even if we were able to
explain it to an auditor. As an example, and as someone who holds some
keys in Debian (such as the cert used to sign uploads to MS for shim
signatures), I'd not be particularly interested in spending time
documenting or proving to an auditor what my security controls for that
particular key are.
Cheers,
--
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are