Are Standards worth the paper they are printed on? - Part 1

Mike Thompson

Mike Thompson is the Director of Information Security Products and Services at Linus Information Security Solutions. Mike’s expertise lies in bringing IT and the Business together to improve Information Security outcomes. He has over 25 years of experience across numerous government, commercial and not-for-profit organisations, and is recognised as an ISM expert with the rare ability to articulate complex issues and concepts in plain language and business contexts. Among his many projects he has uncovered computer fraud, ethically hacked a number of organisations, worked as an official adviser to the Victorian Privacy Commissioner and the Victorian Law Reform Commission and designed and developed award-winning software solutions.

There are several Information Security Standards in the marketplace that are designed to assist information technology security (ITS) practitioners in protecting their organisation’s information and systems. I argue, and have done for many years, that they actually do quite the opposite. They confuse practitioners and do not work towards the (assumed) goal of improving information security. Here’s why.

The Check-list Approach

I am often asked if we can certify an organisation as ISO 27002 compliant. My answer is “No, that is impossible”, because the standard doesn’t actually stipulate any specific controls or requirements with which to comply.

ISO 27002 is really just a check-list of areas you need to consider for your business, with the risk profile of your business dictating which of those elements you implement and to what extent. You can only be accurately audited for compliance by looking at whether the controls in place actually match your organisation’s risk profile.

I will be discussing Risk Management in more detail in Part 2 (coming soon), but the essence of the problem is that the ISO 27001 certification process relies on the use of unworkable risk management standards such as ISO 27005 to determine which of the controls described in ISO 27002 are appropriate for your organisation. ISO 27002 also refers to business continuity. This may have been relevant in the past, but ISO 22301 is now the correct standard that should be applied for business continuity.

ISO 27001 certification is actually more about compliance with a high-level generic process with a risk assessment as the backbone, but no practical and effective risk assessment methods are actually provided beyond motherhood statements. Certification will not provide reliable assurances that you are secure, only that you have completed a set of generic steps. You certainly won’t get a clean bill of health with that.

Don’t get me wrong, ISO 27002 is a great check-list of things you should consider, but it doesn’t specifically say what you should implement. You will still need to adopt a quality risk assessment method to determine the appropriate controls to use in your organisation. Unfortunately ISO 27005 and other generic risk assessment techniques are not the answer.

Old World vs New World

The Australian Government Information Security Manual started out as a standard for use in the Department of Defence and, slowly but surely, made its way into other government areas, including state governments.

While this document and associated references contain some useful material, I’m highly critical of it for two reasons - it re-invented the wheel instead of using or referring to available ISO standards such as ISO 27002 and ISO 22301, and it’s still full of outdated concepts, such as using the document-centric and confidentiality-biased classification scheme as the basis for determining information security needs.

The classification scheme is also applied to controls, assets and equipment, which is, quite frankly, a ridiculous concept. It should only apply to data, and it should include other equally important sensitivity criteria such as integrity. In many cases it doesn’t matter who can see the information, but rather how accurate what they see is. For example, if a government agency is publishing details on acceptable levels of chlorine in public pools, I would hope the decimal point was in the right place before my kids went for a swim.

Recently the document has gone through a fresh coat of paint and has begun to recognise the need for a less prescriptive risk-based approach, but it still looks more like a face-lift than a rethink. Some of the concepts may work well for Defence, but are a very poor fit for most other organisations.

Base-line Standards

The PCI Standard applies to the use of payment cards and uses a base-line approach. This mandates a foundation set of controls that organisations should have in place if they are managing payment card data. The problem is that a baseline approach encourages the assumption that just implementing the PCI Standard will ensure you are covered, but ask the ex-CIO and ex-CEO of Target in the US if that worked for them.

It is OK to establish the PCI Standard as the fall-back position, but you run the risk of under-protecting key assets and, in some cases, over-protecting lesser assets if you use a baseline approach. There is no such thing as a ‘one size fits all’ approach for security.

NIST, CSC and ASD Strategies

The National Institute of Standards and Technology (NIST) publishes the US federal standards for information security. It is a very good, practical description of the range of controls you would typically have available and gives an indication of where you would apply those controls, for example, which controls would be relevant in a high-risk environment.

The Critical Security Controls for Effective Cyber Defence (CSC) is another useful reference that describes a simplified set of basic controls that protect against the majority of common threats. The Australian Signals Directorate (ASD) Strategies to Mitigate Targeted Cyber Intrusions also includes similar targeted advice.

I would encourage organisations to have a look at references like these and get some good common-sense, general protection in place quickly.

The recommendations are generally very practical (for example, it always makes sense to patch regularly), but following them can still leave you poorly protected in critical areas. The baseline approach encourages organisations to bypass the risk profiling process. It provides an easy way out, but potentially leaves them exposed. While baseline standards can score some quick wins, they don’t give you the whole picture. You will still need to perform analysis to profile your organisation’s specific needs.

Relying solely on standards as your blueprint for information security will leave you exposed: they only offer generalised considerations or baseline estimates, or they are outdated and misleading. Standards simply lack practical and specific guidance on how to work out the appropriate security for your organisation.

Next month, in Part 2, we will look at privacy and risk standards and what you can do to make sure you achieve better security outcomes.

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Tags: information security, risk management, PCI, NIST, CSC and ASD Strategies, Controls for Effective Cyber Defence (CSC)
