Savva Pistolas

The Launch of ISO27001.zip

On Thursday I launched my new project website iso27001.zip, a website containing a collection of notes on the International Organization for Standardization's management systems standard on Information Security Management Systems (ISMS) - ISO/IEC 27001:2022.

It's a non-commercial venture that's aiming to make documentation and exploratory content about ISO 27001 more accessible and engaging for veteran users and newcomers alike, in the hope that more people will engage with this standard as the cybernetic masterpiece that it is. In this brief reflection, I talk through my experiences with this standard, and how they led me to want to build the site.

If this subject matter is new to you - check this out.

😀 TL;DR - I love this thing, I'm hoping to build something that makes more people love this thing.

First eyes on ISO

The standard is not unique amongst its neighbours in the management systems standard world, following the same harmonised structure that most others do; it is instead my specific experiences that drew me to the standard and eventually developed my desire to write about it. My first exposure to the standard was many years ago at University, when my Applied Cyber Security BSc introduced it to us in our governance and risk management module. I was originally baffled by it, but soon became enamoured by the battle-tested tapestry of mutual dependencies that made up this document. Clearly, some thinking had gone into this! I enjoyed it primarily as an exercise in theory and was taught that the standard was an ideal match for larger organisations that could provide discretionary funding and make dedicated recruitment and staffing decisions.

My output at University challenged this assertion that the standard only had usability in the world of big enterprise - I had found that the Information Assurance for Small and Medium Enterprises (IASME) Consortium had mapped the standard roughly across to some of the efforts it was making to produce accessible cyber security frameworks in the SME space. Further, I myself had used the standard to successfully conduct a gap analysis on both a real SME and a business component of the University - successful enough that both could make impactful changes to their body of policy based on my feedback. It was the first time I had been able to practically translate some best practice guidance into meaningful, context-informed advice, and to do so in an explanatory and justified way. It was very rewarding.

ISO had clearly made efforts to make sure that the standard was vendor agnostic, and some very friendly, knowledgeable people in industry had informed me that it was more than possible to use 27001 for improvement within SMEs, and so it was clear to me at this stage in my pre-career that the inaccessibility wasn't in the design of the body of the standard but in access to the means by which its lessons could be applied. I had been able to act as the interpreter of the best practice guidance and provide meaningful guidance with unquestionable provenance, but clearly I had added value - it wasn't simply transliteration from standard to direction.

I had received some fantastic education on the context of the standard itself, where and how it has been useful, and what a practical application of it actually looks like. This was my induction. From here it was an easy move to start to develop the information security risk management version of 'common sense'. This part of my experience wasn't a component of the standard itself; it wasn't required reading. It came as my network and experience grew (let me say here that it is certainly still developing! I continue to be humbled by the fantastic experiences I encounter), and I believe the development of this 'common sense' is also the development of a blind spot if we do not pay careful attention to it. To those who don't have ready access to the language or understanding that comes with these interactions and experiences, the standard can feel like a very alien thing to 'work'.

The problem

The seemingly ethereal nature of the standard when you don't have a practical base to build it on (or someone to point at it and explain it) resonates with a lot of friends' understanding of ISO management system standards (MSS) such as 27001. They are instruction manuals that aren't attached to anything - an ever undecipherable IKEA step-by-step for something that doesn't tangibly exist. I understood this position: building systems of work involves trying to capture and document interpersonal relationships and expectations (or, as the management theorists who don't do hugs would like to call them, Psychological Contracts). If your organisation isn't one of coercive control and you find value in working with people who share your strategic objectives (vital in the not-for-profit space), then it's necessary to find meaningful ways to share goals and objectives at the institutional level and derive our operation from this common understanding.

If that first olive branch of teaching and understanding isn't extended to help you explore the standard in practical terms and then work back towards the theory with a well-developed common sense, then you're unlikely to see the potential of the standard, and will relegate it to the whopping great pile of boring insurance-satiating box ticking exercises that cause arguments in all-hands meetings.

Heading to work

What little doubt I had about the practicality of the standard was dashed as soon as I hit industry - we successfully and frequently used ISO 27001 and its sibling for business continuity management systems, ISO 22301:2019, to assess whether the body of policy for smaller organisations actually matched the processes and procedures that informed their normal operations.

Time and again we would be met with policy that was utterly disconnected from the purpose it was supposed to serve and had no clear connection between the expectations and responsibilities placed on workers at all levels and the strategic objectives of the organisation. I derived immense satisfaction and engagement from identifying clunky or broken policy, stripping back the corporate jargon, comparing it with the relevant clausal requirements (adjusting for context), and then preparing considerations for our client to take home with them. We had 100 percent positive feedback, and without fail we provided value. The system worked.

Badged up

As I picked through dozens of these case studies under the watchful guidance of my seniors at the time, it became clear to me that I wanted to formally concretise the knowledge base. I was supported to become an ISO 27001 Lead Implementer - attending a week-long training course followed by an examination, which I passed. It was a very hands-on course, and I was attending alongside people who weren't there to learn for the sake of learning (as I must admit I was); I was joined by people who needed practical understanding of the standard to take home. We had workers from internet service providers, freelance consultants, taciturn defence contractors, and middle management Six Sigma black belts.

Putting aside the awesome industry stories we got to hear from all in attendance, and the outstanding trainer we had, I was left hoping for more of a nuts-and-bolts approach to decompose the standard and understand it from a theoretical perspective.

This was the inception of the idea of the website - if hands-on expertise in application and implementation (which comes in many shapes and sizes) is a requirement for understanding the standard, then those who are not directed to use the standard, or who lack access to a colleague who can successfully inspire them, are unlikely to naturally stumble into it and find it of interest. I had experienced a unique blend of academic exploration followed by attentive, outcome-focused industry application, all under the watchful eyes of some very impressive people who had been doing the work since before I was born - and were applying this expertise in the not-for-profit space. An avid notetaker, I decided to keep track of my efforts and try to write accessibly, without stripping away my excitement about a certain area, hoping that I would eventually have enough of a body of interest in the subject to produce something.

And so...

I then proceeded to completely forget about the idea. I slowly accrued notes and made supportive diagrams in my own time that consolidated my understanding and satisfied my interest in the standard, wrote a few blog posts, and a service methodology for our ISO-informed gap analyses at work. There was no meaningful catalyst that pushed me to structure and publish the site; it was during the spring-cleaning of my Obsidian vault that I stumbled across the initial idea in a note and took stock of what I had to share. I had enough to launch it as a public-facing work-in-progress!

And here we are. I'm currently sharing only about 30% of the total content and notes I hold on the 27001 standard (and a lot of this bleeds into other areas). This is because a lot of what I have is only really useful to me because it jogs my memory - it isn't useful standalone. My list of content to add to the site is long, and I am looking forward to watching it organically grow in the coming months and years. I love being busy when it's with work I care about, and the most enjoyable part of launching a project is that it isn't the end, it is the beginning!

If you've gotten this far, and you enjoy the site - why not contribute? Make the standard more accessible and get a writing credit by sending me the body of your contribution!