ISO27001

[junglie85]

I'd like to try this with ISO27001. Do you know if anyone has already started working on making this standard available for open control?

[shawndwells]

Feel like I've heard @gregelin or @damcom3030 talk about it in the past.... but could be completely making that up.

Any conversations I've personally had around ISO27001 boiled down to "yes, that'd be nice to have, but need to finish $otherThing first"... and alas there is no 27001 content yet =/

We were more likely to have discussed the ITSG-33 version. ;] The ITSG-33 being the Canadian-ized version of the NIST 800-53. One of these days....

References

• https://github.com/cds-snc/ITSG-33-baselines
• https://github.com/cds-snc/ITSG-33-definitions
• https://www.cse-cst.gc.ca/en/node/265/html/24869

[shawndwells]

@AshleyByeUK looks like it's totally green field for work on ISO27001 :)

[junglie85]

I'll have a look at how this could work. Thinking about it a bit more, the standard isn't free and I seem to remember the license stating that electronic/network copies cannot be made. If that's the case, I'm not sure we'd be able to provide ISO27001 publicly. I'll see what I can figure out.

[gregelin]

@AshleyByeUK we can support the ISO 27001 while respecting ISO's copyright policy. Shellman's blog has a comparison between ISO 2001 and FedRAMP (e.g., NIST 800-53) (https://www.schellman.com/blog/fedramp-vs-iso-27001). Notable in Shellman's comparison is the following: "FedRAMP focuses on NIST 800-53 Rev 4 whereas ISO 27001 focuses on the control set within Annex A of the standard. (Hint – you can find a mapping of these controls in the NIST 800-53 standard!)". Here are a couple of the shots of the cross reference tables in NIST 800-53 Rev 4 below:

OpenControl supports listing a standard purely by Control Identifiers (control numbers) without need to list the actual control text. (We should not list the control text because that could violate the ISO's copyright.) We could talk to ISO also encourage ISO to include an OpenControl version of their control guidance as part of purchasing the standard. So there's no reason not to publish an ISO 27001 standard file listing the control identifiers, or the identifiers and control titles.

For open source security content, we can identify that control implementations are related to specific ISO 27001 controls by referencing the relationships indicated by the published 800-53 cross referencing. The control implementation descriptions should of course be written to be independent work from the ISO 27001. While this would be imperfect, it would provide community with shared reference information.

It's really up to the author of the component's OpenControl to simply state a control implementation narrative block refers to ISO 27001 A.6.1.2 as well as NIST 800-53 CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2

[shawndwells]

On 10/2/18 5:10 PM, Greg Elin wrote: It's really up to the author of the component's OpenControl to simply state a control implementation narrative block refers to |ISO 27001 A.6.1.2| as well as |NIST 800-53 CP-2, CP-4, IR-4, PL-1, PL-2, PM-2, SA-2|

FWIW, we (Red Hat) asked ISO about creating OpenControl and SCAP content to configure Red Hat products against 27001. ISO considers sharing even control enumerators and titles, such as those @gregelin showed in the screen shots, a violation of their IP.

[shawndwells]

/me guesses ISO isn't going to go after the US Gov for such a violation, but a commercial entity shipping ISO profiles is a different matter.

[gregelin]

@shawndwells Thanks for the insight. I wonder what the precedent is in a case where the federal government has published certain information.

[shawndwells]

@AshleyByeUK bumping this conversation. Were you able to look into how distribution might work?