One Reason ISO 27001 is DOA
So why should we move on and away from ISO 27001?
The international standards community has done great work in establishing standards for many aspects of modern-day technology businesses and companies. Certification is most typically sought to obtain a “stamp of approval” recognized across the globe. The most popular is ISO 9001:2015, focused on “quality management” processes: repeatable procedures a firm creates to ensure it produces quality software and hardware products. Many US government agencies require an ISO 9001 inspection and certification of the organization.
Unfortunately, because ISO 27001 is a CLOSED and proprietary standard, many companies are turning to the US National Institute of Standards and Technology (NIST) 800-171 Revision 1 standard instead. It is a constrained, well-defined set of 110 security controls that most companies can implement in a matter of weeks. It’s not perfect, but unlike ISO 27001, it’s an open standard.
ISO 27001 may already be OBE (Overcome By Events) and is definitely Dead On Arrival (DOA) for this author. Tuck and roll. Other open standards that could also be applied to international development efforts include:
- The National Cybersecurity Framework (NCF) – also, fairly streamlined
- The SANS Institute’s 20 Critical Security Controls – top-down driven, and globally focused on threats
Ms. Columbus has worked in the Intelligence Community (IC) for over 20 years. She retired from the US Air Force in 2014 after working as a Senior Advisor providing authoritative advice on all aspects of Cyberspace operations, force structure and organizational concepts. She oversaw strategic support activities to enable the right mix of cyber capabilities for future operations.