Hot take: ISO standards do not meaningfully matter to me, because an extremely impoverished, unbanked person cannot freely access their contents from a smartphone or library computer.
Therefore, I go out of my way to avoid referring to them or relying on them in anyway.
@soatok ISO standards are behind a fuckin paywall?
jesus christ
@sophieschmieg @philpem @joxean @soatok @matildalove NIST's process seems very much like the ISO process, except rather than selling copies of the standard to pay for it, it's funded by the US government.
(I've only participated in the ISO process myself so I'm sure there are details that are different, but the kind of proposal mechanism looked very similar for e.g. SHA-3 from the outside)
@sophieschmieg @malwareminigun @philpem @joxean @soatok @matildalove
Waitwut
“ as far as I know ISO standards are written by volunteers”.
So written by volunteers, and then paywalled? Do they want to be Elsevier when they grow up?!
@malwareminigun @avuko @philpem @joxean @soatok @matildalove
They are arguably worse than Elsevier: at least with journals, you can buy institutional access to their entire portfolio at a huge discount over paying for every single paper separately. With ISO, you can't. You literally have to buy access to every single standard, and you are not allowed to share one copy of the standard between multiple engineers.
@[email protected] It's one of those problems everyone hates but nobody has good solutions for. ISO provides the lawyers + legal framework to allow competitors to work together on a standard without being sued into oblivion under anti-trust laws, and lawyers have to get paid for somehow. There are standards that have left ISO, the most notable being POSIX. I'm not sure how that works.
@ftg i hope you perform that job according to the rules. it sure would be terrible if such a standard were to end up on torrents or something.
(yeah, i know, why take that risk when nearly [or exactly] no one would even seed it. it's all so depressing.)
It is often hard to get the people that fund the making and updating of standards to also pay for publishing, maintdnance of the organisation that publishes and updates, etc.
I do comparable work, and though we would like to see that these costs are paid in advance by the funding parties, they can't go much further than a little contribution for a minimum of dissemination work.
@matildalove
Their roots are in manufacturing and constructions where the price of the standards are almost incidental compared to the costs of producing the final product.
Having said that I do still think they're often massively overpriced.
They're industrial standards. There's an underlying assumption that you're not going to be able to make use of them without massive amounts of capital equipment, and a further assumption that if you're not able to make use of them, they're probably not very interesting or relevant to you.
Maybe those assumptions are flawed. But they're at least not surprising.
@geoffl @publius @aires @matildalove @soatok You have no need to view the standard. If a product/service complies they can present you a valid certificate.
@matildalove @emilion Pretty sure a lot of the ISO nonsense I've pasted into client websites doesn't mean shit.
I didn't even know what it was (well I aorta did but also not really...) until I read this thread.
Yay. Love my job. Writing boring crap and pasting it on the internet. Whilst lying naked in bed, peeling onions with my feet.
@emilion @publius @aires @matildalove @soatok
Yeah. lol. I ain't trusting that. Also, several ISO standards are based on known faulty lookup tables that are still used because it would break consistancy to fix them. If you can't independently verify it complies to a standard and where it might deviate from expectations or other standards then it's a pathetic excuse for a standard.
And that certificate still doesn't say exactly what it's complying with.
@geoffl @publius @aires @matildalove @soatok If you have a problem with a standard's requirements, it is best to reach out to a specific working group (WG).
As for prices, shop around. I bought from evs.ee in the past.
https://openregulatory.com/articles/accessing-standards
@emilion @geoffl @publius @aires @matildalove @soatok
Contrary to popular belief we never accepted their offer of Federation
#NZisAdifferentCountryToOz
Edit: their was your
@emilion @itisiboller @geoffl @publius @aires @matildalove @soatok eh? It isn't up to the auditor to say if the scope is not acceptable. If the business has defined the scope and applicable controls (via a risk management process), then the auditor audits against that. This is why seeing the SoA is important.
The scope is on the cert, but not the controls that have been selected.
Now, the auditor could raise a non-conformity against the risk management process if it was piss-poor.
@puck @itisiboller @geoffl @publius @aires @matildalove @soatok "ISO 27001 Statements of Applicability (SOAs)—a confidential compliance report type—are available upon request."
@puck @itisiboller @geoffl @publius @aires @matildalove @soatok Such as Hetzner. If this is a deal breaker vote with your legs.
The real fun starts when you have purchased two products - both of which are certified to comply with the standard. And then you find that those two products don’t work together anyway.
If you can’t read the standard, how are you ever going to find out which of the two products is faulty?
Soatok Dreamseeker
Matilda Love
Joxean Koret (@matalaz)
Phil M0OFX
Sophie Schmieg
Billy O'Neal
⠠⠵ avuko
0xC0DEC0DE07EA
MKSchmidt
Luna R
Aires
ftg
Samantaz Fox
Marco van Burgsteden 🍋
César Pallares 
halcy 
schrotthaufen
InsertUser
publius
groff 🇺🇦
Emilion
Yaoi Box Balloon
jan AKO (alasa kili olin) 🌱
Raglan Niall 
Martin Boller 
Andrew
kasperd