Hot take: ISO standards do not meaningfully matter to me, because an extremely impoverished, unbanked person cannot freely access their contents from a smartphone or library computer.

Therefore, I go out of my way to avoid referring to them or relying on them in any way.

@soatok ISO standards are behind a fuckin paywall?

jesus christ

@matildalove @soatok
ISO: "We created global standards for everyone to follow"
Everyone: "Can we see them?"
ISO: "No"

@aires @matildalove @soatok

They're industrial standards. There's an underlying assumption that you're not going to be able to make use of them without massive amounts of capital equipment, and a further assumption that if you're not able to make use of them, they're probably not very interesting or relevant to you.

Maybe those assumptions are flawed. But they're at least not surprising.

@publius @aires @matildalove @soatok
As a consumer, how do I view the standard so I can check a product complies?
@emilion @geoffl @publius @aires @matildalove @soatok That cert isn't worth the paper it's written on without the SOA and rigorous verification.

@itisiboller @geoffl @publius @aires @matildalove @soatok I strongly disagree. The certificate is issued only after an external compliance audit. How can an independent validation be worthless? An SOA is available upon request.

@emilion @geoffl @publius @aires @matildalove @soatok Yes, but the scope could have been for the large corp's canteen and they'd still be able to claim an ISO27001 cert, in which case the cert is effectively useless w/o thoroughly reading the SOA.

@itisiboller @geoffl @publius @aires @matildalove @soatok The scope is listed on the cert. No external auditor would certify a canteen under ISO 27001.
I think you are trying to say that ISO cert is not a guarantee that everything is top notch. If so, I agree.

@emilion @itisiboller @geoffl @publius @aires @matildalove @soatok eh? It isn't up to the auditor to say if the scope is not acceptable. If the business has defined the scope and applicable controls (via a risk management process), then the auditor audits against that. This is why seeing the SoA is important.

The scope is on the cert, but not the controls that have been selected.

Now, the auditor could raise a non-conformity against the risk management process if it was piss-poor.

@puck @itisiboller @geoffl @publius @aires @matildalove @soatok "ISO 27001 Statements of Applicability (SOAs)—a confidential compliance report type—are available upon request."

https://www.ibm.com/cloud/compliance/iso-27001


@emilion @itisiboller @geoffl @publius @aires @matildalove @soatok Some companies refuse to make their SoA available.

@puck That is a huge red flag. That org has something to hide.

@emilion @geoffl @publius @aires @matildalove @soatok Here's a scope we recently reviewed (company name removed to protect the guilty): "Planning, building, delivering and running full-scope outsourcing services, end-to-end support, business solutions, consulting services and security services".

Still, without the SOA this does not give me ANY evidence that they are good. So much so that we've often joked that it's faster and easier to become DA in a pentest of a company with ISO27k than one without (based on tens of companies, so not a large enough sample size).

So no, what I'm saying is exactly that without the SOA it is not worth the paper it is written on, and even with the SOA all you know is that they have a good ISMS (which I support), but not necessarily that they do any RealSecurity™.

For the record, I just got ISO27k certified for a part of the org I currently work for, and that does not change my mind. The time spent on that certification with "renowned" large international orgs would have given soooo much more protection, detection, and response if spent elsewhere.
@itisiboller @geoffl @publius @aires @matildalove @soatok I know that this is a very frequent disconnect between people's expectations and what the standard is about. ISO 27001 is a standard for the Information Security Management System. You may have very few controls with low maturity and still get certified if your management system meets the requirements.

Using an ISO 27001 cert for vendor due diligence is wrong. A SOC 2 report is a much better basis for that.