S3E01. ISO Series - Of International Standards Ep 1/12

In conventional IP management literature, a very important spec that we talk about a lot is in terms of information management. Usually a management company falls within certain standards. It is normally an artifact with some systematic and instruction known knowledge. That's what I know of on how the information should be and can be managed in organization. And among the many standards, one very one that is widely used STI S Oh.

00:53

Welcome, you're listening to security law podcast, season three.

01:15

Let's talk about what isn't a standard? And then what's ISO? So doc, can you share with us? What is the standard?

01:29

Okay, so before we start off, I just want to make it clear that this standard that we're referring to, is a document that's available for anyone to consume. It should not be confused with policy, governance standards SOPs for an organization. These are standards or reference document that's applicable to anyone and everyone who wants to get it. So what is the standard so the standard gives you information about a particular topic. So today we talk about cybersecurity, IT security, network security, and the whole works. So we are referring to a document that while for ISO standards, you have to purchase this document, it's not something that's freely available for download. So it's it's a copyrighted document that you can purchase and use in your organization. So standards tell you what should be done, or in a lack of better word gives you a frame on how you can make sure that you've done what you need to do. So another way I could answer this question is, say prof, you go into a new organization, and you're the seaso. So the board asks you, have we done enough? How do we know that we're doing everything we need to do? So the best way to answer this question is to say that, let's do a gap analysis or let's identify if the organization actually meets a particular standards. Now, standards can be something that is issued by your local government, it can be a regulatory requirement. Or you can even use a standard that is accepted worldwide. In this case, we refer to the ISO standards, the ancient International Standards Organization. So that's in a way how you could answer that question. But if an organization is already having a standard, then you can use that standard to say, what have we done in totality for the organization? How far have we gone? And what are the areas that we need to do in order to cover the gaps that we see?

03:58

You talk about standards organizations, and also is Oh, are they the same? What's the difference between them? If not,

04:08

so, we have standards organization and we have ISOs. ISO is a group of 160 Sound countries and these countries are represented by their standards organization. So for example, in Malaysia, you have a standard organization called serum si ri M. They are responsible in producing local elbaite national standards, specifically for Malaysia. Right. You also have standards organization that operates in other countries like Singapore and Indonesia and India, who, in their own way, produce standards, specifically for their country. I guess the one that really famous that everyone knows about is NIST. NIS t, which is from the United States of America, they produce a lot of, I call them as bleeding edge, or, you know, really on the cusp kind of standards that influence how a lot of other organizations do their work. Right. So, in some countries, you have to meet your local standards requirements or your regulatory requirements. So let me put a frame here, standards are not mandatory regulatory requirements are mandatory, because regulatory requirements may be a condition for you to meet your licensing requirements. Now, however, a regulation or a law can stipulate that you must meet the minimum requirement of the baseline or even to meet the audit requirements of a particular ISO or a local standard. It really depends on the country and how they want to promulgate standards and a certain level of assurance in whichever area that they want. So let me give you an example. So when we talk about standards, I'm tea lover, right? International Standards Organization, or ISO has ISO 3103, specifically on how to make a cup of tea?

06:31

Oh, okay.

06:33

That's very little known thing about how detailed ISO can go. So take my word for it can open up Google punch in ISO 3103. And you will find that document, right, or at least a reference to that document, which is what I'm doing right now, I'll just want to be read out the title for you. So 3103 standards by ISO, standardized method for brewing tea? That's the title of the document, right? I mean, because I'm a tea level. So I know there's an ISO standard on how you make tea. You know, but this is the British way of making tea, not the Malaysian way of making dataarray. Right. But there is a standard. So maybe Malaysia might come up and say, you know, this is the mean, and the standard requirement and how to make a good cup of dataarray. Right, that can happen. Hey,

07:33

interesting. I did a quick one, also. And I saw this once, specifically for use in sensory tests.

07:41

Yes, there is. So I hope I've given you a clear difference between what a standards organization do what ISO does. Okay, so maybe I have to branch a little bit into what is Oda. So ISO is a collection of 167 countries. And they're represented by their respective standards organization. So they may be standards that is prevalent at the local country, which the country might find that, hey, I want this standard to go so that everyone would recognize it. Because I find benefit in having this standard. It can be a manufacturing standard, it can even be a security standard. So for example, encryption, there are encryption algorithms that are used at national level and their encryption algorithm that's used worldwide. Right? So if a country were to say, Okay, I have this encryption algorithm, which I think is beneficial, because it's in everybody's computer, it's being used widely. We want to make sure we have a standard on how people could use this algorithm or this cipher, effectively. Hence, we want to standardize it. So there can be a reason why you'd want to take a local standard or say a standard from a country X to then be proposed at ISO to become an international standard.

09:01

Is it correct to say that, well, just now you say is Oh is made of 167 countries? And then so I would assume that within the countries itself, then there are standards organization, then is it right to say that the standards organizations do the work of ISO, as in they carry out the work? Is it correct?

09:23

You're absolutely right. So the people who actually do work in ISO, the representatives the country representatives, who are in ISO, so for example, I'm a compute country representative, who does work for ISO I've written standards, ISO standards, specifically on encryption, and also I'm part of the team that produced the ISO 27,000 series and namely the most recent one, which is the 27,001 which was just released in 2022. So we are not paid by ISO No, I don't get paid in Swiss francs, although I would love that. It's a national service, mind you. So we come as representative from our national body. So for example, I come representative of my national body in ISO. And I'm also one of the editors in ISO. So these are all I would say, professional, voluntary work, that you know, you did the work. And one of the funny things about ISO is that you will never ever see the list of editors, or the person who actually contributed to the standards, because it's a collective way of doing work rather than just one person putting in the effort. So there are two types of representatives who work in ISO, the first one is a subject matter expert. So subject matter expert would be the person who would be the check and balance to make sure whatever details that's proposing the standards meet the actual technical accuracy required for an international standard. So for example, if you're proposing an encryption algorithm, then the verbiage how it's described, the test parameters are all properly defined in the document. before it goes out into publication, this is at the technical level or at the experts level. The next level is when the standards are voted by the country standards organization, it can be the same person or depending on who's attending the meeting, or it can be a separate person. So there are two levels of verification. The first one is at the the experts level people who understand the technical nitty gritty details of the subject matter that's being spoken about. Once that gets approved, then it goes to the national level. So at the national level, each country then votes to say whether Yes, standard is okay, go ahead, or no. Which is just a plain No. Or it says no with modification, which means that I will say no, but I'm inclined to say yes, if you make these four or five changes in your document, so it may not just be something technical can be something editorial, or it can even be something on how the whole process is being described, because you might be doing it differently in your respective nativity or country.

12:40

Now I find it interesting that the people who worked on iOS Oh, if I understand you correctly, is that they they are not acknowledged. And we will not see the names of the people who actually work on those standards. Is that a common practice? And what is the rationale for that?

13:00

Well, I guess like what I mentioned earlier, it's more of the ISO standard being an international document, which doesn't tie to an individual effort but a collective effort. So in that instance, I guess the only thing that would validate if you've done some work is the mention when your document finally gets approved, it actually gets minuted, these are the persons who are responsible for this document. So that's as far as it goes. Because it's an international standard doesn't. I guess it's also to remove the stigma of whether the standard was authored by a person from Country X or country y. So since it's international, then I guess it's only fitting that there's no names to it. And I guess it's more of a collective or a global effort rather than a singular party effort.

13:57

Fair enough. Then my next question would be How does one get into this team of ISO experts? does one get voted or is it an application process?

14:15

Enjoying the show sofa? Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple podcast, Google podcasts, and many other platforms busy podcast dot security lock dot Asia to get the links to subscribe.

14:32

So the first thing to do is to be part of your local standards organization community. So each of the standards organization will have their own committee mirroring how the ISO works. So for example, the committee in ISO that looks at cybersecurity is called the SEC 27. Right. So the same structure is there replicate it at the local level standards organization. So for example, in Malaysia, we have serum serum will have similar structure as to which committee corresponds to which committee in the ISO. So as part of the standards working group, I'm also there in the local community, reviewing the documents, putting up proposals, helping the other editors, improving the documents. And we work both at the local level. And we also work at the international level. That's how it works. So if you want to get into ISO, for example, so let me remind you, you don't get paid in Swiss francs, you get a pat in the back and say, well done. Good job, right. So there's a lot of time involved. And there's a lot of meetings, especially when a paper starts getting approved. So when the paper goes in the concept level, then first you vote whether the paper should actually go into an actual, actual ISO standard. Usually, the challenge is to get that, that proposal out of the way to say that, yeah, we're going to work on it. And then the standards organization may decide to say, Okay, we will contribute some resources there. Or they may say that this is not something that we're interested and may not even worry about that particular standard. So as part of being in the committee, you can actually decide to say, Okay, raise my hand, I'm going to work on this standard number 12345, and be one of the technical experts, and you start joining in the meetings, usually the face to face meetings every six months. And in between them, maybe working group discussions or the paper discussions, because, for example, the way it's organized, how is organized, you have the main series. So here we have sc 27, that looks at the 27,000 series of document, and then it's split into six to seven working groups. So for example, working group one is responsible for the main standard 2000 27,001, two and 7002, working group two who's responsible for looking at encryption and cryptography standards. So you can then be which part of the working group that interests you, and you can be part of that working group and you can start looking at papers within within the working group, then you have multiple papers, people may be talking about the next quantum proof encryption. So for example, working group two, we may be talking about quantum proof encryption, or we may be talking about a new algorithm to be proposed into lightweight h max, right? hash based message authentication codes. Or you can be in another Working Group, which talks about aviation security, how do we how are we going to build the next generation black box? What kind of encryption capabilities? How do we have that process? You know, that can also be a topic that you look at? So I'm just giving you some of the normal mundane topics, but you'd be surprised to see the vast width of the kind of topics that you know, the standards organization actually gets to?

18:35

Yeah, no doubt. And last, and last, but there you go, folks, if you're interested to get getting into this committee, you know what to do now. But let's look at the other side the organization's what does it mean when an organization claim to be ISO compliant, so being compliant is the right word to use?

18:53

Okay, so there's a few levels on how you could say you are compliant, you can adopt the standard, and you say, you know, I'm benchmarking myself against ISO 27,001. And that's more of a self attestation type of setup. Now, obviously, that means very little or nothing to anyone else in the outside because you've not gone through a audit process. We don't know which part of the section of your, your standards that that's applicable. There's a whole series of how an organization gets audited, and then get a certification to say I have benchmarked myself, and I've been audited by this organization. Now your local standards organization may provide you that facility. Or you could use an international auditor such as SGS BSI, and many others who may offer such a service. Once they've gone through the audit, then they will actually give you a certificate to say you've now benchmark yourself to an ISO standard. Right? So there so there's, there's two models to it. So the first one is, you just raise your hand and say, Yeah, I'm benchmarking myself against ISO 27,001 doesn't really carry much weight, in my opinion, is just saying that yeah, you know, we we've done some work on it. But the actual work is where you use a third party auditor, to certify yourself to say that you have met all these requirements. Now, certifying an organization to ISO can be both a good thing. And also to people who are not aware can be also misleading.

20:50

Okay, so that means there is no attainment levels, as I know, in some standards, they actually the outcome of the audit could actually great you on a scale where if you're the highest level of attainment, then you become a role model to other organizations is there such a benchmark or comparison,

21:10

in ISO, what's important is you demonstrate how you meet compliance to a particular standard. So for example, we're talking about the ISO 27,000 series, you will demonstrate your compliance to ISO 27,001, specifically. But it's really up to you to show that you've met a certain control. So for example, one of the controls in ISO 27,001 Is your policy document must be reviewed periodically. Very simple statement doesn't give much right. In the upcoming episodes on this 27,000 series, we will go through the mid more detail by just giving you a simple example. So then, as an organization, you now need to decide how are you going to meet the requirements of this particular statement. Because the statement is quite a these are motherhood statements motherhood statement means they're very wide, it's a wide net to cast, then you can almost hit something. So as long as you have a process to show or you can show proof that the document has been reviewed, and you know, it's documented somewhere that I'm just giving an example. It's documented somewhere that all your board level policies are reviewed once once a year or per annum. Right. And you can actually show that this my security policy, and my security policy has been reviewed within a year timeframe. Right?

22:43

Well, this sounds more like a checklist to me, though,

22:47

you can treat it as a checklist. That one, that's one way of looking at it. But what's important for an ISO certification process, which will go into much detail in the coming episodes is how you will demonstrate that now the auditor may see that your controls are insufficient, based on global best practices, we will go through the audit process and we will also explain to you what the audit means. When it says that needs for improvement, or it's a finding, you know, it's a recommendation. So we'll go through different ISO audit terminologies in the upcoming series, so that you understand the whole process of audit. But the idea of audit is for you to certify and say for that year, that timeframe, you have been able to demonstrate that you have all these controls in place in your organization.

23:50

So my final question to you, but how do organizations know which standards they should go to, particularly in information security and cybersecurity?

24:02

The only one document that will be used to certify your organization would be the ISO 27,001. That's the only document you have to worry about. But then if you look at ISO, there's close to about 60 over documents and it's growing. It's not just one document, it's 60 over documents, right. So what about the other documents? Now the other documents gives you a guide on how you can implement security. So for example, in 27,001 we talk about motherhood statements or in Annex II specifically, we talk about the controls what the controls are so one control I mentioned earlier, was your policy document must be updated periodically. Right now, you If you want to know how to do it, then you can refer to ISO 27,002. So ISO 27,002 gives you per control level, what are the suggestions? How could you meet the control requirements in Annex A, of 27,001. Now be reminded, at any point of time, you're only assess based on ISO 27,001. So the first thing any organization should do is if you're looking at international standards, then just the ISO 27,001. First, understand what the document requirements are, by the way, you have to buy the document. My suggestion is get it from your local standards organization, the contents of the document is exactly the same. The only thing is that if you buy from the ISO webstore, you will pay in Swiss francs, and it's actually much, much more expensive. So the local standards organization have localized. Or usually they just add one or two pages, and Fran, to say that this is produced by the local standards organization. And yes, it is a copyrighted document. If you get it from your local standards organization, it's rather affordable, to be honest. And each organization that's looking at cybersecurity or IT security seriously, you should have a license copy or because these are copyrighted documents. And of course, in cybersecurity, we always, we always preach that, you know, you must follow intellectual property rights. So this is this is a copyrighted document, get a copy, you will find that if you try to borrow somebody else's document, there would be a watermark on the document that says where you got it from. And it's rather embarrassing. If you're doing ISO work, and the document reflects someone else's name, right. So you should always make sure you get your own copy so that your name is there. And you're allowed to use it. And they have different models as to how these documents can be used in an organization.

27:23

Right. Okay, I think that's quite a lot of information. On is all alone. Thank you very much for sharing so much useful information with us. In the coming episode, we will move on from here and to talk about the ISO 27,000 series right now.

27:40

Yep. So this is what we've planned, between myself and Prof is that we don't want security law to just be a podcast about what's happening globally. But we want it to be useful for people who just started security trying to understand security. And we thought one of the first things that we could do is talk about what is the security standard gives you a frame into what are the areas you need to implement for security. And also primarily because ISO has just published the most recent version of the 27,001 and 27,002, which is just published in 2022. So we thought this would be a great way for us to bring the awareness about this standards document. So that number one, it becomes a reference point for those who are just starting off cybersecurity. So that they can they can read through they can understand these other controls, they understand the whole ISO process, and helps to get that awareness up and running. And the other reason why we specifically chose ISO is because security law is primarily a pan asian cybersecurity podcast. And if you look at it, in Asia, there is no Asia standard. So if you're a company that's operating from the US, you most likely will refer to the NIST standards. If you're from the European Union and Anissa and the relevant standards, if you're a telecommunications agency, you easily refer to itu T. Whereas for cyber security, we find that if you were to benchmark yourself against your Asian peers, the best way would be to use the ISO standards. Hence that was the reason why we came up with this whole series is going to be a one year kind of series both prof and I will be going back and forth on how the ISO standard works. nitty gritty details. So this is the introductory episode about standards ISO. In the upcoming episodes we will dive deeper into different different areas that you would want to know about ISO standards about 27,000. Specifically, we will go into the standards document. We will Repeat a partner obviously, you will not be able to reconstruct the ISO document from this podcast. So I would suggest that you get a copy. So that as we go through this discussion, you will find it easy that you have a point of reference, which is the the ISO document. And you gotta actually follow through the discussions and understand what are the security requirements better.

30:28

Okay, let's look forward to the next episode then.

30:32

All right, see you guys. Bye bye.

30:38

Thanks for joining us this week on security lab. Make sure to visit our website at security lab Asia, where you can subscribe to this show your iTunes Spotify or your RSS so you'll never miss the show.