On 2025 Nov 18, 22:02, Jeremy Stanley wrote:

> What role do you expect SPI would play in this? (Asking as an
> officer/director since it may come down to me to support the endeavor from
> that side.)

To answer the easier question first (SPI’s role): any certificate would have to be issued to SPI as the only legal entity behind the Debian Project. The role for SPI would indeed be mostly that of the “certified organization”, while the scope statement (Clause 4.3) would explicitly limit the ISMS to Debian-specific infrastructure and processes. Therefore, I don't think SPI itself would be dragged into heavy bureaucracy.

> Also, having been on point for writing entire ISO/IEC 27001 focused security
> policies and handbooks from scratch in a former life, I don't see how it
> would directly apply to Debian, there are a lot of operational controls
> which would need to be explained as irrelevant.

On applicability in a volunteer-heavy project: I completely share the concern. Obviously, a large fraction of Annex A controls would need to be answered as “not applicable” (especially the whole HR/security-awareness sections, physical entry controls, supplier contracts, etc.). Nonetheless, a sound, consistent, updated and properly documented Information Security Management System can be of value in any collective human endeavour in which cybersecurity is to be heeded, and indeed the Debian Project can be argued to fall into that category.

> Perhaps more germane will be looking for alignment with recommendations that
> come out of ORC and OpenSSF as a response to the EU's harmonized standards
> for their Cyber Resilience Act, but those are still very much up in the air
> for the moment (I'm involved there as well, on the Spec Committee for the
> ORC WG).

I’m under no illusion that Debian is a typical commercial environment, and I agree that a lot of Annex A would be N/A. My main motivation for raising the question is the growing external pressure (CRA, NIS2, large customers asking for evidence of supply-chain security) and the hope that an external pair of eyes might surface a few blind spots that haven’t been noticed (or voiced) internally.

Whether full ISO 27001 certification is the right answer - or whether something lighter (OpenSSF Scorecards, SLSA level 3, or the emerging ORC recommendations you mentioned) is more appropriate - is exactly what I wanted to understand from people who know Debian (and ISO 27001) far better than I do.

So, reframing my original question now that I have better context: do you think a scoped, volunteer-friendly external audit (ISO 27001-based or another framework) could still be useful, or is the project's security already in good enough shape to afford dismissing such?

Regards,
--
Farruco

