]] Russ Allbery

> Simon Josefsson <[email protected]> writes:
>
>> That pattern applies to Ubuntu, although I guess ISO 27001 on its own
>> may not have been the biggest motivation there. Still, the end result
>> is that Ubuntu has ISO 27k and Debian hasn't.

Ubuntu doesn't have it, though. Canonical's ISMS is ISO27001 certified. There's no mention of Ubuntu in the press release.

[...]

> Certification compliance is not something I would ever work on without
> being paid, personally. It is not enjoyable or fun; it's a job whose only
> real benefit is the paycheck you get for doing it. That's of course just
> my personal opinion; maybe someone out there finds filling out ISO 27001
> paperwork a great way to spend a lazy Saturday afternoon.

I'm obviously not going to tell you what you enjoy or not, but I think that's a poor (but sadly quite common) way of doing compliance work. Compliance work should be like running make check – it's a way of testing that your procedures are actually as expected and provide verification that the security properties you put into the system still hold. If it's compliance for compliance's sake, it'll be thrown out the window at the first opportunity.

All that said, I don't think we should be doing 27001, SOC2 or similar. We're not aligned in how we work, and doing an audit including audit trails and such is completely infeasible, even if we were able to explain it to an auditor. As an example, and as someone who holds some keys in Debian (such as the cert used to sign uploads to MS for shim signatures), I'd not be particularly interested in spending time documenting or proving to an auditor what my security controls for that particular key are.

Cheers,
-- 
Tollef Fog Heen
UNIX is user friendly, it's just picky about who its friends are

