It’s very early days yet, but as news comes in of the massive hack of Citrix data, allegedly conducted by bad actors from Iran, the role of ISO 27001 is falling under scrutiny.

ISO 27001 is the ISO standard that claims to provide controls to prevent such incidents, although ISO and its apologists are quick to run from the actual text of the standard and repeat the after-the-fact claim that it’s just a book, and doesn’t assure anything on its own. (Why buy the book, then?)

So far it doesn’t appear that Citrix itself held ISO 27001 certification, but the company did build its internal controls to comply with the standard, and then flowed down certification as a requirement for various third-party data houses. Now comes the question as to whether any of those houses were victimized in the hack, and why Citrix’s alleged controls didn’t work.

Since the release and worldwide adoption of ISO 27001, the number of data breaches has only increased. It does appear that ISO standards and the resulting certifications are only good at creating overnight cottage industries for consultants and auditing bodies, while having no demonstrable effect on improving their alleged management area.

Nevertheless, governments continue to hand ISO more and more responsibility, happy to “privatize standards” so that politicians can win re-election by claiming they reduced taxes. But as more and more disasters, scandals and breaches show the weaknesses of these schemes, perhaps we are getting closer to seeing ISO and its attendant bodies dragged before government investigators to be asked why this is happening.

I’ll have more on the Citrix breach as we get more information. As I said, it’s very early days yet.

    About Christopher Paris

    Christopher Paris is the founder and VP Operations of Oxebridge. He has over 30 years' experience implementing ISO 9001 and AS9100 systems, and is a vocal advocate for the development and use of standards from the point of view of actual users. He is the author of Surviving ISO 9001:2015. He reviews wines for the irreverent wine blog, Winepisser.