Anyone who has been through ISO/IEC 27001 alignment, compliance, certification – call it what you will – will know the joke.
But for those who haven’t: Annex A of ISO/IEC 27001, which details the controls to be considered (more on that later), includes a control called ‘teleworking’ (reference A.6.2.2, to be precise).
You’ll have to cast your mind back to the days of modems and desktop computers that would be installed in the homes of senior executives for teleworking, or rather ‘connecting back to the office and associated systems to keep working after hours, on weekends and even on holidays.’
The joke is that those days are long gone (the bit about modems and relying on physical security to protect devices, at least), but it seems we’re stuck with control A.6.2.2 in Annex A for eternity (or maybe not).
Why is ISO/IEC 27001, or at least the controls in Annex A, so archaic? Because the standard is only updated approximately once a decade. One year is a lifetime in tech and cyber/information security, let alone ten years. Where’s my dinosaur?
The death-by-committee approach taken by ISO in drafting, reviewing, approving and then strictly licensing ISO/IEC 27001 means that it takes about ten years to go through that process.