Painting the Forth bridge

  • Gary Hinson
  • 2 days ago
  • 3 min read


Although ISO/IEC 27000 and most other standards incorporate definitions, the language is often formalised/stilted and very succinct.  Being the product of committees within the larger structure of the global standards bodies means new terms have to be carefully word-crafted to avoid conflict with the existing body of knowledge.  Reducing definitions to their essence may be worthwhile from an academic perspective, although I wonder about the poor reader trying to make sense of it all.


The default approach in ISO-land is to cite and re-use terms with their pre-existing definitions from current ISO standards, ideally unmodified, but in practice changes are almost inevitable, especially in the early days of new developments as the language evolves rapidly in line with the field.


Sometimes, committee members differ in their interpretation or understanding of the terms of art, leading initially to confusion, then discussion and eventually agreement over mutually acceptable (or mutually unsatisfactory!) definitions. In the case of ISO/IEC JTC 1/SC 27/WG 1, the debate over "information asset" dragged on for years due to fundamental discrepancies: some in the committee wanted the ISO27k standards to focus on securing information technology including the tangible hardware such as computer and networking devices, digital storage media etc., while others preferred to emphasise the intangible information content, regardless of the processing, storage and comms machinery, or the form (it's not just digital data!).


That interminable discussion (well, a professional argument!) was brought to a conclusion by 'agreeing to disagree': the term and definition were dropped from the draft standard, reverting from "information asset" to "asset" in ISO/IEC 27002:2022, defined generically as “Anything that has value to the organization”. That leaves a few dangly loose ends since the nondescript definition technically includes a single paperclip - something vaguely relating to information, I guess, but hardly an "asset" or "information asset" as generally understood. The standard's occasionally convoluted and clumsy phrasing such as "information and other associated assets" is unsatisfactory, unnecessary and unhelpful, in my opinion.


As I wrote the Cybersecurity Hyperglossary, definitions from standards formed a substantial basis, particularly for reasonably well-established terms. I quote and cite hundreds of definitions from ISO/IEC standards, plus more from the NIST SP-800 series, and from glossaries compiled by ISACA, SANS and others. As a somewhat neurodivergent geek, comparing, contrasting, critiquing and compiling entries to align common meanings became an absorbing pastime, along with spotting the origins of tech terms defined long ago e.g. ISO 2382 from 1974.


Meanwhile, information risk, security, cyber, privacy, safety And All That, already a complex and convoluted field, continues to evolve apace.  Cryptocurrency, IoT, AI and post-quantum cryptography are topical examples: I've noticed language changes in those and other areas even since the Cybersecurity Hyperglossary manuscript was submitted to the publisher last April. It's like painting the Forth bridge: a fortnight before the first edition even hits the streets, I'm already thinking forward to the second. ISO standards have a typical shelf-life of about 5 or 6 years, though I'm not sure I can wait that long!


The Cybersecurity Hyperglossary is currently being printed and packed for delivery from February 17th - just 2 more weeks remain. The cover price has been set and pre-orders are open for those keen to get their mitts on the first edition of the Cybersecurity Hyperglossary "soon as", as we [adopted] Kiwis say.

© 2026 IsecT Limited