What tangled webs we weave - David Lacey. Quotes from David Lacey's latest criticism of the "standards industry" include: "The standard [which became ISO27002] aimed to remove 90% of the effort in risk assessment by documenting commonly applied controls. Unfortunately it was hijacked by a consultancy community who subsequently reintroduced the need for mandatory risk assessment. It was also intended to be sufficiently broad and deep to minimise the need for any further standards. Yet two decades on, it has inspired a family of dozens of near identical standards and guidelines." What has sparked Lacey's ire is the Cloud Security Standard. At 176 pages: "The real challenge however will be to turn this impressive body of knowledge into something of practical use to busy security managers."
There is a reason I called this column "Practically Secure". Because I know how Mr. Lacey feels. Pragmatism is way down the list of objectives for the authors of today's security standards.
[NB I have finally edited this post to add my commentary, sorry for the delay!]