Talk:ISO/IEC 27001

From Wikipedia, the free encyclopedia

History

-- Perhaps someone could flesh this out with its history, as BS 7799-2 et al.? 194.247.50.172 (talk)

I can add a little, but not sure on the actual dates. 81.159.231.84 (talk)
It turns out that there is an article on BS7799. The history of 27001 is more or less recorded there.—Preceding unsigned comment added by 81.159.231.84 (talkcontribs) 08:55, 19 October 2008

Supply

I'd like to know why someone keeps putting back the http://www.standardsdirect.org/iso17799.htm link? This link is NOT neutral; it belongs to a company that only distributes the standard for a profit. It makes me feel that it is the owner of that standard store that comes back to put the link back every time this link is removed. So the question I'm asking is why this specific standard store? Why not another one? There are several stores that sell standards, so why promote this one? Why not put a link to ISO's or BSI's standard store instead? At least, all the money would go to standard makers...—Preceding unsigned comment added by 10072osi (talkcontribs) 03:30, 9 October 2008

I am guessing that you are a vendor yourself. But I would imagine that the answer to the question is that this was the original download source for these standards, way back when they were BS7799. It was there before BSI sold them on their site, or obviously anyone else. At the time it was the only source, which is why I used it. It always seems to be first with new releases too, so it looks like BSI rates it. So the question could be, why not this one? The prices are exactly the same as BSI's by the way. 86.165.66.83 (talk) —Preceding undated comment was added at 08:03, 9 October 2008 (UTC).

No, I'm not a standard vendor, nor an employee of BSI or ISO. We don't need to have a financial interest in this to disagree with you. I just think Wikipedia should be neutral and not promote any specific vendor. StandardsDirect is a BSI reseller, one of several BSI standards resellers. It is unfair to the other resellers to put StandardsDirect there. The fact that it was the first one or has the same prices as others is not relevant to this. Do you see links to resellers of Cisco or Checkpoint products under the firewall Wikipedia page? No, because it wouldn't have its place there. Same thing here. (Veridion) 18:53, 18 October 2008

I don't agree either. It only seems to be commercial interests complaining, Veridion being a case in point (edit history proves it). This is a useful link for us 'Joe' users. Snipes from commercial guys are not productive. —Preceding unsigned comment added by 80.189.148.148 (talk) 19:25, 18 October 2008 (UTC)
This comment was added by 194.247.50.172 who erased all previous discussions. MSG TO 194.247.50.172: PLEASE DON'T ERASE CONTENT (Veridion 02:07, 19 October 2008).
----------------------
Perhaps someone could flesh this out with its history, as BS 7799-2 et al.? And its actual contents? 194.247.50.172 (talk)

Look at the history of this page - every time someone erases the StandardsDirect links, some nice soul comes back to put it back on. Someone is REALLY interested in maintaining this link there, and this is probably someone who's deriving revenues from this link. Otherwise, I just don't see why someone would spend so much effort to keep putting this link back in again and again over a period of years. Also, every time someone erases the StandardDirect link, someone comes back within HOURS, not days, HOURS, to put it back on. Someone is obviously monitoring this page and putting the StandardsDirect link back every time it gets erased.

I don't have a problem with the StandardsDirect guys making a living, but I just don't think Wikipedia is a place to get free advertisement. Otherwise, we end up with the same issue: why would Wikipedia support these guys rather than any other guys? If Wikipedia supports one standards reseller over any other, how to justify it? And that's the problem. Wikipedia, because it has to be an objective and neutral web encyclopedia, cannot support any specific organizations, unless they are the creator of the content, which is clearly not the case with StandardsDirect. StandardsDirect clearly is only a reseller, so Wikipedia cannot link to them. I don't sell standards (I do sell ISO 27001 training courses - but not in competition with StandardsDirect), I have nothing against StandardsDirect, I'm just unhappy with the way they use Wikipedia as an advertisement tool. I think Wikipedia should either 1) not link to any standards reseller or 2) if it has to link to one, link to the original creators of the standard (either ISO or BSI) (Veridion 02:33, 19 October 2008).

Your point of view is clearly one of a vendor: because you are a vendor. It is fair to link to the original dispensing site because it was the original dispensing site on the internet (which is why it was here from year dot), and it is useful to Joe User. Your outlook is not of Joe User. IMHO you would be better adding useful content than 'squabbling' (not my word) as someone said previously. If you have knowledge of the topic, please add it. 81.159.231.84 (talk) 08:49, 19 October 2008
I have also removed your allegations against SD because anyone could have created those links and probably did. Please be sure to substantiate before you make such remarks about anyone at all. —Preceding unsigned comment added by 81.159.231.84 (talkcontribs) 08:55, 19 October 2008

Second message to 81.159.231.84: I am not a standard vendor. To quote you earlier: Please be sure to substantiate before you make such remarks about anyone at all. ;) But that's beside the point: a vendor could rightfully complain that Wikipedia, a neutral encyclopedia, is giving an unfair commercial advantage to StandardsDirect, and that would be a fair remark. Wikipedia can't be seen to promote one vendor over another.

Third message to 81.159.231.84: according to www.register.com, StandardsDirect was created in 2003:

  • Domain ID:D103232306-LROR
  • Domain Name:STANDARDSDIRECT.ORG
  • Created On:27-Nov-2003 16:05:35 UTC
  • Last Updated On:18-Nov-2006 12:35:31 UTC
  • Expiration Date:27-Nov-2012 16:05:35 UTC
  • Sponsoring Registrar:pair Networks Inc. dba pairNIC (R103-LROR)

BSI was selling the BS7799 standard online way before that. So I don't know where you got this line saying that StandardsDirect was the first one, but they weren't. So this right to be in Wikipedia because they were the first is a fabrication: they weren't the first - BSI was. So following your logic, it should be BSI's site that should be linked on that page, not StandardsDirect (Veridion 03:35, 20 October 2008)

Veridion - there are several matters here you need to understand.
You cannot make allegations (such as SD are doing this or that) which are simply allegations and which may be actionable. That is why that comment was edited out. Please consider your actions in wider context. This is important.
BSI were not selling downloads online in 2003
81.159.231.84 says you are a vendor in this market space, which is correct. He doesn't say 'standards vendor'. To the observer, such as I, this may account for your extremely zealous campaign here, and in the past.
I too share the view "you would be better adding useful content than engaging in this commercial 'squabbling'". —Preceding unsigned comment added by IntraSec (talkcontribs) 08:34, 20 October 2008. IntraSec (talkcontribs) has made few or no other edits outside this topic.

OK, I'll rephrase my previous comments: Someone who REALLY likes StandardsDirect is clearly using Wikipedia to provide it with extra visibility. Just to support my point, that someone who REALLY likes StandardsDirect has put links to its purchase page in the following Wikipedia entries: ISO 10006, BS 25999, BS 7799, ISO/IEC 20000, ISO/IEC 27000-series and Business continuity planning. (veridion) —Preceding unsigned comment added by 12.38.54.70 (talk) 20:53, 20 October 2008 (UTC)

Could be that it is a nice clean interface and was the first download source for some of those, as someone already said. Your campaign here is a bit tiresome. 194.217.194.139 (talk) —Preceding undated comment was added at 08:54, 21 October 2008 (UTC).

I'm sorry that you find my squabbling tiresome, but I think this addresses a fundamental issue: should Wikipedia promote one vendor over others? If so, what should be the criteria? (veridion)

Also, am I the only one aware of Wikipedia's rules regarding links (Links_normally_to_be_avoided)? These rules clearly stipulate that the following are prohibited:

  • 1. Any site that does not provide a unique resource beyond what the article would contain if it became a Featured article.
  • 4. Links mainly intended to promote a website.
  • 5. Links to sites that primarily exist to sell products or services...

Obviously, this is the case with the presence of StandardsDirect here (veridion). —Preceding unsigned comment added by 12.38.54.85 (talk) 21:51, 21 October 2008 (UTC)

Fundamental? Only to another vendor. There is a link to a pretty useful site, which was once the sole supplier. That's all there is to it. I'll suggest again and agree with the others that you should add useful content instead of campaigning. —Preceding unsigned comment added by IntraSec (talkcontribs) 22:16, 21 October 2008. IntraSec (talkcontribs) has made few or no other edits outside this topic.

Contents

-- And its actual contents? 194.247.50.172 (talk)

I am not sure how far this can legitimately go. Perhaps a resume of the table of contents? This needs to be discussed. 81.159.231.84 (talk)
A quick check indicates that something based around the ToC would be fine. 81.159.231.84 (talk)
Yes, you can certainly add descriptions of the contents of a standard.

StandardsDirect.org

I removed the link to a standards purchase site, standardsdirect.org. See Wikipedia talk:WikiProject Spam/2008 Archive Nov 1#StandardsDirect.org for more about this site. As I see it, Wikipedia is not a directory and we're not here to help people sell things. Most of these standardsdirect.org links have been added by single purpose accounts who likely have a conflict of interest. See:

If an established, high-volume editor wants to add it back to the article, by all means go ahead. Otherwise, it stays out pending resolution at the spam discussion link above. --A. B. (talkcontribs) 00:40, 23 October 2008 (UTC)

Reacting to a campaign from one vendor to another is usually not the right path. This applies not just on a wiki, but generally. —Preceding unsigned comment added by IntraSec (talkcontribs) 09:52, 23 October 2008 (UTC)

The link to www.iso27000.org looks to me like yet another SD link, at least SD is promoted on that site.

More importantly, though, what happened to the original content on this page about what ISO/IEC 27001 is all about? It seems to have become a very brief introduction, then a dubious description of the certification process, not about the standard itself. NoticeBored (talk) 20:09, 2 January 2009 (UTC)

No, that site looks like a direct competitor site to... YOURS (iso27001security.com). That page, and I read it, provides decent content and explains the cert process, and there is clearly no link to SD, even if this was a witch-hunt. Please do NOT use Wikipedia as a competitor market or for indirect self-gain. —Preceding unsigned comment added by 81.159.231.84 (talk) 09:16, 3 January 2009 (UTC)

Is it really necessary to have a new page for the 2013 version??

I see that a new page has been added called 'ISO/IEC 27001:2013' - and I question why this is a NEW page and not added to the current ISO/IEC 27001 page (which has newly been changed to 'ISO/IEC 27001:2005'). I think for the uninitiated having separate pages for each version of a standard will be confusing and unhelpful. Especially since it implies that the 2013 version is an entirely different entity from the 2005 version, which isn't the case. What do others think? Alkazzi (talk) 09:06, 3 July 2013 (UTC)

Since 27001:2013 replaces and cancels 27001:2005, and it has different requirements, and plenty of sources discuss it in its own right, I think it's a good idea to have an article dedicated to it. We already have a separate article for the preceding standard - which some editor created a decade ago to distinguish it from ISO/IEC 17799 - so this is hardly a new approach.
Most inbound links are along the lines of "Organisation X is 27001 certified!" or "Principle Y is also used by 27001". Now, we could wilfully mislead readers by implying that the Organisation X has different certification and complies with different rules, and that principle Y is also in 27001:2013 even though the new standard says no such thing. Or we could avoid any confusion, by linking Organisation X and principle Y to 27001:2005, which is accurate and neutral.
The content of this article was wholly about 27001:2005. Various general statements made about "27001" are no longer true; but if statements are reframed around 27001:2005, that's fine. bobrayner (talk) 12:29, 3 July 2013 (UTC)
It might be a good idea to improve ISO/IEC 27000-series so that it discusses the family in more detail (including deeper coverage of the family history and relationships), rather than just listing individual standards. At the moment it doesn't even mention 7799; it's difficult to understand how editors can write an article about a group of standards without discussing the ur-standard that they all descended from, unless of course editors are just focussing on the number of the standard without really considering the content.
We also had various redirects with names like ISO2700x which pointed to 27001 - the old version of 27001, at that - which is sloppy thinking at best, misleading at worst; I pointed them to the article on the family. bobrayner (talk) 13:03, 3 July 2013 (UTC)

I still don't see the merit in ISO/IEC 27001:2013 having its own page. This is a revision of the 2005 version of the same standard.

The changes are related to the new high level format, and less prescriptive information security risk management requirements allowing organizations to take a holistic/single approach to risk management across their organizations. Notwithstanding it is still ISO/IEC 27001: the same standard, with the same purpose, with the same history and background as the 2005 version. To treat it as a new and separate entity just adds confusion in my view.

Would it not be more useful to keep to one article which includes a section on the evolution of the standard, as per the ISO 9000 article? Otherwise you either duplicate the background information or require readers to bounce back and forth between articles to get the whole story - neither approach is very satisfactory, surely? Alkazzi (talk) 09:41, 11 July 2013 (UTC)

Seems merged but wrong title

As of 27 November, the two pages are merged, but under the title "ISO/IEC 27001:2013". Concerning the relationship, it would be more proper to use the name "ISO 27001", which is more generic, since the 2013 version is only one of the revisions. And due to the ISO revision cycle, there will be a 2018 version soon. — Preceding unsigned comment added by 14.0.157.195 (talk) 03:49, 27 November 2017 (UTC)

Merge discussion

Picking up the discussion from above: the two articles "ISO/IEC 27001:2005" and "ISO/IEC 27001:2013" are merely describing several revisions of the same standard and should be merged into "ISO/IEC 27001". Hekerui (talk) 19:51, 3 September 2017 (UTC)

I went forward with this merger. Hekerui (talk) 09:35, 10 January 2018 (UTC)