[Owasp-leaders] ISO/IEC 27034

Sebastien Gioria sebastien.gioria at owasp.org
Tue Jan 21 19:21:23 UTC 2014

Hi All,

Juste to let you know , I do the same things in some French Security
Organisation with ISO/IEC french organisation (AFNOR).

2014/1/21 Jonathan Marcil <jonathan.marcil at owasp.org>:
> Hi Tobias,
> now that I know better what a liaison is from an ISO/IEC point of view
> and I've been thinking about the dynamics while being in the AdHoc
> meeting and seeing how it works, I got some ideas.
> There's some considerations I base my thinking on:
> - ISO/IEC is international organization and meetings/sessions are in
> person all around the world
> - OWASP is very decentralized and that's a good thing
> - Liaison is centralization
> I think we should approach ISO/IEC with a dual strategy that is using a
> main OWASP "liaison agent" while having a "field agent".
> The "liaison agent" would be someone that is in touch with one SC in
> particular within ISO/IEC. That person should know about the wide
> subject related with the SC. One of his task alongside regular liaison
> stuff (transmission of communications between officials) would be to
> find "field agent" and prepare them and send them to meetings.
> The "field agent" is an OWASP representative that is within the
> geographical location of the ISO/IEC meeting and assist in order to do
> the live action stuff such as asking questions or taking notes for the
> liaison agent. He doesn't need to be an expert in the related SC subject
> since he is backed by the liaison agent. He can be a chapter leader, a
> project leader or event just a member as long as the liaison agent trust
> him.
> For example, the liaison agent knows that there is a SC27/WG4 meeting in
> Hong Kong next month. He is aware of what will be going on and prepare
> questions while consulting the OWASP community or board. He then finds
> an OWASP field agent based in Hong Kong, brief him and book him for the
> meeting. Afterwards, the field agent report back to the liaison agent.
> Liaison agent can also act without the need of any field agent by using
> emails or other remote meanings. It can be a small team if desired.
> Field agent can also decide to join in and help the liaison agent online
> as well. A liaison agent can also be field agent at the same time if the
> opportunity is there.
> The major advantage I see is that we encourage collaboration within
> OWASP and we get to use our worldwide reach, by having a spot like any
> company with budget that fly their employees to the meetings.
> The major disadvantage of that strategy is that the liaison agent would
> still be the bottleneck, but we can scale by having WG liaisons instead
> of just SC liaisons.
> Right now, if OWASP desire to go with it, we need to work on having a
> SC27 and SC22 liaison agents for ISO 27034 and TR 24772. I can do the
> field work for Montreal. Sebastien Gioria is a good candidate for
> liaison/kick-off. This week we actually plan on Thursday to kick-off for
> SC22/TR 24772 and it will be open to all on Hangout/YouTube.
> Mid term we can also check what type of liaison we want
> (http://www.iec.ch/members_experts/refdocs/iec/isoiecdir-1%7Bed9.0%7Den.pdf
> page 20 #1.17.2) but this can comes after making connection with ISO/IEC.
> I'll let you decide if the board needs to make a statement or have
> someone to join us in the kick-off or just talk to me and/or Sebastien
> afterwards.
> If anyone wants to join in as a liaison or to help with kick-off, please
> contact me by email I'll arrange something for Thursday from 10AM
> Eastern Time to 5PM EST.
> Thanks,
> - Jonathan
> On 2014-01-17 18:32, Tobias wrote:
>> Hi Jonathan,
>> thanks a lot for the information and update.
>> I like and appreciate your light-weight approach towards ISO as an
>> individual with OWASP expertise.
>> I trust in your judgement and think the current informal way to interact
>> with ISO is a good one.
>> You are part of OWASP and you have the best knowledge of the current
>> stage of the WG. So the question is what do /you/ think? What do you
>> recommend? If you think there is something we should do as an
>> organisation here (e.g. name a liaison or the like), please send me an
>> email and let me know and I will be happy to see how we can best help
>> and support you.
>> Thanks again and all the best, Tobias
>> Tobias Gondrom
>> OWASP Global Board Member
>> email: tobias.gondrom at owasp.org <mailto:tobias.gondrom at owasp.org>
>> mobile: +852 56002975
>> mobile: +44 7521003005
>> skype: tgondrom
>> twitter: @tgondrom
>> On 17/01/14 00:26, Jonathan Marcil wrote:
>>> Hi OWASP Leaders, SAMM people and governance enthusiasts,
>>> I'm here to let you know that I'll be participating in another ISO/IEC
>>> 27034 Ad-hoc Meeting next week in Montreal.
>>> I'll be on site and I noticed that at least Sebastien Gioria and
>>> Sebastien Deleersnyder have been invited to assist remotely as well.
>>> I revised our pasts emails exchange on the subject and noticed that the
>>> discussion leaned towards the importance of collaboration, even
>>> representation as "liaison" between OWASP and ISO/IEC working groups.
>>> Let me assure you, that the meeting I'll be attending is still pretty
>>> much like that last one, and that my position will be informative about
>>> OWASP rather than representative.
>>> My personal implication and role is officially only trough the following
>>> OWASP project that I co-lead with Luc Poulin, the 27034 main editor:
>>> https://www.owasp.org/index.php/OWASP_ISO_IEC_27034_Application_Security_Controls_Project
>>> If OWASP decides to have an official ISO/IEC liaison representative,
>>> I'll be more than glad to make the link between the liaison and the
>>> ISO/IEC 27034 people during the meeting. I'll be live on site and can
>>> manage to remotely setup any communications meaning, from plain text
>>> chat to full video conference. Just hit me up by email.
>>> To reinforce the motion, I've also been asked to find a liaison or a way
>>> to cooperate between OWASP and ISO/IEC JTC 1 SC 22/WG 23 that makes TR
>>> 24772 "Information technology -- Programming languages -- Guidance to
>>> avoiding vulnerabilities in programming languages through language
>>> selection and use".
>>> My strategy on the cooperation part is to simply try to find and reach
>>> projects that fit with what TR 24772 authors want and to initiate
>>> communication.
>>> For the liaison, OWASP just needs to go ahead with the idea and I'll
>>> simply redirect people to them. We can also organize an online meeting
>>> Wednesday next week to discuss about it with the TR 24772 contact.
>>> Finally, consider me available for any online meeting or call during
>>> those dates and times for the corresponding standard:
>>> ISO/IEC 27034: January 21st and 22nd, 9AM to 12PM, 1:30PM to 4:30PM
>>> Eastern Standard Time
>>> ISO/IEC TR 24772: January 23rd, 10AM to 6PM Eastern Standard Time
>>> Thanks,
>>> - Jonathan
>>> On 2013-08-14 22:00, Jonathan Marcil wrote:
>>>> Hi OWASP Leaders,
>>>> The current email is to let you know that I have been invited to
>>>> represent OWASP at an ISO/IEC 27034 (Information technology — Security
>>>> techniques — Application security) meeting by Luc Poulin the main
>>>> project editor. It is held this week at Microsoft office in Montreal.
>>>> Basically I'm here to contribute to the discussion with practical
>>>> application security knowledge and OWASP projects. I'm, of course, just
>>>> really speaking "about OWASP" and not "for OWASP".
>>>> We are also planning to propose some new OWASP projects, and especially
>>>> one that will create Application Security Controls (ASCs) as described
>>>> in the standard from OWASP Top 10 entries and other projects.
>>>> The ASCs in 27034 are actually made in an XML format and are not only
>>>> documentation but a normalized representation of an application security
>>>> control, so the mapping is rather different that was done with OpenSAMM
>>>> on http://www.opensamm.org/2012/04/mapping-samm-to-isoiec-27034/.
>>>> You can find more details about the standard at :
>>>> http://www.iso27001security.com/html/27034.html
>>>> If anyone is interested on the subject, feel free to reply to this
>>>> email. We haven't even started the process to create the new projects
>>>> but will welcome any help.
>>>> Thanks,
>>> _______________________________________________
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders

OWASP French Chapter Leader
GSM: +33 6 70 59 11 44

More information about the OWASP-Leaders mailing list