An Open Letter to Aicpa and ISO Accreditation Bodies (opens in new tab)

(getprobo.com)

3 pointsgearnode6d ago2 comments

2 comments

One of the exploitable mechanics of this scheme is the strategic division of labor between organizations who implement the controls, create the security documentation, and provide the sign-off. Generally, each side distributes their risk by involving others who they can blame when things go wrong. It is intentionally designed so that everyone involved, including the "cyber security experts", each have only a narrow view and must trust the others to do the right thing. Risk management is very much a broken game designed to please suits whose priorities are not real cyber security.

gearnodeOP6d ago

The division of labor between implementation, documentation, and sign-off isn't the bug. It's the design. Independence between those layers is how you get credible assurance (in theory).

The bug is when nobody actually verifies. The audit firm holds the mandate to look at the full picture. When they sign without doing that, independence becomes a gap. And right now, the bodies supervising those firms aren't enforcing anything when that happens.

j / k navigate · click thread line to collapse

2 comments

evanjrowley6d ago

gearnodeOP6d ago

The division of labor between implementation, documentation, and sign-off isn't the bug. It's the design. Independence between those layers is how you get credible assurance (in theory).

j / k navigate · click thread line to collapse