ISO Standards

Question: When is a Standard Not a Standard?

Answer: When it’s an ISO Standard.

But before you get outraged, I believe the problem lies not with ISO; it’s that we don’t really know what a standard actually IS:

  • Ask one person and they’ll say a standard is something that all ‘like things’ must be, i.e. they all must be the SAME.
  • Ask someone else and they’ll say that a standard is something you must reach, i.e. it’s a minimum bar.
  • Ask yet another person and they’ll say that a standard is an average of all things.

Even the OED backs this up:

  • Something used as a measure, norm, or model in comparative evaluations;
  • A level of quality or attainment;
  • Something used or accepted as normal or average; and
  • A military or ceremonial flag carried on a pole or hoisted on a rope

OK, forget the last one, but you get the point, which is that the English language itself allows for multiple, often conflicting, interpretations of the SAME word. E.g. does the word ‘minute’ mean 60 seconds, or something very small? Right, this cannot be answered without context, but how about in this sentence: “The mouse was so minute that it fit into the tiniest of gaps.”?

So clearly the implementation of an ISO standard in any organisation depends entirely on the context in which they have chosen to adopt it, or are being forced to abide by it. An organisation looking for a marketing or competitive edge will adopt ISO as a quality attainment, for example, and another will choose to use it for comparative purposes in their due diligence processes. Each will focus more heavily on different aspects of the ISO framework, and both can still meet the intent.

For things like information security this is no big deal, which I assume is why ISO 27001 uses the word ‘appropriate’ EIGHTEEN times! “…appropriate security…”, “…appropriate documentation…”, “…appropriate levels…” and so on. An organisation SHOULD choose which aspects of the standard are appropriate, and then go as deep into the framework controls as they deem …well, appropriate.

But what happens when the ISO standard (which is interchangeable with ‘framework’ in my opinion) is something like ‘Financial Transaction Card Originated Messages — Interchange Message Specifications’ (ISO 8583), or ‘Universal Financial Industry Message Scheme’ (ISO 20022), where you would think that everyone should not only interpret, but implement them in EXACTLY the same way to ensure global interoperability? Surely these things are not like an API bridge where you do whatever you want in the back end; surely they are more like a big puzzle where every single piece must meet SPECIFIC criteria to build the big picture?

Sure, the message syntax might be defined, but the USE of the fields, and what actually goes IN them, is optional. Why do you think the Card Brands, Issuers and Acquirers are going to have such a hard time implementing EMV tokenisation, for example?
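To make the “syntax is fixed, content is not” point concrete, here is an added Python example (not code from the original post, and not any card network’s specification). It decodes an ISO 8583 primary bitmap, which the standard does define, and then parses data element 48 (“Additional data – private use”) under two constructed interchange profiles, A and B, that agree on the bitmap but lay out DE 48 completely differently. The sample message and both profile layouts are invented for illustration; the data element names are those of ISO 8583:1987.

```python
"""
Added example (not from the original post): decode an ISO 8583 primary
bitmap and show that the standard fixes *which* data elements exist and
how their presence is signalled, while the *content* of private-use
elements is left to each implementation.

The sample message and the two interchange profiles ("A" and "B") with
their DE 48 layouts are constructed for illustration only.
"""

# Standard data element names for the bits used here (ISO 8583:1987).
DE_NAMES = {
    2: "Primary account number",
    3: "Processing code",
    4: "Amount, transaction",
    11: "System trace audit number",
    48: "Additional data - private use",
}

# Elements whose internal layout the standard deliberately does not define.
PRIVATE_USE = {48}


def decode_bitmap(bitmap_hex: str) -> list:
    """Return the data element numbers flagged present in a 64-bit bitmap.

    Bit 1 is the most significant bit of the first byte. A set bit 1 would
    announce a secondary bitmap (elements 65-128) following this one; the
    caller would then have to read a further 16 hex characters.
    """
    if len(bitmap_hex) != 16:
        raise ValueError("primary bitmap must be 16 hex characters")
    value = int(bitmap_hex, 16)
    return [n for n in range(1, 65) if (value >> (64 - n)) & 1]


def parse_de48_profile_a(raw: str) -> dict:
    """Profile A (hypothetical): DE 48 is a run of tag(2) + length(2) + value."""
    out, i = {}, 0
    while i < len(raw):
        tag, length = raw[i:i + 2], int(raw[i + 2:i + 4])
        out[tag] = raw[i + 4:i + 4 + length]
        i += 4 + length
    return out


def parse_de48_profile_b(raw: str) -> dict:
    """Profile B (hypothetical): DE 48 is fixed positional, a 3-character
    terminal type followed by a 10-character merchant reference."""
    return {"terminal_type": raw[:3], "merchant_ref": raw[3:13]}


PROFILES = {"A": parse_de48_profile_a, "B": parse_de48_profile_b}


def interpret(bitmap_hex: str, de48_raw: str, profile: str) -> dict:
    """Combine the standardised part (which elements are present) with the
    profile-specific part (what the private-use element means)."""
    present = decode_bitmap(bitmap_hex)
    result = {"present": [(n, DE_NAMES.get(n, "?")) for n in present]}
    if 48 in present:
        result["de48"] = PROFILES[profile](de48_raw)
    return result


# Constructed sample: elements 2, 3, 4, 11 and 48 present.
# Byte 1 = 0x70 (bits 2,3,4), byte 2 = 0x20 (bit 11), byte 6 = 0x01 (bit 48).
SAMPLE_BITMAP = "7020000000010000"
# Constructed DE 48 body, written to Profile A's tag/length/value layout.
SAMPLE_DE48 = "0103POS0206123456"

if __name__ == "__main__":
    for profile in ("A", "B"):
        # The same bytes, read under two different private-use layouts.
        print(profile, interpret(SAMPLE_BITMAP, SAMPLE_DE48, profile))
```

Both profiles accept the same bitmap and the same DE 48 bytes without error, but Profile A reads two tagged values while Profile B reads a “terminal type” of `010` and a merchant reference of `3POS020612`. That is the interoperability problem in miniature: nothing in the standardised syntax tells a receiver which interpretation the sender used, so a parser that assumes the wrong profile silently produces well-formed nonsense rather than a rejection.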

The mobile phone has changed everything; the way we communicate, the way we shop, and it won’t be long before it changes the way we think. If we are to embrace the enormous potential yet to come, globally, we must agree on a better definition of ‘standard’, or we might as well not bother. Information out of context has been the cause of innumerable wars, terror crimes, religious and lifestyle persecutions, and the continuation of nationalist behaviour to the detriment of the species.

Maybe we should standardise the word ‘standard’ …oh, wait?
