What are the common criticisms of standards (Normen)?
1) They're often shaped by individual stakeholder interests rather than purely "best practice", and 2) Many standards are not freely accessible to the public, which hurts oversight and competition.
The two recurring criticisms:
- Einzelinteressen statt Allgemeinwohl — Normungsgremien are voluntary, often funded by industry players whose business depends on the outcome. The resulting standard can entrench incumbents instead of serving the public.
- Keine freie Zugänglichkeit — Many ISO/IEC standards cost hundreds of CHF/EUR per copy. This makes it hard for SMEs, researchers, and the general public to verify whether vendors really comply.
Why this matters in security: When ISO 27001 costs ~120 CHF and you need 27002, 27005, 27006, … just to implement it, the cost barrier alone biases the field towards large organisations and well-funded consultancies.
Counter-trend: The BSI Grundschutz, NIST CSF, and IKT-Minimalstandard are all free to download, which is one reason they spread quickly.
Tip: When evaluating a standard, ask "who paid for the editor's time?" Vendor-dominated committees often produce standards that conveniently match their products.
Go deeper:
Standardization — costs, capture and access (Wikipedia) — the effects of standards on firms and consumers, including who funds committee work.