Elevating Cybersecurity: Key Changes in ISO/IEC 27032:2023
Robust cybersecurity measures are crucial in today’s digital age. As the threat landscape evolves, organizations face increasing challenges in safeguarding their information and assets from Internet-based risks.
Recognizing this ever-changing landscape, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have significantly updated the ISO/IEC 27032 standard, which was prepared by Joint Technical Committee ISO/IEC JTC 1, Information Technology, Subcommittee SC 27, IT Security techniques.
The standard was first published in 2012, followed by the latest edition on June 28, 2023. Recent updates focus on Internet security, guiding organizations in risk mitigation and defense enhancement. From a revised title to improved risk assessment, ISO/IEC 27032:2023 equips organizations to tackle digital challenges while securing information systems.
What is Internet Security and Why is It Important?
Internet security plays a crucial role in our digital lives by encompassing measures to safeguard online activities, transactions, and data. It provides the safeguards to defend against threats like unauthorized access, malware, and identity theft, as cybercrime rises and sensitive information exchange continues.
It is worth noting that the Internet was not originally designed with security in mind, making it inherently vulnerable to threats. The emergence of the Internet of Things (IoT) and the increasing device interconnectedness further compound Internet security challenges. Advancing technology also brings new attack methods, such as phishing and spyware, used by malicious actors for personal gain or cybercrime.
The Internet's worldwide reach and the many stakeholders involved in online activities create complex security risks that require collaborative efforts between the technical and legal communities. By working together globally and adopting comprehensive strategies, these stakeholders can address Internet security challenges and foster a safer online environment for all users.
Internet Security vs. Cybersecurity
When it comes to safeguarding our digital world, Internet security and cybersecurity work hand in hand. They are closely intertwined disciplines that aim to protect systems and online environments from various threats and vulnerabilities. Internet security focuses specifically on securing Internet access and usage, tackling risks tied to online services and ICT systems.
Cybersecurity, on the other hand, covers a wider spectrum. It encompasses Internet security as a crucial part of its scope. This comprehensive approach safeguards systems connected to the Internet—covering hardware, software, programs, and data—from potential attacks. Within cybersecurity, various disciplines such as Internet security, network security, and data protection are effectively addressed.
ISO/IEC 27032:2012
ISO/IEC 27032:2012, also known as “Information Technology — Security Techniques — Guidelines for Cybersecurity,” is an international standard focusing specifically on cybersecurity and providing organizations with comprehensive guidance on managing and mitigating cyber risks. This standard recognizes the critical role of cybersecurity in today’s digital landscape and offers a systematic approach to cybersecurity management.
This edition of the standard covers various critical areas of cybersecurity, including risk assessment, cybersecurity strategy and policy, organizational structure and governance, incident management and response, training and awareness, and third-party management.
It emphasizes the importance of conducting thorough risk assessments to identify potential vulnerabilities and developing a clear cybersecurity strategy aligned with organizational objectives. It also highlights the significance of establishing effective incident management plans, providing regular cybersecurity training to employees, and ensuring the implementation of robust cybersecurity practices by third-party suppliers.
ISO/IEC 27032:2012 guidelines can help organizations prevent cyber-attacks and minimize damage from incidents. This standard is a valuable resource for organizations of all sizes, helping them navigate the complex landscape of cybersecurity and establish robust practices to safeguard their digital assets and information from evolving threats.
ISO/IEC 27032:2023 Updates
The new edition of the ISO/IEC 27032 standard, titled “Cybersecurity — Guidelines for Internet security,” focuses on addressing Internet security challenges and providing guidance to mitigate common threats. The standard addresses various security issues, including social engineering attacks, zero-day attacks, privacy attacks, hacking, and the proliferation of malicious software. The guidance within the standard equips organizations with the means to prepare for, prevent, detect, monitor, and respond to various types of Internet-based attacks by offering technical and non-technical controls.
The guidance provided in ISO/IEC 27032:2023 covers multiple aspects of Internet security. It includes controls for preparing for attacks, preventing attacks, detecting and monitoring attacks, and responding to them.
The standard emphasizes the implementation of industry best practices and promotes consumer and employee education to encourage active participation in addressing Internet security challenges. It also highlights the significance of preserving confidentiality, integrity, and availability of information, as well as other properties, such as authenticity, accountability, non-repudiation, and reliability.
It is important to note that ISO/IEC 27032:2023 does not explicitly focus on controls for systems supporting critical infrastructure or national security.
However, most controls mentioned in the document can apply to such systems, enabling organizations to safeguard their critical assets effectively. By leveraging concepts from existing standards such as ISO/IEC 27002, the ISO/IEC 27033 series, ISO/IEC TS 27100, and ISO/IEC 27701, the standard establishes a strong relationship between Internet security, web security, network security, and cybersecurity.
The Main Changes between ISO/IEC 27032:2012 and ISO/IEC 27032:2023
First, the title of the standard has been changed to “Cybersecurity — Guidelines for Internet security,” showing a shift in focus towards addressing Internet security challenges specifically. Second, the document has been restructured to make it easier for organizations to understand:
| ISO/IEC 27032:2012 Structure | ISO/IEC 27032:2023 Structure |
| --- | --- |
| 1 Scope | 1 Scope |
| 2 Applicability | 2 Normative references |
| 2.1 Audience | 3 Terms and definitions |
| 2.2 Limitations | 4 Abbreviated terms |
| 3 Normative references | 5 Relationship between Internet security, web security, network security and cybersecurity |
| 4 Terms and definitions | 6 Overview of Internet security |
| 5 Abbreviated terms | 7 Interested parties |
| 6 Overview | 7.1 General |
| 6.1 Introduction | 7.2 Users |
| 6.2 The nature of the Cyberspace | 7.3 Coordinator and standardization organizations |
| 6.3 The nature of Cybersecurity | 7.4 Government authorities |
| 6.4 General model | 7.5 Law enforcement agencies |
| 6.5 Approach | 7.6 Internet service providers |
| 7 Stakeholders in the Cyberspace | 8 Internet security risk assessment and treatment |
| 7.1 Overview | 8.1 General |
| 7.2 Consumers | 8.2 Threats |
| 7.3 Providers | 8.3 Vulnerabilities |
| 8 Assets in the Cyberspace | 8.4 Attack vectors |
| 8.1 Overview | 9 Security guidelines for the Internet |
| 8.2 Personal assets | 9.1 General |
| 8.3 Organizational assets | 9.2 Controls for Internet security |
| 9 Threats against the security of the Cyberspace | 9.2.1 General |
| 9.1 Threats | 9.2.2 Policies for Internet security |
| 9.2 Threat agents | 9.2.3 Access control |
| 9.3 Vulnerabilities | 9.2.4 Education, awareness and training |
| 9.4 Attack mechanisms | 9.2.5 Security incident management |
| 10 Roles of stakeholders in Cybersecurity | 9.2.6 Asset management |
| 10.1 Overview | 9.2.7 Supplier management |
| 10.2 Roles of consumers | 9.2.8 Business continuity over the Internet |
| 10.3 Roles of providers | 9.2.9 Privacy protection over the Internet |
| 11 Guidelines for stakeholders | 9.2.10 Vulnerability management |
| 11.1 Overview | 9.2.11 Network management |
| 11.2 Risk assessment and treatment | 9.2.12 Protection against malware |
| 11.3 Guidelines for consumers | 9.2.13 Change management |
| 11.4 Guidelines for organizations and service providers | 9.2.14 Identification of applicable legislation and compliance requirements |
| 12 Cybersecurity controls | 9.2.15 Use of cryptography |
| 12.1 Overview | 9.2.16 Application security for Internet-facing application |
| 12.2 Application level controls | 9.2.17 Endpoint device management |
| 12.3 Server protection | 9.2.18 Monitoring |
| 12.4 End-user controls | Annex A (informative) Cross-references between this document and ISO/IEC 27002 |
| 12.5 Controls against social engineering attacks | Bibliography |
| 12.6 Cybersecurity readiness | |
| 12.7 Other controls | |
| 13 Framework of information sharing and coordination | |
| 13.1 General | |
| 13.2 Policies | |
| 13.3 Methods and processes | |
| 13.4 People and organizations | |
| 13.5 Technical | |
| 13.6 Implementation guidance | |
| Annex A (informative) Cybersecurity readiness | |
| Annex B (informative) Additional resources | |
| Annex C (informative) Examples of related documents | |
| Bibliography | |
One significant modification is the inclusion of a more comprehensive framework for risk assessment and risk treatment related to Internet security. The updated standard incorporates additional content on threats, vulnerabilities, and attack vectors, giving organizations a deeper understanding of the risks associated with Internet security and facilitating better risk management practices.
Additionally, Annex A introduces a mapping between the controls for Internet security in ISO/IEC 27032:2023 and the controls found in ISO/IEC 27002. Organizations can use this mapping to systematically compare and align the security measures mentioned in the standard with controls defined in ISO/IEC 27002, which promotes better integration of security frameworks and practices recognized internationally.
Overall, ISO/IEC 27032:2023 emphasizes Internet security, provides guidance on a broader range of Internet-based threats, and offers an improved risk assessment and treatment framework. Through these key changes, the updated standard better equips organizations to tackle the evolving challenges of cybersecurity in the digital age and safeguard their information and assets from Internet-related risks.
PECB’s Cybersecurity Management Training Courses
The PECB Certified Cybersecurity Management training courses offer a comprehensive and specialized learning experience in the field of cybersecurity and online privacy. Focused on the guidelines for cybersecurity management, the courses equip participants with the necessary skills and knowledge to effectively navigate the complex landscape of cybersecurity risks and challenges.
About the Author
Gresa Shala is the Content Developer for IT Security at PECB. She is responsible for developing, improving, and designing training courses and other supporting materials. If you have any questions, please do not hesitate to contact her at gresa.training@pecb.com.