How to integrate ISO/IEC 27032 on ISMS?

13/11/2025


Today, the term cybersecurity is regularly used, but its exact meaning, its difference from information security, and its relationship with an Information Security Management System (ISMS) are still misunderstood by many. As global regulations and standards continue to progress, understanding these concepts has never been more important.

What Is Cybersecurity?

According to ISO/IEC 27032:2023, Cybersecurity — Guidelines for Internet Security, cybersecurity provides guidance for “Internet-related services and related ICT systems and networks as an extension of network security.”

Previous editions of the standard defined cybersecurity as the preservation of confidentiality, integrity, and availability (CIA) of information within cyberspace, the interconnected environment created by people, software, and services operating over the Internet.

Relationship Between Cybersecurity, Information Security, and ISMS

Those familiar with information security will recognize the CIA triad (confidentiality, integrity, and availability) as the main protection objectives. Cybersecurity builds upon these values but focuses mainly on the digital and online dimensions of risk, the cyberspace environment.

In organizational terms:

  • An ISMS, as established by ISO/IEC 27001, manages information security comprehensively across the organization through policies, procedures, and a continual Plan–Do–Check–Act (PDCA) cycle based on risk management.
  • Cybersecurity, on the other hand, can be seen as a subset or extension of an ISMS, focusing specifically on Internet-connected systems, digital services, partner networks, and external threat surfaces.
  • It is important to note that ISO/IEC 27032 is a guideline—not a certifiable standard—unlike ISO/IEC 27001.

Why Is Additional Guidance Necessary?

While the PDCA cycle and the risk-based method of ISO/IEC 27001 remain applicable, cybersecurity introduces new and distinct dimensions that extend beyond the organization’s traditional IT perimeter. Key areas include:

1. Expanded Stakeholder and Partner Landscape

Engagement in cyberspace increases the number of interested parties, including customers, cloud providers, regulators, and business partners. Clearly defining communication channels, shared responsibilities, and information exchange procedures becomes crucial for secure collaboration.

2. Shared Assets and Multi-Owner Environments

The Internet operates as a public infrastructure. Cloud services, network providers, and third-party vendors may collectively influence security outcomes. Since ISO/IEC 27001 requires every asset to have an identifiable owner, organizations must adapt their asset management and risk assessment frameworks to align with these shared environments.

3. The Internet of Things (IoT) and Edge Devices

The spread of IoT devices, which are often resource-limited, remotely deployed, and difficult to update, introduces significant patch management and ownership complexities. Organizations must strengthen incident response, third-party risk management, and monitoring strategies to mitigate these evolving threats.

4. Emerging and Distinct Threat Vectors

Modern cyber threats include DDoS attacks, phishing, social engineering, supply-chain compromises, zero-day exploits, and more. Organizations must enhance security awareness, threat detection, and incident handling capabilities to counter these evolving risks effectively.

5. Public Visibility and Regulatory Obligations

Cyber incidents often impact multiple stakeholders and can quickly become public. Attempting to cover up breaches can damage trust and reputation. Additionally, many jurisdictions mandate timely incident reporting to regulators. Organizations must, therefore, ensure that communication plans, incident response procedures, and business continuity strategies are aligned with legal and reputational requirements.

Putting It All Together

For organizations with an existing ISMS, achieving cybersecurity readiness does not require starting anew; it requires adapting. Conduct a gap analysis, apply the PDCA methodology, and integrate the necessary changes into existing frameworks. Most foundational elements, such as policies, risk assessments, monitoring, and incident management, already exist and can be extended to the cyberspace context.

Using ISO/IEC 27032 as complementary guidance can strengthen your ISMS by:

  • Planning asset ownership and stakeholder responsibilities within the cyberspace
  • Extending risk assessments to cover Internet-facing services and external threats
  • Expanding communication and reporting protocols to include regulators, customers, and partners
  • Addressing IoT and third-party device management within patching and maintenance programs
  • Improving monitoring, detection, and response capabilities to align with modern threat landscapes
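As an added illustration of the gap analysis described above (example code written for this article, not material from ISO/IEC 27032 or PECB), the script below walks a constructed asset register and flags the three cyberspace gaps the list calls out: Internet-facing assets with no identifiable owner, shared assets with no partner communication channel, and IoT devices outside a patch window. The register contents, field names and the 90-day window are assumptions for the example, not requirements of either standard.

```python
"""Gap-analysis check for extending an ISO/IEC 27001 asset register to the
cyberspace context. Added example; the register and thresholds are constructed."""
from datetime import date

# Constructed sample asset register for a hypothetical organisation.
ASSETS = [
    {"name": "customer-portal", "internet_facing": True, "owner": "web-team",
     "shared_with": ["cloud-provider-A"], "partner_contact": "soc@provider-a.example",
     "kind": "service", "last_patched": date(2025, 10, 1)},
    {"name": "partner-vpn-gateway", "internet_facing": True, "owner": None,
     "shared_with": ["partner-B"], "partner_contact": None,
     "kind": "network", "last_patched": date(2025, 9, 15)},
    {"name": "warehouse-sensor-12", "internet_facing": True, "owner": "ops",
     "shared_with": [], "partner_contact": None,
     "kind": "iot", "last_patched": date(2025, 4, 2)},
    {"name": "hr-database", "internet_facing": False, "owner": "hr-it",
     "shared_with": [], "partner_contact": None,
     "kind": "service", "last_patched": date(2025, 8, 20)},
]

IOT_PATCH_WINDOW_DAYS = 90  # assumed internal policy value, not from the standard


def gap_analysis(assets, today):
    """Return (asset name, finding) tuples describing ISMS extension gaps."""
    findings = []
    for a in assets:
        # ISO/IEC 27001 expects every asset to have an owner; Internet-facing
        # and partner-shared assets are where ownership most often goes unassigned.
        if a["internet_facing"] and a["owner"] is None:
            findings.append((a["name"], "internet-facing asset has no identifiable owner"))
        # A shared asset needs an agreed channel for exchanging security information.
        if a["shared_with"] and not a["partner_contact"]:
            findings.append((a["name"], "shared asset lacks a partner communication channel"))
        # Resource-limited, remotely deployed IoT devices drift out of patch cadence.
        if a["kind"] == "iot" and (today - a["last_patched"]).days > IOT_PATCH_WINDOW_DAYS:
            findings.append((a["name"], "IoT device exceeds patch window"))
    return findings


if __name__ == "__main__":
    for name, finding in gap_analysis(ASSETS, date(2025, 11, 13)):
        print(f"{name}: {finding}")
```

Each finding maps back to an existing ISMS element (asset register, supplier agreements, patch management) that is extended rather than rebuilt.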

How PECB Can Help You

PECB supports individuals in strengthening their cybersecurity posture through internationally recognized certification, training, and guidance.

Whether you are beginning your journey in cybersecurity or seeking to integrate ISO/IEC 27032 with your existing ISMS, PECB offers:

  • ISO/IEC 27001 Training Courses – Equipping organizations and individuals to build, manage, and continually improve an Information Security Management System.
  • Expert Guidance and Resources – Providing up-to-date insights, best practices, and educational materials to help you stay ahead of emerging threats.

By partnering with PECB, you gain the knowledge, credibility, and confidence to effectively manage cybersecurity risks and improve trust in your organization’s digital operations.

About the Author

Vesa Hyseni is a Senior Content and Campaigns Specialist at PECB. She is responsible for creating up-to-date content, conducting market research, and providing insights about ISO standards. For any questions, feel free to reach out to her at support@pecb.com.
