“ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular: information security; network security; internet security; and critical information infrastructure protection (CIIP) …”
Officially, ISO/IEC 27032 addresses “Cybersecurity” or “the Cyberspace security”, defined as the “preservation of confidentiality, integrity, and availability of information in the Cyberspace”. In turn “the Cyberspace” (complete with the definite article and spurious CapitaL) is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”.
Scope and purpose
In reality, despite the title, the standard is actually about plain old Internet security.
The first couple of lines give the game away:
“The focus of this document is to address internet security issues and provides technical guidance for addressing common internet security risks …”
The standard does not directly address cyber safety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime, and protection of critical information infrastructure in cyberwar, although there are oblique references to these aspects.
Structure and content
The main sections are:
- Assets in the Cyberspace
- Threats against the security of the Cyberspace
- Roles of stakeholders in Cybersecurity
- Guidelines for stakeholders
- Cybersecurity controls
- The framework of information sharing and coordination
Annex A. Cybersecurity readiness
Annex B. Additional resources
Annex C. Examples of related documents
As defined, ‘Cyberspace’ appears to mean a complex, highly variable or fluid virtual online environment, and hence it is hard to pin down the associated information risks. While a variety of information risks are connected with ‘Cyberspace’, many (such as network and system hacking, spyware and malware, cross-site scripting, SQL injection, social engineering, plus information security issues relating to “Web 2.0”, cloud computing, and virtualization technologies that typically underpin virtual online environments and applications) could be classed as a normal or conventional system, network, and application security risks. In practice, the standard is largely concerned with information risks associated with the Internet, rather than ‘Cyberspace’ per se. However, since these risks are already pretty well covered by other ISO or ISO/IEC information security standards, either published or under development, it is uncertain what information risks are truly unique to ‘the Cyberspace’. Risks to virtual assets belonging to players of MMORPGs (‘Massively Multiplayer Online Role-Playing Games) are mentioned in the standard but not directly addressed, for example. Frequent innovation in the realm of ‘Cyberspace’ makes it especially tough to set international standards in this area and could itself be classed as information risk, albeit again one not covered by the standard.
Section 7 of the standard distinguishes threats to personal and organisational assets, which appear to boil down to compromises of privacy/identity and corporate information, respectively: there are of course many information security standards covering both aspects. [For some obscure reason, section 7 also mentions threats to online government services and infrastructure including terrorism, although quite what these have to do with ‘the Cyberspace’ is unclear to me since I am not aware of any governments offering virtual environments or MMORPGs, unless perhaps ‘managing the nation’s economy is classed as a game!].
Status of the standard
The standard was published in 2012.
It is being revised (rewritten). The second edition will:
- Give a ‘state of the nation’ overview of Internet security;
- Identify some interested parties with roles in Internet security;
- Offer high-level guidance on addressing common Internet security issues;
- Reference various other standards (such as ISO/IEC 27002) for the details on risk management approaches and security controls.
The second edition is at the Draft International Standard stage and is now due to be published in mid-2023. The title will become “Cybersecurity – Guidelines for Internet security”.
For purchasing an official copy of this standard, please visit www.iso.org