ISO/IEC 27032

Copyright © 2009 IsecT Ltd.

ISO/IEC 27032 Information technology -- Security techniques -- Guidelines for cybersecurity (draft) Updated following May 2009 meeting in Beijing


ISO/IEC 27032 will provide guidance to organizations such as Internet Service Providers and other Internet users on their security responsibilities to themselves and perhaps to the Internet community at large, in effect applying corporate social responsibility to the Internet realm.

The standard is at WD stage.

The scope is still not fully resolved, with divergent views from various national standards bodies on what this standard is intended to cover. The term “cybersecurity” is not helping matters, since it means different things to different people. For example, there is significant potential overlap between cybersecurity and network security at a detailed level, while broader national and international cooperation on Internet security matters may not be amenable to an ISO/IEC standard.

The present draft defines cyberspace as “while not existing in any physical form, a complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it. The complex environment encompasses the interconnecting networks and systems as well as any ICT devices belonging to different organizations and service providers that allow for the flow of information.” Cyberspace is clearly a complex, highly variable environment with frequent innovation, making it especially tough to set international standards.

In addition to the ‘traditional’ network security threats such as malware and spam, a multitude of novel information security issues may be connected with topical cyberspace usage such as:

  • Web 2.0, including true network applications offering Software as a Service and potentially Security as a Service;
  • Peer-to-peer networking;
  • Blogging and videoblogging;
  • Instant messaging;
  • Voice and video over IP;
  • Global connectivity, with a blend of cultures, laws etc.;
  • Second Life and similar virtual reality environments;
  • Online games;
  • Phishing.

Whether and to what extent these issues are covered by ISO/IEC 27032 remains to be seen. The standard may, for example, attempt to fill in the perceived network security gaps by updating existing ISO27k standards, while at the same time promoting the use of ISMS techniques to manage cybersecurity risks in parallel with other information security risks. In addition, it may focus on the social responsibility aspects noted above, for example by proposing mechanisms for peers to communicate and collaborate on common cybersecurity issues.

The present WD offers mixed guidance on the nature of the known security risks and the security controls applicable to them. It mentions, for example, the need for cross-organizational collaboration on security matters between trustworthy partners, particularly around investigating and resolving security incidents, and controls against social engineering.