ISO/IEC 27032 Information technology — Security techniques — Guidelines for cybersecurity (FDIS)
ISO/IEC 27032 will address “Cybersecurity” or “Cyberspace security”, which is defined as the “preservation of confidentiality, integrity and availability of information in the Cyberspace”.
In turn “the Cyberspace” is defined as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”.
The main sections of the FCD version are:
- Overview
- Assets in the Cyberspace
- Threats against the security of the Cyberspace
- Roles of stakeholders in Cybersecurity
- Guidelines for stakeholders
- Cybersecurity controls
- Framework of information sharing and coordination
Annex A. Cybersecurity readiness
Annex B. Additional resources
Annex C. Examples of related documents
The draft standard does not directly address cybersafety (such as cyberbullying), cybercrime, Internet safety, Internet-related crime or Critical Information Infrastructure Protection, although there are oblique references to these aspects.
Cybersecurity risks
As defined, ‘the Cyberspace’ appears to mean a complex, highly variable or fluid virtual online environment, and hence it is hard to pin down the associated information security risks. A variety of information security risks are connected with ‘the Cyberspace’, but many of them (network and system hacking, spyware and malware, cross-site scripting, SQL injection, social engineering, plus the information security issues relating to “Web 2.0”, cloud computing and the virtualization technologies that typically underpin virtual online environments and applications) could be classed as conventional system, network and application security risks. In practice, the standard is largely concerned with information security risks associated with the Internet rather than with ‘the Cyberspace’ per se. Since those risks are already well covered by other ISO or ISO/IEC information security standards, either published or under development, it is uncertain which information security risks are truly unique to ‘the Cyberspace’: risks to virtual assets belonging to players of MMORPGs (‘Massively Multiplayer Online Role-Playing Games’), for example, are mentioned in the standard but not directly addressed. Frequent innovation in the realm of ‘the Cyberspace’ makes it especially tough to set international standards in this area, and could itself be classed as an information security risk, albeit one not covered by the standard.
Section 7 of the standard distinguishes threats to personal and organizational assets, which appear to boil down to compromises of privacy/identity and corporate information, respectively: there are of course many information security standards covering both aspects. [For some obscure reason, section 7 also mentions threats to online governmental services and infrastructure including terrorism, although quite what these have to do with ‘the Cyberspace’ is unclear to me since I am not aware of any governments offering virtual environments or MMORPGs, unless perhaps ‘managing the nation’s economy’ is classed as a game!].
Status of the standard
The standard is at FDIS stage having been approved by a majority vote despite a number of unresolved technical, language and structural issues. In short, don’t expect too much of the standard when it is released early in 2012. Version 2 might be better (in a few years).