ISO/IEC 27032 Information technology -- Security techniques -- Guidelines for cybersecurity (CD) 
ISO/IEC 27032 will give an overview of the unique security challenges in ‘the Cyberspace’, which the latest Committee Draft defines as “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form”.
The introduction describes ‘the Cyberspace’ further: “This complex environment is build [sic] on interconnecting networks and systems, as well as any ICT devices, belonging to different organizations and service providers that allow for the flow of information. However, there are security issues that are not covered by current information security, Internet security, network security and ICT security best practices because of gaps between these domains. Cyberspace security, or Cybersecurity, is about the security of the Cyberspace. It provides guidance to address issues arising from the gaps between the different security domains in the Cyberspace environment. At the same time, Cybersecurity provides an infrastructure for collaboration between security stakeholders in the Cyberspace.”
Further on, the draft standard states “Cybersecurity is, however, not synonymous with Internet security, network security, information security, or critical information infrastructure protection (CIIP).”
Cyberspace is evidently a complex, highly variable environment, and hence information security risks in cyberspace are tough to pin down. Furthermore, constant innovation makes it especially tough to set international standards in this area.
The standard is at 1st CD stage. The main sections are:
- Overview
- The stakeholders in the Cyberspace
- Assets in the Cyberspace
- Threats against the security of the Cyberspace
- Roles of stakeholders in Cybersecurity
- Guidelines for stakeholders
- Cybersecurity controls
- Framework of information sharing and coordination
- Annex A. Additional resources
- Annex B. Cybersecurity readiness
- Annex C. Examples of related documents
The standard does not address cybersafety (such as cyberbullying), cybercrime, Internet safety or Internet-related crime.
-----------------
The New Work Item Proposal for this standard clearly stated that the standard would provide, in separate parts:
(a) non-technical security guidance for organizations providing and using the Internet, and would not attempt to address individual Internet users. However, the 1st CD does offer a fair amount of guidance aimed directly at “consumers” or “end-users”; and
(b) a framework for collaboration (presumably in both national and international settings) on security matters relating to Cyberspace.
In addition to traditional or conventional network security threats (such as malware and spam) and other threats that are amplified by the ubiquitous Internet (such as social engineering and spyware), a multitude of novel information security issues are connected with cyberspace, such as:
- Web 2.0, including true network applications offering Software as a Service and potentially Security as a Service;
- Peer-to-peer networking;
- Blogging, audioblogging/podcasting and videoblogging;
- Instant messaging;
- Voice and video over IP;
- Global connectivity, with a blend of cultures, laws etc.;
- Second Life and similar virtual reality environments (‘virtual worlds’);
- Online games;
- Phishing.
Whether and if so to what extent these issues are covered by ISO/IEC 27032 remains to be seen.