Topic-specific policies
ISO/IEC 27032

Search this site

ISMS templates

< Previous standard      ^ Up a level ^      Next standard >


ISO/IEC 27032:2023  — Cybersecurity — Guidelines for Internet security (second edition)



“[ISO/IEC 27032:2023] provides:
    • an explanation of the relationship between Internet security, web security, network security and cybersecurity;
    • an overview of Internet security;
    • identification of interested parties and a description of their roles in Internet security;
    • high-level guidance for addressing common Internet security issues.

    [The standard] is intended for organizations that use the Internet.”

[Source: ISO/IEC 27032:2023]


ISO/IEC 27032 addresses Internet security i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.


Scope and purpose

The abstract above covers the scope and purpose.

The introduction notes that “This document does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in this document can be applied to such systems.” In other words it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses rather than the more extreme spooky threats of concern to the governments and defence world.


Structure and content

The five main sections are:

  1. Relationship between Internet security, web security, network security and cybersecurity.
  2. Overview of Internet security.
  3. Interested parties.
  4. Internet security risk assessment and treatment.
  5. Security guidelines for the Internet.
  6. Annex A. Cross-references between this document and ISO/IEC 27002.

The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022

  • 25 Organizational controls;
  • 2 People controls;
  • 0 Physical controls; and
  • 23 Technological controls.

Status of the standard

The standard was first published in 2012.

The second, thoroughly revised edition was published in June 2023.


Personal comments

See also ISO/IEC 27100.

Over the last decade or so, “cyber” as in “cybersecurity” has gradually become a buzzier buzzword and yet the confusion over what it actually means persists. SC 27 had the opportunity to clarify cyber-related terms when revising this standard but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020 viz “safeguarding of people, society, organizations and nations from cyber risks  Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition have simply been dropped.

Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers.

I’ve taken the liberty of elaborating on the scope diagram from the standard, highlighting in yellow the coverage area and adding an outer circle for the field of information security as a whole:


27032 scope diagram extended by GH


< Previous standard      ^ Up a level ^      Next standard >

Copyright © 2024 IsecT LtdContact us re Intellectual Property Rights