
ISO/IEC 27032

ISO/IEC 27032:2023 — Cybersecurity — Guidelines for Internet security

(second edition)

Abstract

ISO/IEC 27032 “provides:

  • an explanation of the relationship between Internet security, web security, network security and cybersecurity;

  • an overview of Internet security;

  • identification of interested parties and a description of their roles in Internet security;

  • high-level guidance for addressing common Internet security issues.


[ISO/IEC 27032] is intended for organizations that use the Internet.”


[Source: ISO/IEC 27032:2023]

Introduction

ISO/IEC 27032 addresses Internet security, i.e. “protecting Internet-related services and related ICT systems and networks as an extension of network security”.

Scope

The abstract above covers the scope and purpose.


The introduction notes that “[ISO/IEC 27032] does not specifically address controls that organizations can require for systems supporting critical infrastructure or national security. However, most of the controls mentioned in [ISO/IEC 27032] can be applied to such systems.” In other words, it primarily concerns the ordinary everyday network security threats facing all Internet users, particularly businesses, rather than the more extreme spooky threats of concern in the governmental and defence domain.

Structure

Main sections:

  • 5: Relationship between Internet security, web security, network security and cybersecurity.

  • 6: Overview of Internet security.

  • 7: Interested parties.

  • 8: Internet security risk assessment and treatment.

  • 9: Security guidelines for the Internet.

  • Annex A: Cross-references between this standard and ISO/IEC 27002.


The annex cites a reasonable assortment of 50 controls from ISO/IEC 27002:2022 i.e.:

  • 25 Organizational controls;

  • 2 People controls;

  • 0 Physical controls*; and

  • 23 Technological controls.


* It doesn't explicitly cover physical security for network cabling and equipment, nor the range and remote access concerns with wireless networking.

Status

The first edition was published in 2012.


The second, thoroughly revised edition was published in 2023.

Commentary

See also ISO/IEC TS 27100.


Over the last decade or so, “cyber” as in “cybersecurity” has gradually become a buzzier buzzword, and yet doubts and disagreements over what it actually means persist. SC 27 had the opportunity to clarify cyber-related terms when revising this standard, but the second edition simply reproduces the definition of cybersecurity from ISO/IEC TS 27100:2020, viz. “safeguarding of people, society, organizations and nations from cyber risks. Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.” ... but fails to define “cyber risk”, failing yet again to clarify what it is that we are supposedly being safeguarded against. Other cyber terms defined in the first edition have simply been dropped.


Meanwhile, the second edition remains myopically focused on deliberate attacks perpetrated via the Internet by hackers, malware, phishers and spammers. If those are your only concerns relating to the Internet, I guess you have led a very sheltered life. 

This page last updated: 2 November 2025

© 2025 IsecT Limited 
