
ISO/IEC 27033-1

ISO/IEC 27033-1:2015 — Information technology — Security techniques — Network security — Part 1: Overview and concepts

(second edition)

Abstract

ISO/IEC 27033 part 1 “provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services, and end-users, in addition to security of the information being transferred across the communication links.) ... Overall it provides an overview of this International Standard and a 'road map' to all other parts.” 


[Source: ISO/IEC 27033-1:2015]

Introduction

Part 1 revised and replaced ISO/IEC 18028 part 1.


It provides:

  • A roadmap and overview of the concepts and principles underpinning the remaining parts of ISO/IEC 27033.

  • A glossary of information security terms specific to networking.

  • Guidance on a structured process to identify and analyse network security risks and hence define network security control requirements, including those mandated by relevant information security policies.

  • An overview of the controls supporting network technical security architectures and related technical controls, as well as non-technical controls plus other technical controls that are not solely related to network security (thus linking to ISO/IEC 27001, ISO/IEC 27002 and ISO/IEC 27005 plus other ISO27k standards as they are released).

Scope

Extends the security management guidelines provided in ISO/IEC TR 13335 and ISO/IEC 27002 etc. by detailing the specific operations and mechanisms needed to implement network security controls in a wider range of network environments, providing a bridge between general information security management issues and the specifics of implementing largely technical network security controls (e.g. firewalls, IDS/IPS, message integrity controls etc.).

Structure

Main sections:

  • 6: Overview

  • 7: Identifying risks and preparing to identify security controls

  • 8: Supporting controls

  • 9: Guidelines for the design and implementation of network security

  • 10: Reference network scenarios - risks, design techniques and control issues

  • 11: 'Technology' topics - risks, design techniques and control issues

  • 12: Develop and test security solution

  • 13: Operate security solution

  • 14: Monitor and review solution implementation

  • Annex A: Cross-references between ISO/IEC 27001/27002 network security related controls and ISO/IEC 27033-1 clauses/subclauses

  • Annex B: Example template for a SecOPs document

Status

The first edition of part 1 was published in 2009. 


The second edition was published in 2015 and confirmed unchanged in 2021.


An extended scope for the ISO/IEC 27033 standards is under consideration covering emerging technologies such as cloud computing, zero trust, IoT and AI, hence a revision project has been stopped and restarted at Preliminary Work Instruction stage.

Commentary

Part 1 mentions requirements such as non-repudiation and reliability in addition to the classical CIA triad (confidentiality, integrity and availability). It provides a reasonably technical overview of network security despite barely any reference to the OSI or TCP/IP network stacks!


At present, the ISO/IEC 27033 standards are largely (entirely?) concerned with digital data networks, but there are other kinds of networks - such as business networks, social networks, professional networks, criminal networks and socio-political/cultural networks - all with differing risks and security concerns. So, should the ISO/IEC 27033 set be extended to cover those too? If so, how? It is not exactly obvious what kinds of guidance might usefully be offered in these other areas - in fact, formally speaking, it is not even entirely clear what ‘networks’ are. Anyway, that’s something to bear in mind. SC 27, meanwhile, tends to stick to the knitting i.e. IT/cyber security, in accordance with its defined scope.


Furthermore, I feel the information risk and security aspects of industrial shop-floor Operational Technology networks are inadequately covered by current ISO/IEC 27033 standards, a significant omission. The networking protocols, risks and controls vary, while the gradual convergence of IT and OT is bound to affect network security in both domains.

This page last updated:

2 November 2025

© 2025 IsecT Limited 
