ISO/IEC 27033-7
ISO/IEC 27033-7:2023 Information technology — Network security — Part 7: Guidelines for network virtualization security
(first edition)
Abstract
ISO/IEC 27033 part 7 “aims to identify security risks of network virtualization and proposes guidelines for the implementation of network virtualization security. Overall, [ISO/IEC 27033-7] intends to considerably aid the comprehensive definition and implementation of security for any organization’s virtualization environments. It is aimed at users and implementers who are responsible for the implementation and maintenance of the technical controls required to provide secure virtualization environments.”
[Source: ISO/IEC 27033-7:2023]
Introduction
This standard started out as ISO/IEC 5188 before being absorbed into ISO27k.
Scope
As part of the network security standard ISO/IEC 27033, part 7 concerns the information risks and security controls applicable to virtualisation of networks.
Structure
Main sections:
5: Overview
6: Security threats
7: Security recommendations
8: Security controls
9: Design techniques and considerations
Annex A: Use cases of network virtualization
Annex B: Detailed security threat description of network virtualization
Status
The current first edition of part 7 was published in 2023.
Commentary
The standard outlines some “security threats” or “security issues”, which are generic examples of types of incident (such as “Insider attacks: an administrator tampers image or changes security configurations”). However, it does not explain which information security controls address the identified “security threats/issues”, nor, conversely, which information risks the suggested information security controls are intended to mitigate. There is no cross-referencing between the two, so it is unclear how users are meant to identify, select or prioritise whichever controls are most appropriate for their situations.
So much for the “implementation guidelines”!
