ISO/IEC 27032:2023 Cybersecurity — Guidelines for Internet security provides guidance for enhancing cybersecurity measures across multiple domains to combat cybersecurity risks. Specifically, it gives guidance on addressing common internet security threats, for example:
- social engineering attacks;
- zero-day attacks;
- privacy attacks;
- hacking; and
- proliferation of malicious software, spyware and other unwanted software.
ISO/IEC 27032 provides technical and non-technical controls for addressing Internet security risks, including controls for:
- preparing for attacks;
- preventing attacks;
- detecting and monitoring attacks; and
- responding to attacks.
It includes guidance on:
- roles;
- policies;
- methods;
- processes; and
- applicable technical controls.
Who should use the standard?
It is intended for organizations that use the internet, which in practice means all organizations. The guidance focuses on industry best practices and on broad consumer and employee education, so that interested parties can play an active role in addressing internet security challenges. It also focuses on preserving the confidentiality, integrity and availability of information over the internet, together with other properties that can also be involved, such as authenticity, accountability, non-repudiation and reliability.
What does it cover?
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Relationship between Internet security, web security, network security and cybersecurity
6 Overview of Internet security
7 Interested parties
  7.1 General
  7.2 Users
  7.3 Coordinator and standardization organisations
  7.4 Government authorities
  7.5 Law enforcement agencies
  7.6 Internet service providers
8 Internet security risk assessment and treatment
  8.1 General
  8.2 Threats
  8.3 Vulnerabilities
  8.4 Attack vectors
9 Security guidelines for the Internet
  9.1 General
  9.2 Controls for Internet security
Annex A Cross-references between this document and ISO/IEC 27002
What are the steps in applying ISO/IEC 27032?
The main steps in applying the guidelines in ISO/IEC 27032 are as follows.
1. Identify and Assess Cybersecurity Risks
This involves identifying potential cybersecurity risks that could threaten the organization’s information assets and assessing their potential impact.
2. Develop a Cybersecurity Policy
Create a cybersecurity policy that outlines the organization’s approach to cybersecurity and sets out the roles and responsibilities of employees in implementing cybersecurity measures.
3. Implement Cybersecurity Controls
Put in place technical and organizational controls to protect the organization’s information assets from cybersecurity threats.
4. Conduct Cybersecurity Training and Awareness Programs
Provide training to employees on cybersecurity best practices and raise awareness about the importance of cybersecurity within the organization.
5. Monitor and Evaluate Cybersecurity Measures
Regularly monitor and evaluate the cybersecurity measures implemented within the organization to confirm that they remain effective against cybersecurity risks.
6. Respond to Cybersecurity Incidents
Develop and implement a cybersecurity incident response plan that outlines the steps to be taken in the event of a cybersecurity incident.
7. Continual Improvement
Continuously review and improve cybersecurity measures based on the changing threat landscape and emerging cybersecurity risks.
ISO/IEC 27032 can be purchased through the ISO.org website.