ISO 27032 – What is it, and how does it differ from ISO 27001?

There are many standards in the ISO 27001 series, all related to security. You probably don’t know much about ISO 27032:2012 because it is not as well-known as ISO 27001, ISO 27002, or ISO 22301, but it is closer to you than you think, because it deals with a place you visit every day: cyberspace.

The word “security” is a complex term that involves various disciplines and is composed of various domains, such as application security, network security … and cybersecurity. So, cybersecurity is not synonymous with information security, application security, network security, etc. The main objective of cybersecurity is to require stakeholders to play an active role in the maintenance of cyberspace (i.e., it requires actions that stakeholders should take to establish and maintain security in cyberspace) and in the improvement of its reliability and utility.

What is cyber security according to ISO?

First, a few basic things. What is cyberspace? It’s the virtual place where everyone around the world does business, does research, or makes purchases online. ISO 27032 defines the term in the following manner: “a complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.”

Bill Gates said on one occasion: “There will be 2 types of business in the 21st century: those that are on the Internet and those that no longer exist.” And he was not wrong, because currently most business is carried out in cyberspace.

And cybersecurity? It covers everything related to the security of cyberspace, i.e., the security measures that protect it.

Therefore, this ISO cybersecurity standard essentially provides a guide that helps us make our interaction with the virtual environment of cyberspace much safer.

What is ISO 27032?

ISO 27032 provides guidance for improving the posture of an organization’s cybersecurity, drawing out the unique aspects of activity and its dependencies on security domains, and is particularly focused on:

  • information security,
  • network security,
  • internet security, and
  • critical information infrastructure protection (CIIP).

It covers a baseline security practice for stakeholders in the cyberspace environment. ISO 27032 also gives guidance on:

  • an overview of cybersecurity
  • an explanation of the relationship between cybersecurity and other types of security
  • a definition of stakeholders and a description of their roles in cybersecurity
  • guidance for addressing common cybersecurity issues
  • a framework to enable stakeholders to collaborate on resolving cybersecurity issues

What is the difference between ISO 27001 and ISO 27032?

ISO 27032 is not a standard that you can certify against; perhaps this is one of the most important differences with respect to ISO 27001, against which an organization can certify its Information Security Management System (ISMS).

Therefore, the two standards have different objectives, but as we will see in this article, they are closely related. ISO 27032 mainly aims to provide a guide for cybersecurity through specific recommendations, while ISO 27001 sets requirements for establishing an ISMS. So, the focus of ISO 27001 is your organization and its ISMS, while ISO 27032 focuses on cyberspace and provides a framework for collaboration and for addressing issues across the different security domains in cyberspace.

As you will see, there are further differences between the two standards.

ISO 27032 vs ISO 27001 | Cybersecurity standard: main differences

Risk management, assets, threats, and vulnerabilities

Risk can be calculated based on certain parameters like assets, threats, and vulnerabilities, although there are many other ways to calculate risk.

The current version of ISO 27001:2013 does not specify that you need to consider assets, threats, and vulnerabilities to determine the level of risk, which makes it more flexible (e.g., in comparison to the previous version, which was focused on assets and threats). For more information about changes related to risk assessment in ISO 27001:2013, you can read this article: What has changed in risk assessment in ISO 27001:2013?

On the other hand, ISO 27032:2012 specifies different types of assets, but it does not contain a catalogue of threats and vulnerabilities like ISO 27005 (ISO 27005 is a code of best practices for developing a risk management methodology). However, this ISO cybersecurity standard does give some examples, applied of course to cyberspace (threats are mainly divided into two types: those that affect personal assets, and those that affect organizational assets).

At this point, neither standard details a risk management methodology; they simply refer to ISO 27005 or ISO 31000, which are best practices for risk management (ISO 27005 for risks related to information security, and ISO 31000 for any type of risk). However, ISO 27001 sets various requirements that the methodology developed should cover (e.g., establishment of the criteria for acceptance of risk, owner of the risk, residual risk, etc.).

If you are interested in ISO 31000, consult this article: ISO 31000 and ISO 27001 – How are they related?

Controls

In Annex A, ISO 27001:2013 has 114 controls, not all of which are related to technologies. Many are related to the management of suppliers, management of human resources, etc. However, the controls found in ISO 27032:2012 are more specific to cybersecurity (application-level controls, protection of servers, end-user controls, social engineering attack controls, etc.).

For its part, ISO 27001:2013 only contains a brief description of each control, and none of them refers directly to cybersecurity. The detail of each control and its implementation guidance can be found in ISO 27002, while ISO 27032:2012 itself contains a detailed implementation guide (if you want more information about the differences between ISO 27001 and ISO 27002, this article may be of interest to you: ISO 27001 vs. ISO 27002). Therefore, ISO 27001:2013 is broader and more global, while ISO 27032:2012 is more concrete and specific to cybersecurity.

Another important component that you can find in ISO 27032:2012 is a framework for coordination and exchange of information, which is particularly useful when managing cybersecurity-related incidents. ISO 27001:2013 also has controls in Annex A to manage incidents, but they cover only incidents related to information security.

New technical controls

Technical controls defined in this international standard rely on organizations having a good cybersecurity practice in place and leveraging existing ISO/IEC 27001 information security controls within the organization. The process of implementing the cybersecurity technical controls is made easier if an organization complies with the ISO 27001 standard. ISO 27032 brings in cybersecurity technical controls to protect against:

  • Social engineering attacks
  • Hacking
  • Malicious software (malware)
  • Spyware
  • Other unwanted software

The technical controls include:

  • Secure coding: Secure coding controls must be implemented to secure information collected by products in cyberspace.
  • Network monitoring and response: Controls must be implemented to ensure network services remain reliable, secure, and available. Use of cyberspace should not compromise the quality of network services.
  • Server-level controls: Controls must be implemented to ensure servers are securely accessible from cyberspace and protected against unauthorized access and malicious content.
  • Application-level controls: Implement controls to protect against unauthorized data edits; carry out transaction logging and error handling.
  • End-user workstation controls: Controls must be implemented to protect the end-user infrastructure across organizations against known exploits and attacks.
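The application-level item above names three things an application should do: refuse unauthorized edits, log each transaction, and handle errors. The following is an added illustration of those three controls working together in one small edit function; it is not code or text from ISO 27032, and the record store, user names and log format are constructed for the example.

```python
"""Application-level controls: authorize edits, log every transaction,
handle errors without leaking internals (constructed illustration)."""
import json
import logging
from datetime import datetime, timezone

# Constructed sample data: a record store where each record has an owner.
RECORDS = {"inv-1001": {"owner": "alice", "total": 120.0}}
# In-memory transaction log so the effect of each call can be inspected.
TRANSACTION_LOG = []


class AuthorizationError(Exception):
    """Raised when the caller is not the owner of the record."""


def _audit(user, action, record_id, outcome):
    """Append one transaction-log entry and also emit it via logging."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "action": action, "record": record_id, "outcome": outcome,
    }
    TRANSACTION_LOG.append(entry)
    logging.getLogger("app.audit").info(json.dumps(entry))
    return entry


def update_total(user, record_id, new_total):
    """Edit a record only if `user` owns it; log the attempt either way.

    Returns a (status, message) pair. Internal details (exception text,
    whether the record exists) never reach the caller.
    """
    try:
        record = RECORDS[record_id]                  # KeyError if unknown
        if record["owner"] != user:                  # authorization check
            raise AuthorizationError("caller does not own record")
        if isinstance(new_total, bool) or not isinstance(new_total, (int, float)) or new_total < 0:
            raise ValueError("total must be a non-negative number")
        old = record["total"]
        record["total"] = float(new_total)
        _audit(user, "update_total", record_id, f"ok {old}->{record['total']}")
        return "ok", "updated"
    except (AuthorizationError, KeyError):
        # Unknown record and foreign record look the same to the caller,
        # so a denied edit does not reveal whether the record exists.
        _audit(user, "update_total", record_id, "denied")
        return "denied", "not permitted"
    except ValueError as exc:
        _audit(user, "update_total", record_id, f"error {type(exc).__name__}")
        return "error", "request could not be processed"
```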

Integrate ISO 27001 and ISO 27032

Personally, I think it is very interesting to see both standards as a whole, not independently, because you can implement ISO 27001:2013 with the security controls of Annex A, which will help you protect the information of your business, and you can also complement it with the controls of the ISO cybersecurity standard, which will help you protect your business in cyberspace.

To learn how to comply with ISO 27001, while also implementing privacy and cybersecurity controls, sign up for a 14-day free trial of Conformio, the leading ISO 27001 compliance software.

Author: Antonio Jose Segovia
Antonio Jose Segovia is an IT Engineer, and he holds many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, the United Kingdom, the USA, Chile, Peru, and Costa Rica.