    ISO 27001 & ISO 22301 Blog

    ISO 27001 vs. ISO 27032 cybersecurity standard

    There are many standards in the ISO 27000 series, all related to security. You probably don’t know much about ISO 27032:2012, because it is not as well known as ISO 27001, ISO 27002, or ISO 22301, but it is closer to you than you think: it deals with a place you visit every day, namely cyberspace.

    “Security” is a broad term that spans several disciplines and is made up of several domains, such as application security, network security … and cybersecurity. So, cybersecurity is not a synonym for information security, application security, or network security; it overlaps with them, but it is its own domain. ISO 27032 frames the main objective of cybersecurity as getting stakeholders to play an active role in keeping cyberspace secure (i.e., it describes the actions stakeholders should take to establish and maintain security in cyberspace) and in improving its reliability and utility.

    Cybersecurity and cyberspace

    First, a few basic things. What is cyberspace? It is the virtual place where everyone around the world does business, studies, or shops. ISO 27032 defines the term as follows: “a complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.”

    Bill Gates once said: “There will be 2 types of business in the 21st century: those that are on the Internet and those that no longer exist.” He was not wrong, because today most business is carried out in cyberspace.

    And cybersecurity? In ISO 27032 it is, in short, the preservation of the confidentiality, integrity, and availability of information in cyberspace, achieved through the security measures that protect it.

    Therefore, ISO 27032 is essentially a guide that helps us make our interaction with the virtual environment of cyberspace much safer.

    Main differences between ISO 27001 and ISO 27032

    ISO 27032 is not a standard you can certify against; this is perhaps the most important difference with respect to ISO 27001, which allows an Information Security Management System (ISMS) to be certified.

    The two standards therefore have different objectives, but as we will see in this article, they are closely related. ISO 27032 mainly aims to provide guidance for cybersecurity through specific recommendations, while ISO 27001 sets requirements for establishing an ISMS. So, the focus of ISO 27001 is your organization and its ISMS, while ISO 27032 focuses on cyberspace and provides a framework for collaboration and for addressing issues that cut across the different security domains in cyberspace.

    As you will see, there are further differences between the two standards.


    Risk management, assets, threats, and vulnerabilities

    Risk can be calculated from parameters such as assets, threats, and vulnerabilities, although there are many other ways to calculate it.

    The current version, ISO 27001:2013, does not require you to consider assets, threats, and vulnerabilities in order to determine the level of risk, which makes it more flexible (in comparison to the previous version, which was built around the identification of assets, threats, and vulnerabilities). For more information about the changes related to risk assessment in ISO 27001:2013, you can read this article: What has changed in risk assessment in ISO 27001:2013?

    ISO 27032:2012, on the other hand, does specify different types of assets, but it does not contain a catalogue of threats and vulnerabilities like the one in ISO 27005 (which is a code of best practice for developing a risk management methodology). It does, however, give some examples, applied of course to cyberspace: threats are mainly divided into two types, those that affect personal assets (assets of the type “person”) and those that affect organizational assets.

    Neither standard details a risk management methodology; both simply refer to ISO 27005 or ISO 31000, which are best practices for risk management (ISO 27005 for risks related to information security, and ISO 31000 for any type of risk). However, ISO 27001 does set various requirements that the methodology you develop must cover (e.g., establishing the risk acceptance criteria, assigning a risk owner, determining residual risk, etc.).

    If you are interested in ISO 31000, consult this article: ISO 31000 and ISO 27001 – How are they related?


    Regarding controls, Annex A of ISO 27001:2013 contains 114 controls, not all of which are related to technology; many are related to the management of suppliers, the management of human resources, etc. The controls found in ISO 27032:2012, by contrast, are more specific to cybersecurity (application-level controls, server protection, end-user protection, controls against social engineering attacks, etc.).

    For its part, ISO 27001:2013 only contains a brief description of each control, and none of them refers directly to cybersecurity. The details of each control and its implementation guidance can be found in ISO 27002, while ISO 27032:2012 itself includes detailed guidance on how to implement its controls (if you want more information about the differences between ISO 27001 and ISO 27002, this article may be of interest to you: ISO 27001 vs. ISO 27002). Therefore, ISO 27001:2013 is broader and more general, while ISO 27032:2012 is more concrete and specific to cybersecurity.

    Another important component of ISO 27032:2012 is a framework for coordination and information sharing between stakeholders, which is particularly useful when managing cybersecurity-related incidents. ISO 27001:2013 also has controls in Annex A for managing incidents, but they address information security incidents within the organization rather than coordination across cyberspace.

    Integrate ISO 27001 and ISO 27032

    Personally, I think it is very interesting to see both standards as a whole rather than independently: you can implement ISO 27001:2013 with the security controls of Annex A, which will help you protect the information of your business, and complement it with the controls of ISO 27032:2012, which will help you protect your business in cyberspace.

    Antonio Jose Segovia
    Antonio Jose Segovia is an IT Engineer, and he has many professional certifications in the IT sector. He is also ISO 27001 IRCA and Lead Auditor qualified by BUREAU VERITAS in ISO 27001, ISO 20000, ISO 22301, ISO 27018, GDPR, and TISAX, as well as being an expert in information security, an ethical hacker, and a university professor in an online Master of Information Security program. With more than 10 years of experience in the IT sector, he has visited companies of all kinds in Spain, Portugal, Italy, France, United Kingdom, USA, Chile, Peru, and Costa Rica.