
ISO 27001 vs. ISO 27032 cybersecurity standard

Antonio Segovia
There are many standards in the ISO 27001 series, all related to security. You probably don’t know much about ISO 27032:2012, because it is not as well known as ISO 27001, ISO 27002, or ISO 22301, but it is closer to you than you think: it deals with a place you visit every day, cyberspace.
The word “security” is a complex term that involves various disciplines, and it is composed of various domains, like application security, network security … and cybersecurity. So, cybersecurity is not synonymous with information security, application security, network security, etc. The main objective of cybersecurity is to require stakeholders to play an active role in the maintenance of cyberspace (i.e., it requires actions that stakeholders should be taking to establish and maintain security in cyberspace) and in the improvement of its reliability and utility.

Cybersecurity and cyberspace

First, a few basic things. What is cyberspace? It is the virtual place where everyone around the world does business, studies, or shops. ISO 27032 defines the term in the following manner: “a complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.”
Bill Gates said on one occasion: “There will be 2 types of business in the 21st century: those that are on the Internet and those that no longer exist.” And he was not wrong, because currently most business is carried out in cyberspace.
And cybersecurity? Broadly, it covers everything related to the security of cyberspace and the security measures that protect it.
Therefore, this standard, ISO 27032, is basically going to provide a guide that will help us ensure that our interaction with the virtual environment of cyberspace is much safer.

Main differences between ISO 27001 and ISO 27032

ISO 27032 is not a standard that you can certify; perhaps this is one of the most important differences with respect to ISO 27001, which allows certifying an Information Security Management System (ISMS).
Therefore, both standards have different objectives, but as we will see in this article, they are closely related. ISO 27032 mainly aims to provide a guide for cybersecurity through specific recommendations, while ISO 27001 sets requirements to establish an ISMS. So, the focus of ISO 27001 is your organization and its ISMS, while ISO 27032 focuses on cyberspace and is a framework for collaboration and to address issues focused on different security domains in cyberspace.
As you will see, there are further differences between the two standards.

Risk management, assets, threats, and vulnerabilities

Risk can be calculated based on certain parameters like assets, threats, and vulnerabilities, although there are many other ways to calculate risk.
The current version of ISO 27001:2013 does not specify that you need to consider assets, threats, and vulnerabilities to determine the level of risk, which makes it more flexible (e.g., in comparison to the previous version, which was focused on assets and threats). For more information about changes related to risk assessment in ISO 27001:2013, you can read this article: What has changed in risk assessment in ISO 27001:2013?
On the other hand, ISO 27032:2012 specifies different types of assets, but it does not contain a catalogue of threats and vulnerabilities like ISO 27005 (which is a code of best practices for developing a risk management methodology). It does, however, give some examples, applied of course to cyberspace (threats are mainly divided into two types: those that affect assets of the type “person,” and those that affect assets of the type “organization”).
At this point, neither standard details a risk management methodology; they simply refer to ISO 27005 or ISO 31000, which are best practices for risk management (ISO 27005 for risks related to information security, and ISO 31000 for any type of risk). However, ISO 27001 sets various requirements that the methodology you develop should cover, e.g., establishment of the criteria for acceptance of risk, the owner of each risk, residual risk, etc.
If you are interested in ISO 31000, consult this article: ISO 31000 and ISO 27001 – How are they related?
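To make the previous paragraphs concrete, here is a small risk register in the “assets, threats, vulnerabilities” style, written as an added example for this article (it is not code from the article, from ISO, or from any ISO standard). The 1-to-5 scales, the likelihood × impact scoring, the fixed reductions each control provides, and the acceptance threshold of 6 are all assumptions for the example; ISO 27001 leaves the method and the acceptance criteria to you. What it does show is the set of things ISO 27001 asks the methodology to cover: a risk owner, an acceptance criterion, and a residual risk after controls, with assets tagged by the two types (“person” and “organization”) that ISO 27032 distinguishes.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed example: a minimal risk register. The 1..5 scales, the
# likelihood x impact scoring and the acceptance threshold are assumptions
# for this example; ISO 27001 leaves the method and the criteria to you.
SCALE = range(1, 6)
ACCEPTANCE_THRESHOLD = 6  # assumed acceptance criterion: residual score <= 6 is accepted


@dataclass
class Asset:
    name: str
    kind: str  # "person" or "organization": the two asset types ISO 27032 distinguishes

    def __post_init__(self):
        if self.kind not in ("person", "organization"):
            raise ValueError(f"unknown asset kind: {self.kind}")


@dataclass
class Control:
    """A control that lowers likelihood and/or impact by a fixed number of scale steps."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: Asset
    threat: str
    vulnerability: str
    owner: str          # ISO 27001 requires every risk to have an owner
    likelihood: int     # 1 (rare) .. 5 (almost certain)
    impact: int         # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1..5 scale")

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining after the selected controls; never drops below 1 x 1."""
        likelihood = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        impact = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return likelihood * impact

    def is_acceptable(self, threshold: int = ACCEPTANCE_THRESHOLD) -> bool:
        return self.residual_score() <= threshold


def build_register() -> List[Risk]:
    """Three constructed risks: two on organizational assets, one on people."""
    return [
        Risk(Asset("customer web portal", "organization"),
             threat="theft of customer credentials via phishing",
             vulnerability="single-factor customer login",
             owner="Head of e-commerce", likelihood=4, impact=4,
             controls=[Control("multi-factor authentication for customer accounts",
                               likelihood_reduction=2)]),
        Risk(Asset("employees using e-mail", "person"),
             threat="social engineering",
             vulnerability="no security awareness training",
             owner="HR manager", likelihood=3, impact=3,
             controls=[Control("security awareness training", likelihood_reduction=1)]),
        Risk(Asset("public website", "organization"),
             threat="defacement",
             vulnerability="outdated CMS plug-ins",
             owner="IT operations manager", likelihood=3, impact=2),
    ]


def summarize(register: List[Risk]):
    """Per-risk view: (asset, inherent score, residual score, accepted?)."""
    return [(r.asset.name, r.inherent_score(), r.residual_score(), r.is_acceptable())
            for r in register]


def treatment_plan(register: List[Risk], threshold: int = ACCEPTANCE_THRESHOLD):
    """Risks still above the acceptance criterion, with the owner who must act on them."""
    return [{"owner": r.owner, "asset": r.asset.name, "threat": r.threat,
             "residual": r.residual_score()}
            for r in register if not r.is_acceptable(threshold)]


if __name__ == "__main__":
    reg = build_register()
    for row in summarize(reg):
        print("%-25s inherent=%2d residual=%2d accepted=%s" % row)
    for item in treatment_plan(reg):
        print("needs treatment:", item)
```

Running it shows the point of a residual-risk step: the portal risk starts at 16, drops to 8 after MFA, and still sits above the assumed threshold of 6, so it stays in the treatment plan under its owner; the other two risks end at 6 and are accepted. Replace the scales and threshold with the ones your own methodology defines.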

Controls

In Annex A, ISO 27001:2013 has 114 controls, not all of which are related to technology. Many are related to the management of suppliers, management of human resources, etc. The controls found in ISO 27032:2012, however, are more specific to cybersecurity (application-level controls, server protection, end-user protection, controls against social engineering attacks, etc.).
For its part, ISO 27001:2013 only contains a brief description of each control, and none of them refers directly to cybersecurity. The detail of each control and its implementation guidance can be found in ISO 27002, while ISO 27032:2012 itself contains detailed guidance for implementation (if you want more information about the differences between ISO 27001 and ISO 27002, this article may be of interest to you: ISO 27001 vs. ISO 27002). Therefore, ISO 27001:2013 is broader and more general, while ISO 27032:2012 is more concrete and specific to cybersecurity.
Another important component that you can find in ISO 27032:2012 is a framework for coordination and exchange of information, which is particularly interesting while managing cybersecurity-related incidents that can occur. ISO 27001:2013 also has controls in Annex A to manage incidents, but they are only for incidents related to information security.

Integrate ISO 27001 and ISO 27032

Personally, I think it is very interesting to see both standards as a whole, not independently, because you can implement ISO 27001:2013 with the security controls of Annex A, which will help you to protect the information of your business, but you can also complement it with the controls of ISO 27032:2012, which will help you to protect your business in cyberspace.
