ISO 27001 vs. ISO 27032 cybersecurity standard

Antonio Segovia
There are many standards in the ISO 27001 series, all related to security. You probably don't know much about ISO 27032:2012 because it is not as well known as ISO 27001, ISO 27002, or ISO 22301, but it is closer to you than you think, because it deals with a place you visit every day: cyberspace.
"Security" is a broad term that spans several disciplines and domains, such as application security, network security, and cybersecurity. Cybersecurity is therefore not a synonym for information security, application security, or network security. ISO 27032 frames the objective of cybersecurity as getting the stakeholders in cyberspace to play an active role in maintaining it (i.e., it describes the actions stakeholders should take to establish and maintain security in cyberspace) and in improving its reliability and usefulness.

Cybersecurity and cyberspace

First, a few basic things. What is cyberspace? It is the virtual place where people around the world do business, study, or shop. ISO 27032 defines the term as "a complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form."
Bill Gates once said: "There will be 2 types of business in the 21st century: those that are on the Internet and those that no longer exist." He was not wrong, because today most business is carried out in cyberspace.
And cybersecurity? In short, it is the protection of the information and services in cyberspace by means of the security measures that guard them.
So ISO 27032 is essentially a guide that helps make our interaction with the virtual environment of cyberspace much safer.

Main differences between ISO 27001 and ISO 27032

ISO 27032 is not a standard you can certify against; this is perhaps the most important difference with respect to ISO 27001, which allows an Information Security Management System (ISMS) to be certified.
The two standards therefore have different objectives, although, as we will see in this article, they are closely related. ISO 27032 aims to provide guidance for cybersecurity through specific recommendations, while ISO 27001 sets requirements for establishing an ISMS. The focus of ISO 27001 is your organization and its ISMS; the focus of ISO 27032 is cyberspace, and it provides a framework for collaboration between stakeholders and for addressing issues across the different security domains that meet in cyberspace.
As you will see, there are further differences between the two standards.

Risk management, assets, threats, and vulnerabilities

Risk is commonly assessed in terms of assets, threats, and vulnerabilities, although there are many other ways to calculate it.
ISO 27001:2013 does not require you to identify assets, threats, and vulnerabilities in order to determine the level of risk, which makes it more flexible than the previous version, which was built around assets and threats. For more information about the changes to risk assessment in ISO 27001:2013, you can read this article: What has changed in risk assessment in ISO 27001:2013?
ISO 27032:2012, on the other hand, does describe different types of assets, but it does not contain a catalogue of threats and vulnerabilities in the way ISO 27005 (the code of best practice for developing a risk management methodology) does. It does give some examples, applied of course to cyberspace; threats are divided mainly into two types: those that affect assets of the type "person" and those that affect assets of the type "organization".
Neither standard details a risk management methodology; both refer to ISO 27005 or ISO 31000, which are best practices for risk management (ISO 27005 for information security risks, ISO 31000 for any type of risk). However, ISO 27001 sets various requirements that whatever methodology you develop must cover, e.g., risk acceptance criteria, a risk owner for every risk, and the residual risk that remains after treatment.
If you are interested in ISO 31000, consult this article: ISO 31000 and ISO 27001 – How are they related?
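To make the ISO 27001 requirements listed above concrete (a named risk owner for every risk, explicit risk acceptance criteria, and a residual risk computed after controls are applied), here is a small risk register in Python. It is an added example written for this article, not code from the article itself or from any ISO document. The 1-5 likelihood and impact scales, the acceptance threshold, and the control-effectiveness figures are assumptions chosen for illustration, and the three sample risks are constructed; a real methodology would define these criteria in the ISMS documentation.

```python
"""Minimal ISO 27001-style risk register (illustrative, not from any standard).

Computes inherent risk, residual risk after controls, checks the result against
a risk acceptance criterion, and flags risks without an owner.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: qualitative 1-5 scales, risk score = likelihood * impact (1..25).
SCALE = range(1, 6)
# Assumption: acceptance criterion set by management; residual risk at or below
# this score is accepted, anything above must be treated.
ACCEPTANCE_THRESHOLD = 6


@dataclass
class Control:
    """A control and how many points it is assumed to take off each factor."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    owner: Optional[str]          # ISO 27001 requires every risk to have an owner
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    def inherent(self) -> int:
        """Risk score before any control is taken into account."""
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Risk score after the controls' assumed reductions, floored at 1."""
        lik = max(1, self.likelihood - sum(c.likelihood_reduction for c in self.controls))
        imp = max(1, self.impact - sum(c.impact_reduction for c in self.controls))
        return lik * imp


def treatment_decision(risk: Risk, threshold: int = ACCEPTANCE_THRESHOLD) -> str:
    """Compare residual risk with the acceptance criterion."""
    return "accept" if risk.residual() <= threshold else "treat"


def validate(register: List[Risk]) -> List[str]:
    """Problems an ISO 27001 auditor would flag: every risk needs an owner."""
    return [f"{r.asset}/{r.threat}: no risk owner" for r in register if not r.owner]


def assess(register: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Return (asset, inherent, residual, decision) for each risk."""
    return [(r.asset, r.inherent(), r.residual(), treatment_decision(r)) for r in register]


def build_sample_register() -> List[Risk]:
    """Constructed sample data for illustration only."""
    return [
        Risk("Customer database", "SQL injection via web app", "Unparameterised queries",
             likelihood=4, impact=5, owner="Head of Engineering",
             controls=[Control("Parameterised queries", likelihood_reduction=3),
                       Control("Database encryption at rest", impact_reduction=1)]),
        Risk("Employees", "Phishing", "No security awareness training",
             likelihood=5, impact=3, owner="CISO",
             controls=[Control("Awareness training", likelihood_reduction=1),
                       Control("Multi-factor authentication", impact_reduction=1)]),
        Risk("Laptop fleet", "Theft", "Disks not encrypted",
             likelihood=3, impact=4, owner=None),
    ]


if __name__ == "__main__":
    register = build_sample_register()
    for asset, inherent, residual, decision in assess(register):
        print(f"{asset:18} inherent={inherent:2} residual={residual:2} -> {decision}")
    for problem in validate(register):
        print("ISSUE:", problem)
```

The register shows the three requirements side by side: the third risk is rejected by validate() because it has no owner, the first drops below the acceptance threshold once its controls are counted and is accepted, and the second stays above the threshold despite its controls and is marked for treatment.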

Controls

Annex A of ISO 27001:2013 has 114 controls, not all of which are technological; many concern the management of suppliers, human resources, and so on. The controls in ISO 27032:2012, by contrast, are specific to cybersecurity (application-level controls, server protection, end-user protection, controls against social engineering attacks, etc.).
ISO 27001:2013 gives only a brief description of each control, and none of them refers directly to cybersecurity. The detail of each control and its implementation guidance are found in ISO 27002, whereas ISO 27032:2012 contains its own detailed implementation guidance (if you want more information about the differences between ISO 27001 and ISO 27002, this article may be of interest: ISO 27001 vs. ISO 27002). In short, ISO 27001:2013 is broader and more general, while ISO 27032:2012 is more concrete and specific to cybersecurity.
Another important component of ISO 27032:2012 is a framework for coordination and information sharing between stakeholders, which is particularly useful when managing cybersecurity incidents. ISO 27001:2013 also has incident management controls in Annex A, but they address information security incidents within the organization rather than coordination across cyberspace.

Integrate ISO 27001 and ISO 27032

Personally, I think it is very interesting to see both standards as a whole rather than independently: you can implement ISO 27001:2013 with the security controls of Annex A, which will help you protect the information of your business, and complement it with the controls of ISO 27032:2012, which will help you protect your business in cyberspace.
