Skip to main content

ISO 27001 vs. ISO 27032 cybersecurity standard

Antonio Segovia
There are many standards in the ISO 27001 series, all related to security.  You probably don’t know much about ISO 27032:2012 because it is not as well-known as ISO 27001, ISO 27002, or ISO 22301, but it is near you, because it has to do with a place that you habitually visit: cyberspace.
The word “security” is a complex term that involves various disciplines, and it is composed of various domains, like application security, network security … and cybersecurity. So, cybersecurity is not synonymous with information security, application security, network security, etc. The main objective of cybersecurity is to require stakeholders to play an active role in the maintenance of cyberspace (i.e., it requires actions that stakeholders should be taking to establish and maintain security in cyberspace) and in the improvement of its reliability and utility.

Cybersecurity and cyberspace

First, a few basic things. What is cyberspace? It’s the virtual place where everyone around the world does business, studies, or buys. ISO 27032 defines the term in the following manner: “a complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.”
Bill Gates cited on one occasion: “There will be 2 types of business in the 21st century: those that are on the Internet and those that no longer exist.” And he was not wrong, because currently most business is carried out in cyberspace.
And cybersecurity? It is mainly all matters related to the security of cyberspace through the security measures that protect it.
Therefore, this standard, ISO 27032, is basically going to provide a guide that will help us ensure that our interaction with the virtual environment of cyberspace is much safer.

Main differences between ISO 27001 and ISO 27032

ISO 27032 is not a standard that you can certify; perhaps this is one of the most important differences with respect to ISO 27001, which allows certifying an Information Security Management System (ISMS).
Therefore, both standards have different objectives, but as we will see in this article, they are closely related. ISO 27032 mainly aims to provide a guide for cybersecurity through specific recommendations, while ISO 27001 sets requirements to establish an ISMS. So, the focus of ISO 27001 is your organization and its ISMS, while ISO 27032 focuses on cyberspace and is a framework for collaboration and to address issues focused on different security domains in cyberspace.
As you will see, there are further differences between the two standards.

Risk management, assets, threats, and vulnerabilities

Risk can be calculated based on certain parameters like assets, threats, and vulnerabilities, although there are many other ways to calculate risk.
The current version of ISO 27001:2013 does not specify that you need to consider assets, threats, and vulnerabilities to determine the level of risk, which makes it more flexible (e.g., in comparison to the previous version, which was focused on assets and threats). For more information about changes related to risk assessment in ISO 27001:2013, you can read this article: What has changed in risk assessment in ISO 27001:2013?
On the other hand, ISO 27032:2012 specifies different types of assets, and does not contain a catalogue of threats and vulnerabilities like ISO 27005 (it is a code of best practices to develop a risk management methodology). But, it does give some examples, applied of course to cyberspace (threats are mainly divided into two types: those that affect the assets of type person, and those that affect the assets of type organization).
At this point, neither standard details a risk management methodology; they simply refer to ISO 27005 or ISO 31000, which are best practices for risk management (ISO 27005 for risks related to information security, and ISO 31000 for any type of risk). However, ISO 27001 sets various requirements that the methodology developed should cover, e.g., establishment of the criteria for acceptance of risk, owner of the risk, residual risk, etc.).
If you are interested in ISO 31000, consult this article: ISO 31000 and ISO 27001 – How are they related?

Controls

On the other hand, in Annex A ISO 27001:2013 has 114 controls, not all of which are related to technologies. Many are related to the management of suppliers, management of human resources, etc. However, controls that can be found in ISO 27032:2012 are more specific for cybersecurity (level controls application, protection of server, end-user, social engineering attack controls, etc.).
For its part, ISO 27001:2013 only contains a brief description of each control, and none of them refers directly to cybersecurity. The detail of each control and its implementation guide can be found in ISO 27002, while in ISO 27032:2012 you can see a detailed guide for help (if you want more information about the differences between ISO 27001 and ISO 27002, this article may be of interest to you: ISO 27001 vs. ISO 27002). Therefore, ISO 27001:2013 is more extensive and global, while ISO 27032:2012 is more concrete and specific to cybersecurity.
Another important component that you can find in ISO 27032:2012 is a framework for coordination and exchange of information, which is particularly interesting while managing cybersecurity-related incidents that can occur. ISO 27001:2013 also has controls in Annex A to manage incidents, but they are only for incidents related to information security.

Integrate ISO 27001 and ISO 27032

Personally, I think it is very interesting to see both standards as a whole, not independently, because you can implement ISO 27001:2013 with the security controls of Annex A, which will help you to protect the information of your business, but you can also complement it with the controls of ISO 27032:2012, which will help you to protect your business in cyberspace.

Comments

Popular posts from this blog

Ghosting

Ghosting is to cease communications without notification. The use of the word "ghost" as a verb originated in social media in reference to dating, but the term is now used by employers to describe employees and potential employees who suddenly disappear. Typically, ghosting is used to describe: Job candidates who suddenly stop responding to messages. New hires who fail to show up for their first day of work. Employees who do not show up for a shift. Employees who leave work in the middle of the day and never come back. Some analysts blame ghosting on millennial entitlement. The reasoning is that members of the millennial generation have been brought up to feel they are special -- so special, in fact, that they do not need to follow conventional rules of behavior. Other analysts, however, maintain that ghosting behavior stems from changes in the job market and the phenomenon is simply a reflection of the laws of supply and demand in a healthy jo...

Data deduplication

Data deduplication -- often called intelligent compression or single-instance storage -- is a process that eliminates redundant copies of data and reduces storage overhead. Data deduplication techniques ensure that only one unique instance of data is retained on storage media, such as disk, flash or tape. Redundant data blocks are replaced with a pointer to the unique data copy. In that way, data deduplication closely aligns with incremental backup, which copies only the data that has changed since the previous backup. For example, a typical email system might contain 100 instances of the same 1 megabyte (MB) file attachment. If the email platform is backed up or archived, all 100 instances are saved, requiring 100 MB of storage space. With data deduplication, only one instance of the attachment is stored; each subsequent instance is referenced back to the one saved copy. In this example, a 100 MB storage demand drops to 1 MB. Target vs. source deduplication Data deduplica...

A Graphics Processing Unit (GPU)

A graphics processing unit (GPU) is a computer chip that performs rapid mathematical calculations, primarily for the purpose of rendering images. A GPU may be found integrated with a central processing unit (CPU) on the same circuit, on a graphics card or in the motherboard of a personal computer or server. In the early days of computing, the CPU performed these calculations. As more graphics-intensive applications such as AutoCAD were developed; however, their demands put strain on the CPU and degraded performance. GPUs came about as a way to offload those tasks from CPUs, freeing up their processing power. NVIDIA, AMD, Intel and ARM are some of the major players in the GPU market. GPU vs. CPU A graphics processing unit is able to render images more quickly than a central processing unit because of its parallel processing architecture, which allows it to perform multiple calculations at the same time. A single CPU does not have this capability, although multi...