My days in technology began when the Internet, cell phones, and personal computers did not exist; computers were so large at that time that just one would fill an entire room, and putting information into that computer meant typing your program, line by line, on individual punch cards. And all of that was “state of the art”! Back then, the only IT security that we worried about was the joker who might flip your box of neatly ordered punch cards out of your hands and scramble your program source code before you got it dumped into the computer. Things are very different today; however, the two categories of risk we see in the field of technology and data security do have a basis in the earlier technologies that got us here.
Cybersecurity and information security are the two halves of security that we all strive to apply today: cybersecurity deals with what we also refer to as IT security, e.g., securing routers, firewalls, usernames, etc., while information security focuses on security governance, e.g., policies, standards, etc., and the protection of people and data or assets. ISO/IEC 27032 focuses on IT security or cybersecurity, and ISO/IEC 27001 focuses on information security. Thus, ISO/IEC 27032 covers topics related to applied technology and IT security and is, therefore, very useful to frontline IT and security staff. There is often an overlap between information security and cybersecurity, as there should be, and the two concepts are often, as a result, used interchangeably, but separating them can lead to greater clarity when working in security.
The threats faced in the realm of cybersecurity include things like social engineering, hacking, malware, spyware, ransomware, etc., and these topics are addressed in ISO/IEC 27032. Now, you might reply that ISO/IEC 27001 also speaks to these topics and, to an extent, it does; however, ISO/IEC 27032 sees these threats through the lens of preparing for them, detecting and monitoring attacks, and responding to any attacks or threats.
Historically, IT has sometimes been a background service to the organization, and IT staff were seen as “that group in the basement” or similar (some TV comedies still use this as a vehicle to deliver laughs!). With this in mind, ISO/IEC 27032 addresses the need for collaboration between IT and others, including internal and external IT clients and any third-party providers to the organization. This last point reflects the emphasis on building “IT 2.0”, where IT is pulled out of its backroom team mentality to become an integrated part of the organization overall; information sharing, work coordination, and coordinated incident handling are all covered in ISO/IEC 27032.
All of the elements described above and in ISO/IEC 27032 require some processes that are not typical of where IT evolved from, such as: establishing trust between IT and its clients, establishing processes for collaboration and information exchange and sharing, and defining technical requirements for systems integration and interoperability across the stakeholder audience. To apply ISO/IEC 27032 correctly, you will obviously need some level of skill in communicating with others, and this can sometimes require the ability to express technical needs or information in non-technical terms. Not to worry though, ISO/IEC 27032 can help to guide you through all of this – at least at a high level! Cybersecurity then, as defined by ISO/IEC 27032, relies upon application security, network security, and Internet security, and it supports information security and critical information infrastructure protection (CIIP).
Stakeholders and assets are a key focus in ISO/IEC 27032, and the effort required to apply controls that address the vulnerabilities, threats, and risks relating to your assets forms the baseline of this standard. Industry best practices and innovative technology solutions to address risk, together with organizational security awareness, can all be part of a holistic risk management strategy. Because stakeholders can be individuals, e.g., an end user accessing a website, or organizations, e.g., a company trying to protect its website from compromise, the processes for managing threats, vulnerabilities, and risks vary depending on whom, what, and where you are applying them to.
As we have seen in other recently updated security standards, such as ISO/IEC 27001 and PCI-DSS, the requirements for managing threats have been augmented for both the organization and the individual with increased emphasis on security measures, such as monitoring and alerting for the organization, and requirements for security awareness and involvement all the way to members of the Board. ISO/IEC 27032 addresses these topics from a high level.
Network monitoring and response has its own section in ISO/IEC 27032, which should be a clue to the importance of this security control when it comes to protecting the organization’s network infrastructure and the assets that are accessed via the network. Baselining your network is a critical step in implementing proper monitoring, so that you can then monitor for deviations from what is normal operation for your network.
In addition, implementing an Intrusion Detection System and an Intrusion Prevention System, to help automate alerting and possibly automatic blocking of anomalous behavior on your network, is also a recommended control in ISO/IEC 27032. An often-overlooked element of proper protection of your network is having a documented support and escalation process. I have personally assisted with more than a few security incident response events where the client has had to figure out their incident response process in real time, which is never a good thing when an attacker is already inside your network. The importance of preparing for incidents in advance cannot be over-emphasized, for an organization of any size.
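To make the baseline-then-monitor idea from the two paragraphs above concrete, here is an added Python sketch (not from ISO/IEC 27032 or the author): it learns per-host “normal” traffic from a training window of constructed flow records, then raises alerts for a later window when a host exceeds its usual volume or talks on a port it never used before. The flow records, hosts, ports and thresholds are all constructed for illustration.

```python
"""Network baselining sketch: learn normal per-host behaviour from a training
window of flow records, then flag deviations in a later window.
All data below is constructed sample data, not real traffic."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (host, dst_port, bytes_out), grouped per interval.
BASELINE_WINDOW = [
    [("10.0.0.5", 443, 120_000), ("10.0.0.5", 53, 2_000), ("10.0.0.7", 443, 80_000)],
    [("10.0.0.5", 443, 110_000), ("10.0.0.5", 53, 1_800), ("10.0.0.7", 443, 90_000)],
    [("10.0.0.5", 443, 130_000), ("10.0.0.5", 53, 2_200), ("10.0.0.7", 443, 85_000)],
    [("10.0.0.5", 443, 125_000), ("10.0.0.5", 53, 2_100), ("10.0.0.7", 443, 95_000)],
]
CURRENT_WINDOW = [
    ("10.0.0.5", 443, 118_000),    # within normal range
    ("10.0.0.5", 53, 2_000),       # within normal range
    ("10.0.0.7", 443, 2_400_000),  # large outbound volume spike
    ("10.0.0.7", 22, 5_000),       # port never seen for this host in baseline
]

def build_baseline(windows):
    """Per host: set of destination ports seen and mean/stdev of bytes per interval."""
    per_interval = defaultdict(list)   # host -> [bytes_out per interval]
    ports = defaultdict(set)           # host -> {dst ports seen}
    for interval in windows:
        totals = defaultdict(int)
        for host, port, nbytes in interval:
            ports[host].add(port)
            totals[host] += nbytes
        for host, total in totals.items():
            per_interval[host].append(total)
    return {h: {"ports": ports[h], "mean": mean(v), "stdev": pstdev(v)}
            for h, v in per_interval.items()}

def detect_deviations(baseline, window, k=3.0, min_ratio=1.2):
    """Alert on unknown hosts, new destination ports, and volume above
    max(mean + k*stdev, mean*min_ratio); the ratio floor avoids a near-zero
    threshold when the training data happens to be very steady."""
    alerts, totals = [], defaultdict(int)
    for host, port, nbytes in window:
        totals[host] += nbytes
        if host not in baseline:
            alerts.append((host, "unknown_host", port))
        elif port not in baseline[host]["ports"]:
            alerts.append((host, "new_port", port))
    for host, total in totals.items():
        if host in baseline:
            b = baseline[host]
            if total > max(b["mean"] + k * b["stdev"], b["mean"] * min_ratio):
                alerts.append((host, "volume_spike", total))
    return alerts
```

In practice the baseline window would span days or weeks of flow or NetFlow data, and each alert would feed the documented escalation process rather than a list.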
The supply chain or third-party relationships are covered in various portions of ISO/IEC 27032, but as we all know, attacks on organizations via third parties that the organization deals with are a new favorite attack vector for hackers. Applying strong third-party security controls, e.g., risk assessments of third parties, security audits of third parties, strong security language in all contracts with third parties, etc., is a common recommendation by security experts globally.
ISO/IEC 27032 also speaks to secure development practices, e.g., code review and testing, protection of source code, etc., and the protection of servers, through regular security testing and scans, vulnerability and patch management, QA/Test environments separate from production, secure configurations, etc. These measures can help to protect your organization’s “crown jewels”.
For the end user, anti-malware, software updates, phishing protection, personal firewalls, and automated updates are all mentioned in ISO/IEC 27032. I would add a few things here to my security controls list, including using Mobile Device Management software, web content filtering, and file integrity monitoring.
Social engineering has become a favorite hacker vehicle for delivering ransomware and malware, and for committing fraud. Protection against, and end-user training on, phishing, vishing, smishing, and physical security threats, e.g., an intruder posing as a telecoms employee while trying to gain access to your offices, are part of ISO/IEC 27032’s content, although further details on protecting against these threats will need to come from sources beyond ISO/IEC 27032.
Because the world of cybersecurity is constantly evolving, the ISO/IEC 27032 standard must also evolve, and its Annex A helps serve this purpose by providing additional guidance on topics such as Darknet monitoring and utilizing tracebacks to reconstruct the attack path in a cyber-attack.
Before engaging in anything related to the darknet or the dark web (two terms that are often thought to mean the same thing, but they do not), research how to use these resources safely. For additional reference material, Annex B and Annex C of ISO/IEC 27032 provide further reference materials and sources.
Overall, ISO/IEC 27032 is not written like many other ISO standards; it is more conversational in nature and is meant to provide high-level guidance on how to address cybersecurity in your organization. Combining ISO/IEC 27032 with other ISO resources will provide the best result when you are building your full management system for security and privacy.