ISO/IEC 27032:2023 Cybersecurity – Guidelines for Internet security was released in June, replacing ISO/IEC 27032:2012 Information technology – Security techniques – Guidelines for cybersecurity.
The Internet is a global network that organisations use for all their communications. Because attackers target these networks, addressing the associated security risks is essential.
This standard focuses on Internet security issues and guides how to address common Internet security threats such as social engineering attacks, zero-day attacks, privacy breaches, hacking attacks, and the spread of malware, spyware and other potentially unwanted software.
The guidance in this document provides technical and non-technical controls to address Internet security risks, including controls to prepare for attacks, prevent attacks, detect and monitor attacks, and respond to attacks.
The guidelines focus on providing industry best practices and broad consumer and employee education to help stakeholders actively address Internet security issues. The document also focuses on preserving the confidentiality, integrity and availability of information on the Internet and on other characteristics such as authenticity, accountability, non-repudiation and reliability that may also be considered.
Given the scope of this standard document, these controls are described at a high level. The document references detailed technical standards and guidelines applicable to each area for further explanation. Annex A provides the relationships between the controls in this document and those in ISO/IEC 27002.
This standard does not explicitly address the controls organisations may require for systems supporting critical infrastructure or national security. However, most of the controls in this document can be applied to such systems.
The new ISO/IEC 27032:2023 provides:
- an explanation of the relationship between Internet security, web security, network security and cyber security;
- an overview of Internet security;
- identification of stakeholders and a description of their roles in Internet security;
- high-level guidance for dealing with common Internet security issues.
This standard is intended for all organisations that use the Internet.