Cybersecurity according to the ISO 27032 standard

“Cybersecurity”, a term that is sometimes used improperly, is now a business issue that affects organizations of all sectors and sizes, which must address the related risks through the adoption of appropriate operational controls.

The standard ISO/IEC 27032:2012 “Information technology – Security techniques – Guidelines for cybersecurity” provides a useful reference in the form of guidelines for addressing security in “Cyberspace”, where “Cyberspace” means the complex environment resulting from the interaction of people, software and services on the Internet through the use of technological devices and network connections, an environment that does not exist in physical form. “Cybersecurity” is therefore understood as the preservation of the objectives of integrity, availability and confidentiality of the information processed in “Cyberspace”.

The definition of “Cybersecurity” provided by the ISO 27032 standard is perfectly aligned with the definition of Information Security taken both from the ISO 27001 standard for information security management systems (the ISO 27032 standard belongs to the family of the ISO 27000 series) and from the GDPR on the subject of “privacy” (personal data are a particular category of information).

“Cybersecurity” can therefore be correctly understood as that subset of the more general information security issue that specifically addresses IT security aspects (“IT Security”), such as threats from social engineering attacks, hacking, malware, spyware, etc. (while information security also includes the security of the physical and environmental aspects and of the organizational and human resources aspects).

In particular, aspects such as Application Security, Network Security and Internet Security fall within the domain of “Cybersecurity”. Application Security can be understood as the set of monitoring and operational control processes for the risks affecting the software applications used by an Organization. These monitoring and operational controls may concern the software itself, the data it handles and the IT infrastructure that supports it. Network Security concerns the design, implementation and operation of networks in order to pursue security objectives both within the Organization and between it and other Organizations. Internet Security concerns the protection of Internet Services and the related IT infrastructure and Network Services. It can be seen as an extension of Network Security in which the pursuit of availability and continuity objectives for the Service is also particularly important.

On the other hand, some topics are not strictly part of Cybersecurity but are related to it, such as Critical Information Infrastructure Protection (CIIP), which concerns the protection and resilience of those systems and related IT infrastructures that support the delivery of critical services (e.g. public services, telecommunications, etc.); Cybercrime, which concerns criminal activities where services and applications in Cyberspace are either the target of a crime or the tool used to commit it; and Cybersafety, which concerns protection against the consequences (physical, social, psychological, economic, political, etc.) of events or accidents that take place in Cyberspace. The increasingly topical scenario of Cyberwar also falls into this context.