ISO/IEC 27032:2023
Cybersecurity - Guidelines for Internet security
This document provides:
- an explanation of the relationship between Internet security, web security, network security and cybersecurity;
- an overview of Internet security;
- identification of interested parties and a description of their roles in Internet security;
- high-level guidance for addressing common Internet security issues.
This document is intended for organizations that use the Internet.
Cybersécurité — Lignes directrices relatives à la sécurité sur l’internet
General Information
- Status: Published
- Publication Date: 27-Jun-2023
- Drafting Committee: ISO/IEC JTC 1/SC 27/WG 4 - Security controls and services
- Current Stage: 6060 - International Standard published
- Start Date: 28-Jun-2023
- Due Date: 13-Sep-2023
- Completion Date: 27-Jun-2023
Relations
- Revises: ISO/IEC 27032:2012 - Information technology - Security techniques - Guidelines for cybersecurity
- Effective Date: 16-Jun-2018
Overview
ISO/IEC 27032:2023 - Cybersecurity - Guidelines for Internet security provides high-level guidance to help organizations protect information and services used over the Internet. The second edition (2023) clarifies the relationship between Internet security, web security, network security and cybersecurity, identifies interested parties and roles, and presents a risk-based approach to common Internet security issues. It is intended for any organization that uses the Internet and seeks to improve protection of confidentiality, integrity and availability of online information.
Key topics and technical areas
This standard focuses on practical, high-level controls and risk management for Internet-facing systems. Key topics include:
- Relationship and scope: how Internet security relates to web security, network security and broader cybersecurity frameworks.
- Interested parties and roles: users, coordinators, standardization bodies, governments, law enforcement and ISPs.
- Internet security risk assessment and treatment:
  - Threats, vulnerabilities and attack vectors (including blended attacks, botnets, IoT vectors).
- Security guidelines and controls (high-level), such as:
  - Policies for Internet security and governance
  - Access control and endpoint device management
  - Education, awareness and training
  - Security incident management and monitoring
  - Asset, supplier and change management
  - Business continuity and privacy protection over the Internet
  - Vulnerability management, network management and protection against malware
  - Application security for Internet-facing applications
  - Use of cryptography and compliance with legislation
- Mapping to ISO/IEC 27002: Annex A cross-references controls to ISO/IEC 27002 for alignment with established ISMS practices.
Practical applications - who should use it
ISO/IEC 27032:2023 is useful for:
- CISOs, security architects and IT managers designing Internet-facing services
- Risk and compliance teams aligning Internet security with an ISMS
- Service providers and ISPs coordinating security roles and incident response
- Developers and application security teams securing web and cloud applications
- Organizations seeking guidance on education, vendor management and privacy risk over the Internet
Practical benefits include improved incident preparedness, clearer role definitions for multi-stakeholder Internet security, and a risk-focused checklist for mitigating common online threats (social engineering, zero-day attacks, malware, hacking).
Related standards
- ISO/IEC 27000 series (overview and vocabulary)
- ISO/IEC 27002 (information security controls) - Annex A provides cross-references
- ISO/IEC 27033 series (network security), ISO/IEC TS 27100 and ISO/IEC 27701 (privacy) for deeper technical or privacy-specific guidance
ISO/IEC 27032:2023 is a high-level, actionable guideline to strengthen Internet security posture and align cyber risk management with global best practices.
Frequently Asked Questions
ISO/IEC 27032:2023 is a standard published by the International Organization for Standardization (ISO). Its full title is "Cybersecurity - Guidelines for Internet security". This standard covers: an explanation of the relationship between Internet security, web security, network security and cybersecurity; an overview of Internet security; identification of interested parties and a description of their roles in Internet security; and high-level guidance for addressing common Internet security issues. This document is intended for organizations that use the Internet.
ISO/IEC 27032:2023 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.
ISO/IEC 27032:2023 has the following relationship with other standards: it revises ISO/IEC 27032:2012. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.
You can purchase ISO/IEC 27032:2023 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.
Standards Content (Sample)
INTERNATIONAL STANDARD ISO/IEC 27032
Second edition 2023-06
Cybersecurity — Guidelines for Internet security
Cybersécurité — Lignes directrices relatives à la sécurité sur l’internet
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
© ISO/IEC 2023 – All rights reserved
Contents
Foreword ... iv
Introduction ... v
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 1
4 Abbreviated terms ... 4
5 Relationship between Internet security, web security, network security and cybersecurity ... 5
6 Overview of Internet security ... 7
7 Interested parties ... 8
7.1 General ... 8
7.2 Users ... 9
7.3 Coordinator and standardization organisations ... 10
7.4 Government authorities ... 10
7.5 Law enforcement agencies ... 10
7.6 Internet service providers ... 10
8 Internet security risk assessment and treatment ... 11
8.1 General ... 11
8.2 Threats ... 11
8.3 Vulnerabilities ... 12
8.4 Attack vectors ... 12
9 Security guidelines for the Internet ... 13
9.1 General ... 13
9.2 Controls for Internet security ... 14
9.2.1 General ... 14
9.2.2 Policies for Internet security ... 14
9.2.3 Access control ... 14
9.2.4 Education, awareness and training ... 15
9.2.5 Security incident management ... 15
9.2.6 Asset management ... 17
9.2.7 Supplier management ... 17
9.2.8 Business continuity over the Internet ... 18
9.2.9 Privacy protection over the Internet ... 18
9.2.10 Vulnerability management ... 19
9.2.11 Network management ... 20
9.2.12 Protection against malware ... 21
9.2.13 Change management ... 21
9.2.14 Identification of applicable legislation and compliance requirements ... 22
9.2.15 Use of cryptography ... 22
9.2.16 Application security for Internet-facing applications ... 22
9.2.17 Endpoint device management ... 24
9.2.18 Monitoring ... 24
Annex A (informative) Cross-references between this document and ISO/IEC 27002 ... 25
Bibliography ... 27
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.
The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).
ISO and IEC draw attention to the possibility that the implementation of this document may involve the
use of (a) patent(s). ISO and IEC take no position concerning the evidence, validity or applicability of
any claimed patent rights in respect thereof. As of the date of publication of this document, ISO and IEC
had not received notice of (a) patent(s) which may be required to implement this document. However,
implementers are cautioned that this may not represent the latest information, which may be obtained
from the patent database available at www.iso.org/patents and https://patents.iec.ch. ISO and IEC shall
not be held responsible for identifying any or all such patent rights.
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology,
Subcommittee SC 27, Information security, cybersecurity and privacy protection.
This second edition cancels and replaces the first edition (ISO/IEC 27032:2012) which has been
technically revised.
The main changes are as follows:
— the title has been modified;
— the structure of the document has been changed;
— the risk assessment and treatment approach has been changed, with the addition of content on
threats, vulnerabilities and attack vectors to identify and manage the Internet security risks;
— a mapping between the controls for Internet security cited in 9.2 and the controls contained in
ISO/IEC 27002 has been added to Annex A.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.
Introduction
The focus of this document is to address Internet security issues and provide guidance for addressing
common Internet security threats, such as:
— social engineering attacks;
— zero-day attacks;
— privacy attacks;
— hacking; and
— the proliferation of malicious software (malware), spyware and other potentially unwanted
software.
The guidance within this document provides technical and non-technical controls for addressing the
Internet security risks, including controls for:
— preparing for attacks;
— preventing attacks;
— detecting and monitoring attacks; and
— responding to attacks.
The guidance focuses on providing industry best practices, broad consumer and employee education
to assist interested parties in playing an active role to address the Internet security challenges. The
document also focuses on preservation of confidentiality, integrity and availability of information over
the Internet and other properties, such as authenticity, accountability, non-repudiation and reliability
that can also be involved.
This includes Internet security guidance for:
— roles;
— policies;
— methods;
— processes; and
— applicable technical controls.
Given the scope of this document, the controls provided are necessarily at a high-level. Detailed
technical specification standards and guidelines applicable to each area are referenced within the
document for further guidance. See Annex A for the correspondence between the controls cited in this
document and those in ISO/IEC 27002.
This document does not specifically address controls that organizations can require for systems
supporting critical infrastructure or national security. However, most of the controls mentioned in this
document can be applied to such systems.
This document uses existing concepts from ISO/IEC 27002, the ISO/IEC 27033 series, ISO/IEC TS 27100
and ISO/IEC 27701, to illustrate:
— the relationship between Internet security, web security, network security and cybersecurity;
— detailed guidance on Internet security controls cited in 9.2, addressing cyber-security readiness for
Internet-facing systems.
As mentioned in ISO/IEC TS 27100, the Internet is a global network, used by organizations for all
communications, both digital and voice. Given that some users target attacks towards these networks,
it is critical to address the relevant security risks.
INTERNATIONAL STANDARD ISO/IEC 27032:2023(E)
Cybersecurity — Guidelines for Internet security
1 Scope
This document provides:
— an explanation of the relationship between Internet security, web security, network security and
cybersecurity;
— an overview of Internet security;
— identification of interested parties and a description of their roles in Internet security;
— high-level guidance for addressing common Internet security issues.
This document is intended for organizations that use the Internet.
2 Normative references
The following documents are referred to in the text in such a way that some or all of their content
constitutes requirements of this document. For dated references, only the edition cited applies. For
undated references, the latest edition of the referenced document (including any amendments) applies.
ISO/IEC 27000, Information technology — Security techniques — Information security management
systems — Overview and vocabulary
3 Terms and definitions
For the purposes of this document, the terms and definitions given in ISO/IEC 27000, and the following
apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— ISO Online browsing platform: available at https://www.iso.org/obp
— IEC Electropedia: available at https://www.electropedia.org/
3.1
attack vector
path or means by which an attacker can gain access to a computer or network server in order to deliver
a malicious outcome
EXAMPLE 1 IoT devices.
EXAMPLE 2 Smart phones.
3.2
attacker
person deliberately exploiting vulnerabilities in technical and non-technical security controls in order
to steal or compromise information systems and networks, or to compromise availability to legitimate
users of information system and network resources
[SOURCE: ISO/IEC 27033-1:2015, 3.3]
3.3
blended attack
attack that seeks to maximize the severity of damage and speed of contagion by combining multiple
attack vectors (3.1)
3.4
bot
automated software program used to carry out specific tasks
Note 1 to entry: This word is often used to describe programs, usually run on a server, that automate tasks such
as forwarding or sorting e-mail.
Note 2 to entry: A bot is also described as a program that operates as an agent for a user or another program or
simulates a human activity. On the Internet, the most ubiquitous bots are the programs, also called spiders or
crawlers, which access websites and gather their content for search engine indexes.
3.5
botnet
collection of remotely controlled malicious bots that run autonomously or automatically on
compromised computers
EXAMPLE Distributed denial-of-service (DDoS) nodes, where the botnet controller can direct the user’s
computer to generate traffic to a third-party site as part of a coordinated DDoS attack.
3.6
cybersecurity
safeguarding of people, society, organizations and nations from cyber risks
Note 1 to entry: Safeguarding means to keep cyber risk at a tolerable level.
[SOURCE: ISO/IEC TS 27100:2020, 3.2]
3.7
dark net
network of secret websites within the Internet that can only be accessed with specific software
Note 1 to entry: The dark net is also known as the dark web.
3.8
deceptive software
software which performs activities on a user's computer without first notifying the user as to exactly
what the software will do on the computer, or asking the user for consent to these actions
EXAMPLE 1 A program that hijacks user configurations.
EXAMPLE 2 A program that causes endless popup advertisements which cannot be easily stopped by the user.
EXAMPLE 3 Adware and spyware.
3.9
hacking
intentionally accessing a computer system without the authorization of the user or the owner
3.10
hacktivism
hacking (3.9) for a politically or socially motivated purpose
3.11
Internet
global system of inter-connected networks in the public domain
[SOURCE: ISO/IEC 27033-1:2015, 3.14, modified — “the” has been deleted from the term.]
3.12
Internet security
preservation of confidentiality, integrity and availability of information over the Internet (3.11)
Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation and reliability
can also be involved.
Note 2 to entry: Please refer to definitions on confidentiality, integrity, availability, authenticity, accountability,
non-repudiation and reliability in ISO/IEC 27000:2018, Clause 3.
3.13
Internet service provider
ISP
organization that provides Internet services to a user and enables its customers access to the Internet
(3.11)
Note 1 to entry: Also, sometimes referred to as an Internet access provider (IAP).
3.14
malicious content
applications, documents, files, data or other resources that have malicious features or capabilities
embedded, disguised or hidden in them
3.15
malware
malicious software
software designed with malicious intent containing features or capabilities that can potentially cause
harm directly or indirectly to the user and/or the user’s computer system
EXAMPLE Viruses, worms and trojans.
3.16
organization
person or group of people that has its own functions with responsibilities, authorities and relationships
to achieve its objectives
Note 1 to entry: In the context of this document, an individual is distinct from an organization.
Note 2 to entry: In general, a government is also an organization. In the context of this document, governments
can be considered separately from other organizations for clarity.
[SOURCE: ISO 9000:2015, 3.2.1, modified — Note 1 to entry and Note 2 to entry have been replaced.]
3.17
phishing
fraudulent process of attempting to acquire private or confidential information by masquerading as a
trustworthy entity in an electronic communication
Note 1 to entry: Phishing can be accomplished by using social engineering or technical deception.
3.18
potentially unwanted software
deceptive software (3.8), including malicious (3.15) and non-malicious software, that exhibits the
characteristics of deceptive software
3.19
spam
unsolicited emails that can carry malicious content and/or scam messages
Note 1 to entry: While the most widely recognized form of spam is e-mail spam, the term is applied to similar
abuses in other media: instant messaging spam, Usenet newsgroup spam, Web search engine spam, spam in
blogs, wiki spam, mobile phone messaging spam, Internet forum spam and junk fax transmissions.
[SOURCE: ISO/IEC 27033-1:2015, 3.37, modified — Note 1 to entry has been added.]
3.20
spyware
deceptive software (3.8), that collects private or confidential information from a computer user
Note 1 to entry: Information can include matters such as websites most frequently visited or more sensitive
information such as passwords.
3.21
threat
potential cause of an unwanted incident, which can result in harm to a system, individual or organization
(3.16)
3.22
trojan
malware (3.15) that appears to perform a desirable function for the user but that misleads the user as to
its true intent
3.23
vishing
voice phishing done to acquire private or confidential information by masquerading as a trustworthy
entity
Note 1 to entry: Vishing can be conducted by voice email, VoIP (voice over IP), or landline or cellular telephone.
3.24
waterhole technique
technique inciting people to access a website that specifically contains (lots of) malware
Note 1 to entry: Waterhole is also known as watering hole.
3.25
World Wide Web
Web
universe of network-accessible information and services
[SOURCE: ISO 19101-1:2014, 4.1.40]
4 Abbreviated terms
The following abbreviated terms are used in this document.
AI artificial intelligence
API application programming interface
APT advanced persistent threat
BYOD bring your own device
CERT computer emergency response team
DDoS distributed denial-of-service
DLP data loss prevention
DMZ demilitarized zone
DNS domain name system
DoS denial-of-service
EDR endpoint detection and response
FTP file transfer protocol
HTTP hypertext transfer protocol
HTTPS hypertext transfer protocol over secure socket layer
ICANN internet corporation for assigned names and numbers
ICT information and communications technology
IDS intrusion detection system
IETF Internet engineering task force
IMT incident management team
IoT internet of things
IP Internet protocol
IPS intrusion prevention system
ISP Internet service provider
ISV independent software vendor
IRT incident response team
ISMS information security management system
OWASP open web application security project
PII personally identifiable information
SDLC software development life cycle
SIEM security information and event management
SME small and medium enterprises
URL uniform resource locator
USB universal serial bus
VPN virtual private network
W3C World Wide Web consortium
WWW World Wide Web
5 Relationship between Internet security, web security, network security and cybersecurity
Figure 1 shows a high-level view of the relationship between Internet security, web security, network
security and cybersecurity.
Figure 1 — Relationship between Internet security, web security, network security and cybersecurity
The Internet is a global system of inter-connected digital networks in the public domain. The
information exchange on the Internet also uses the mobile telephony network that is hence part of the
Internet. This global network connects billions of servers, computers, and other hardware devices. Each
device is connected with any other device through its connection to the Internet. The Internet creates
an environment which is conducive to information sharing.
Internet security is concerned with protecting Internet-related services and related ICT systems and
networks as an extension of network security. These efforts aim to reduce Internet related security
risks for organizations, customers and other relevant stakeholders.
Internet security also ensures the availability and reliability of Internet services. Over the Internet,
various services are on offer, such as file transfer services, mail services or any services that can be
publicly shared with the end users. In this context, Internet security deals with the secure delivery of
these services over the public network.
The web is one of the ways information is shared on the Internet [others include email, file transfer
protocol (FTP), and instant messaging services]. The web is composed of billions of connected digital
documents that can be viewed using a web browser. A website is a set of related web pages that are
prepared and maintained as a collection in support of a single purpose.
Web security deals with information security in the context of World Wide Web (WWW) and with web
services accessed over the public network. The web service is enabled by the use of HTTP protocol in
which any registered publicly available URL can be accessed. Web security also deals with security of
this HTTP connection used for information exchange.
A network can include components such as routers, hubs, cabling, telecommunications controllers,
key distribution centres, and technical control devices. Network security broadly covers all kinds of
networks that exist within an organization from local area network, wide area network, personal area
network and wireless networks.
Network security is concerned with the design, implementation, operation and improvement of
networks, as well as the identification and treatment of network-related security risks within
organizations, between organizations, and between organizations and users.
Cybersecurity concerns managing information security risks when information is in digital form in
computers, storage and networks. Many of the information security controls, methods, and techniques
can be applied to manage cyber risks.
Cybersecurity also deals with protecting Internet-connected systems including hardware, software,
programs and data from potential attacks. Many of these attacks are characterized by targeted and
blended attacks with a high degree of sophistication and persistence. The threats can be Internet-
based and/or threats due to connectivity with other networks and systems within the organization or
customer and service provider’s network, to which the organization communicates during the normal
course of business.
6 Overview of Internet security
The personally identifiable information (PII) of Internet users is captured by many sites and services
offered on the Internet. This includes application service providers who closely track user activities and
use artificial intelligence (AI) techniques to provide recommendations for purchases, healthcare, time
management and a host of other feedback intending to make their lives and tasks easier to manage. Many
of these sites collect this data without the users’ permission and provide this data to other third parties
for monetary gain, again without the users' knowledge. Interested parties have been establishing their
presence on the Internet through websites, conducting e-Commerce on a global scale, providing digital
services on the Internet, using public cloud services to deliver services and using web-based business
applications and services.
Many uses of the Internet involve exchange of information and provision of services that do not concern
people and PII. PII varies by jurisdiction. The security of such information and services can be critical to
interested parties. Furthermore, the range of hardware connected to the Internet as either individual
devices or private networks is increasing rapidly in the so-called Internet of things. Autonomy and
application of artificial intelligence within the Internet of things creates challenging Internet security
requirements.
While the Internet can facilitate significant business outcomes, there are always many security risks
to be managed. It is important to remember that the Internet was not originally designed with security
features in mind. Organizations rely heavily on the use of the Internet to conduct their business. Owing
to a low level of trust associated with the Internet, business operations can face significant adverse
consequences from the loss of confidentiality, integrity, and availability of information and services, if
not adequately controlled.
While some individuals are careful in managing their online identity, most people upload details of
their personal profiles to share with others. Profiles on many sites, in particular social networking
sites and chat rooms, can be downloaded and stored by other parties. This can lead to the creation of a
digital dossier of personal data that can be misused, disclosed to other parties, or used for secondary
data collection. While the accuracy and integrity of this data are questionable, they create links to
individuals and organizations that often cannot be completely erased. These developments in the
communication, entertainment, transportation, shopping, financial, insurance, and healthcare domains
create new risks to interested parties on the Internet. Thus, risks can be associated with loss of privacy
over the Internet.
The convergence of information and communication technologies, the ease of getting into the Internet
from desktops, laptops to mobile and IoT devices, and the narrowing of personal space between
individuals, are gaining the attention of malicious actors and criminal organizations.
These entities are using mechanisms such as phishing, spam and spyware, as well as developing attack
techniques like zero-day attacks, vishing, malicious websites and other deception techniques to exploit
any weaknesses they can discover on the Internet.
In recent years, security attacks on the Internet have evolved from hacking for personal fame to
organized crime or cybercrime. A plethora of tools and processes previously observed in isolated
cybersecurity incidents are now being used together in multi-blended attacks, often with far reaching
malicious objectives.
Many of these tools are also available on public software repositories and other publicly available
resources. The objectives of an attack range from personal attacks, identity theft, financial frauds or
thefts, to hacktivism and information manipulation on the Internet. Much of the stolen personal data and
customer data are also made available on the dark net, which can be publicly accessible. Organizations,
and SMEs in particular, should understand the real consequences of “manipulating” information on the
Internet. These security risks are the cyber risks to the users accessing the Internet.
As the Internet is a global public network, transactions can originate from any part of the world, as can
attacks. The multiple modes of business transactions that are carried out on the Internet are becoming
the target of cybercrime syndicates. Ranging from business-to-business, business-to-consumer to
consumer-to-consumer services, the risks posed are inherently complex.
Another complexity arises from the fact that all interested parties, even when they are not malicious,
have a different view on their needs, requirements and threats, hence they have a different list of risks
and controls to counter them. This means that there is no “one size fits all” solution.
Criteria such as what constitutes a transaction or an agreement are dependent on the specific legal
and regulatory environments across jurisdictions. These criteria also depend on the interpretation of
the law and how each party in the relationship manages their liability. Often, the issue of using data
collected during the transaction or relationship is not addressed adequately. This can eventually lead to
security concerns such as the leakage of information.
The legal and technical challenges posed by these Internet issues are far-reaching and global in
nature. The challenges can only be addressed through collaboration between the information security
technical community, legal community and different regions to adopt a coherent strategy. This strategy
should take into account the role of each interested party and existing initiatives, within a framework
of international cooperation.
Information travels through the Internet instantly, meaning that attacks can also happen instantly. As
these speeds are not easily apprehended by the human mind, the attack is always discovered a long time
after it occurred, by which time the damage is potentially already huge. In most cases, the identity of the
attackers is hidden. Therefore, the use of artificial intelligence (AI) is frequently proposed to counter the attacks.
7 Interested parties
7.1 General
Interested parties of Internet security include those who:
— use services over the Internet;
— use the Internet to provide services;
— provide the infrastructure and communicating capabilities of the Internet;
— globally coordinate the operation of the Internet;
— provide and enforce laws and regulations.
The interested parties of Internet security can be categorized as users (7.2), coordinators and
standardization organizations (7.3), government authorities (7.4), law enforcement agencies (7.5) and
Internet service providers (7.6).
© ISO/IEC 2023 – All rights reserved
7.2 Users
“Users” is a term that refers to individuals and end-users, as well as private and public organizations using
the Internet. Private organizations include small and medium enterprises (SMEs), as well as large
enterprises. Government and other public agencies are collectively referred to as public organizations.
An individual or an organization becomes a user when they access the Internet or any services available
over the Internet. Users can make use of Internet services and view or collect information. They can also
contribute specific information that stays within an application’s space, is open to limited members
or groups within the application’s space, or is open to the general public.
User roles can include, but are not limited to, the following:
— general Internet application user, or general user, such as online game player, instant messenger
user, or web surfer;
— buyer/seller, involved in placing goods and services on online auction and marketplace sites for
interested buyers, and vice versa;
— blogger and other content contributor (for example, an author of an article on a wiki), in which
information in text and multimedia (for example, video clips) is published for consumption by the general
public or a limited audience;
— member of an organization (such as an employee of a company, or other form of association with a
company);
— other roles, whereby a user can be assigned a role unintentionally or without their consent.
EXAMPLE 1 When a user visits a site which requires authorization, and intentionally or unintentionally gains
access, the user can be labelled as an intruder.
EXAMPLE 2 An individual, acting as buyer or seller, can unknowingly participate in criminal transactions of
selling stolen goods or money laundering activities.
Organizations often use the Internet to publicize company and related information, as well as market
related products and services. Organizations also utilize the Internet as part of their network for
delivery and receipt of electronic messages (for example, emails) and other documents (for example,
file transfer).
In line with the same principles of being a good corporate citizen, these organizations should extend
their corporate responsibilities to the Internet by proactively ensuring that their practices and actions
in their Internet usage do not introduce further security risks into the Internet user community.
Some proactive measures include:
— information security management by implementing and operating an effective information
security management system (ISMS) (see ISO/IEC 27001 for requirements for information security
management systems);
— implementing controls based on ISO/IEC 27002 and other relevant standards, without operating an
ISMS;
— security monitoring and incident response;
— incorporating security as part of the software development life-cycle (SDLC), where the level of
security built into systems should be determined based on the criticality of the organization’s data;
— regular security education of users in the organization through continuous technology and process
updates and keeping track of latest technology developments; and
— understanding and using proper channels in communicating with vendors and service providers on
security issues discovered during usage.
7.3 Coordinator and standardization organizations
Coordinator and standardization organizations (ICANN, IETF, W3C, etc.) develop technical standards on
the use of the Internet and the services provided by the service providers. They advise organizations of
their roles and responsibilities on the Internet.
7.4 Government authorities
Governments hold information on national security, strategic, military, intelligence issues among many
other elements relating to the government and state, but also a vast array of information on individuals,
organizations and society as a whole.
Governments should protect their own country’s infrastructure and information from unauthorized
access and exploitation. There is a growing and expanding trend of offering e-government services using
the Internet. This is a new channel, among others, to launch attacks and access the abovementioned
information which, if successful, can result in serious impact to a region, its government and society.
Government authorities play a coordination role between law enforcement agencies and are the
primary coordinator for disseminating information and orchestrating any required resources, both
at national-level and corporate level, in times of crisis arising from a massive cyber-attack. This also
includes authorities like CERT and similar organizations that are entrusted with such responsibilities
depending on the specific region in context.
Governments mandate cybersecurity education programmes for universities and high schools, and
ensure that an appropriate public-private-partnership is organized with the necessary legal structure,
that organizes the law enforcement agencies and defines their missions.
7.5 Law enforcement agencies
Law enforcement agencies enforce the regulations and hold all interested parties accountable in terms
of their compliance with the relevant regulations within their national jurisdiction.
7.6 Internet service providers
Service providing organizations can include two categories:
— providers of access to the Internet for employees and partners;
— providers of services to consumers of the Internet.
These services are provided either to a closed community (for example, registered users), or the
general public, through the delivery of applications including cloud-service providers over the Internet.
A consumer can also be a service provider, if it in turn provides a service over the Internet or enables
another consumer to access the Internet.
Service providers can also be understood as carriers or wholesalers, versus distributors and retailers
of access services. This distinction is important from a security and, especially, law enforcement
perspective. In the event that a distributor or retailer is unable to provide adequate security or lawful
access, support services often default back to the carrier or wholesaler. Internet service providers
(ISPs) can provide support by supervising the “traffic” and providing alternative routes or hosts for
traffic control. They can also look for “dangerous” transfers over the Internet. With the necessary legal
authorizations and those of the users, they can filter what is dangerous, as is the case with solutions
providing “sandboxes” to verify transferred files for malware. ISPs can warn their customers when
they discover threat patterns.
8 Internet security risk assessment and treatment
8.1 General
ISO 31000 provides principles and generic guidelines on risk management while ISO/IEC 27005 provides
guidelines and processes for information security risk management in an organization, supporting
the requirements of an ISMS according to ISO/IEC 27001. The guidelines and processes provided by
these documents are recommended for addressing risk management in the context of the Internet. It
is the responsibility of the interested parties to define their approach for risk management. Several
existing methodologies can be used under the framework described in ISO/IEC 27005 to conduct a risk
assessment and manage the risks associated with the organization’s use of the Internet, considering the
relevant threats and vulnerabilities and the Internet security issues.
In organizations with limited resources, the selection of controls should balance the organization’s
security needs against the resources available, to avoid errors in the selection of controls. An
inappropriate selection of controls may result in additional risks or ineffective controls.
8.2 Threats
A threat agent is an individual or group of individuals who have any role in the execution or support
of an attack. Thorough understanding of their motives (religious, political, economic, etc.), capabilities
(knowledge, funding, size, etc.) and intentions (fun, crime, espionage, etc.) is critical in the assessment
of vulnerabilities and risks, as well as in the development and deployment of controls.
Malware can result in the compromise of security controls (e.g. capture and disclosure of passwords),
unintended disclosure of information, unintended changes to information, destruction of information,
and/or unauthorized use of system resources. Malware is commonly delivered through viruses, worms,
and trojans with far-reaching consequences.
A virus is an executable and replicable program that inserts its own code into legitimate programs
with the objective of damaging the host computer (i.e. deleting files and programs, corrupting storage
and operating systems). In its simplest state, a worm is a computer program meant to self-replicate and
spread to other computers through outbound messages to all the addresses in a user's contact list to
drain a system’s resources. Additionally, just like a virus, a worm can propagate code that can damage
its host. Such code is referred to as a payload (e.g. the ability to encrypt files in ransomware and the
installation of system backdoors that enable remote access). A trojan is a malicious program disguised
as or embedded within legitimate software
...