Implementation of a Cybersecurity Framework ISO 27032

The concept of Cyberspace requires a broader vision of information security concepts than those considered until now. This new concept brings together aspects related to the interaction of people, software, and services on the Internet, supported by ICT environments distributed around the world with a complexity and uniqueness that was unimaginable a few years ago.

To address the challenges of Cybersecurity, which consists of security in Cyberspace, the ISO/IEC 27032 standard emerges, defining guidelines in this field and focusing on two areas: on one hand, covering the gaps not addressed by previous security standards within this broader conceptual scope, where new attacks and associated risks appear; and on the other hand, the collaboration process among the actors operating in the current environment, commonly referred to as a CyberSecurity Framework or CSF.

Considering the challenge of current Cybersecurity scenarios and thanks to the extensive experience of the Internet Security Auditors team, we designed a methodology that enables the implementation of a CSF based on the ISO/IEC 27032:2012 standard, which includes four work focuses or domains:



Information Security

Information Security

Network Security

Network Security

Internet Security

Internet Security

Protection of Critical Information Infrastructure

Protection of Critical Information Infrastructure

The Cybersecurity Framework to be developed will take a risk management approach in 4 areas:

 

Prevention

Prevention is based on the implementation of measures and controls that limit and contain the impacts of potential cybersecurity events.

Protection and Detection

Where controls aimed at security management and monitoring of security events are implemented in order to detect and protect against such events.

Response and Communication

We must be prepared for potential cybersecurity-related incidents, and this will consist of actions to mitigate adverse elements once they have materialized.

Recovery and Learning

Actions to restore systems and services related to cyberspace, and procedures will be defined to reduce the likelihood of these incidents occurring.

The process followed in our methodology is carried out in five phases.

 

Implementation methodology

Phase I: Understanding the Organization

In this first phase, significant work is carried out to immerse in the company’s processes in order to understand how they operate and how their services make use of Cyberspace. To perform this task, it will be necessary to:

  • Review products and services
  • Review the security regulatory framework in use
  • Gather and review security documentation
  • Understand information flows within processes
  • Understand the technical security measures implemented, etc.

This phase will also allow the creation of an inventory of assets for the services within scope.

 

 

Phase II: Risk Analysis

Decision-making regarding the controls and security measures to be implemented must be based on risk management and alignment with the company’s needs. Therefore, in this phase, this assessment will be carried out considering, among others, aspects such as:

  • Critical assets
  • Threats
  • Vulnerabilities
  • Impact and risk
  • Responsibilities

This task is carried out with alignment to internationally recognized standards, which allow its maintenance and management over time.

 

 

Phase III: Action Plan

In this phase, and thanks to the work carried out in previous phases, the plan will be drafted to determine the prioritization and measures that must be developed to achieve alignment with ISO/IEC 27032:2012 based on business requirements.

This Plan will address different strategies that will include and must be applied at different levels of the organization, including:

  • Policies
  • Role identification
  • Implementation methods
  • Affected processes
  • Technological controls

 

Phase IV: Implementation

This is typically the phase that requires the most effort, as it is where all actions defined in the previous phase are executed according to the Action Plan. It is important to keep in mind that ISO/IEC 27032:2012 aims to require those who implement it to be proactive in security measures, with significant emphasis on prevention mechanisms in processes that make use of Cyberspace.

This project phase will therefore focus on the implementation of controls that must consider the existing maturity level in security management and will take into account, among others, aspects such as:

  • Existence of a Security Policy
  • Security procedures in SDLC
  • Existing frameworks for information exchange
  • Staff awareness plans
  • Risk Analysis and Risk Management methodology
  • ICT monitoring
  • Incident management

 

Additionally, in this phase of the project, additional controls will be established, including:

  • Application-level controls: session management, data validation, protection against attacks, authentication processes, etc.
  • Server-level controls: secure configurations, patch management, monitoring, periodic reviews, etc.
  • Controls for end users: OS updates, application usage, antivirus, security tools and configurations, etc.
  • Controls against social engineering attacks: awareness programs, regular testing, security controls, etc.

What Our Clients Say


At Grupo AR, we highly value the brand protection service provided by Internet Security Auditors for its comprehensive and proactive approach. Their highly qualified team enables us to identify and mitigate risks that could affect the AR Construcciones brand and its different companies. Many thanks for your support!
Nestor Ivan Melo Ballen
Director of Cybersecurity
Grupo AR
As CEO of Beruby, we worked with Internet Security Auditors when we urgently needed to complete a PCI DSS Attestation of Compliance. The entire process was extremely fast, efficient, and professional. Their team provided us with excellent support, demonstrating strong technical expertise and a high level of commitment. Without a doubt, we recommend their services to any company in need of cybersecurity solutions.
Miguel Acosta
Global CEO
Beruby
At Grupo Arbulu, we have worked closely with Internet Security Auditors on the implementation of advanced cybersecurity measures. Thanks to their expertise, we have significantly strengthened our ability to detect and mitigate cyber risks. Their thorough audits and tailored solutions have reinforced our security infrastructure, ensuring the protection of our data and the continuity of our operations.
Marcos Montes de Oca
CIO
Grupo Arbulu
As CISO at Intaremit S.A., the importance we place on logical security is extremely high. Not only because the PCI‑CPP standard requires us to perform four internal and external vulnerability scans and an annual internal and external penetration test, but also because of the security and peace of mind our company aims to provide to each and every one of our customers.We have been working and collaborating with IsecAuditors for more than 10 years thanks to their experience, commitment, and close support, and I therefore recommend them without hesitation.
Sergio Sainz de la Maza
CISO
Intaremit S.A.
As CFO of Fleurop – Interflora Spain, we have been working with Internet Security Auditors for years in the areas of consulting and GDPR compliance. As Interflora is a company fully oriented toward online commerce, the professional services provided by ISEC Auditors give us the support, security, and peace of mind that all our activities remain aligned with GDPR requirements.
Francisco Tébar Prada
CFO Southern Europe (Spain, Italy, Portugal and Romania)
Fleurop - Interflora España
As CFO of Saint Louis University – Madrid Campus, I have had the opportunity to work with Internet Security Auditors, S.L. They have been an indispensable partner in implementing the requirements established by GDPR: preparing the record of processing activities, developing privacy policies, drafting the necessary data‑protection agreements with our service providers, and complementing all of this with thorough training for our staff—an essential element to ensure full compliance with the law. I would like to highlight their availability to address questions and their ability to translate the legal framework into concrete and understandable actions. Their periodic internal audits are efficient and allow us to stay up to date, correcting any deviations in a timely manner.I highly recommend Internet Security Auditors, S.L. to anyone seeking a successful implementation and ongoing oversight of personal data protection within their organization. 
Victoria Villarreal Palazón
Vice-Rector & Associate Vice President Chief Financial Officer
Saint Louis University, Spain
Working with Internet Security Auditors has been a positive experience in every respect. Their team combines strong technical expertise with a great willingness to collaborate, which has strengthened our security posture and regulatory compliance.
Andres Mejia
Head of GRC
PAYVÁLIDA
On behalf of Outsourcing SAS BIC, we would like to express our sincere appreciation for the commitment, professionalism, and dedication demonstrated throughout the implementation of the PCI DSS compliance project in our call center. Thanks to your expertise and guidance at every stage of the process, we were able to establish a secure environment that meets the industry’s most demanding payment‑security requirements, significantly strengthening our security controls and data‑protection practices. We especially value your team’s willingness to provide clear solutions, effective training, and smooth communication, all of which were key to achieving our objectives on time and with full confidence.
Yulian Colmenares
Information Security Officer
OUTSOURCNG SAS BIC
Working with Internet Security Auditors has been a highly satisfactory experience. Their support throughout our migration to the ISO/IEC 27001:2022 standard, the execution of internal audits, and the PCI DSS certification process has been essential in strengthening our information security management system. We especially value the professionalism and interpersonal skills of their team, which have made this collaboration a relationship of trust and great value for Neurona.
Ricardo Andrés Cárdenas Galvis
Information Security and Continuity Officer
Neurona
The strategic support provided by Internet Security Auditors as our CISOaaS has been essential in strengthening our internal team. Their expertise perfectly complements the work of our CISO and has enabled us to accelerate the maturity of our cybersecurity program.
CISO
RACC

Do not hesitate to contact us if you need more information

Send us your questions and we will get in touch with you as soon as possible.

CAPTCHA