ISO/IEC 27033-1:2015(E)
requirement to properly protect networks and their related information systems and information. In other words:

implementing and maintaining adequate network security is absolutely critical to the success of any organization’s business operations.

In this context, the telecommunications and information technology industries are seeking cost-effective comprehensive security solutions, aimed at protecting networks against malicious attacks and inadvertent incorrect actions, and meeting the business requirements for confidentiality, integrity, and availability of information and services. Securing a network is also essential for maintaining the accuracy of billing or usage information as appropriate. Security capabilities in products are crucial to overall network security (including applications and services). However, as more products are combined to provide total solutions, the interoperability, or the lack thereof, will define the success of the solution. Security must not only be a thread of concern for each product or service, but must be developed in a manner that promotes the interweaving of security capabilities in the overall security solution.
The purpose of this International Standard is to provide detailed guidance on the security aspects of
the management, operation and use of information system networks, and their inter-connections. Those
individuals within an organization that are responsible for information security in general, and network
security in particular, should be able to adapt the material in this International Standard to meet their
specific requirements. Its main objectives are as follows.
— ISO/IEC 27033-1, to define and describe the concepts associated with, and provide management
guidance on, network security. This includes the provision of an overview of network security and
related definitions, and guidance on how to identify and analyse network security risks and then
define network security requirements. It also introduces how to achieve good quality technical
security architectures, and the risk, design and control aspects associated with typical network
scenarios and network “technology” areas (which are dealt with in detail in subsequent parts of
ISO/IEC 27033).
— ISO/IEC 27033-2, to define how organizations should achieve quality network technical security architectures, designs and implementations that will ensure network security appropriate to their business environments, using a consistent approach to the planning, design and implementation of network security, as relevant, aided by the use of models/frameworks (in this context, a model/framework is used to outline a representation or description showing the structure and high level workings of a type of technical security architecture/design), and is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-3, to define the specific risks, design techniques and control issues associated with typical network scenarios. It is relevant to all personnel who are involved in the planning, design and implementation of the architectural aspects of network security (for example, network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-4, to define the specific risks, design techniques and control issues for securing information flows between networks using security gateways. It is relevant to all personnel who are involved in the detailed planning, design and implementation of security gateways (for example, network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-5, to define the specific risks, design techniques and control issues for securing
connections that are established using Virtual Private Networks (VPNs). It is relevant to all
personnel who are involved in the detailed planning, design and implementation of VPN security
(for example, network architects and designers, network managers, and network security officers).
— ISO/IEC 27033-6, to define the specific risks, design techniques and control issues for securing IP wireless networks. It is relevant to all personnel who are involved in the detailed planning, design and implementation of security for wireless networks (for example, network architects and designers, network managers, and network security officers).
It is emphasized that this International Standard provides further detailed implementation guidance on
the network security controls that are described at a basic standardized level in ISO/IEC 27002.
© ISO/IEC 2015 – All rights reserved