ISO IEC 27033-5-2013 PDF
Name in English:
St ISO IEC 27033-5-2013
Name in Russian:
Ст ISO IEC 27033-5-2013
Original standard ISO IEC 27033-5-2013 in PDF full version. Additional info + preview on request
Full title and description
Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs). This International Standard provides guidance on selecting, implementing and monitoring the technical controls needed to provide network security when using VPNs to interconnect networks and to connect remote users to networks.
Abstract
ISO/IEC 27033-5:2013 gives practical guidance on VPN security: it describes types of VPNs, common threats to VPN deployments, security requirements (confidentiality, integrity, authenticity, authorization, availability and tunnel endpoint security), recommended security controls, design techniques, operational/management considerations, and guidance for product selection and configuration. The intent is to help organizations design and operate VPNs that meet business and regulatory needs while reducing security risks.
General information
- Status: Published (International Standard); reviewed and confirmed in a periodic review.
- Publication date: August 2013 (First edition).
- Publisher: ISO/IEC (International Organization for Standardization and the International Electrotechnical Commission), via ISO/IEC JTC 1/SC 27.
- ICS / categories: 35.030 (IT security).
- Edition / version: Edition 1, 2013.
- Number of pages: 14 (official ISO paginated length).
Scope
The standard provides guidelines for the selection, implementation and monitoring of technical controls necessary to secure communications across networks using VPNs. It covers VPN types, threat analysis, security requirements, control options, architectural and management considerations, technical design techniques, and guidance for selecting VPN products and carriers. It is intended to support the secure interconnection of networks and secure remote access for users, while addressing regulatory, operational and technical constraints.
Key topics and requirements
- Classification and types of VPNs (site-to-site, remote-access, carrier-managed, overlay vs. routed VPNs).
- Threats to VPN deployments (unauthorised access, interception, replay, tunnelling attacks, denial of service and endpoint compromise).
- Security requirements: confidentiality, integrity, authenticity, authorization, availability and tunnel-endpoint security.
- Security controls and mechanisms (cryptographic protocols such as IPsec, authentication methods, key management, tunnel/transport modes, traffic separation and filtering).
- Design techniques and architectural considerations (segmentation, VPN endpoint hardening, carrier/provider considerations, regulatory and legal aspects).
- Operational aspects: management, monitoring, logging, incident handling, lifecycle and change management for VPNs.
- Guidelines for product and carrier selection, including feature assessment and interoperability considerations.
Typical use and users
Used by network architects, information security managers, system/network administrators, security auditors, IT procurement teams and solution integrators. Organizations deploy this guidance when implementing secure remote access, inter-site connectivity, third‑party connectivity and cloud/VPN integration to ensure technical controls align with business, legal and regulatory requirements.
Related standards
Part of the ISO/IEC 27033 network security series (other parts cover overview, design, wireless access, VPNs, and virtualization); related to ISO/IEC 27001 and ISO/IEC 27002 for information security management and controls. ISO/IEC 27033-6 (wireless IP access) and newer parts such as ISO/IEC 27033-7 (network virtualization guidance) provide complementary guidance. The 27033 series superseded and elaborated material formerly in ISO/IEC 18028.
Keywords
VPN, Virtual Private Network, network security, IPsec, tunnel endpoint security, confidentiality, integrity, authenticity, remote access, VPN design, VPN product selection.
FAQ
Q: What is this standard?
A: ISO/IEC 27033-5:2013 is an International Standard providing guidance on securing communications across networks using Virtual Private Networks (VPNs).
Q: What does it cover?
A: It covers VPN types, threat analysis, security requirements (confidentiality, integrity, authenticity, authorization, availability), security controls, design techniques, operational/management considerations and guidance for product/carrier selection.
Q: Who typically uses it?
A: Network and security architects, IT/security managers, administrators, auditors, procurement and integrators who design, implement, operate or evaluate VPN solutions.
Q: Is it current or superseded?
A: This edition was published in August 2013. It was confirmed in a periodic ISO review and remains current. It is not listed as superseded; organizations should check the ISO catalog or national bodies for any subsequent amendments or newer parts in the 27033 series.
Q: Is it part of a series?
A: Yes — it is part of the ISO/IEC 27033 network security series (multiple parts), which collectively provide guidance on network security architecture, VPNs, wireless IP access, and network virtualization.
Q: What are the key keywords?
A: VPN, virtual private network, IPsec, tunnel security, endpoint hardening, remote access, network segmentation, cryptographic controls.