Certification of Information Security Management System (ISMS) to ISO/IEC 27001

1
Certification of Information Security Management
System (ISMS) to ISO/IEC 27001
  • Mr. Nick C.C. Leung
  • Accreditation Officer, Hong Kong Accreditation
    Service
  • 18 October 2013

2
Content
  • Outline of ISO/IEC 27001 Information Security
    Management System Certification
  • Hong Kong Accreditation Service (HKAS)

3
Outline of ISO/IEC 27001 Information
Security Management System Certification
4
What is Information Security Management System
(ISMS)?
  • Information is an asset that, like other important
    business assets, needs to be suitably protected.
  • Information can be stored in many forms,
    including digital form (e.g. electronic media),
    material form (e.g. on paper), as well as
    unrepresented information in the form of the
    knowledge held by employees.

5
What is Information Security Management System
(ISMS)?
  • Information security covers three main
    dimensions: confidentiality, availability and
    integrity.
  • Remark: according to ISO/IEC 27000:2009,
    Information technology - Security techniques -
    Information security management systems -
    Overview and vocabulary.

6
What is Information Security Management System
(ISMS)?
  • Information Security can be achieved through the
    implementation of an applicable set of controls
    selected through the chosen risk management
    process and managed using an ISMS.

7
What is Information Security Management System
(ISMS)?
  • An ISMS is a management system (or a part of the
    overall management system), based on the approach
    of controlling business risks, used to establish,
    implement, operate, monitor, review, maintain and
    improve information security.
  • ISO/IEC 27001 is an ISMS standard.

8
Who should implement ISMS?
  • ISMS is applicable to organisations of all sizes
    and in all business sectors.
  • In particular, for organisations storing and/or
    handling information that is:
    - personally sensitive, or
    - of a commercially sensitive nature and value
      (e.g. product design), or
    - business critical (i.e. information that needs to
      be accurate and its integrity assured).

9
Benefits of Implementing ISMS
  • Reduction in information security risks:
    - reducing the probability of information security
      incidents
    - reducing the impact caused by information
      security incidents
  • Gives greater confidence to business partners,
    authorities and other interested parties

10
ISMS to ISO/IEC 27001
  • Source: ISO/IEC 27000:2009, Information
    technology - Security techniques - Information
    security management systems - Overview and
    vocabulary

11
ISMS to ISO/IEC 27001
  • ISO/IEC 27001 adopts the Plan-Do-Check-Act
    (PDCA) model as shown in the following figure
  • Source: ISO/IEC 27001:2005, Information
    technology - Security techniques - Information
    security management systems - Requirements

12
ISMS to ISO/IEC 27001
  • ISO/IEC 27001 is aligned with ISO 9001:2000 and
    ISO 14001:2004
  • One suitably designed management system can
    satisfy the requirements of all these standards
    (i.e. an integrated management system, IMS)

13
Major Steps of Establishing and Implementing ISMS
to ISO/IEC 27001
  • Define the scope, boundary and policy of the ISMS
  • Define the risk assessment approach of the
    organisation
  • Identify, analyse and evaluate risks and options
    for the relevant treatment
14
Major Steps of Establishing and Implementing ISMS
to ISO/IEC 27001 (cont)
  • Select appropriate control objectives and
    controls for the treatment of risks
  • Obtain management approval of the proposed
    residual risks
  • Obtain management authorisation to implement and
    operate the ISMS
  • Monitor, review, maintain and improve the ISMS
    continually
15
ISO/IEC 27001 Requirements
  • General requirements (4.1)
  • Establishing and managing the ISMS (4.2)
  • Documentation requirements (4.3)
  • Management commitment (5.1)
  • Resource management (5.2)
  • Internal ISMS audits (6)
  • Management review (7)
  • Continual improvement (8.1)
  • Corrective action (8.2)
  • Preventive action (8.3)
  • Annex A: Control objectives and controls
    (a total of 35 control objectives and 114
    controls are grouped under 14 main categories, as
    listed in Table A.1 of ISO/IEC 27001)

16
Certification of ISMS to ISO/IEC 27001
  • Certification is an attestation issued by a
    third-party body, through a formal conformity
    assessment process, that specified requirements
    (e.g. ISO/IEC 27001) are fulfilled.

17
Figures on ISMS Certification
Source: www.iso27001certificates.com (30 August
2013)
18
Figures on ISMS Certification
  • Close to 8000 ISMS certificates have been
    registered on the website
    www.iso27001certificates.com
  • The actual number of issued ISMS certificates is
    expected to be higher, as not all certificates are
    registered.

19
Where to obtain ISMS Certification Services?
  • A number of local certification bodies are
    providing ISO/IEC 27001-based ISMS certification
    services.

20
Hong Kong Accreditation Service (HKAS)
21
What is Hong Kong Accreditation Service?
  • HKAS is part of the Innovation and Technology
    Commission of the Hong Kong Special
    Administrative Region (HKSAR) Government.
  • Established in 1985 (formerly named HOKLAS),
    HKAS is the official accreditation body
    in Hong Kong

22
What is accreditation?
  • According to ISO/IEC 17000:2004, Conformity
    assessment - Vocabulary and general principles:
  • Accreditation: issuance of a conformance
    statement by a third party (i.e. accreditation
    body) to a conformity assessment body (i.e.
    laboratory, inspection body, certification
    body, validation and verification body)
  • Conveying formal demonstration of its competence
    to carry out specific conformity assessment tasks
    (i.e. testing, inspection, certification, GHG
    validation and verification)

23
What is accreditation?
  • Accreditation body (e.g. HKAS) - provides the
    assurance
  • Conformity assessment bodies - are they competent?
  • Test, inspection, certification, GHG validation
    and verification results - are they acceptable?
24
HKAS Accreditation
  • To support the Hong Kong testing and certification
    industry, HKAS provides accreditation services
    under 3 schemes:
  • HOKLAS (Hong Kong Laboratory Accreditation Scheme)
  • HKCAS (Hong Kong Certification Body Accreditation
    Scheme)
    - Management System Certification
    - Product Certification
    - GHG Validation and Verification
  • HKIAS (Hong Kong Inspection Body Accreditation
    Scheme)

25
HKAS Accreditation
  • Testing related: 198 organisations (HOKLAS)
  • Inspection: 19 inspection bodies (HKIAS),
    ISO/IEC 17020
  • Certification: 20 organisations (HKCAS)
  • Reference Material Producer: ISO Guide 34
  • Proficiency Testing Provider: ISO/IEC 17043
  • GHG Validation / Verification: ISO 14065
26
Hong Kong Certification Body Accreditation Scheme
(HKCAS)
  • Management System Certification (ISO/IEC 17021)
    - Quality Management System (ISO 9001)
    - Environmental Management System (ISO 14001)
    - Occupational Health and Safety Management
      System (OHSAS 18001)
    - Food Safety Management System (ISO 22000)
    - Energy Management System (ISO 50001)
    - Information Security Management System
      (ISO 27001)
    - Management System of Residential Care Home for
      Elderly
  • Product Certification (ISO/IEC Guide 65)
    - Construction Materials and Products
    - Consumer Products
  • GHG Validation / Verification (ISO 14065, ISO
    14064-3)
27
Features of HKAS Accreditation
  • Voluntary
  • Based on international standards
  • Rigorous assessment and monitoring
  • International recognition
  • Independent and impartial

28
Benefits of HKAS Accreditation
  • To accredited certification bodies:
    - formal recognition of their competence in
      performing certification activities
    - demonstrate their competence and commitment to
      compliance with accreditation standards
    - maintain and improve their management system and
      performance through rigorous accreditation
      assessments and monitoring
    - enhance reputation
    - deliver confidence to their clients

29
Benefits of HKAS Accreditation
  • To clients of accredited certification services:
    - win new business, particularly since the use of
      accredited certification services is increasingly
      a stipulation of specifiers in both public and
      private sectors
    - help to identify best practice, since
      accredited certification bodies are required to
      have appropriate knowledge of clients' business
      sectors
    - control costs with the help of knowledge transfer,
      since accredited certification bodies can be a
      good source of impartial advice
    - offer market differentiation and leadership by
      showing others credible evidence of good
      practice
    - increase efficiency by reducing the need for
      re-audit

(Source: "Why use an accredited certification
body to certify your management system"
brochure, IAF 2011)
30
Accreditation Recognised Internationally
  • As a signatory of the Mutual Recognition
    Arrangement (MRA) of the International Laboratory
    Accreditation Cooperation (ILAC, www.ilac.org) and
    the Multilateral Recognition Arrangement (MLA) of
    the International Accreditation Forum (IAF,
    www.iaf.nu)
  • Accreditation status for specific scopes is
    recognised by over 82 accreditation bodies in 66
    economies
  • HKAS is well recognised by the regional and
    international accreditation community

31
International Cooperation (Laboratory /
Inspection body)
32
International Cooperation (Certification body)
33
Examples of HKAS MRA Partners
34
How to know a certification body is accredited by
HKAS?
http://www.itc.gov.hk/en/quality/hkas/hkcas/cb_no.htm
35
How to Identify the Accredited Report/Certificate
?
36
For More Information
  • Please visit our website at http://www.hkas.gov.hk

37
Accreditation Service for Information Management
System Certification
  • Launched in November 2011
  • Enquiry contact:
    - Dr. M. K. Kwok (Senior Accreditation Officer,
      HKAS)
    - Tel. 2829 4846
    - Email: mkkwok@itc.gov.hk

For more information about this service, please
visit http://www.itc.gov.hk/en/quality/hkas/hkcas/about.htm
38
(No Transcript)
39
Thank you