Title: Certification of Information Security Management System (ISMS) to ISO/IEC 27001

1. Certification of Information Security Management System (ISMS) to ISO/IEC 27001
- Mr. Nick C.C. Leung
- Accreditation Officer, Hong Kong Accreditation Service
- 18 October 2013
2. Content
- Outline of ISO/IEC 27001 Information Security Management System Certification
- Hong Kong Accreditation Service
3. Outline of ISO/IEC 27001 Information Security Management System Certification
4. What is Information Security Management System (ISMS)?
- Information is an asset which, like other important business assets, needs to be suitably protected.
- Information can be stored in many forms, including digital form (e.g. electronic media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge held by employees.
5. What is Information Security Management System (ISMS)?
- Information Security includes three main dimensions: confidentiality, availability and integrity.
- Remark: according to ISO/IEC 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary.
6. What is Information Security Management System (ISMS)?
- Information Security can be achieved through the implementation of an applicable set of controls, selected through the chosen risk management process and managed using an ISMS.
7. What is Information Security Management System (ISMS)?
- An ISMS is a management system (or a part of the overall management system), based on the approach of controlling business risks, to establish, implement, operate, monitor, review, maintain and improve information security.
- ISO/IEC 27001 is an ISMS standard.
8. Who should implement ISMS?
- ISMS is applicable to organisations of all sizes and in all business sectors.
- In particular, for organisations storing and/or handling information that is:
  - personally sensitive, or
  - of a commercially sensitive nature and value (e.g. product design), or
  - business critical (i.e. information that needs to be accurate and its integrity assured).
9. Benefits of Implementing ISMS
- Reduction in information security risks:
  - reducing the probability of information security incidents
  - reducing the impact caused by information security incidents
- Gives greater confidence to business partners, authorities and other interested parties
10. ISMS to ISO/IEC 27001
- Source: ISO/IEC 27000:2009 Information technology - Security techniques - Information security management systems - Overview and vocabulary
11. ISMS to ISO/IEC 27001
- ISO/IEC 27001 adopts the Plan-Do-Check-Act (PDCA) model as shown in the following figure
- Source: ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements
12. ISMS to ISO/IEC 27001
- ISO/IEC 27001 is aligned with ISO 9001:2000 and ISO 14001:2004
- One suitably designed management system can satisfy the requirements of all these standards (i.e. IMS)
13. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001
- Define the scope, boundary and policy of the ISMS
- Define the risk assessment approach of the organisation
- Identify, analyse and evaluate risks and options for the relevant treatment
14. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 (cont.)
- Select appropriate control objectives and controls for the treatment of risks
- Obtain management approval of the proposed residual risks
- Obtain management authorisation to implement and operate the ISMS
- Monitor, review, maintain and improve the ISMS continually
15. ISO/IEC 27001 Requirements
- General requirements (4.1)
- Establishing and managing the ISMS (4.2)
- Documentation requirements (4.3)
- Management commitment (5.1)
- Resource management (5.2)
- Internal ISMS audits (6)
- Management review (7)
- Continual improvement (8.1)
- Corrective action (8.2)
- Preventive action (8.3)
- Annex A: Control objectives and controls (a total of 35 control objectives and 114 controls are grouped under 14 main categories, as listed in Table A.1 of ISO/IEC 27001)
16. Certification of ISMS to ISO/IEC 27001
- Certification is an attestation issued by a third-party body, through a formal conformity assessment process, that specified requirements (e.g. ISO/IEC 27001) are fulfilled.
17. Figures on ISMS Certification
- Source: www.iso27001certificates.com (30 August 2013)
18. Figures on ISMS Certification
- Close to 8000 ISMS certificates have been registered on the website www.iso27001certificates.com
- The actual number of issued ISMS certificates is expected to be higher, as not all certificates are registered.
19. Where to obtain ISMS Certification Services?
- A number of local certification bodies are providing ISO/IEC 27001-based ISMS certification services.
20. Hong Kong Accreditation Service (HKAS)
21. What is Hong Kong Accreditation Service?
- HKAS is part of the Innovation and Technology Commission of the Hong Kong Special Administrative Region (HKSAR) Government.
- Established in 1985 (formerly named HOKLAS), HKAS is the official accreditation body in Hong Kong.
22. What is accreditation?
- According to ISO/IEC 17000:2004 Conformity assessment - Vocabulary and general principles:
  - Accreditation: issuance of a conformance statement by a third party (i.e. accreditation body) to a conformity assessment body (i.e. laboratory, inspection body or certification body, validation and verification body)
  - Conveying formal demonstration of its competence to carry out specific conformity assessment tasks (i.e. testing, inspection, certification, GHG validation and verification)
23. What is accreditation?
[Figure: Accreditation Body (e.g. HKAS) - provides the assurance. Labels: "Are they competent?"; "Test, inspection, certification, GHG validation and verification"; "Are they acceptable?"]
24. HKAS Accreditation
- Support the Hong Kong testing and certification industry, providing accreditation services under 3 schemes:
  - HOKLAS
  - HKCAS
    - Management System Certification
    - Product Certification
    - GHG Validation and Verification
  - HKIAS
25. HKAS Accreditation
- Testing related: 198 organisations (HOKLAS)
- Inspection: 19 inspection bodies (HKIAS), ISO/IEC 17020
- Certification: 20 organisations (HKCAS)
- Reference Material Producer: ISO Guide 34
- Proficiency Testing Provider: ISO/IEC 17043
- GHG Validation/Verification: ISO 14065
26. Hong Kong Certification Body Accreditation Scheme (HKCAS)
- Management System Certification (ISO/IEC 17021)
  - Quality Management System (ISO 9001)
  - Environmental Management System (ISO 14001)
  - Occupational Health and Safety Management System (OHSAS 18001)
  - Food Safety Management System (ISO 22000)
  - Energy Management System (ISO 50001)
  - Information Security Management System (ISO 27001)
  - Management System of Residential Care Home for Elderly
- Product Certification (ISO/IEC Guide 65)
  - Construction Materials and Products
  - Consumer Products
- GHG Validation / Verification (ISO 14065, ISO 14064-3)
27. Features of HKAS Accreditation
- Voluntary
- Based on international standards
- Rigorous assessment and monitoring
- International recognition
- Independent and impartial
28. Benefits of HKAS Accreditation
- To accredited certification bodies:
  - formal recognition of their competence in performing certification activities
  - demonstrate their competence and commitment to compliance with accreditation standards
  - maintain and improve their management system and performance through rigorous accreditation assessments and monitoring
  - enhance reputation
  - deliver confidence to their clients
29. Benefits of HKAS Accreditation
- To clients of accredited certification services:
  - win new business, particularly since the use of accredited certification services is increasingly a stipulation of specifiers in both public and private sectors
  - help to identify best practice, since accredited certification bodies are required to have appropriate knowledge of their clients' business sectors
  - control costs with the help of knowledge transfer, since accredited certification bodies can be a good source of impartial advice
  - offer market differentiation and leadership by showing others credible evidence of good practice
  - increase efficiency by reducing the necessity of re-audit
- (Source: "Why use an accredited certification body to certify your management system" brochure, IAF 2011)
30. Accreditation Recognised Internationally
- As a member of the Mutual Recognition Arrangement (MRA) of the International Laboratory Accreditation Cooperation (ILAC, www.ilac.org) and the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum (IAF, www.iaf.nu)
- Accreditation status of specific scopes is recognised by over 82 accreditation bodies in 66 economies
- HKAS is well recognised by the regional and international accreditation community
31. International Cooperation (Laboratory / Inspection body)
32. International Cooperation (Certification body)
33. Examples of HKAS MRA Partners
34. How to know a certification body is accredited by HKAS?
- http://www.itc.gov.hk/en/quality/hkas/hkcas/cb_no.htm
35. How to Identify the Accredited Report/Certificate?
36. For More Information
- Please visit our website at http://www.hkas.gov.hk
37. Accreditation Service for Information Management System Certification
- Launched in November 2011
- Enquiry contact:
  - Dr. M. K. Kwok (Senior Accreditation Officer, HKAS)
  - Tel. 2829 4846
  - Email: mkkwok@itc.gov.hk
- For more information about this service, please visit http://www.itc.gov.hk/en/quality/hkas/hkcas/about.htm
39. Thank you