
Page 1

Certification of Information Security Management System (ISMS) to ISO/IEC 27001

ISO/IEC 27001 資訊安全管理系統認證 (ISO/IEC 27001 Information Security Management System Certification)

Mr. Nick C.C. Leung

Accreditation Officer, Hong Kong Accreditation Service

香港認可處 認可主任 (Accreditation Officer, Hong Kong Accreditation Service)

18 October 2013

Page 2

Content

Outline of ISO/IEC 27001 Information Security Management System Certification

Hong Kong Accreditation Service ( 香港認可處 )

Page 3

Outline of ISO/IEC 27001 Information Security Management System Certification

Page 4

What is Information Security Management System (ISMS)?

Information is an asset which, like other important business assets, needs to be suitably protected.

Information can be stored in many forms, including digital form (e.g. electronic media), material form (e.g. on paper), as well as unrepresented information in the form of the knowledge of employees.

Page 5

What is Information Security Management System (ISMS)?

Information Security* includes three main dimensions: confidentiality, availability and integrity.

* Remark: According to ISO/IEC 27000:2009 – Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary.

Page 6

What is Information Security Management System (ISMS)?

Information Security can be achieved through the implementation of an applicable set of controls selected through the chosen risk management process and managed using an ISMS.

Page 7

What is Information Security Management System (ISMS)?

An ISMS is a management system (or a part of the overall management system), based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security.

ISO/IEC 27001 is an ISMS Standard

Page 8

Who should implement ISMS?

An ISMS is applicable to organisations of all sizes and in all business sectors.

In particular, for organisations storing and/or handling information that is:

- personally sensitive, or

- of a commercially sensitive nature and value (e.g. product design), or

- business critical (i.e. information that needs to be accurate and its integrity assured).

Page 9

Benefits of Implementing ISMS

Reduction in information security risks:

• reducing the probability of information security incidents

• reducing the impact caused by information security incidents

Gives greater confidence to business partners, authorities and other interested parties

Page 10

ISMS to ISO/IEC 27001

Source: ISO/IEC 27000:2009 Information Technology – Security Techniques – Information Security Management Systems – Overview and vocabulary

Page 11

ISMS to ISO/IEC 27001

ISO/IEC 27001 adopts the “Plan-Do-Check-Act” (PDCA) model as shown in the following figure:

Source: ISO/IEC 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements

Page 12

ISMS to ISO/IEC 27001

ISO/IEC 27001 is aligned with ISO 9001:2000 and ISO 14001:2004

One suitably designed management system can satisfy the requirements of all these standards (i.e. an integrated management system, IMS)

Page 13

Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001

Define the scope, boundary and policy of ISMS

Define the risk assessment approach of the organisation

Identify, analyse and evaluate risks and options for the relevant treatment

Page 14

Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 (cont'd)

Select appropriate control objectives and controls for the treatment of risks

Obtain management approval of the proposed residual risks

Obtain management authorisation to implement and operate the ISMS

Monitor, review, maintain and improve the ISMS continually

Page 15

ISO/IEC 27001 Requirements

General requirements (4.1)

Establishing and managing the ISMS (4.2)

Documentation requirements (4.3)

Management commitment (5.1)

Resource management (5.2)

Internal ISMS audits (6)

Management review (7)

Continual improvement (8.1)

Corrective action (8.2)

Preventive action (8.3)

Annex A – Control objectives and controls

(A total of 35 control objectives and 114 controls are grouped under 14 main categories, as listed in Table A.1 of ISO/IEC 27001)

Page 16

Certification of ISMS to ISO/IEC 27001

Certification is an attestation issued by a third-party body, through a formal conformity assessment process, that specified requirements (e.g. ISO/IEC 27001) are fulfilled.

Page 17

Figures on ISMS Certification

Source: www.iso27001certificates.com (30 August 2013)

Page 18

Figures on ISMS Certification

Close to 8000 ISMS Certificates have been registered in the website “www.iso27001certificates.com”

The actual number of issued ISMS certificates is expected to be higher, as not all certificates are registered.

Page 19

Where to obtain ISMS Certification Services?

A number of local certification bodies are providing ISO/IEC 27001-based ISMS certification services.

Page 20

Hong Kong Accreditation Service (HKAS) 香港認可處

Page 21

What is Hong Kong Accreditation Service?

HKAS is part of the Innovation and Technology Commission of the Hong Kong Special Administrative Region (HKSAR) Government.

Established in 1985 (formerly named HOKLAS), HKAS is the official accreditation body ( 認可資格頒授機構 ) in Hong Kong.

Page 22

What is accreditation ( 認可 )?

According to ISO/IEC 17000:2004 Conformity assessment – Vocabulary and general principles:

“Accreditation” – issuance of a statement of conformity by a third party (i.e. the accreditation body) to a conformity assessment body (i.e. a laboratory, inspection body, certification body, or validation and verification body),

conveying formal demonstration of its competence to carry out specific conformity assessment tasks (i.e. testing, inspection, certification, GHG validation and verification).

Page 23

What is accreditation ( 認可 )?

[Diagram: starting from a test, inspection, certification or GHG validation and verification result, the questions "Are they acceptable?" and "Are they competent?" arise; the accreditation body (e.g. HKAS) provides the assurance.]

Page 24

HKAS Accreditation

To support the Hong Kong testing and certification industry, HKAS provides accreditation services under 3 schemes:

- HOKLAS ( 香港實驗所認可計劃 , Hong Kong Laboratory Accreditation Scheme)

- HKCAS ( 香港認證機構認可計劃 , Hong Kong Certification Body Accreditation Scheme)

  - Management System Certification

  - Product Certification

  - GHG Validation and Verification

- HKIAS ( 香港檢驗機構認可計劃 , Hong Kong Inspection Body Accreditation Scheme)

Page 25

HKAS Accreditation

- Testing related: 198 Organisations (HOKLAS); Reference Material Producer (ISO Guide 34); Proficiency Testing Provider (ISO/IEC 17043)

- Inspection: 19 Inspection Bodies (HKIAS), ISO/IEC 17020

- Certification: 20 Organisations (HKCAS); GHG Validation/Verification (ISO 14065)

Page 26

Hong Kong Certification Body Accreditation Scheme (HKCAS)

- Management System Certification (ISO/IEC 17021)

  - Quality Management System (ISO 9001)

  - Environmental Management System (ISO 14001)

  - Occupational Health and Safety Management System (OHSAS 18001)

  - Food Safety Management System (ISO 22000)

  - Energy Management System (ISO 50001)

  - Information Security Management System (ISO 27001)

  - Management System of Residential Care Home for Elderly

- Product Certification (ISO/IEC Guide 65)

  - Consumer Products

  - Construction Materials and Products

- GHG Validation / Verification (ISO 14065 + ISO 14064-3)

Page 27

Features of HKAS Accreditation

- Voluntary

- Based on international standards

- Rigorous assessment and monitoring

- International recognition

- Independent and impartial

Page 28

Benefits of HKAS Accreditation

To accredited certification bodies:

- formal recognition of their competence in performing certification activities

- demonstrate their competence and commitment to compliance with accreditation standards

- maintain and improve their management system and performance through rigorous accreditation assessments and monitoring

- enhance reputation

- deliver confidence to their clients

Page 29

Benefits of HKAS Accreditation

To clients of accredited certification services:

- win new business, particularly since the use of accredited certification services is increasingly a stipulation of specifiers in both public and private sectors;

- help to identify best practice, since accredited certification bodies are required to have appropriate knowledge of clients’ business sectors;

- control costs with the help of knowledge transfer, since accredited certification bodies can be a good source of impartial advice;

- offer market differentiation and leadership by showing to others credible evidence of good practice;

- increase efficiency by reducing the necessity of re-audit

(Source: “Why use an accredited certification body to certify your management system” brochure, IAF 2011)

Page 30

Accreditation Recognised Internationally

HKAS is a signatory to the Mutual Recognition Arrangement (MRA) of the International Laboratory Accreditation Cooperation (ILAC, www.ilac.org) and the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum (IAF, www.iaf.nu).

Accreditation status for specific scopes is recognised by over 82 accreditation bodies in 66 economies.

HKAS is well recognised by the regional and international accreditation community.

Page 31

International Cooperation (Laboratory / Inspection body)

[Diagram: mutual recognition arrangement (MRA) through international (ILAC) and regional (APLAC, IAAC, EA) co-operations, linking accreditation bodies, laboratories and economies.]

Page 32

International Cooperation (Certification body)

[Diagram: multilateral recognition arrangement (MLA) through international (IAF) and regional (PAC, IAAC, EA) co-operations, linking accreditation bodies, certification bodies, certified organisations and economies.]

Page 33

Examples of HKAS MRA Partners

Page 34

How to know whether a certification body is accredited by HKAS?

http://www.itc.gov.hk/en/quality/hkas/hkcas/cb_no.htm

Page 35

How to Identify the Accredited Report/Certificate?

Page 36

For More Information

Please visit our website at http://www.hkas.gov.hk

Page 37

Accreditation Service for Information Management System Certification

Launched in November 2011

Enquiry contact:

Dr. M. K. Kwok (Senior Accreditation Officer, HKAS)

Tel.: 2829 4846

Email: [email protected]

For more information about this service, please visit http://www.itc.gov.hk/en/quality/hkas/hkcas/about.htm

Page 38

Page 39

Thank you