1 / 39

Mr. Nick C.C. Leung Accreditation Officer, Hong Kong Accreditation Service

Certification of Information Security Management System (ISMS) to ISO/IEC 27001 ISO/IEC 27001 資訊安全管理系統 認證. Mr. Nick C.C. Leung Accreditation Officer, Hong Kong Accreditation Service 香港認可處 認可主任 18 October 2013. Content.

malo
Download Presentation

Mr. Nick C.C. Leung Accreditation Officer, Hong Kong Accreditation Service

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Certification of Information Security Management System (ISMS) to ISO/IEC 27001ISO/IEC 27001 資訊安全管理系統認證 Mr. Nick C.C. Leung Accreditation Officer, Hong Kong Accreditation Service 香港認可處 認可主任18 October 2013

  2. Content • Outline of ISO/IEC 27001 Information Security Management System Certification • Hong Kong Accreditation Service (香港認可處 )

  3. Outline of ISO/IEC 27001Information SecurityManagement System Certification

  4. What is Information Security Management System (ISMS)? • Information is an asset, like other important business assets, needs to be suitably protected. • Information can be stored in many forms, including digital form (e.g. electronic media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees.

  5. What is Information Security Management System (ISMS)? • Information Security * includes three main dimensions: confidentiality, availability and integrity. * Remark: According to ISO/IEC 27000:2009 – Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary.

  6. What is Information Security Management System (ISMS)? • Information Security can be achieved through the implementation of an applicable set of controls selected through the chosen risk management process and managed using an ISMS.

  7. What is Information Security Management System (ISMS)? • ISMS is a management system (or a part of the overall management system), based on the approach of controlling business risks, to establish, implement, operate, monitor, review, maintain and improve information security. • ISO/IEC 27001 is an ISMS Standard

  8. Who should implement ISMS? • ISMS is applicable to organisations of all sizes and in all business sectors. • In particular, for organisations storing and/or handling information that is: • personally sensitive, or • of a commercially sensitive nature and value (e.g. product design), or • business critical (i.e. information that needs to be accurate and its integrity assured).

  9. Benefits of Implementing ISMS • Reduction in information security risks; • reducing the probability of information security incidents • reducing the impact caused by information security incidents • Gives greater confidence to business partners, authorities and other interested parties

  10. ISMS to ISO/IEC 27001 Source: ISO/IEC 27000:2009 Information Technology – Security Techniques – Information Security Management Systems – Overview and vocabulary

  11. ISMS to ISO/IEC 27001 ISO/IEC 27001 adopts the “Plan-Do-Check-Act” (PDCA) model as shown in the following figure: Source: ISO/IEC 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements

  12. ISMS to ISO/IEC 27001 • ISO/IEC 27001 is aligned with ISO 9001:2000 and ISO 14001:2004 • One suitably designed management system can satisfy the requirements of all these standards (i.e. IMS)

  13. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 Define the scope, boundary and policy of ISMS Define the risk assessment approach of the organisation Identify, analyse and evaluate risks andoptions for the relevant treatment

  14. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 (cont’) Select appropriate control objectives and controls for the treatment of risks Obtain management approval of theproposed residual risks Obtain management authorisation to implement and operate the ISMS Monitor, review, maintain and improve the ISMS continually

  15. ISO/IEC 27001 Requirements • General requirements (4.1) • Establishing and managing the ISMS (4.2) • Documentation requirements (4.3) • Management commitment (5.1) • Resource management (5.2) • Internal ISMS audits (6) • Management review (7) • Continual improvement (8.1) • Corrective action (8.2) • Preventive action (8.3) • Annex A – Control objectives and controls • (A total of 35 Control Objectives and 114 Controls are grouped under 14 main categories as listed out in Table A.1 of ISO/IEC 27001)

  16. Certification of ISMS to ISO/IEC 27001 • Certification is an attestation issued by a third-party body, through a formal conformity assessment process, that specified requirements (e.g. ISO/IEC 27001) are fulfilled.

  17. Figures on ISMS Certification Source: www.iso27001certifciates.com (30 August 2013)

  18. Figures on ISMS Certification • Close to 8000 ISMS Certificates have been registered in the website “www.iso27001certificates.com” • The actual figure on issued ISMS certificate is expected to be higher as not all certificates are registered.

  19. Where to obtain ISMS Certification Services? • A number of local certification bodies are providing ISO/IEC 27001-based ISMS certification services. Selecting an appropriate certification body to certify your organisation’s ISMS is a strategic decision. How to select the right certification service?

  20. Hong Kong Accreditation Service(HKAS)香港認可處

  21. What is Hong Kong Accreditation Service? • HKAS is part of Innovation and Technology Commission of the Hong Kong Special Administration Region (HKSAR) Government. • Established in 1985 (formerly named as HOKLAS), HKAS is the official accreditation body(認可資格頒授機構) in Hong Kong

  22. What is accreditation (認可)? • According to ISO/IEC 17000:2004 Conformity assessment – Vocabulary and general principles: • “Accreditation” – Issuance of conformance statement by a third party (i.e. accreditation body) to a conformity assessment body (i.e. laboratory, inspection body or certification body,validation and verification body) • Conveying formal demonstration of its competence to carry our specific conformity assessment tasks (i.e. testing, inspection, certification, GHG validation and verification)

  23.    Start What is accreditation (認可)? Accreditation Body (e.g. HKAS) - provides the assurance Are they competent? Test, inspection, certification, GHG validation and verification Are they acceptable?

  24. HKAS Accreditation • Support the Hong Kong testing and certification industry, provide accreditationservices under 3 schemes: • HOKLAS(香港實驗所認可計劃) • HKCAS(香港認證機構認可計劃) • Management System Certification • Product Certification • GHG Validation and Verification • HKIAS(香港檢驗機構認可計劃)

  25. HKAS Accreditation Testing related Inspection 20 Organisations (HKCAS) 198 Organisations (HOKLAS) 19 Inspection Bodies (HKIAS) ISO/IEC 17020 Reference Material Producer ISO Guide 34 Proficiency Testing Provider ISO/IEC 17043 GHG Validation/ Verification ISO 14065

  26. Hong Kong Certification Body Accreditation Scheme HKCAS GHG Validation / Verification (ISO 14065 + ISO 14064-3) Management System Certification (ISO/IEC 17021) Product Certification (ISO/IEC Guide 65) Construction Materials and Products Quality Management System (ISO9001) Environmental Management System (ISO 14001) Food Safety Management System (ISO22000) Occupational Health and Safety Management System (OHSAS18001) Consumer Products Energy Management System (ISO 50001) Information Security Management System (ISO 27001) Management System of Residential Care Home for Elderly

  27. Features of HKAS Accreditation • Voluntary • Based on international standards • Rigorous assessment and monitoring • International recognition • Independent and impartial

  28. Benefits of HKAS Accreditation • To accredited certification bodies • formal recognition of their competences in performing certification activities • demonstrate their competences and commitment in compliance to accreditation standards • maintain and improve their management system and performance through rigorous accreditation assessments and monitoring • enhance reputation • deliver confidence to their clients

  29. Benefits of HKAS Accreditation • To clients of accredited certification services • win new business particularly since the use of accredited certification service is increasingly a stipulation of specifiers in both public and private sectors; • help to identify best practice since the accredited certification bodies are required to have appropriate knowledge of clients’ business sectors; • control costs with the help of knowledge transfer since accredited certification bodies can be a good source of impartial advice; • offer market differentiation and leadership by showing to others credible evidence of good practice; • increase efficiency by reducing the necessity of re-audit (Source: “Why use an accredited certification body to certify your management system brochure”, IAF 2011)

  30. Accreditation Recognised Internationally • As a member of Mutual Recognition Agreement (MRA) by International Laboratory Accreditation Cooperation (ILAC, www.iaf.nu), and Multilateral Recognition Arrangement (MLA) by International Accreditation Forum (IAF, www.ilac.org) • Accreditation status of specific scope recognised by over 82 accreditation bodies in 66 economies • HKAS is well recognised by region/international accreditation community

  31. International ILAC Regional APLAC IAAC EA Economies AccreditationBodies Laboratories Mutual recognition arrangement (MRA)through international and regional co-operations International Cooperation (Laboratory / Inspection body)

  32. IAF International EA Regional PAC IAAC Economies AccreditationBodies CertificationBodies Certified Organisations Multilateral recognition arrangement (MLA)through international and regional co-operations International Cooperation (Certification body)

  33. Examples of HKAS MRA Partners

  34. How to know a certification body is accredited by HKAS? http://www.itc.gov.hk/en/quality/hkas/hkcas/cb_no.htm

  35. How to Identify the Accredited Report/Certificate?

  36. Please visit our website at http: www.hkas.gov.hk For More Information

  37. Accreditation Service for Information Management System Certification • Launched in November 2011 • Enquiry contact: • Dr. M. K. Kwok (Senior Accreditation Officer, HKAS) • Tel.: 2829 4846 • Email: mkkwok@itc.gov.hk For more information about this service, please visit http://www.itc.gov.hk/en/quality/hkas/hkcas/about.htm

  38. Thank you

More Related