- Количество слайдов: 39
Certification of Information Security Management System (ISMS) to ISO/IEC 27001 資訊安全管理系統認證 Mr. Nick C. C. Leung Accreditation Officer, Hong Kong Accreditation Service 香港認可處 認可主任 18 October 2013
Content Outline of ISO/IEC 27001 Information Security Management System Certification Hong Kong Accreditation Service (香港認可處 )
Outline of ISO/IEC 27001 Information Security Management System Certification
What is Information Security Management System (ISMS)? Information is an asset, like other important business assets, needs to be suitably protected. Information can be stored in many forms, including digital form (e. g. electronic media), material form (e. g. on paper), as well as unrepresented information in the form of knowledge of the employees.
What is Information Security Management System (ISMS)? Information Security * includes three main dimensions: confidentiality, availability and integrity. Availability Integrity Confidentiality Information Security * Remark: According to ISO/IEC 27000: 2009 – Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary.
What is Information Security Management System (ISMS)? Information Security can be achieved through the implementation of an applicable set of controls selected through the chosen risk management process and managed using an ISMS.
What is Information Security Management System (ISMS)? ISMS is a management system (or a part of the overall management system), based on the approach of controlling business risks, to establish, implement, operate, monitor, review, maintain and improve information security. ISO/IEC 27001 is an ISMS Standard
Who should implement ISMS? ISMS is applicable to organisations of all sizes and in all business sectors. In particular, for organisations storing and/or handling information that is: - personally sensitive, or - of a commercially sensitive nature and value (e. g. product design), or - business critical (i. e. information that needs to be accurate and its integrity assured).
Benefits of Implementing ISMS Reduction in information security risks; • reducing the probability of information security incidents • reducing the impact caused by information security incidents Gives greater confidence to business partners, authorities and other interested parties
ISMS to ISO/IEC 27001 Source: ISO/IEC 27000: 2009 Information Technology – Security Techniques – Information Security Management Systems – Overview and vocabulary
ISMS to ISO/IEC 27001 adopts the “Plan-Do-Check-Act” (PDCA) model as shown in the following figure: Source: ISO/IEC 27001: 2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements
ISMS to ISO/IEC 27001 is aligned with ISO 9001: 2000 and ISO 14001: 2004 One suitably designed management system can satisfy the requirements of all these standards (i. e. IMS)
Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 Define the scope, boundary and policy of ISMS Define the risk assessment approach of the organisation Identify, analyse and evaluate risks and options for the relevant treatment
Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 (cont’) Select appropriate control objectives and controls for the treatment of risks Obtain management approval of the proposed residual risks Obtain management authorisation to implement and operate the ISMS Monitor, review, maintain and improve the ISMS continually
ISO/IEC 27001 Requirements General requirements (4. 1) Establishing and managing the ISMS (4. 2) Documentation requirements (4. 3) Management commitment (5. 1) Resource management (5. 2) Internal ISMS audits (6) Management review (7) Continual improvement (8. 1) Corrective action (8. 2) Preventive action (8. 3) Annex A – Control objectives and controls (A total of 35 Control Objectives and 114 Controls are grouped under 14 main categories as listed out in Table A. 1 of ISO/IEC 27001)
Certification of ISMS to ISO/IEC 27001 Certification is an attestation issued by a third-party body, through a formal conformity assessment process, that specified requirements (e. g. ISO/IEC 27001) are fulfilled.
Figures on ISMS Certification Source: www. iso 27001 certifciates. com (30 August 2013)
Figures on ISMS Certification Close to 8000 ISMS Certificates have been registered in the website “www. iso 27001 certificates. com” The actual figure on issued ISMS certificate is expected to be higher as not all certificates are registered.
Where to obtain ISMS Certification Services? A number of local certification bodies are providing ISO/IEC 27001 -based ISMS certification services.
Hong Kong Accreditation Service (HKAS) 香港認可處
What is Hong Kong Accreditation Service? HKAS is part of Innovation and Technology Commission of the Hong Kong Special Administration Region (HKSAR) Government. Established in 1985 (formerly named as HOKLAS), HKAS is the official accreditation body (認可資格頒授機構) in Hong Kong
What is accreditation (認可)? According to ISO/IEC 17000: 2004 Conformity assessment – Vocabulary and general principles: Ø “Accreditation” – Issuance of conformance statement by a third party (i. e. accreditation body) to a conformity assessment body (i. e. laboratory, inspection body or certification body, validation and verification body) Ø Conveying formal demonstration of its competence to carry our specific conformity assessment tasks (i. e. testing, inspection, certification, GHG validation and verification)
What is accreditation (認可)? Accreditation Body (e. g. HKAS) - provides the assurance Are they competent? Test, inspection, certification, GHG validation and verification Start Are they acceptable?
HKAS Accreditation Support the Hong Kong testing and certification industry, provide accreditation services under 3 schemes: Ø HOKLAS (香港實驗所認可計劃) Ø HKCAS (香港認證機構認可計劃) ü ü Product Certification ü Ø Management System Certification GHG Validation and Verification HKIAS (香港檢驗機構認可計劃)
HKAS Accreditation Testing related 198 Organisations (HOKLAS) Reference Material Producer ISO Guide 34 Proficiency Testing Provider ISO/IEC 17043 Inspection 19 Inspection Bodies (HKIAS) ISO/IEC 17020 20 Organisations (HKCAS) GHG Validation/ Verification ISO 14065
Hong Kong Certification Body Accreditation Scheme HKCAS Management System Certification (ISO/IEC 17021) Product Certification (ISO/IEC Guide 65) Quality Management System (ISO 9001) Environmental Management System (ISO 14001) Construction Materials and Products Food Safety Management System (ISO 22000) Occupational Health and Safety Management System (OHSAS 18001) Consumer Products Energy Management System (ISO 50001) Information Security Management System (ISO 27001) Management System of Residential Care Home for Elderly GHG Validation / Verification (ISO 14065 + ISO 14064 -3)
Features of HKAS Accreditation Voluntary Based on international standards Rigorous assessment and monitoring International recognition Independent and impartial
Benefits of HKAS Accreditation To accredited certification bodies Ø formal recognition of their competences in performing certification activities Ø demonstrate their competences and commitment in compliance to accreditation standards Ø maintain and improve their management system and performance through rigorous accreditation assessments and monitoring Ø enhance reputation Ø deliver confidence to their clients
Benefits of HKAS Accreditation To clients of accredited certification services Ø win new business particularly since the use of accredited certification service is increasingly a stipulation of specifiers in both public and private sectors; Ø help to identify best practice since the accredited certification bodies are required to have appropriate knowledge of clients’ business sectors; Ø control costs with the help of knowledge transfer since accredited certification bodies can be a good source of impartial advice; Ø offer market differentiation and leadership by showing to others credible evidence of good practice; Ø increase efficiency by reducing the necessity of re-audit (Source: “Why use an accredited certification body to certify your management system brochure”, IAF 2011)
Accreditation Recognised Internationally As a member of Mutual Recognition Agreement (MRA) by International Laboratory Accreditation Cooperation (ILAC, www. iaf. nu), and Multilateral Recognition Arrangement (MLA) by International Accreditation Forum (IAF, www. ilac. org) Accreditation status of specific scope recognised by over 82 accreditation bodies in 66 economies HKAS is well recognised by region/international accreditation community
International Cooperation (Laboratory / Inspection body) International ILAC Regional APLAC Economi es Accreditation Bodies EA IAAC Laboratori es Mutual recognition arrangement (MRA) through international and regional co-operations
International Cooperation (Certification body) IAF International Regional PAC Economi es EA Accreditation Bodies IAAC Certification Bodies Certified Organisations Multilateral recognition arrangement (MLA) through international and regional co-operations
Examples of HKAS MRA Partners
How to know a certification body is accredited by HKAS? http: //www. itc. gov. hk/en/quality/hkas/hkcas/cb_no. htm
How to Identify the Accredited Report/Certificate?
For More Information Please visit our website at http: www. hkas. gov. hk
Accreditation Service for Information Management System Certification Ø Launched in November 2011 Ø Enquiry contact: Dr. M. K. Kwok (Senior Accreditation Officer, HKAS) Tel. : 2829 4846 Email: [email protected] gov. hk For more information about this service, please visit http: //www. itc. gov. hk/en/quality/hkas/hkcas/about. htm