Accreditation Officer, Hong Kong Accreditation Service

Presentation transcript:

Certification of Information Security Management System (ISMS) to ISO/IEC 27001
ISO/IEC 27001 資訊安全管理系統認證
Mr. Nick C.C. Leung, Accreditation Officer, Hong Kong Accreditation Service (香港認可處 認可主任)
18 October 2013

Content
- Outline of ISO/IEC 27001 Information Security Management System Certification
- Hong Kong Accreditation Service (香港認可處)

Outline of ISO/IEC 27001 Information Security Management System Certification

What is an Information Security Management System (ISMS)?
Information is an asset which, like other important business assets, needs to be suitably protected. Information can be stored in many forms: in digital form (e.g. electronic media), in material form (e.g. on paper), and as unrepresented information in the form of employees' knowledge.

What is an Information Security Management System (ISMS)?
Information security* includes three main dimensions: confidentiality, availability and integrity.
* Remark: according to ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary.
[Figure: the three dimensions of information security: confidentiality, availability, integrity]

What is an Information Security Management System (ISMS)?
Information security can be achieved by implementing an applicable set of controls, selected through the chosen risk management process and managed using an ISMS.

What is an Information Security Management System (ISMS)?
An ISMS is a management system (or part of the overall management system), based on a business-risk approach, used to establish, implement, operate, monitor, review, maintain and improve information security. ISO/IEC 27001 is an ISMS standard.

Who should implement an ISMS?
An ISMS is applicable to organisations of all sizes and in all business sectors, in particular organisations storing and/or handling information that is:
- personally sensitive, or
- of a commercially sensitive nature and value (e.g. product design), or
- business critical (i.e. information that needs to be accurate and its integrity assured).

Benefits of Implementing an ISMS
- Reduction in information security risks:
  - reducing the probability of information security incidents
  - reducing the impact caused by information security incidents
- Greater confidence for business partners, authorities and other interested parties

ISMS to ISO/IEC 27001
[Figure. Source: ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary]

ISMS to ISO/IEC 27001
ISO/IEC 27001 adopts the "Plan-Do-Check-Act" (PDCA) model, as shown in the following figure:
[Figure: the PDCA model applied to ISMS processes. Source: ISO/IEC 27001:2005, Information technology – Security techniques – Information security management systems – Requirements]

ISMS to ISO/IEC 27001
ISO/IEC 27001 is aligned with ISO 9001:2000 and ISO 14001:2004. One suitably designed management system can satisfy the requirements of all these standards (i.e. an integrated management system, IMS).

Major Steps of Establishing and Implementing an ISMS to ISO/IEC 27001
1. Define the scope, boundary and policy of the ISMS
2. Define the risk assessment approach of the organisation
3. Identify, analyse and evaluate risks and the options for their treatment

Major Steps of Establishing and Implementing an ISMS to ISO/IEC 27001 (cont'd)
4. Select appropriate control objectives and controls for the treatment of risks
5. Obtain management approval of the proposed residual risks
6. Obtain management authorisation to implement and operate the ISMS
7. Monitor, review, maintain and improve the ISMS continually
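As an added illustration (not from the presentation or the standard), the following Python sketch models steps 2 to 5 above as a toy risk register: a defined risk assessment approach, risk evaluation, control selection, and the check that all residual risks sit within the acceptance level before management approval is sought. The scoring method, control catalogue and sample risks are all assumptions constructed for the example.

```python
# Added illustration (not from the presentation): a toy ISO/IEC 27001-style
# risk register covering the steps above, up to the residual-risk gate.
from dataclasses import dataclass, field

# Assumed approach: risk = likelihood x impact (1..5 scales); above this, treat.
ACCEPTANCE_LEVEL = 6
# Constructed control catalogue (placeholder ids, not Annex A references);
# each selected control lowers likelihood and/or impact by a fixed amount.
CONTROLS = {
    "CTRL-BACKUP": {"name": "Information backup", "likelihood": 0, "impact": -3},
    "CTRL-ACCESS": {"name": "Access restriction", "likelihood": -2, "impact": 0},
    "CTRL-CRYPTO": {"name": "Encryption of stored data", "likelihood": 0, "impact": -2},
}

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)  # selected control ids
    def inherent(self) -> int:
        return self.likelihood * self.impact
    def residual(self) -> int:
        lk, im = self.likelihood, self.impact
        for cid in self.controls:
            lk += CONTROLS[cid]["likelihood"]
            im += CONTROLS[cid]["impact"]
        return max(1, lk) * max(1, im)  # scales never drop below 1

def needs_treatment(risk: Risk) -> bool:
    return risk.inherent() > ACCEPTANCE_LEVEL

def residual_risks_acceptable(register) -> bool:
    """Gate before management approval: every residual risk is acceptable."""
    return all(r.residual() <= ACCEPTANCE_LEVEL for r in register)

def statement_of_applicability(register) -> dict:
    """Map each catalogue control to the risks that justify selecting it."""
    soa = {cid: [] for cid in CONTROLS}
    for r in register:
        for cid in r.controls:
            soa[cid].append(f"{r.asset}/{r.threat}")
    return soa

REGISTER = [  # constructed sample register for a small organisation
    Risk("customer database", "ransomware", 3, 5, ["CTRL-BACKUP", "CTRL-ACCESS"]),
    Risk("laptop", "theft", 4, 3, ["CTRL-CRYPTO"]),
    Risk("public brochure", "disclosure", 2, 1),  # acceptable as-is, untreated
]
```

Controls that are in the catalogue but justified by no risk come out with an empty list, which is the case an auditor would expect to see explained in the statement of applicability.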

ISO/IEC 27001 Requirements
- General requirements (4.1)
- Establishing and managing the ISMS (4.2)
- Documentation requirements (4.3)
- Management commitment (5.1)
- Resource management (5.2)
- Internal ISMS audits (6)
- Management review (7)
- Continual improvement (8.1)
- Corrective action (8.2)
- Preventive action (8.3)
- Annex A – Control objectives and controls (a total of 35 control objectives and 114 controls are grouped under 14 main categories, as listed in Table A.1 of ISO/IEC 27001)

Certification of ISMS to ISO/IEC 27001
Certification is an attestation, issued by a third-party body through a formal conformity assessment process, that specified requirements (e.g. ISO/IEC 27001) are fulfilled.

Figures on ISMS Certification
[Figure: number of registered ISMS certificates. Source: www.iso27001certificates.com (30 August 2013)]

Figures on ISMS Certification
Close to 8000 ISMS certificates have been registered on the website www.iso27001certificates.com. The actual number of issued ISMS certificates is expected to be higher, as not all certificates are registered.

Where to obtain ISMS Certification Services?
A number of local certification bodies provide ISO/IEC 27001-based ISMS certification services. Selecting an appropriate certification body to certify your organisation's ISMS is a strategic decision. How do you select the right certification service?

Hong Kong Accreditation Service (HKAS) 香港認可處

What is the Hong Kong Accreditation Service?
HKAS is part of the Innovation and Technology Commission of the Hong Kong Special Administrative Region (HKSAR) Government. Established in 1985 (formerly named HOKLAS), HKAS is the official accreditation body (認可資格頒授機構) in Hong Kong.

What is accreditation (認可)?
According to ISO/IEC 17000:2004, Conformity assessment – Vocabulary and general principles, "accreditation" is the issuance of a conformance statement by a third party (i.e. an accreditation body) to a conformity assessment body (i.e. a laboratory, inspection body, certification body, or validation and verification body), conveying formal demonstration of its competence to carry out specific conformity assessment tasks (i.e. testing, inspection, certification, GHG validation and verification).

What is accreditation (認可)?
[Figure: starting from testing, inspection, certification and GHG validation/verification, the questions "Are they competent?" and "Are they acceptable?" arise; the accreditation body (e.g. HKAS) provides the assurance]

HKAS Accreditation
To support the Hong Kong testing and certification industry, HKAS provides accreditation services under three schemes:
- HOKLAS (Hong Kong Laboratory Accreditation Scheme, 香港實驗所認可計劃)
- HKCAS (Hong Kong Certification Body Accreditation Scheme, 香港認證機構認可計劃): management system certification, product certification, GHG validation and verification
- HKIAS (Hong Kong Inspection Body Accreditation Scheme, 香港檢驗機構認可計劃)

HKAS Accreditation
- Testing related: 198 organisations (HOKLAS), including reference material producers (ISO Guide 34) and proficiency testing providers (ISO/IEC 17043)
- Inspection: 19 inspection bodies (HKIAS; ISO/IEC 17020)
- Certification: 20 organisations (HKCAS), including GHG validation/verification (ISO 14065)

Hong Kong Certification Body Accreditation Scheme (HKCAS)
- Management System Certification (ISO/IEC 17021):
  - Quality Management System (ISO 9001)
  - Environmental Management System (ISO 14001)
  - Food Safety Management System (ISO 22000)
  - Occupational Health and Safety Management System (OHSAS 18001)
  - Energy Management System (ISO 50001)
  - Information Security Management System (ISO 27001)
  - Management System of Residential Care Home for Elderly
- Product Certification (ISO/IEC Guide 65):
  - Construction materials and products
  - Consumer products
- GHG Validation / Verification (ISO 14065 + ISO 14064-3)

Features of HKAS Accreditation
- Voluntary
- Based on international standards
- Rigorous assessment and monitoring
- International recognition
- Independent and impartial

Benefits of HKAS Accreditation
To accredited certification bodies:
- formal recognition of their competence in performing certification activities
- demonstration of their competence and commitment to compliance with accreditation standards
- maintenance and improvement of their management system and performance through rigorous accreditation assessments and monitoring
- enhanced reputation
- confidence delivered to their clients

Benefits of HKAS Accreditation
To clients of accredited certification services:
- win new business, particularly since the use of accredited certification services is increasingly a stipulation of specifiers in both the public and private sectors;
- help to identify best practice, since accredited certification bodies are required to have appropriate knowledge of clients' business sectors;
- control costs with the help of knowledge transfer, since accredited certification bodies can be a good source of impartial advice;
- offer market differentiation and leadership by showing others credible evidence of good practice;
- increase efficiency by reducing the need for re-audit.
(Source: "Why use an accredited certification body to certify your management system" brochure, IAF 2011)

Accreditation Recognised Internationally
HKAS is a member of the Mutual Recognition Arrangement (MRA) of the International Laboratory Accreditation Cooperation (ILAC, www.ilac.org) and of the Multilateral Recognition Arrangement (MLA) of the International Accreditation Forum (IAF, www.iaf.nu). Accreditation status for specific scopes is recognised by over 82 accreditation bodies in 66 economies. HKAS is well recognised by the regional and international accreditation community.

International Cooperation (Laboratory / Inspection body)
[Figure: mutual recognition arrangement (MRA) through international and regional co-operations, linking laboratories, accreditation bodies and economies via the regional bodies APLAC, EA and IAAC and the international body ILAC]

International Cooperation (Certification body)
[Figure: multilateral recognition arrangement (MLA) through international and regional co-operations, linking certified organisations, certification bodies, accreditation bodies and economies via the regional bodies PAC, EA and IAAC and the international body IAF]

Examples of HKAS MRA Partners

How to know whether a certification body is accredited by HKAS?
http://www.itc.gov.hk/en/quality/hkas/hkcas/cb_no.htm

How to Identify the Accredited Report/Certificate?

For More Information
Please visit our website at http://www.hkas.gov.hk

Accreditation Service for Information Security Management System Certification
Launched in November 2011
Enquiry contact: Dr. M. K. Kwok (Senior Accreditation Officer, HKAS)
Tel.: 2829 4846
Email: mkkwok@itc.gov.hk
For more information about this service, please visit http://www.itc.gov.hk/en/quality/hkas/hkcas/about.htm

Thank you