1. Accreditation Officer, Hong Kong Accreditation Service
Certification of Information Security Management System (ISMS) to ISO/IEC ISO/IEC 資訊安全管理系統認證
Mr. Nick C.C. Leung
Accreditation Officer, Hong Kong Accreditation Service
香港認可處 認可主任 18 October 2013

2. Content
Outline of ISO/IEC Information Security Management System Certification
Hong Kong Accreditation Service (香港認可處 )

3. Outline of ISO/IEC 27001 Information Security Management System Certification

4. What is Information Security Management System (ISMS)?
Information is an asset, like other important business assets, needs to be suitably protected.
Information can be stored in many forms, including digital form (e.g. electronic media), material form (e.g. on paper), as well as unrepresented information in the form of knowledge of the employees.

5. What is Information Security Management System (ISMS)?
Information Security * includes three main dimensions: confidentiality, availability and integrity.
* Remark: According to ISO/IEC 27000:2009 – Information Technology – Security Techniques – Information Security Management Systems – Overview and Vocabulary.
Information Security
Confidentiality
Availability
Integrity

6. What is Information Security Management System (ISMS)?
Information Security can be achieved through the implementation of an applicable set of controls selected through the chosen risk management process and managed using an ISMS.

7. What is Information Security Management System (ISMS)?
ISMS is a management system (or a part of the overall management system), based on the approach of controlling business risks, to establish, implement, operate, monitor, review, maintain and improve information security.
ISO/IEC is an ISMS Standard

8. Who should implement ISMS?
ISMS is applicable to organisations of all sizes and in all business sectors.
In particular, for organisations storing and/or handling information that is:
personally sensitive, or
of a commercially sensitive nature and value (e.g. product design), or
business critical (i.e. information that needs to be accurate and its integrity assured).

9. Benefits of Implementing ISMS
Reduction in information security risks;
reducing the probability of information security incidents
reducing the impact caused by information security incidents
Gives greater confidence to business partners, authorities and other interested parties

10. ISMS to ISO/IEC 27001
Source: ISO/IEC 27000:2009 Information Technology – Security Techniques – Information Security Management Systems – Overview and vocabulary

11. ISMS to ISO/IEC 27001
ISO/IEC adopts the “Plan-Do-Check-Act” (PDCA) model as shown in the following figure:
Source: ISO/IEC 27001:2005 Information Technology – Security Techniques – Information Security Management Systems – Requirements

12. ISO/IEC 27001 is aligned with ISO 9001:2000 and ISO 14001:2004
ISMS to ISO/IEC 27001
ISO/IEC is aligned with ISO 9001:2000 and ISO 14001:2004
One suitably designed management system can satisfy the requirements of all these standards (i.e. IMS)

13. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001
Define the scope, boundary and policy of ISMS
Define the risk assessment approach of the organisation
Identify, analyse and evaluate risks and options for the relevant treatment

14. Major Steps of Establishing and Implementing ISMS to ISO/IEC 27001 (cont’)
Select appropriate control objectives and controls for the treatment of risks
Obtain management approval of the proposed residual risks
Obtain management authorisation to
implement and operate the ISMS
Monitor, review, maintain and improve the ISMS continually

15. ISO/IEC 27001 Requirements General requirements (4.1)
Establishing and managing the ISMS (4.2)
Documentation requirements (4.3)
Management commitment (5.1)
Resource management (5.2)
Internal ISMS audits (6)
Management review (7)
Continual improvement (8.1)
Corrective action (8.2)
Preventive action (8.3)
Annex A – Control objectives and controls
(A total of 35 Control Objectives and 114 Controls are grouped under 14 main categories as listed out in Table A.1 of ISO/IEC )

16. Certification of ISMS to ISO/IEC 27001
Certification is an attestation issued by a third- party body, through a formal conformity assessment process, that specified requirements (e.g. ISO/IEC 27001) are fulfilled.

17. Figures on ISMS Certification
Source: (30 August 2013)

18. Figures on ISMS Certification
Close to 8000 ISMS Certificates have been registered in the website “
The actual figure on issued ISMS certificate is expected to be higher as not all certificates are registered.

19. Where to obtain ISMS Certification Services?
A number of local certification bodies are providing ISO/IEC based ISMS certification services.
Selecting an appropriate certification body to certify your organisation’s ISMS is a strategic decision.
How to select the right
certification service?

20. Hong Kong Accreditation Service (HKAS) 香港認可處

21. What is Hong Kong Accreditation Service?
HKAS is part of Innovation and Technology Commission of the Hong Kong Special Administration Region (HKSAR) Government.
Established in 1985 (formerly named as HOKLAS), HKAS is the official accreditation body (認可資格頒授機構) in Hong Kong

22. What is accreditation (認可)?
According to ISO/IEC 17000:2004 Conformity assessment – Vocabulary and general principles:
“Accreditation” – Issuance of conformance statement by a third party (i.e. accreditation body) to a conformity assessment body (i.e. laboratory, inspection body or certification body, validation and verification body)
Conveying formal demonstration of its competence to carry our specific conformity assessment tasks (i.e. testing, inspection, certification, GHG validation and verification)

23. Are they competent? Are they acceptable?
What is accreditation (認可)? 
Accreditation Body (e.g. HKAS)
- provides the assurance
Are they competent?
Test, inspection, certification, GHG validation and verification
Start
Are they acceptable?

24. HKAS Accreditation
Support the Hong Kong testing and certification industry, provide accreditation services under 3 schemes:
HOKLAS (香港實驗所認可計劃)
HKCAS (香港認證機構認可計劃)
Management System Certification
Product Certification
GHG Validation and Verification
HKIAS (香港檢驗機構認可計劃)

25. HKAS Accreditation Testing related Inspection 198 Organisations
(HOKLAS)
19 Inspection Bodies
(HKIAS)
ISO/IEC 17020
20 Organisations
(HKCAS)
Reference
Material Producer
ISO Guide 34
Proficiency
Testing Provider
ISO/IEC 17043
GHG Validation/
Verification
ISO 14065

26. Hong Kong Certification Body Accreditation Scheme
HKCAS
Management System Certification
(ISO/IEC 17021)
Product Certification
(ISO/IEC Guide 65)
GHG Validation /
Verification
(ISO
ISO )
Quality Management System
(ISO 9001)
Environmental Management System
(ISO 14001)
Construction Materials and Products
Food Safety Management System
(ISO 22000)
Occupational Health and Safety Management System
(OHSAS 18001)
Consumer Products
Energy Management System
(ISO 50001)
Information Security Management System
(ISO 27001)
Management System of Residential Care Home for Elderly

27. Features of HKAS Accreditation
Voluntary
Based on international standards
Rigorous assessment and monitoring
International recognition
Independent and impartial

28. Benefits of HKAS Accreditation
To accredited certification bodies
formal recognition of their competences in performing certification activities
demonstrate their competences and commitment in compliance to accreditation standards
maintain and improve their management system and performance through rigorous accreditation assessments and monitoring
enhance reputation
deliver confidence to their clients

29. Benefits of HKAS Accreditation
To clients of accredited certification services
win new business particularly since the use of accredited certification service is increasingly a stipulation of specifiers in both public and private sectors;
help to identify best practice since the accredited certification bodies are required to have appropriate knowledge of clients’ business sectors;
control costs with the help of knowledge transfer since accredited certification bodies can be a good source of impartial advice;
offer market differentiation and leadership by showing to others credible evidence of good practice;
increase efficiency by reducing the necessity of re-audit
(Source: “Why use an accredited certification body to certify your management system brochure”, IAF 2011)

30. Accreditation Recognised Internationally
As a member of Mutual Recognition Agreement (MRA) by International Laboratory Accreditation Cooperation (ILAC, and Multilateral Recognition Arrangement (MLA) by International Accreditation Forum (IAF,
Accreditation status of specific scope recognised by over 82 accreditation bodies in 66 economies
HKAS is well recognised by region/international accreditation community

31. International Cooperation (Laboratory / Inspection body)
Economies
Accreditation Bodies
Regional
APLAC
IAAC
Laboratories
ILAC EA
Mutual recognition arrangement (MRA) through international and regional co-operations

32. International Cooperation
(Certification body)
International
Economies
Accreditation Bodies
Regional
PAC
IAAC
IAF EA
Multilateral recognition arrangement (MLA) through international and regional co-operations
Certification Bodies
Certified Organisations

33. Examples of HKAS MRA Partners

34. How to know a certification body is accredited by HKAS?

35. How to Identify the Accredited Report/Certificate?

36. Please visit our website at http: www.hkas.gov.hk
For More Information
Please visit our website at http:

37. Accreditation Service for Information Management System Certification
Launched in November 2011
Enquiry contact:
Dr. M. K. Kwok (Senior Accreditation Officer, HKAS)
Tel.:
For more information about this service, please visit

39. Thank you