Saturday, 2 August 2008

Seminar on ISO 9001:2000 UPGRADE to 2008 Version & Secure your information with ISO 27001

The seminar was co-organized by HKSQ and HKSTP with the support of TQM, HKQMA and the HKIE MIE Division on 1st August 2008. There were 3 topics and an open discussion forum for exchanging ideas among the participants. The event was very successful with more than 100 participants, and I would like to summarize the whole event for the record.

The agenda is attached for your reference.
In the beginning, Dr. Albert Tsang (the chairman of the Hong Kong Society of Quality) introduced the HKSQ background. Then I introduced the services provided by the Technology Support Centre (TSC) of Hong Kong Science and Technology Park, which is ISO 9001 certified. Moreover, the IC Design Centre (ICDC) and IP Servicing Centre (IPSC) in TSC have obtained ISO 27001 certification.


The first speaker was Dr. Aaron Tong, who is an observer of the ISO/TC 176 Committee. He explained the differences in ISO 9001 requirements between the 2000 and 2008 (draft) versions.

He summarized the main changes as follows:
1. To remove “Terms and definitions”
2. To add emphasis on outsourced processes
3. To clarify that a record is a kind of document
4. To affirm that the Management Representative shall be a member of the organization’s management
5. To consider the necessary competence of employees whose work affects conformity to product requirements
6. To add Information Systems to the clause on Infrastructure
7. To consider the preservation of product during the design and development stage
8. To include personal data in customer property
9. To confirm the ability of computer software to satisfy the intended use
10. To define the controls and responsibilities for dealing with nonconforming (NC) product

Dr. Aaron Tong also told us “What’s Next in Quality Management?” The following two points will become part of quality management:
1. Work on time, speed and agility
2. Deal with innovation

The second speaker was Mr. William Wong, who is a product manager in HKQAA. His topic was “Secure Your Information with ISO 27001”. He introduced the core elements of information security management, which assure the confidentiality, integrity and availability of information assets. Then he emphasized the consequences of information security failures.


After that, he introduced the family of ISO 27000:
· ISO/IEC 27000 Fundamentals and vocabulary
· ISO/IEC 27001 ISMS - Requirements
· ISO/IEC 27002 Code of practice for information security management
· ISO/IEC 27003 ISMS implementation guidance (under development)
· ISO/IEC 27004 Information security management measurement (under development)
· ISO/IEC 27005 Information security risk management
· ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems

The following were several key points in risk assessment and risk treatment:
· To assess, within the scope of certification, the risk levels that the various types of information assets are facing
· To devise corresponding controls and measures, including cost considerations, to lower the levels of risk to acceptable levels
Two terms are important: “Threat” and “Vulnerability”, where
Threat means “any event which could have an undesirable impact” or “a potential cause of an unwanted impact to a system or organization”.
Vulnerability means “absence or weakness of a risk-reducing safeguard, allowing a potential threat to occur with greater frequency, greater impact, or both” or “any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploitation by a threat”.

He also introduced the cost of information security and the Plan-Do-Check-Act approach for an information security management system.


The last speaker was myself, and I shared our experience of achieving ISO 27001 certification this year. Our risk assessment employed the tool “Failure Mode and Effects Analysis (FMEA)”, in which risk is calculated as Risk Priority Number (RPN) = Severity (S) * Occurrence (O) * Detection (D). We reviewed the risk on 133 Control Points (ISO 27001) and 9 findings from external audits, as well as 95 risk assessment items from the operations flow. Moreover, we also modified FMEA to combine it with Information Asset Evaluation, in which the confidentiality, integrity and availability of our information assets are considered. I also shared our experience in preparing the Statement of Applicability (SOA), developing the Supplementary ISMS Manual, establishing the ISMS document system and integrating the ISO 9001 and ISO 27001 systems. Lastly, I showed our future upgrade plan to extend the ICDC and IPSC services worldwide.
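As an added illustration of the FMEA-style scoring described above (example code written here, not the author's or HKSTP's own tool): each register item gets RPN = S * O * D, and the register is ranked so items above a treatment threshold are flagged. The exact way the author combined FMEA with Information Asset Evaluation is not given, so the assumption here is that Severity is taken from the asset's highest C/I/A rating; the register contents, rating scales and the threshold of 100 are all constructed.

```python
from dataclasses import dataclass

RPN_THRESHOLD = 100  # assumed treatment threshold, not a value from the seminar


@dataclass(frozen=True)
class Asset:
    name: str
    c: int  # confidentiality rating, 1 (low) .. 10 (high)
    i: int  # integrity rating
    a: int  # availability rating

    def severity(self) -> int:
        # Assumption: the asset's highest CIA rating drives Severity (S)
        return max(self.c, self.i, self.a)


@dataclass(frozen=True)
class RiskItem:
    ref: str          # constructed id: a control point, audit finding or ops item
    asset: Asset
    threat: str
    occurrence: int   # O: 1 (rare) .. 10 (frequent)
    detection: int    # D: 1 (always detected) .. 10 (never detected)

    def rpn(self) -> int:
        return self.asset.severity() * self.occurrence * self.detection


def validate_ratings(item: RiskItem) -> None:
    """Reject ratings outside the 1..10 scale before they distort the ranking."""
    for label, v in (("C", item.asset.c), ("I", item.asset.i), ("A", item.asset.a),
                     ("O", item.occurrence), ("D", item.detection)):
        if not 1 <= v <= 10:
            raise ValueError(f"{item.ref}: {label} rating {v} outside 1..10")


def rank_register(items: list, threshold: int = RPN_THRESHOLD) -> list:
    """Return (ref, RPN, needs_treatment) tuples sorted by descending RPN."""
    for item in items:
        validate_ratings(item)
    scored = [(i.ref, i.rpn(), i.rpn() >= threshold) for i in items]
    return sorted(scored, key=lambda r: -r[1])


# Constructed sample register: one control point, one audit finding, one ops item
DESIGN_DATA = Asset("IC design files", c=9, i=8, a=5)
BUILD_SERVER = Asset("Build server", c=4, i=6, a=8)
SAMPLE_REGISTER = [
    RiskItem("CP-017", DESIGN_DATA, "access via shared account", occurrence=4, detection=6),
    RiskItem("OPS-042", BUILD_SERVER, "backup job failure", occurrence=3, detection=2),
    RiskItem("AUD-003", DESIGN_DATA, "removable media leaving site", occurrence=2, detection=5),
]

if __name__ == "__main__":
    for ref, rpn, treat in rank_register(SAMPLE_REGISTER):
        print(f"{ref:8} RPN={rpn:4} {'TREAT' if treat else 'accept'}")
```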
After all the speakers’ presentations, the open discussion forum was moderated by Dr. Samson Tam. Participants raised the following questions:
· how to achieve the new ISO 9001 standard
· why many companies certified to ISO 9001 still perform badly
· how popular ISO 27001 is in HK
· what the initial steps are for an SME to start ISO 27001



Mr. Lotto Lai and Dr. Albert Tsang represented HKSTP and HKSQ respectively, to present souvenirs to all speakers.
To organizer Dr. Albert Tsang
To organizer Mr. Lotto Lai

To speaker Dr. Aaron Tong


To speaker Mr. William Wong


To moderator Dr. Samson Tam


Photos for all speakers and organizers



After the seminar, the HKSQ ex-co members took photos in HKSTP.



