HKCTC & HKAS Workshop on ISO 27001 ISMS Certification 2016

The Hong Kong Council for Testing and Certification (HKCTC), Hong Kong Accreditation Service (HKAS) and The Hong Kong General Chamber of Small and Medium Business co-organized a Workshop entitled “Workshop on ISO/IEC 27001 Information Security Management System Certification 2016” on 26 Oct 2016.  Certification of ISMS to ISO/IEC 27001 allows an organization to demonstrate that its information asset is adequately protected against information security risk. The workshop aimed to give an overview of ISO/IEC 27001 and discussed how to get prepared for the certification process.  Hong Kong Society for Quality (HKSQ) and Hong Kong Science and Technology Parks Corporation (HKSTP) are supporting organization.  Ms. Angela Wong (Vice-chairman, HKSQ) and I attended the workshop and took a photo for memory.

In the beginning, Mr. Kesson Lee (Secretary-General, HKCTC) give an opening remarks and he said ISO 27001 was increasing concern to avoid business potential loss and ICT was one of areas in Testing & Certification Industry to be focused.  

And then Dr. YAU Bun, Oliver (Vice President, The Hong Kong General Chamber of Small and Medium Business) gave a welcoming remark. 

All guest speakers took a group photo.

The first speaker was Mr. Ronald Pong (CEO, Nexusguard Consulting Limited (NCL); Adjunct Lecturer, HKU SPACE) and his topic entitled “Practical Implementation of ISO/IEC 27001 in Your Environment”.  Mr. Pong briefed the ISO 27001:2013 and other ISO 27000 series such as ISO 27004, ISO 27005, ISO 27006, ISO 27007, ISO 27013 and ISO 27037, etc.

Then Mr. Ronald Pong introduced ISO 27005:2011 risk management.  He said Risk included Vulnerability and Threat (Environment Factors).  And he discussed the Scope and Objective. Since resource was limited, he suggested to focus on the key business process (major process and sub-process).  Objectives were based on Confidentiality, Integrity and Availability (CIA).  

ISO 27004 was used for risk calculation (measurement) to evaluation the safeguard effectiveness.  He also told us to check the inventory first in which was consisted by fix part and dynamic part.  Such as Network Diagram + Data Flow Diagram.

Finally, Mr. Ronald Pong briefed the development of the Threat Model based on PDCA cycle.  He also discussed impact criteria based on ISO 27005 that Vulnerability Scanning (for individual system) and Penetration Testing (for End to End Business Process) used scenario.  For DR and BCP, he advised to consider Operation Level Agreement (OLA) and Service Level Agreement (SLA).  For security incident, he used ISO 27037 to keep evidences for evaluation.  At the end, he said the awareness training was important but it should use Role-based Approach (e.g. Management, General User and Technical User). 

The second speaker was Mr. Norman PAN (Managing Consultant, Doctor A Security Systems (HK) Ltd.) and his topic named “Getting Certified ISO/IEC 27001 – Experience Sharing”.  Mr. Pan introduced his company first.  They had certified ISO 27001 since 2003 (at that time named BS 7799). He said ISO 27001 included Risk Evaluation plus Management System.

Mr. Norman Pan then shared the case about Firewall & Antivirus against Ransomware.  He said the antivirus was not able to screen the ransomware (0% detection) and the URL scan was only 5% success rate!  He suggested two preventive actions that were:

i)                    Network Separation (e.g. separated File Server and Email Server)

ii)                  Remove all Flash Player in your computers.

After that Mr. Pan shared about Risk Management but he said we needed to understand ISO 27001 management system clause first and then using annex objectives for risk evaluation.  If without risk evaluation, we were not able to complete the Statement of Applicability (SOA).  Finally, he summarized that certified ISO 27001 could be differentiated in the market and got customer confidence.  He also said that top management support could be found if the information security item appeared in the budget.  

Mr. Leung Chi-chiu (Accreditation Officer, HKAS) was the last speaker and his topic named “Hong Kong Accreditation Service (HKAS) – How its Services Help You”.  Mr. Leung introduced that Accreditation which was issuance of conformance statement by a third party (i.e. accreditation body) to a conformity assessment body (i.e. laboratory, inspection body or certification body, validation and verification body) and conveying formal demonstration of its competence to carry our specific conformity assessment tasks (ISO/IEC 17024).

He used the diagram to explain the relationship among Industry, Certification Body and Accreditation Body.  HKAS is followed the ISO/IEC 17021-1 and ISO/IEC 27006 for certification body accreditation.  

The summary of MRA/MLA partners was showed.  Finally, Mr. Leung briefed the benefits of HKAS accreditation included formal recognition of CB competences to enhance reputation and to deliver confidence to their clients.

Reference:

HKCTC - http://www.hkctc.gov.hk/en/home.html

HKCTC Seminar presentation file - http://www.hkctc.gov.hk/en/work_seminars.html#b44

HKAS - http://www.itc.gov.hk/en/quality/hkas/about.htm

HKSQ - http://www.hksq.org/index.asp

HKSTP - https://www.hkstp.org/zh-hk/index.aspx

20150619: HKCTC & HKAS Workshop on ISO 27001 ISMS Certification - https://qualityalchemist.blogspot.hk/2015/06/hkctc-hkas-workshop-on-iso-27001-isms.html