The Hong Kong Council for Testing and Certification (HKCTC), the Hong Kong Accreditation Service (HKAS) and The Hong Kong General Chamber of Small and Medium Business co-organized a workshop entitled “Workshop on ISO/IEC 27001 Information Security Management System Certification 2016” on 26 Oct 2016. Certification of an ISMS to ISO/IEC 27001 allows an organization to demonstrate that its information assets are adequately protected against information security risks. The workshop aimed to give an overview of ISO/IEC 27001 and to discuss how to prepare for the certification process. The Hong Kong Society for Quality (HKSQ) and the Hong Kong Science and Technology Parks Corporation (HKSTP) were the supporting organizations. Ms. Angela Wong (Vice-chairman, HKSQ) and I attended the workshop and took a photo for memory.
At the beginning, Mr. Kesson Lee (Secretary-General, HKCTC) gave the opening remarks. He said that ISO 27001 was of increasing concern for avoiding potential business loss, and that ICT was one of the areas on which the Testing & Certification industry would focus.
Then Dr. YAU Bun, Oliver (Vice President, The Hong Kong General Chamber of Small and Medium Business) gave a welcoming remark.
All guest speakers took a group photo.
The first speaker was Mr. Ronald Pong (CEO, Nexusguard Consulting Limited (NCL); Adjunct Lecturer, HKU SPACE), and his topic was entitled “Practical Implementation of ISO/IEC 27001 in Your Environment”. Mr. Pong briefed us on ISO 27001:2013 and other standards in the ISO 27000 series, such as ISO 27004, ISO 27005, ISO 27006, ISO 27007, ISO 27013 and ISO 27037.
Then Mr. Ronald Pong introduced ISO 27005:2011 risk management. He said that risk included vulnerability and threat (environmental factors), and he discussed scope and objectives. Since resources were limited, he suggested focusing on the key business processes (major processes and sub-processes). Objectives were based on Confidentiality, Integrity and Availability (CIA).
ISO 27004 was used for risk calculation (measurement) to evaluate the effectiveness of safeguards. He also told us to check the inventory first, which consisted of a fixed part and a dynamic part, such as a network diagram plus a data flow diagram.
Finally, Mr. Ronald Pong briefed us on the development of the threat model based on the PDCA cycle. He also discussed impact criteria based on ISO 27005, where vulnerability scanning (for individual systems) and penetration testing (for end-to-end business processes) were used as scenarios. For DR and BCP, he advised considering the Operation Level Agreement (OLA) and Service Level Agreement (SLA). For security incidents, he used ISO 27037 to preserve evidence for evaluation. At the end, he said that awareness training was important, but that it should use a role-based approach (e.g. management, general users and technical users).
The second speaker was Mr. Norman PAN (Managing Consultant, Doctor A Security Systems (HK) Ltd.), and his topic was named “Getting Certified ISO/IEC 27001 – Experience Sharing”. Mr. Pan introduced his company first. They had been certified to ISO 27001 since 2003 (at that time named BS 7799). He said that ISO 27001 comprised risk evaluation plus a management system.
Mr. Norman Pan then shared a case about firewalls and antivirus against ransomware. He said that the antivirus was not able to screen the ransomware (0% detection) and the URL scan had only a 5% success rate! He suggested two preventive actions:
i) Network separation (e.g. separate file server and email server)
ii) Remove Flash Player from all computers.
After that, Mr. Pan shared about risk management, but he said we needed to understand the ISO 27001 management system clauses first and then use the annex objectives for risk evaluation. Without a risk evaluation, we would not be able to complete the Statement of Applicability (SOA). Finally, he summarized that ISO 27001 certification could differentiate an organization in the market and gain customer confidence. He also said that top management support could be confirmed if an information security item appeared in the budget.
Mr. Leung Chi-chiu (Accreditation Officer, HKAS) was the last speaker, and his topic was named “Hong Kong Accreditation Service (HKAS) – How its Services Help You”. Mr. Leung explained that accreditation is the issuance of a statement of conformance by a third party (i.e. an accreditation body) to a conformity assessment body (i.e. a laboratory, inspection body, certification body, or validation and verification body), conveying formal demonstration of its competence to carry out specific conformity assessment tasks (ISO/IEC 17024).
He used a diagram to explain the relationship among industry, certification bodies and accreditation bodies. HKAS follows ISO/IEC 17021-1 and ISO/IEC 27006 for certification body accreditation.
A summary of the MRA/MLA partners was shown. Finally, Mr. Leung briefed us on the benefits of HKAS accreditation, which included formal recognition of CB competence to enhance reputation and deliver confidence to their clients.
Reference:
HKCTC Seminar presentation file - http://www.hkctc.gov.hk/en/work_seminars.html#b44
20150619: HKCTC & HKAS Workshop on ISO 27001 ISMS Certification - https://qualityalchemist.blogspot.hk/2015/06/hkctc-hkas-workshop-on-iso-27001-isms.html