Showing posts with the label “ISO 27001”. Show all posts

Wednesday, 26 October 2016

HKCTC & HKAS Workshop on ISO 27001 ISMS Certification 2016

The Hong Kong Council for Testing and Certification (HKCTC), Hong Kong Accreditation Service (HKAS) and The Hong Kong General Chamber of Small and Medium Business co-organized a workshop entitled “Workshop on ISO/IEC 27001 Information Security Management System Certification 2016” on 26 Oct 2016. Certification of an ISMS to ISO/IEC 27001 allows an organization to demonstrate that its information assets are adequately protected against information security risk. The workshop aimed to give an overview of ISO/IEC 27001 and discussed how to prepare for the certification process. Hong Kong Society for Quality (HKSQ) and Hong Kong Science and Technology Parks Corporation (HKSTP) were the supporting organizations. Ms. Angela Wong (Vice-chairman, HKSQ) and I attended the workshop and took a photo for memory.


Tuesday, 30 June 2015

ASTRI visit to HKSTP Technology Support Centre for ISO 27001 experience sharing

I was honoured to share our experience of implementing ISO 27001 in the Technology Support Centre of HKSTP, which was the first laboratory in Hong Kong certified to ISO 27001. The ASTRI team visited us on the morning of 30 Jun 2015. The following photo shows our ISO 27001 certificate with our service scopes.



The visitors from the ASTRI team were as follows:
- Chris Chen (IT Director)
- Daeman Chan (IT Manager)
- Jim Hui (Quality Manager)
- Calvin Shum (Quality Engineer)
- Winston Oey (Quality Engineer)
- Astley Wan (Senior Manager, Facility)

The schedule is shown below:
(10:30am – 11:00am)
i) Briefing on the background and implementation issues.
(11:00am – 12:00pm)
ii) Visit to WCTL & RL
iii) Visit to ICFAL & MAL
iv) Visit to BSC
v) Visit to PDTC

Hopefully our experience can assist ASTRI in achieving ISO 27001 certification in the near future.

Reference:
Related activities:
20150619: HKCTC & HKAS Workshop on ISO 27001 ISMS Certification - https://qualityalchemist.blogspot.com/2015/06/hkctc-hkas-workshop-on-iso-27001-isms.html
20150424: PMI Seminar on QMS based Information Security Management - https://qualityalchemist.blogspot.com/2015/04/pmi-seminar-on-qms-based-information.html
20080802: Seminar on ISO 9001:2000 UPGRADE to 2008 Version & Secure your information with ISO 27001 - https://qualityalchemist.blogspot.com/2008/08/seminar-on-iso-90012000-upgrade-to-2008.html

Friday, 19 June 2015

HKCTC & HKAS Workshop on ISO 27001 ISMS Certification

The Hong Kong Council for Testing and Certification (HKCTC), Hong Kong Accreditation Service (HKAS) and the Working Group on Cloud Security and Privacy co-organized a workshop entitled “Workshop on ISO/IEC 27001 Information Security Management System Certification” on 19 Jun 2015. Given the increasing concern over information security in society, more organizations are aware of the advantages of being certified to ISO/IEC 27001, which is one of the most well-recognized ISMS standards globally. The workshop aimed to give an overview of ISO/IEC 27001 and discussed how to prepare for the certification process.

Before the workshop, we took a photo with Mr. Kesson Lee (Secretary-General, HKCTC) and the guest speakers. (From left: me, Mr. Ronald Pong, Mr. Kesson Lee (HKCTC), Mr. Ronald Tse, Dr. Kwok Moon-keung (HKAS))


In the beginning, Mr. Kesson Lee (Secretary-General, HKCTC) gave the opening remarks and said that ICT was one of the focus areas in the Testing & Certification industry.


Then Mr. Vincent Chan (Convenor of the Working Group on Cloud Security and Privacy under the Office of the Government Chief Information Officer) gave a welcoming remark. He said the public was concerned about cloud computing security and introduced the InfoCloud website, which was established as a one-stop portal for the general public and enterprises (especially small and medium-sized enterprises) to access information and resources on cloud computing technologies effectively.


All guest speakers took a group photo.


The first speaker was Mr. Ronald Pong (CEO, Nexusguard Consulting Limited) and his topic was entitled “Practical Implementation of ISO/IEC 27001 in Your Environment”. Mr. Pong outlined the agenda of his talk, which included ISO 27001, the various documents in the ISO 27001:2014 series, Vulnerability and Threat, as well as the ISO 27005:2011 risk assessment requirements.


Firstly, Mr. Pong briefed us on the different standards in the ISO 27001:2014 series and classified them as “Must”, “Major”, “Reference” and “Supportive”. He explained to us the difference between Vulnerability and Threat. A vulnerability was a technical problem which could be fixed by applying patches and installing more advanced equipment, whereas a threat came from management and human error, such as configuration problems and bad practices.


Then he introduced ISO 27005:2011 risk management, whose scope included “Constraints related to Methods and Know-How”, “Time Constraints”, “Organization Constraints”, “Environmental Constraints” and “Financial Constraints”. Organization Constraints involved “Development Management”, “HR Management”, “Operation”, “Administrative Management” and “Maintenance”. The standard risk matrix was also mentioned.


Finally, Mr. Ronald Pong briefed us on ISO 27003:2010 for ISMS implementation guidance; the first thing to do was your information inventory classification. ISO 27006 & ISO 27007 were related to certification bodies, such as the auditor man-day criteria for Large/Small and Simple/Complex companies.

During the break, I took a photo with Dr. Kwok Moon-keung (Senior Accreditation Officer, HKAS), who had been one of the assessors auditing our laboratories before.


I was honoured to represent HKSTP as the second speaker, and my presentation was titled “QMS based Information Security Management System – Case Study”. Our Technology Support Centre (TSC) has held ISO 27001 certification since 2008, and I reviewed many security incidents that happened in Hong Kong at that time. We upgraded to ISO 27001:2013 for the whole TSC at the end of 2014.


Then I introduced the development of the InfoSec FMEA Circle as our key risk assessment tool (where FMEA stands for Failure Mode and Effect Analysis). Its implementation philosophy was then described: it takes the ISO 27001 Control Objectives & Controls as the fundamental level and then evaluates the risk level of each operational information flow accordingly.


After that, the 24-step QISM Implementation Roadmap was introduced; its development was based on the TQM Roadmap. We focused on seven phases: “Awareness”, “Preparation”, “Plan”, “Do”, “Check”, “Act” and “Validation”. I also discussed how to establish our risk assessment criteria. The details were published in the journal (see reference).


At the end, I used the term “SECURE” to conclude our ISMS implementation; it stands for “Standardization”, “Effectiveness”, “Clearance”, “Unique Identification”, “Recovery” and “Efficiency”.

The third speaker was Mr. Ronald Tse (Founder of Ribose) and his topic was “The SME pocket guide to achieving ISO/IEC 27001 certification”. Mr. Tse introduced his company which provided a secure cloud collaboration service.


Then Mr. Ronald Tse briefed us on his ISO 27001 journey and shared some tips for achieving it. He explained that ISO 27001 was suitable for SMEs. He added: “Big names say: We are ACME therefore your data is secure. SMEs can say: We are independently certified for ISO/IEC 27001!” Then he showed different security management maturity levels, which ISO 27001 could help to improve.


Mr. Tse said leadership commitment was crucial to a successful ISMS implementation. He suggested listing each specific duty unit and subunit to perform risk management and setting appropriate IS objectives. Finally, Mr. Tse told us the fastest way to implement an ISMS successfully was to lead it yourself, not to take shortcuts!


Dr. Kwok Moon-keung (Senior Accreditation Officer, HKAS) was the last speaker and his topic was titled “Hong Kong Accreditation Service (HKAS) – How its Services Help You”. Dr. Kwok explained that accreditation is the issuance of a statement of conformance by a third party (i.e. an accreditation body) to a conformity assessment body (i.e. a laboratory, inspection body, certification body, or validation and verification body), conveying formal demonstration of its competence to carry out specific conformity assessment tasks (ISO/IEC 17024).


Accreditation helps to manage risk. The relationship among the accreditation body, certification body/laboratory and users was shown in the following diagram. Dr. Kwok described how accredited organizations are monitored, including “Reassessment”, “Surveillance visit”, “Monitoring organization change”, “Complaints” and “Proficiency Testing / Inter-laboratory Comparison Study”, etc.


Finally, Dr. Kwok introduced the HKCAS services, which have been extended to ISO 27001.


Reference:
HKCTC - http://www.hkctc.gov.hk/en/home.html
HKCTC Seminar presentation file - http://www.hkctc.gov.hk/en/work_seminars.html#b44
HKAS - http://www.itc.gov.hk/en/quality/hkas/about.htm
OGCIO - Working Group on Cloud Security and Privacy (WGCSP) - http://www.ogcio.gov.hk/en/about_us/committees/egccss/previous_term/wgcsp_tor_membership_2013.htm 
InfoCloud website - http://www.infocloud.gov.hk/home/20
20150424: PMI Seminar on QMS based Information Security Management - http://qualityalchemist.blogspot.hk/2015/04/pmi-seminar-on-qms-based-information.html
Lai, Lotto K.H. and K.S. Chin (2014) “Development of a Failure Mode and Effects Analysis Based Risk Assessment Tool for Information Security”, Industrial Engineering & Management Systems, Vol 13, No. 1, pp.88-101.
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2010) “Risk Management of Information Security – Information Security FMEA Circle” The eighth ANQ Congress, paper HK01. (Reprinted in SQI Yearbook 2011, pp.66-72)
Lai, Lotto K.H., Chin, K.S. & Tsang, A.H.C. (2009) “Integration of Quality Management System and Information Security Management System – HKSTP implementation case” Proceedings CD-ROM of The seventh ANQ Congress, paper HK02.

Friday, 24 April 2015

PMI Seminar on QMS based Information Security Management

I was honoured to be invited as a speaker for the PMI seminar entitled "Case Study on the Project Implementation of Quality based Information Security Management", organized by the Project Management Institute (PMI) Hong Kong Chapter on 24th Apr 2015. The aim of this seminar was to share the system approach through integrated implementation of an Information Security Management System (ISMS – ISO 27001) and a Quality Management System (QMS – ISO 9001), as well as a case study in the Technology Support Centre (TSC) of Hong Kong Science and Technology Parks Corporation (HKSTP).

In the beginning, I (Former Chairman, HKSQ; Manager, Quality System, TSC-HKSTP) introduced some background on ISO 27001 and ISO 9001. We have been certified to ISO 27001 since 2008, so I first briefed many security incidents which had happened in 2008.


Then I classified the different Control Objectives and Controls into five groups: “Policy”, “Process & Procedure”, “Organization Structure”, “Hardware” and “Software”.


Comparing the numbers of companies registered to ISO 9001 and ISO 27001, it was found that the number of ISO 9001 certified companies was much higher than the number of ISO 27001 certified companies. This suggested a barrier for companies to achieve ISO 27001. Therefore, my study was to develop a model to fill the gap.


A comparison of the ISO 9001 and ISO 27001 principles and standards was discussed. In the next stage, I explained how the core elements of both standards were extracted to develop the “QMS based Information Security Management (QISM) Model”. The core element of this model was Risk Assessment. The “Information Security FMEA Cycle” was introduced and the 24-step QISM Implementation Roadmap was mentioned.


At the end, I used the term “SECURE” as my conclusion. Its meaning is shown below:
S – Standardization
E – Effectiveness
C – Clearance
U – Unique Identification
R – Recovery
E – Efficiency


Q&A Session


Mr. Anthony Tsui (VP-Programs, PMI-HK) presented a certificate to me.


Reference:
HKSQ - www.hksq.org
HKSTP - http://www.hkstp.org/
PMI-HK - http://www.pmi.org.hk/

Other Related Seminars & Conferences:
20141229 - My ISO Journey of 10 years in Science Park
http://qualityalchemist.blogspot.hk/2014/12/my-iso-journey-of-10-years-in-science.html
20121129 - Hong Kong IT Security Summit 2012
http://qualityalchemist.blogspot.hk/2012/11/hong-kong-it-security-summit-2012.html
20120620 - Meeting with Prof. Edward Humphreys (Father of ISMS Standard)
http://qualityalchemist.blogspot.hk/2012/06/meeting-with-prof-edward-humphreys.html
20110121 - Seminar on Data Privacy
http://qualityalchemist.blogspot.hk/2011/01/seminar-on-data-privacy.html
20100902 - The 8th Asia Network for Quality (ANQ) Congress
http://qualityalchemist.blogspot.hk/2010/09/8th-asia-network-for-quality-anq.html
20090916 - ANQ 2009 Opening & Technical Seminar I
http://qualityalchemist.blogspot.hk/2009/09/anq-2009-opening-technical-seminar-i.html
20090827 - Challenges on Information Security
http://qualityalchemist.blogspot.hk/2009/08/challenges-of-information-security.html
20080802 - Seminar on ISO 9001:2000 UPGRADE to 2008 Version & Secure your information with ISO 27001
http://qualityalchemist.blogspot.hk/2008/08/seminar-on-iso-90012000-upgrade-to-2008.html


Thursday, 27 August 2009

Challenges on Information Security

I was invited to be one of the speakers, giving a talk about the implementation of an information security management system, at the seminar entitled “Embracing the Challenges of Emerging Information Security Threats” organized by Hong Kong Quality Assurance Agency (HKQAA) and supported by Hong Kong Society for Quality (HKSQ) on 27th August 2009. Summaries of the different speeches are shared below.

The first speaker was Mr. You Cheng Hwee (Managing Director, Maximus Consulting Pte Ltd.) and his topic was “2009 Information Security Trend and Protect Yourself using ISO/IEC 27001 ISMS”.


Mr. You shared the independent information security reports and presented the trend of different threats (such as Virus, Insider Abuse, Laptop Theft, Unauthorized Access, Bots, Financial Fraud and DNS) from 1999 to 2008. He said new threats like Bots* and DNS** are emerging.

{* A bot (short for "robot") is a program that operates as an agent for a user or another program to simulate a human activity.
** The Domain Name System (DNS) is a hierarchical naming system for computers, services, or any resource connected to the Internet or a private network.}

He emphasized the importance of internal audits for compliance verification, which indicates that the “human” factor in managing security is one of the critical success factors.
Information security management is more than just technology, and proper protection by a formalized mechanism is required. He pointed out that risk management would let you know the things you wish to know. Then he summarized four critical success factors to consider for an ISMS as follows:
i) Understand the ISO 27001 standards
ii) Understand your business objectives
iii) Choose your ISMS framework and risk management methodology
iv) Select your ISMS implementation scope

I, Lotto Lai (Quality Manager in HKSTP and the Chairman of HKSQ), was the second speaker and my topic was entitled “A Case Study of ISO/IEC 27001 implementation in IC Design & IP Servicing Centre of HKSTP”. After introducing the background of ISMS, five control objective groups were discussed: Policy, Process & Procedure, Organization Structure, Software Systems, and Hardware Systems. The objectives of the IC Design Centre and IP Servicing Centre were then outlined as follows:
i) To support IC development in a protected environment
ii) To facilitate the use and licensing of Semiconductor Intellectual Properties through the Centres

Five steps for ISO 27001 implementation were listed as:
1st Step – Perform Information Asset Evaluation (based on Confidentiality, Integrity & Availability)
2nd Step – Perform Risk Priority Assessment (based on Severity, Occurrence and Detectability)
3rd Step – Perform Risk Treatment Plan (based on the result of risk assessment)
4th Step – Develop Supplementary ISMS Manual (based on PDCA)
5th Step – Record Statement of Applicability (SOA)

In my conclusion, I stated that the ISMS framework created value for our new business model, the “Secure Virtual IP Chamber”, in which the operational model changed from a physical service to a virtual service, and this made world-class IP companies willing to sign agreements with HKSTP.
Lastly, I summarized the execution tactic of the information security management system (ISMS) into one word, “SECURE”. It means:
“S” – Standardization
“E” – Effectiveness
“C” – Clearance
“U” – Unique Identification
“R” – Recovery
“E” - Efficiency

The third speaker was Mr. Ronald Pong (Consultant, Technology & Special Project, CNLINK Networks Limited) and his topic was “ISO 27001 in IDC Environment”.
In the beginning, Mr. Pong introduced the IDC* security adopted nowadays in the business world.

{* Internet data centers (IDCs) provide businesses with a range of solutions for systems deployment and operation. It generally includes redundant or backup power supplies, redundant data communications connections, environmental controls (e.g., air conditioning, fire suppression) and security devices, etc.}


Mr. Pong shared problems he encountered, such as mapping Security Management to IT operation management, which required fulfilling different compliance criteria. He said IDCs provided co-location services, virtual hosting, facility management, net health & security, as well as SOC.

Mr. Pong elaborated on the risks they faced as follows:
i) Distributed denial-of-service attack (DDoS attack): it involves saturating the target (victim) machine with external communication requests, such that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable.
ii) Botnet: it is often associated with malicious code/software, but it can also refer to a network of computers using distributed computing software.
iii) Hacking (breaking into computers, usually by gaining access to administrative controls)
iv) Economic Espionage (the theft or misappropriation of a trade secret, a federal crime)
v) Crime
(and more; anything can happen in an IDC)

Mr. Pong continued that knowledge/understanding and appropriate documentation were the requirements to make IT operation management effective. The key word for security management and incident response strategy is “Compliance”. In order to organize your IT security management, using an ISMS framework (such as ISO 27001) was recommended so that people understand what they should do.

The last speaker was Mr. Philip Chan (Auditor, HKQAA) and his topic was entitled “Security Incident Zero-day Attack”. He explained security incident and zero-day attack as follows:
Security Incident – “Any real or suspected adverse event in relation to the security of computer systems or computer networks.”
Zero-day Attack – “The day a new vulnerability is made known. In some cases, a “zero-day” exploit refers to an exploit for which no patch is available yet.”


The following photo illustrated the concept.


Then Mr. Chan mentioned three risk management theories.
Theory 1 is Control Type
- Preventive
- Detective
- Corrective
Theory 2 is Defense-in-Depth
- Determine
- Detective
- Delay
- Response
Theory 3 is risk management like AS/NZS 4360.

In the next section, Mr. Chan went on to the different Six Sigma methodologies employed for information security, especially for zero-day attacks, such as DMAIC, SIPOC, Process Flow, FMEA, Tree Diagram, Force Field Analysis, Critical Path Analysis, Value Stream Mapping, etc.

Lastly, the most important items of ISO 27001 (ISMS) were summarized in his concluding remarks:
- Process Approach
- Risk Based Approach
- Security Policy
- Asset Management
- Communications & Operations Management
- Access Control
- Information Security Incident Management
- Business Continuity Management
- Compliance

Saturday, 2 August 2008

Seminar on ISO 9001:2000 UPGRADE to 2008 Version & Secure your information with ISO 27001

The seminar was co-organized by HKSQ and HKSTP with the support of TQM, HKQMA and the HKIE MIE Division on 1st August 2008. There were 3 topics and an open discussion forum for exchanging ideas among the participants. The event was very successful, with more than 100 participants, and I would like to summarize the whole process for memory.

The agenda is attached for your reference.
In the beginning, Dr. Albert Tsang (Chairman of the Hong Kong Society for Quality) introduced the HKSQ background. Then I introduced the services provided by the Technology Support Centre (TSC) of Hong Kong Science and Technology Park, which is ISO 9001 certified. Moreover, the IC Design Centre (ICDC) and IP Servicing Centre (IPSC) in TSC have obtained ISO 27001 certification.


The first speaker was Dr. Aaron Tong, who is an observer of the ISO/TC-176 Committee. He explained the differences in ISO 9001 requirements between the 2000 and the 2008 (draft) versions.

He summarized the main changes as follows:
1. To remove “Terms and definitions”
2. To add emphasis on outsourced processes
3. To clarify that a record is a kind of document
4. To affirm that the Management Representative shall be a member of the organization’s management
5. To consider the necessary competence of employees affecting conformity to product requirements
6. To add Information Systems in the clause on Infrastructure
7. To consider the preservation of product during design and development
8. To include personal data in customer property
9. To confirm the ability of computer software to satisfy the intended use
10. To define the controls and responsibilities for dealing with NC product

Dr. Aaron Tong also told us “What’s Next in Quality Management?” The following two points will become part of quality management.
1. Work on time, speed and agility
2. Deal with innovation

The second speaker was Mr. William Wong, who is a product manager at HKQAA. His topic was “Secure Your Information with ISO 27001”. He introduced the core elements of information security management, which assure the confidentiality, integrity and availability of information assets. Then he emphasized the consequences of information security failures.


After that, he introduced the family of ISO 27000:
· ISO/IEC 27000 Fundamentals and vocabulary
· ISO/IEC 27001 ISMS - Requirements
· ISO/IEC 27002 Code of practice for information security management
· ISO/IEC 27003 ISMS implementation guidance (under development)
· ISO/IEC 27004 Information security management measurement (under development)
· ISO/IEC 27005 Information security risk management
· ISO/IEC 27006 Requirements for bodies providing audit and certification of information security management systems

The following were several key points in risk assessment and risk treatment:
· To assess, within the scope of certification, the risk levels that various types of information assets are facing
· To devise corresponding controls and measures, including cost considerations, to lower the levels of risk to acceptable levels
Two terms are important: “Threat” and “Vulnerability”, where
Threat means “any event which could have an undesirable impact” or “a potential cause of an unwanted impact to a system or organization”.
Vulnerability means “absence or weakness of a risk-reducing safeguard, to allow a potential threat to occur with greater frequency, greater impact, or both” or “any weakness, administrative process, or act or physical exposure that makes an information asset susceptible to exploit by a threat”.

He also introduced the cost of information security and Plan-Do-Check-Act approach for Information security management system.


The last speaker was myself, and I shared our experience of achieving ISO 27001 certification this year. Our risk assessment employs the tool “Failure Mode and Effects Analysis (FMEA)”, in which risk is calculated as Risk Priority Number (RPN) = Severity (S) * Occurrence (O) * Detection (D). We have reviewed the risk on 133 Control Points (ISO 27001) and 9 findings from external audits, as well as 95 risk assessment items from the operations flow. Moreover, we also modified FMEA to combine it with Information Asset Evaluation, in which the confidentiality, integrity and availability of our information assets are considered. I also shared our experience of preparing the Statement of Applicability (SOA), developing the Supplementary ISMS Manual, establishing the ISMS document system and integrating the ISO 9001 and ISO 27001 systems. Lastly, I showed our future upgrade plan to extend the ICDC and IPSC services worldwide.
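The FMEA-based approach described above (information asset evaluation on C/I/A, then RPN = S * O * D, then a risk treatment plan; the same three steps appear in the five-step outline of the 2009 post) as an added, runnable example. This is not the author's or HKSTP's own tool: the rule that severity is taken from the asset's highest C/I/A rating, the 1..10 scales, the acceptance threshold of 100 and the sample register are all assumptions made for this example.

```python
"""Added example of an FMEA-style information security risk register.

Follows the outline on the page: (1) information asset evaluation on
confidentiality, integrity and availability (C, I, A), (2) risk priority
assessment with RPN = Severity * Occurrence * Detection, (3) a risk
treatment plan for items above an acceptance threshold. How asset value
feeds severity, the 1..10 scales and the threshold are assumptions for this
example, not the author's published criteria.
"""
from dataclasses import dataclass, field

SCALE = range(1, 11)  # every FMEA factor is scored 1 (best) .. 10 (worst)


@dataclass(frozen=True)
class Asset:
    name: str
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        """Step 1: asset value is the highest of its C/I/A ratings (assumption)."""
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass
class FailureMode:
    asset: Asset
    failure: str        # e.g. "laptop theft", "unauthorized access"
    occurrence: int     # how likely the failure mode is (1..10)
    detection: int      # how hard it is to detect before impact (1 easy .. 10 hard)
    severity: int = field(init=False)
    rpn: int = field(init=False)

    def __post_init__(self) -> None:
        for factor in (self.occurrence, self.detection):
            if factor not in SCALE:
                raise ValueError(f"FMEA factors must be in 1..10, got {factor}")
        # Step 2: severity is taken from the asset evaluation (assumption), so a
        # failure touching a high-value asset is automatically more severe.
        self.severity = self.asset.value()
        self.rpn = self.severity * self.occurrence * self.detection


def risk_treatment_plan(modes, accept_below: int = 100):
    """Step 3: rank failure modes by RPN and mark those needing treatment.

    Returns (failure, rpn, action) tuples, highest RPN first. The acceptance
    threshold of 100 is an assumed criterion for this example.
    """
    ranked = sorted(modes, key=lambda m: m.rpn, reverse=True)
    plan = []
    for m in ranked:
        action = "treat (reduce O or D, then re-score)" if m.rpn >= accept_below else "accept"
        plan.append((m.failure, m.rpn, action))
    return plan


# Constructed sample register (illustrative values, not HKSTP's real assessment).
IP_LIBRARY = Asset("semiconductor IP library", confidentiality=10, integrity=8, availability=5)
DESIGN_WS = Asset("IC design workstation", confidentiality=7, integrity=6, availability=6)

SAMPLE_MODES = [
    FailureMode(IP_LIBRARY, "unauthorized copy of IP files", occurrence=3, detection=6),
    FailureMode(DESIGN_WS, "laptop theft", occurrence=2, detection=2),
    FailureMode(IP_LIBRARY, "virus infection of file server", occurrence=4, detection=3),
]

if __name__ == "__main__":
    for failure, rpn, action in risk_treatment_plan(SAMPLE_MODES):
        print(f"{rpn:4d}  {failure:32s} {action}")
```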
After all the speakers’ presentations, the open discussion forum was moderated by Dr. Samson Tam. Participants raised the following questions:
· how to achieve the new ISO 9001 standard
· why many companies certified to ISO 9001 still perform badly
· how popular ISO 27001 is in HK
· what the initial steps are for an SME to start ISO 27001



Mr. Lotto Lai and Dr. Albert Tsang represented HKSTP and HKSQ respectively, to present souvenirs to all speakers.
To organizer Dr. Albert Tsang
To organizer Mr. Lotto Lai

To speaker Dr. Aaron Tong


To speaker Mr. William Wong


To moderator Dr. Samson Tam


Photos for all speakers and organizers



After the seminar, HKSQ ex-co members took photos in HKSTP.



