Popular Standard

Scope of standards? Information Security Management Systems (ISMS)
What does certify to the standard means?
An organisation has established a systematic approach to protect especially sensitive information from wide range of threats to ensure business continuity, minimize business damage due to attacks, leakages and natural disasters, maximise return on investment and business opportunity. It encompasses people, processes and information technology systems. In the context of this standard, the term information includes all forms of data, documents, messages, communications, conversations, recordings, and photographs.
Who should apply? Any organisation of any size
Standards used?

National Standards

  • MS ISO/IEC 27001:2007 – Information technologies – Security techniques – Information Security Management Systems - Requirement

          (ISO/IEC 27001:2005, IDT)
          or
International Standard

  • ISO/IEC 27001:2005 – Information technologies – Security techniques – Information Security Management Systems – Requirement
  • ISO/IEC 27001:2013 – Information technologies – Security techniques – Information Security Management Systems– Requirement

*ISO/IEC 27001:2013 was published in October 2013. Visit www.iso.org for further details.  
This document is making reference to ISO/IEC 27001:2005

*The MS ISO/IEC27000 family of standards on Information Security Management is also available for further reference.  Please visit www.msonline.gov.my to get your standards. More ISO/IEC 27000 family standards are available in www.iso.org

Certification cycle?

Certification process and cycle

MS ISO 9001

How to apply?

List of accredited certification body by Standards Malaysia can be accessed through the following URL
http://www.jsm.gov.my/cab-directories

*URL may change from time to time.  Please revert to Standards Malaysia's website at www.jsm.gov.my should the URL did not work.

Benefit of certification
  1. ISMS secure business continuity by protecting information which has now become your business critical assetin terms of confidentiality, integrity and availability. This is done by ensuring the right people, processes, procedures and technologies are in place to protect information assets
  2. By complying to the systems, you are safeguarding your business and providing your customer, supplier and stakeholders with confidence that you are aware and capable of managing information security risk and implement adequate controls to mitigate or eliminate the risk
  3. Your business will save more money of security incidents as the cost of preventing security incidents will be lesser than cost of handling and corrective actions after incidents occurred.
  4. The systems promote continual improvement, which will provide your business with the competitive edge to compete in the market place and for those who have succeeded, to become more successful and resilient
  5. The systems also look into the needs of your human resource which will also increase staff morale and commitment in safeguarding critical business information
  6. Complying to standards provide you with the accolades for competitive edge
  7. All of the above will increase profitability and business security
ISMS made simpler

Clause 4 – ISMS Requirements

  1. Establish Information Security Management Systems based on process approach, implement and improve
    • Define and plan your systems by :
      • defining scope and boundaries of ISMS
      • definingyour organisation's ISMS policy
      • defining your approach on assessing risk
      • identifyingthe security risks by identifying the asset involved, the threats to those asset, the vulnerabilities exploited by the threats and impact of the risk incidents on the assets
    • Analyze and evaluate your organisation's security risks.
    • Identify and evaluate risk options and actions for treatment
    • Select control objectives and controls to treat risks to meet the requirements identified by the risk assessment and risk treatment process
    • Ensure that management approves the residual risks (the remaining risk that are still available after risk assessment has been implemented)
    • Obtain management approval to implement and operate your organisation's ISMS
    • Prepare a Statement of Applicability (SoA) that lists your organisation's specific control objectives and controls as listed in Annex A of the standard.
  2. Implement and operate ISMS
    • Develop and implement a risk treatment plan to manage your organisation's information security risks
    • Implement your organisation's security controls and define how to measure the effectiveness of the security control
    • Implement training and awareness programmes
    • Manage and operate your organisation's ISMS
    • Manage ISMS resources
    • Establish procedures on identifying security events and response to security incident
  3. Monitor and review the ISMS by :
    • Implement monitoring and reviewing procedure to detect errors, identify attempted and successful security breaches and incidents, enable management to determine that the security activities and performing as expected, prevent security events and ensure effectiveness of actions taken to breach of security
    • Perform regular reviews of your ISMS and measure the effectiveness of the controls
    • Review your risk assessments, residual risks and acceptable levels of risk on a regular basis
    • Conduct internal audits of your ISMS
    • Conduct management reviews of your ISMS and update your information security plans
    • Maintain a record of ISMS events and actions
  4. Maintain and improve ISMS
    • Implement identified improvement for your systems
    • Perform suitable corrective and preventive actions and learn from the breach and incidents
    • Communicate action and improvement and ensure the improvement applied achieved its intended objectives
  5. Document your systems and explain how it works in your organisation through manual, procedures, work instructions etc. and must include statement of ISMS policy, procedures and controls required by the ISMS, risk methodology, risk assessment report and risk treatment plan
  6. Document Control Procedure to control documents used for ISMS
  7. Record Control Procedure to control records that are used for ISMS

Clause 5 –Management Requirements
The management of your organisation need to show evidence of commitment to the establishment, implementation, operation, monitoring, review, maintenance and improvement of the ISMS as required by :

  1. establishing an ISMS policy, objectives and plans
  2. establishing roles and responsibilities for information security
  3. communicating to the organisation the importance of meeting information security objectives andconforming to the information security policy, its responsibilities under the law and the need for continual improvement
  4. providing sufficient resources to establish, implement, operate, monitor, review, maintain and improve the ISMS
  5. deciding the criteria for accepting risks and the acceptable levels of risk
  6. ensuring that internal ISMS audits are conducted as planned
  7. conducting management reviews of the ISMS in specified intervals
  8. Identify resources needed for the systems and provide them for the ISMS
  9. Ensure competency of human resource, identify what training are required and provide them. Evaluate competency after training

Clause 6 – Internal Audits

Establish internal audit procedure and conduct audit as planned

Clause 7 – Management Review

Conduct management review meeting to evaluate the effectiveness of ISMS through assessing the review inputs and by ensuring the review output include the decision and action required to improve the ISMS

Clause 8 – Measurement, analysis and improvement

  1. Ensure results of continual improvement and the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review
  2. Establish procedure on Corrective and preventive action

**Disclaimer: The interpretation may vary in specific situation, scope and environment.  This is to be used as guideline and general overview of complying with the standard.  Guidance and assistance by trained resources is required to ensure proper interpretation and implementation of the standards.