
ISMS Consultancy for JPKN

Project Kick-off Meeting


12th May 2011

Agenda
- Project Objective & Key Stakeholders
- Overview of ISMS
- Project Management Plan
  - Project Organization
  - Project Phases
  - Activities & Deliverables
  - Project Plan (WBS)
- Project Risks & Critical Success Factors
- Project Monitoring & Communication Plan
- Project Scope & Not in Scope

Project Objective
The main objective of this project is to achieve ISO/IEC 27001:2005
Certification for:
- JPKN Head Quarters (JPKN HQ)
- State Government Data Centre (JPKN DC)
The scope of certification is to be decided / agreed upon.

Key Stakeholders
- JPKN: Sabah State Government organization, responsible for providing
  efficient IT services to various state government organizations and
  citizen services.
- HeiTech Padu: A leading ICT service provider in Malaysia. It manages
  many mission-critical projects for both public and private sector
  organizations.
- Paladion: An Information Security and Risk Management service
  provider that has served many public and private institutions around
  the world for their various needs in Information Security.

ISMS Overview

Overview of ISMS
An ISMS is:
- An organizational approach to Information Security
- A business-risk-based approach to establish, implement, operate,
  monitor, review, maintain and improve information security

ISO/IEC 27001 Standard
- A management standard that helps to build, maintain and improve an
  Information Security Management System (ISMS)
- Based on:
  - Risk Assessment and Risk Treatment
  - The Plan-Do-Check-Act model (similar to ISO/IEC 9001)
- 8 main clauses
- 11 domains & 133 controls
- Global acceptance: 7136 certifications worldwide (as at April 2011)

Number of Certifications (as at April 2011)

  COUNTRY          TOTAL
  Japan             3790
  India              516
  China              495
  UK                 460
  Taiwan             410
  Germany            154
  Korea              106
  Czech Republic     101
  USA                 99
  Hungary             72
  Spain               67
  Italy               64
  Poland              58
  Malaysia            52

84 countries have embarked on ISMS; Malaysia is at no. 14 (as at April 2011).

ISO/IEC 27001 Requirements

8 Main Clauses
  Clause 1: Scope
  Clause 2: Normative Reference
  Clause 3: Terms and Definitions
  Clause 4: Information Security Management System
  Clause 5: Management Responsibility
  Clause 6: Internal ISMS Audits
  Clause 7: Management Review of the ISMS
  Clause 8: ISMS Improvement

ISO/IEC 27001 Annexure A Controls (11 domains)
  A.5  Information Security Policy
  A.6  Organisation of Information Security
  A.7  Asset Management
  A.8  Human Resource Security
  A.9  Physical & Environmental Security
  A.10 Communication & Operations Management
  A.11 Access Controls
  A.12 Information Systems Acquisition, Development and Maintenance
  A.13 Information Security Incident Management
  A.14 Business Continuity Management
  A.15 Compliance

ISMS Process Roadmap
1. We are here today
2. RISK ASSESSMENT: find out where we are today
3. RISK MANAGEMENT: identify how far we are from where we want to reach
4. FIXING THE GAPS: do the necessary to bridge the gap
   - IMPLEMENT CONTROLS
   - TRAINING & AWARENESS
5. AUDIT & CERTIFICATION: get audited and verified by the Certification
   Body; achieve certification
6. ISO 27001 Certified: a good ISMS in place, at the level defined by
   the ISO 27001 Standard

Project Management Plan

Project Organization
  PROJECT DIRECTOR: Wan Zailani Wan Ismail, Deepak Jacob
  PROJECT ADVISORY BOARD: Abdul Halim Md Lassim, Abdullah Ahmad,
    Firosh Ummer
  PROJECT MANAGER / CONSULTANT: Manjot Singh, Hariharan (Backup)
  CORE TEAM LEADER & QUALITY ASSURANCE: Siti Rozani Abd Razak,
    Norisah Othman
  BACK-END SUPPORT TEAM: Paladion (Offsite); HeiTech - Izah Suziah /
    Mas Dewi Murni
  SECURITY CONSULTANT: Paladion (Offsite); HeiTech - Anan Adli /
    Erman Halimi
  JPKN PROJECT SPONSOR: Dr Hj. Mingu Hj. Jumaan
  JPKN PROJECT LIAISON: Daniel Ng
  JPKN CORE TEAM: Technical & Operations Team

Project Phases
  Phase I:   Scope and Security Organization
  Phase II:  Risk Assessment & Risk Treatment
  Phase III: ISMS Documentation
  Phase IV:  Security Training & ISMS Implementation
  Phase V:   Pre-Certification Internal Audits
  Phase VI:  Achieve ISO/IEC 27001 Certification

Activities & Deliverables

Phase I: Scope & Security Organization [~ 2 Weeks]
- Project Initiation & Kickoff
- Formulate Scope Document
- Establish Organization Structure
- Security Coordinators Roles & Responsibilities
- System Study Report

Phase II: Risk Assessment & Risk Treatment [~ 6 Weeks]
- Asset Classification Guidelines & Asset Register
- Vulnerability Assessment for a Sample of IT Systems
- Risk Assessment
- Risk Treatment Plan & Implementation Plan
- Statement of Applicability

Phase III: ISMS Documentation [~ 3-4 Weeks]
- Review & Enhancement of Security Policies & Procedures
- High-level BCP/DR Framework
- Security Program Metrics for ISMS Effectiveness

Activities & Deliverables (continued)

Phase IV: Security Training & ISMS Implementation [~ 2-3 Weeks]
- Security Awareness Training for all levels of Management
- Implementation Support

Phase V: Pre-Certification Internal Audits [~ 2 Weeks]
- Conduct Internal Audits
- Assisting in closing any gaps found during the Internal Audits

Phase VI: Achieve ISO/IEC 27001 Certification [1 + 1 Week]
- External Audit Support (Phase I & Phase II)
- Phase I & Phase II follow-up support

Project Plan

Project Risks

Risk / Impact: Communication gaps between the HeiTech-Paladion and JPKN
project teams during the system study phase, leading to re-work on
existing controls and gaps in asset identification.
Mitigation:
- Information Gathering Questionnaire to stay focused
- Continuous availability of the JPKN process and asset owners of all
  processes and assets during the system study phase
- Sign-off from the JPKN team on the information gathered

Risk / Impact: Delay in implementation of identified gaps in technical
and process controls.
Mitigation:
- Training on the identified risk treatment for the core implementation
  team of JPKN
- Formal approval & acceptance of the Risk Treatment Plan by the JPKN
  Project Liaison and close tracking of implementation

Risk / Impact: Delayed response from stakeholder teams on open queries
and decision making.
Mitigation:
- Service Level Agreements (SLA) on response time
- An escalation process shall be defined

Risk / Impact: Attrition & transfer of JPKN's core team resources
responsible for the implementation of technical and process controls.
Mitigation:
- Documentation of the risk treatment shall mitigate this risk to an
  extent
- Train the trainer on the risk treatment, and the trainer trains the
  new core team resources

Project Critical Success Factors
- Management Commitment
- Appointing a Management Representative (CISO)
- Involve Internal Auditors from other departments / areas of operation
- Timely review, response, resolution and endorsements
- Availability & involvement of the core team throughout the project
- Provide all necessary documents and information related to JPKN
  Operations
- Prioritization of control implementation to generate records /
  evidence at the earliest
- Information Security Awareness for all users

Monitoring & Communication Plan

Project Monitoring
- Weekly meeting every Friday
- Milestone review meeting as per the project plan
- Management review meeting once a month
- Ad-hoc meetings as necessary

Project Communication
- Messages & documents (deliverables) shall be delivered through e-mail
  to the concerned parties
- E-mail communication of minutes and action points to all core team
  members
- Periodic presentation to Management on the status and progress of the
  project

Project Scope

In Scope
- System Study, GAP Analysis, Asset Inventory
- Risk Assessment (includes VA for sample IT Assets), SoA
- Development of Technical Controls, Development of Process Controls,
  Training on Risk Treatment, Best Practices Documentation / Guide
- Product Comparison & Advice (if required)
- Recommendations, Development & Documentation of Security Policies and
  ISMS Manual
- User Awareness Training
- Metrics Identification

Out of Scope
- Supply of products (software tools, hardware, etc.)
- Technical Security Implementation
- Process Security Implementation
- Generation and maintenance of Records
- Extensive (expert-level) security training on various or specific
  expertise areas and tools
- Anything else not mentioned in the scope

Questions
