IT standard Certified Body



#1 wipoo


Posted 12 June 2009 - 03:13 PM

Program Summary Card

Issue                                              | Program Rules/Comments
---------------------------------------------------+-----------------------------------------------------------
Standard                                           | ISO27001
Any other relevant documentation                   | Nil
Target Audience                                    | Any organisation, company, or business unit with a modern IT infrastructure.
Global-Mark output document                        | Certificate of Approval
Other Global-Mark output document                  | Certification Schedule (used if all information cannot be displayed on the Certificate of Approval)
Certificate Validity Period                        | 3 years
Certification Mark that can be used by the Client  | Trust-Mark® ISMS
Can this mark be used on product?                  | No
Periodicity of Post-certification Reviews          | 6, 9, 9, 12 (then stays at 12) monthly
Periodicity of Re-certification Review             | 3 years

Steps to and Post-certification                    |
  Application                                      | ✓
  Document Review                                  | ✓
  Pre-certification Review                         | Optional
  Certification Review                             | ✓
  Technical File Review                            | Nil
  Follow-up Review                                 | ✓
  Post-certification Review                        | ✓
  Re-certification Review                          | ✓




1 Overview



With the increasingly important reliance on IT systems, security should be considered a key aspect of the IT infrastructure.



IT security is not only about passwords and firewalls, but also requires a systems approach to its management. ISO27001 provides a framework for developing and implementing Information Security Management Systems, and organisations like Global-Mark are able to certify compliance with these standards.



This provides your organisation, its Board, staff, and customers assurance that proper systems and accountabilities are in place and can be relied upon.



The standards are totally technology independent, and focus on the management of security using a systems approach.



The standards require organisations to have in place systems (policies, procedures and records) to control the following:

- Security policy

- Security organisation

- Security of third party access

- Outsourcing

- Asset classification and control

- Personnel security

- Physical and environmental security

- Communication and operations management

- Access control

- Systems development and maintenance

- Business continuity management

- Compliance (legal, review of policy and technical compliance, system audit)

2 In Simple Terms



If you care about your security, you are organised and you can prove it, Information Security Certification should be a simple, yet important step. Certification will assist you to prove and demonstrate that you have sound systems, and you are keeping them up-to-date, and in continued compliance.





3 Specific Program Conditions

Understanding the framework

It is for your organisation to define the criteria by which information security related threats to assets, vulnerabilities and impacts are identified as significant, and to develop procedure(s) and controls for doing this. In addition, every information-related threat to assets, vulnerability or impact on the organisation identified as being significant should be managed and controlled by the ISMS.



Global-Mark will require the organisation to demonstrate that the analysis of security related threats is relevant and adequate for the operation of the organisation. Global-Mark will establish whether the procedures employed in analysis of significance are sound and properly implemented.



Any inconsistency between the organisation's policy, objectives and targets and its procedure(s) or the results of their application will be reported by Global-Mark.



The maintenance and evaluation of legal compliance is the responsibility of your organisation. Global-Mark will restrict itself to checks and samples in order to establish confidence that the ISMS functions in this regard.



An organisation with a Certified ISMS has a management system that should achieve continuing compliance with regulatory requirements applicable to the information security impacts of its activities, products and services. Our aim is to confirm that your ISMS has the ability to provide continued compliance.



Our reviews (Certification, Post-Certification and Re-certification) will include review of the following:

- the effectiveness of the System in light of changes;
- the commitment to maintain an effective System;
- the degree of reliance that can be placed on internal security reviews/audits;
- whether the procedures employed in the analysis of the significance of information security related threats to assets, vulnerabilities and impacts on the organization are identified, effective, sound and properly implemented;
- if an information related threat to assets, vulnerability or an impact on the organization is identified as being significant, it should be managed within the Client's ISMS.

3.1 Minimum system implementation before certification

The ISMS needs to be submitted for review to Global-Mark for a Document Review: this is typically completed off site and includes a review of the top level document (policy manual), and a sample of lower level documents (2 or 3 procedures).



After the Document Review, Global-Mark will also complete the Pre-certification Review to verify that the organisation has completed, as a minimum, one full:

- Management review
- Internal management system audit
- Security review, and
- Evaluation of legal and regulatory compliance, with evidence that action has been taken in cases of non-compliance with relevant regulations.

Ideally these activities should have been completed before the Global-Mark Certification Review and records should be available to demonstrate their effectiveness. These requirements are not specifically called for in the above mentioned standards, but should be based on the ISO9001 requirements.



The aim of the Pre-certification Review is also to review the Statement of Applicability, and confirm its relevance to the certification process.

3.2 Sensitive Records

Before the Business Review, the Client is allowed to advise Global-Mark of which records are to be considered confidential or sensitive: after reviewing the records identified, Global-Mark will confirm which records will not be examined. Global-Mark will judge whether the records to be excluded will affect the validity of the business review. If not, Global-Mark will confirm that the business review can take place only when appropriate access arrangements have been accepted by the organization.

3.3 Records of breaches, complaints, incidents, corrective and preventive action

The Client should have procedures in place to deal with these, and the procedure should include measures for:

- notification to appropriate authorities if required by regulation
- restoring conformity as quickly as possible
- preventing recurrence
- evaluating and mitigating any adverse security incidents and their associated impacts
- ensuring satisfactory interaction with other components of the ISMS
- assessing the effectiveness of the remedial / corrective measures adopted


3.4 Statement of Applicability

The Client needs to prepare a Statement of Applicability describing which parts of the ISMS standard or normative document are relevant and applicable to its ISMS.

The Statement of Applicability should be forwarded to Global-Mark prior to the certification review and will be part of the working documents provided to the review team.

3.5 Shared services or facilities

Interfaces with services or activities that are not completely within the scope of the ISMS should be addressed within the ISMS subject to certification and included in the organisation's information security risk assessment. An example of such a situation is the sharing of facilities (e.g. computers, telecommunication systems, etc.) with others, or hardware or software being maintained by others.

3.6 Multi-sited Clients

The sampling model and conditions will be as presented in Global-Mark’s Guide Note for multi-sited Clients, G-02.



The important considerations include:

- all sites are operating under the same ISMS, which is centrally administered and audited and subject to central management review;
- all sites have been audited in accordance with the organization's internal security review procedure(s);
- a representative number of sites will be sampled by Global-Mark, taking into account the requirements below:
  - the results of internal audits of Head Office and sites
  - the results of management review
  - variations in the size of the sites
  - variations in the business purpose of the sites
  - complexity of the ISMS
  - complexity of the information systems at the different sites
  - variations in working practices
  - variations in activities undertaken
  - potential interaction with critical information systems or information systems processing sensitive information
  - differing legal requirements
- the sample should be partly selective based on the above and partly non-selective, and should result in a range of different sites being selected, without excluding the random element of site selection;
- every site included in the ISMS which is subject to significant threats to assets, vulnerabilities or impacts should be audited by Global-Mark prior to certification;
- the Post-certification Plan should be designed in the light of the above requirements and should, within a reasonable time, cover all sites of the organisation or within the scope of the ISMS certification included in the Statement of Applicability;
- in the case of a review finding classed as nonconformity by Global-Mark being observed either at the Head Office or at a single site, the corrective action procedure should apply to the Head Office and all sites covered by the certification.

3.7 Certification review

This will take place at your office(s), and aims to confirm compliance with the certification standard, but will also include:

- an assessment of information security related risks and the resulting design of the ISMS
- the Statement of Applicability
- objectives and targets derived from this process
- performance monitoring, measuring, reporting and reviewing against the objectives and targets
- security audits, management system audits and management reviews
- management responsibility for the information security policy
- links between policy, the results of information security risk assessments, objectives and targets, responsibilities, programs, procedures, performance data, and security reviews


4 What Documents/Records Are Needed To Understand This Program

In order to understand our Program, you should also access and be aware of the following documents:

· G-00: Welcome Pack

· MSP-00: Introduction to our Management Systems

· MSP-01: Nomenclature and Definitions

· MSP-24: Appeals


Please contact K. Kung T. 081 699 6359



