Project Description

ISO 27001 Certification

– Information Security Management System (ISMS)

ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization.

The ISO 27000 family of standards helps organizations keep information assets secure. Using this family of standards will help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS).

What is an ISMS?

An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
It can help small, medium and large businesses in any sector keep information assets secure.

ISO 27001:2013

This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system. The adoption of an information security management system is a strategic decision for an organization.

The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.

This International Standard can be used by internal and external parties to assess the organization’s ability to meet the organization’s own information security requirements.

Certification to ISO 27001:2013 ISMS

More and more organizations seek certification to ISO/IEC 27001, both to benefit from the best practice it contains and to give customers and clients independent assurance that the standard's requirements have been met.

What Organizations can be Certified to ISO 27001?

The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

Some assume that ISO 27001 applies only to the IT sector, but this is a misunderstanding. IT companies, which can leak data on a large scale, were certainly among the first to seek ISO 27001 certification.

Over time, more and more companies in other industries have realized that information security is no less important to them, and they too are pursuing certification of their Information Security Management System (ISMS) against ISO 27001.

How does ISO 27001 Work?

Most organizations have some information security controls in place. However, without an information security management system (ISMS), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention.

Security controls in operation typically address certain aspects of information technology (IT) or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole.

Moreover, business continuity management and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:

  • systematically evaluate the organization’s information security risks, taking into account the threats, vulnerabilities, and impacts;
  • establish and implement a comprehensive suite of information security controls and risk treatment (such as risk avoidance, reduction, or transfer) to address those risks that are deemed unacceptable; and
  • adopt a management process to ensure that the information security controls and residual risks meet the organization’s information security needs on a continuous basis.

Structure of ISO 27001:2013

The official title of the ISO 27001 standard is “Information technology — Security techniques — Information security management systems — Requirements”

ISO/IEC 27001:2013 has ten clauses and one annex:

  1. Scope of the standard
  2. Normative references (how ISO/IEC 27000 is referenced)
  3. Terms and definitions (those of ISO/IEC 27000 apply)
  4. Context of the organization and its interested parties
  5. Leadership: top management commitment and the information security policy
  6. Planning: risk assessment, risk treatment and information security objectives
  7. Support: resources, competence, awareness, communication and documented information
  8. Operation: running the risk assessment and risk treatment processes
  9. Performance evaluation: monitoring, measurement, internal audit and management review
  10. Improvement: nonconformity, corrective action and continual improvement
  • Annex A: reference control objectives and controls

Clauses 4 to 10 contain the requirements an organization must meet; none of them may be excluded when the organization claims conformity to the standard.

Controls within ISO 27001:2013

Annex A of ISO 27001:2013 lists 114 controls under 35 control objectives, grouped into 14 domains (A.5 to A.18):

A.5: Information security policies (2 controls)
A.6: Organization of information security (7 controls)
A.7: Human resource security (6 controls, applied before, during and after employment)
A.8: Asset management (10 controls)
A.9: Access control (14 controls)
A.10: Cryptography (2 controls)
A.11: Physical and environmental security (15 controls)
A.12: Operations security (14 controls)
A.13: Communications security (7 controls)
A.14: System acquisition, development and maintenance (13 controls)
A.15: Supplier relationships (5 controls)
A.16: Information security incident management (7 controls)
A.17: Information security aspects of business continuity management (4 controls)
A.18: Compliance, with internal requirements such as policies and with external requirements such as laws (8 controls)

As this list shows, the controls are not limited to IT processes. Not every control applies to every organization: the Statement of Applicability records which Annex A controls are applied and the justification for any that are excluded.

Certification Roadmap

  • Training as necessary, such as training on the standard itself or internal auditor training.
  • Establishment of the ISMS, optionally with support from a consultant.
  • Risk assessment and risk treatment, recorded in a Risk Treatment Plan and a Statement of Applicability.
  • Operation of the ISMS for a few months, so that records of the controls in operation exist for the auditors.
  • Internal audit, followed by corrective actions for any findings.
  • Management review.
  • Initial certification audit by an accredited certification body (accredited by ANAB, for example).
    • Stage 1 (readiness review) is a preliminary review of the ISMS documentation: the information security policy and objectives, the Statement of Applicability (SoA), the Risk Treatment Plan (RTP), and the internal audit and management review results. Its purpose is to judge whether the organization is ready for the Stage 2 audit.
    • Stage 2 is the detailed, formal audit. The auditors seek evidence that the ISMS has been properly established and is operating effectively through the Plan-Do-Check-Act (PDCA) cycle.
    • Closure of any nonconformities (NCs) raised in the Stage 2 audit.
  • Issuance of the certificate, valid for 3 years. The certified organization may then use the DQS certification mark for marketing purposes, according to the defined rules.
  • Annual surveillance audits in the following 2 years to confirm that the organization remains in conformity with ISO 27001.
  • Recertification audit well before the certificate expires in the 3rd year, renewing the certificate for another 3-year cycle.

Introduction to GDPR

The General Data Protection Regulation (GDPR), the EU's regulation on data protection, has applied since 25 May 2018. It governs the processing of personal data of individuals in the EU, regardless of their citizenship, and applies not only to organizations established in the EU but also to organizations outside the EU that process or hold such data.

Local organizations should therefore conduct a full and serious review of how personal data is handled in their business operations. Significant changes may be needed across the whole lifecycle of personal data: collection, storage, identification, analysis, use, transfer and so on.

Depending on the nature of the infringement and the due diligence shown, an organization that breaches GDPR may be fined up to EUR 20,000,000 or 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.

Key Terms in GDPR:

  • Personal data: “Any information that relates to an identified or identifiable living individual.”
  • Data controller: “The entity that determines the purposes, conditions and means of the processing of personal data.”
  • Data processor: “An entity which processes personal data on behalf of the controller.”

Key Requirements of GDPR

As compared to Directive 95/46/EC, the requirements are enhanced. The key points include, but are not limited to:

  • Territorial scope: Not limited to organizations within EU.
  • Purpose limitation: Collected for specified, explicit and legitimate purpose.
  • Data minimization: Adequate, relevant and limited to what is necessary in relation to the purpose.
  • Accuracy: Accurate and, where necessary, kept up to date.
  • Storage limitation: Kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and confidentiality: Processed in a manner that ensures appropriate security of the personal data.
  • Conditions for consent: Organizations must request permission using easy-to-understand terms. Assuming consent or requiring users to opt out is not allowed.
  • Right to access: Increased transparency by requiring controllers to provide data subjects with confirmation of data processing.
  • Right to be forgotten: Data subjects can request controllers to erase their personal data and stop distributing the data.
  • Automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects on them.
  • Data portability: Data subjects have the right to receive their data in a structured, commonly used and machine-readable format and to transmit it to another controller.
  • Data protection officers: Some organizations, such as those whose core activities consist of large-scale processing of personal data or of special categories of data, shall appoint a Data Protection Officer (an employee or a third party).
  • Data breach notification: The controller shall notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, “unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” Where the breach is likely to result in a high risk to data subjects, the controller shall also notify them without undue delay. A processor shall notify the controller without undue delay after becoming aware of a breach.
  • Parental consent: Processing the personal data of children under age of 16 for online services shall obtain parental consent. Member states can designate a lower required age (down to 13) for consent.
  • Special categories of data: Some types of data have more stringent requirements for consent, such as the data that reveals “racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.”
  • Third countries: Specific rules for transferring data to third countries or international organizations.
  • Accountability (due diligence): Implement appropriate technical and organizational measures and be able to demonstrate compliance with GDPR.
  • Subcontractor control: Data controllers shall use only data processors that provide sufficient guarantees of meeting the requirements of GDPR, with the processing governed by a contract.
  • Certification: Voluntary data protection certification to show compliance to this regulation.

Relation between ISMS and GDPR

GDPR and an ISO 27001 ISMS share common ground in:

  • Confidentiality, integrity and availability of data.
  • Risk assessments.
  • Breach notification.
  • Access control.
  • Data identification.

They differ in that:

  • GDPR applies only to personal data, while ISO 27001 covers information of all kinds.
  • GDPR grants data subjects the right to be forgotten, the right to data portability and the right to be informed about the processing of their personal data; none of these are mandatory requirements of ISO 27001.

A management system based on ISO 27001 can support the achievement of compliance with GDPR.

Possible Solutions by the Organizations

  • Arrange management and front-line employees to attend GDPR related training courses.
  • Implement an Information Security Management System (ISMS) based on ISO 27001:2013.
  • Implement controls on outsourced processes.
  • Implement regular internal and external audits on operations.
  • Improve the ISMS based on risk levels.

Relation with ISO 27701:2019 for Privacy Information Management

ISO/IEC 27701:2019 extends ISO 27001 and ISO 27002 with requirements and guidance for a privacy information management system (PIMS).

If personal data management is important to your business, consider pursuing ISO 27701 PIMS certification together with ISO 27001:2013 ISMS certification, to address the significant risks and challenges posed by the growing number of privacy regulations, such as the GDPR of the EU, the CPRA of California (USA), the PDPO of Hong Kong and the PIPL of Mainland China.


The ISO 27001:2013 international standard for information security management gives business owners and their staff a systematic management model for establishing and assuring information security. An organization's strategic decisions should include information security management.

ISO 27001 certification brings an enterprise many important strategic and operational advantages, including:

  • Stronger security: ISO 27001 certification reduces weaknesses in the enterprise's communications and improves its ability to control risk.
  • More efficient security planning: Annex A of ISO 27001:2013 lists 114 controls under 35 control objectives in 14 domains, guiding the enterprise's planning for human resources, legal matters and incident response. These comprehensive, detailed recommendations make the initial adoption of security measures more complete, easier to control and cost-effective.
  • More effective security management: every enterprise must begin to establish, or re-examine, its information security policies and procedures. Unlike a generic security programme, ISO 27001 is a proven best-practice framework for information security.
  • Continuous protection: certification, together with its ongoing updates and audits, keeps the enterprise informed of the latest weaknesses and best practices.
  • Better partnerships: to protect the corporate network while still allowing electronic data interchange (EDI), an enterprise can make ISO 27001 certification a security requirement for partners and suppliers.
  • Greater customer confidence: as customers pay more attention to organizations' security weaknesses, they look for concrete assurance; ISO 27001 certification provides that confidence.
  • Lower legal risk: an enterprise certified to ISO 27001 faces fewer legal problems after a security incident, because its conformity to the standard can be cited as evidence that it took reasonable security measures.

Related Training Courses

Related News:


March 5th, 2020 | Obtaining ISO certification with the enhanced Technology Voucher

Updated on Mar 5, 2020. - Technology Voucher Programme (TVP) - the Hong Kong Government's "Technology Voucher" scheme, with funding of up to HKD 600,000, applicable to some of DQS's ISO management system certification services. The Technology Voucher Programme was launched in November 2016 to subsidise local enterprises' use of technology services and solutions to improve productivity or to upgrade and transform their business. The scheme was revised at the end of February 2018 to relax the eligibility criteria, and was further enhanced from 27 February 2019. The 2020-2021 Budget announced that from 1 April 2020 the funding ceiling will be raised from HKD 400,000 to HKD 600,000, the funding ratio from 2/3 to 3/4, and the maximum number of approved projects from 4 to 6. Once the Budget is passed, Hong Kong enterprises and organisations will be able to receive up to HKD 600,000 from the Innovation and Technology Fund to use technology services to improve productivity or to upgrade and transform. Funding is provided on a 3:1 (government : enterprise) matching basis, and eligible projects include DQS [...]