MS ISO/IEC 27001:2007 Information Security Management System (ISMS) Implementation and Certification for Critical National Information Infrastructure (CNII) under Communication and Multimedia Industry
About MS ISO/IEC 27001 Certification Exercise in Malaysia
To provide details information on the MS ISO/IEC 27001:2007 Information Security Management System (ISMS) implementation and certification for communication and multimedia industry in Malaysia.
On 24 February 2010, the Jemaah Menteri had decided that:-
• Critical National Information Infrastructure (CNII) entities of Malaysia to be certified under MS ISO/IEC 27001:2007 Information Security Management System (ISMS);
• Implementation of ISMS certification is to be coordinated by the relevant ministries and agencies that are responsible over the specific CNII; and
• The CNII entities to be certified within 3 years.
Critical National Information Infrastructure is defined as those (real and virtual), systems and functions that are vital to the nation that their incapacity or destruction would have a devastating impact on:
a. National Economic Strength - Confidence that the nation’s key growth area can successfully compete in the global market while maintaining favourable standards of living.
b. National Image – Projection of national image towards enhancing stature and sphere of influence.
c. National defence and security – Guarantee sovereignty and independence whilst maintaining internal security.
d. Government capability to function – Maintain order to perform and deliver minimum essential public services.
e. Public health and safety – Delivering and managing optimal health care to the citizen.
In line with the cabinet decision, Malaysian Communications and Multimedia Commission (MCMC) as the regulator of the communications and multimedia industry in consultation with the Ministry of Information, Communication and Culture (MICC) has identified eleven (11) critical organizations within the communications and multimedia industry that requires ISMS certification within the stipulated timeline. The identified organizations are as follows:
1. Telekom Malaysia Berhad
3. Maxis Berhad
4. Digi Telecommunications Berhad
5. U-Mobile SdnBhd
6. MeasatBroadcast Network Systems SdnBhd (ASTRO)
7. Media Prima Berhad
8. Jaring Communications SdnBhd
9. .my Domain Registry
10. NTT MSC SdnBhd
11. Time dot Com Berhad
All CNII entities or organizations under communication and multimedia industry will report their progress of ISMS implementation to MCMC in every quarter, who then will report to National Cyber Security Coordination Committee (NC3) and National Cyber Security Advisory Committee (NaSCAC).
In terms of verification:-
a. for CNIIs gazetted as SasaranPenting, CGSO’s Tim Naziran will check on the validity of the reports as well as the actual implementation of ISMS, and
b. for CNIIs identified but not gazetted as Sasaran Penting, MCMC shall request the CNIIs under purview to provide regular progress reports on ISMS certification.
MCMC as governing agency for communication and multimedia industry has the responsibility to ensure both proper enforcement and accurate reporting on the ISMS implementation by the CNII entities under purview.
Benefits of MS ISO/IEC 27001:2007 Certification
• MS ISO/IEC 27001:2007 is an internationally accepted as information security management standard and has been adopted by many public and private sector organizations from various industries.
• It is an auditable standard that will give an assurance to the management of the organization that the appropriate policies, procedures and controls are in place.
• The standard defines the top down, risk based and business driven approach in developing the ISMS.
• Stakeholders being confident with the commitment of the ISMS certified company in keeping their information safe. This in turn will give commercial credibility, trust and confidence to the said company.
• Improve employee awareness of security issues and their responsibilities within the organization because the weakest link in ensuring information security is unavoidably human.
• The regular assessment process will help organization to continually use, monitor and improve your management and processes.