Frequently Asked Questions
Why the need for certification?
Direction from the Malaysian Government requires the CNIIs to implement adequate security measures to ensure that the delivery of critical services and products are not disrupted because of problems with the information assets and information systems that are used to manage, control or deliver such services and products.
Is my organization a CNII entity?
If the services or products delivered to the public and the nation fall under the description explained as Critical Services or Products. The Critical Services or Products are those that are delivered to the external organization or the organization’s consumers and satisfy the critical services or product availability needs of the external organizations or consumers i.e industry, public, the economy and the nation. This external organization or consumers may be other CNII entities.
However intra-services or products, i.e services from one department that serves other departments in the same organization e.g. Human Resources, Procurement and Finance, are NOT considered critical UNLESS those intra-services or products delivered to the external organization.
What is the difference between Adopting, Complying and Certified ISMS?
The terms adoption, compliance and certification or certified has occasionally been used interchangeably and warrants clarification in order to ensure that all the parties involved have the same understanding.
If an organization claims that it is Adopting ISMS, it is merely a statement of intent of that organization expresses. It does not necessarily mean that the organization has actually implemented ISMS or in the process of implementing ISMS.
If an organization claims that it is Complying to ISMS, it is a statement of claim that it is adopting and has implemented ISMS. It does not mean that its implementation is ‘really’ in compliance as verified by an independent party.
If an organization claims to have been Certified ISMS, it means that an accredited certifying body has independently certified the organization’s ISMS implementation to the satisfaction of the standard.
What scope of the organization’s ISMS implement needs to be reported to MCMC?
An organization may implement one or more ISMS covering different scopes. These ISMS may be implemented concurrently or in sequence and some of the deliverable documents may be applicable across ISMS boundaries.
In brief, the scope of ISMS and the progress of the ISMS implementation that must be reported to MCMC are those that cover the delivery of critical services and products.
What sorts of disruptions to services are considered critical?
In general points to assist CNII entities:-
a. The interruption is immediate and no gradual or deferred or delayed,
b. The services performance level deteriorates significantly from the norm,
c. The quality of service deviates from the normal or acceptable quality of services, and
d. The impact of disruption or compromise has significant and noticeable effect to industry or commerce, government operations, image, safety or defence.
Will MCMC Fund the Cost of ISMS Implementation?
ISMS implementation is similar to the Quality Management System (QMS) in many respects. Essentially it is aimed to benefit the organization in its operations. Both the management systems (ISMS and QMS) will result in a verified and auditable process that will give assurance to the Management of the organization that the appropriate policies, procedures, and controls are in place.
In line with good Corporate Governance therefore, it is expected that the entity will take the necessary steps to ensure that ISMS is in place for the good of the organization.
MCMC will provide CNII entities under purview with training, workshop and seminar initiative in supporting government decision on the ISMS certification.
Network Security Management Department
Malaysian Communications and Multimedia Commission
MCMC Tower 1
Jalan Impact, Cyber 6
Tel: +603-8688 8000
Fax: +603-8688 1003