ISO 27001 is an internationally recognised standard for establishing an Information Security Management System (ISMS). An ISO 27001 certified ISMS is a testament to an organisation's commitment to information security and provides strong security assurance to third parties.
In today's digitalised world, contractual and regulatory requirements often include information security clauses or prerequisites that use ISO 27001 as the standard of reference or baseline. This is especially so for highly regulated Critical Information Infrastructure (CII) sectors such as Government, Banking and Finance, and Healthcare.
Check out this article as we share how ISO 27001 certification can help meet your compliance needs and the various regulatory requirements in countries such as Singapore, Australia and Indonesia.
ISO 27001 in Singapore
In Singapore, ISO 27001 was used as a standard of reference by the Cyber Security Agency (CSA) for its recently launched Cyber Safe Certification Scheme, consisting of the Cyber Essentials Mark and the Cyber Trust Mark. Catering to larger or more digitalised organisations with extensive IT infrastructure, the Cyber Trust Mark is based on ISO 27001 and is designed to help organisations mature their cybersecurity posture by providing specific controls to guide them on their cybersecurity journey.
Similar to ISO 27001, the Cyber Trust Mark takes a risk-based approach, which aims to enable organisations to adopt and implement cybersecurity practices that are commensurate with their cybersecurity risk profile. Up to 65% of the controls in the Cyber Trust Mark can be mapped to ISO 27001. In addition, depending on the organisation's readiness level, integrated options to certify against the ISO 27001 standard are available.
ISO 27001 in Australia
As highlighted in the Information Systems Audit 2018 report by the Western Australia Office of the Auditor General (OAG), information security weaknesses could heavily affect the operations of government and potentially compromise sensitive information held by agencies.
Often mandated in high-risk industries such as Information and Communication Technology (ICT) and data centre hosting, ISO 27001 is a popular standard at the State Government level in Australia. In 2017, the Western Australian (WA) government also updated the Digital Security Policy developed by the Office of the Government Chief Information Officer, with the aim of elevating the state's IT security practices in line with international standards such as ISO 27001.
The Digital Security Policy consists of four main requirements to ensure the confidentiality, integrity and availability of digital information:
- Implementation of an ISMS (information security management system),
- Establishment of governance and accountability,
- Assessment and treatment of security risks,
- Inclusion of mechanisms for continuous improvement.
A supplementary guide to aid the implementation of the Digital Security Policy was also released by the WA Office of the Government CIO, which states, "agencies are strongly encouraged to utilise the ISO/IEC 27000 series, particularly […] as the basis for their ISMS".
ISO 27001 In Indonesia for PSE Certification
In Indonesia, one of the most important regulatory requirements for organisations operating online is the PSE certificate ("Penyelenggara Sistem Elektronik" or "Electronic System Provider"), issued by the Ministry of Information and Communication ("Menkominfo" or "MOI").
With the aim of improving public trust in using the internet, the PSE certificate certifies that a company's electronic system is secure and compliant with Indonesian data protection standards. As defined by MOI, any company that collects user information online as an online business requires a PSE certificate to operate. The PSE certificate is also often a prerequisite for other mandatory permits required to do business.
For the certification, applicants without an Information Security Certificate will need to fill in an MOI questionnaire to assess the kind of information security certificate required:
- Organisations that are deemed low risk will need to obtain a KAMI Index rating and certificate issued by the Indonesian National Cyber Security Agency, BSSN.
- Organisations that are deemed medium or high risk will need to obtain ISO 27001 certification.
High-risk companies may additionally need to comply with requirements from the respective industry-specific regulatory bodies, such as OJK or BI for financial services.
While other information security standards and certifications are available in the market, many industries and governments have adopted ISO 27001 as the de facto standard for information security management practices. Organisations can therefore consider ISO 27001, an internationally recognised certification, as a sound cyber security governance investment that elevates their security posture and helps meet contractual and regulatory requirements.
Privasec is an ISO 9001 and ISO 27001 certified independent cyber security consulting firm with a Governance, Risk and Compliance (GRC) team of highly experienced and certified professionals, each with an average of 10 years of cyber security consulting experience.
With extensive expertise and a proven track record of implementing Information Security Management Systems (ISMS) that are certifiable to ISO 27001, we are glad to assist and support organisations on their ISO 27001 certification journey.