In this event recap, catch up on what the Privasec team has been up to in the recent “ISO 27001 Certification Journeys” joint webinar with Association of Information Security Professionals (AiSP).
To start off, let’s dive into the definitions of terms talked about in the webinar.
What is an ISMS?
An Information Security Management System (ISMS) is a system that prescribes an organisation's approach to information security.
What is ISO 27001?
ISO 27001 is an international standard that sets out the specification for an ISMS. It contains a set of best practices that allow organisations to implement a world-class risk management system to strategise and coordinate their security investments, whilst gaining marketable recognition for doing so.
An ISO 27001 certification can provide assurance to clients and stakeholders, as it shows that the company takes a risk-based approach to managing its systems. It also gives clients confidence that the product comes from a company that is secure and alert to the risks it faces.
In this webinar, our panel of industry professionals shared and discussed their perspectives on the topic of ISMS and ISO 27001 certification.
The session started off with Leonard Ong, the Regional Information Security Officer of GE Healthcare, sharing the GE Healthcare ISO 27001 Certification Journey and unique ISMS challenges the company faced in the Healthcare/MedTech industry.
Next, we had our own Regional Head, Lim Quan Heng, who shared Privasec’s implementation approach for ISO 27001 certification using the Plan, Do, Check, Act framework, and also addressed six common misconceptions surrounding ISO 27001 certification.
Afterwards, Wong Onn Chee, representing Rajah & Tann Cybersecurity and AiSP, shared on the use of ISO 27001 as an overarching security governance standard, where its certifiability means that it is subject to regular surveillance audits by Certifying Bodies. He expanded the discussion by covering more detailed technical standards such as CIS Controls v8.
Next, Shirish Bapat from Lloyd’s Register Quality Assurance Limited shared the assessment process for ISO 27001 certification from the perspective of a Certification Body.
Lastly, the event concluded with a meaningful, thought-provoking Q&A session moderated by Joey Cheng, Regional Account Manager at Privasec. Check out the Q&A below.
We hope you all enjoyed the event as much as we did! It was a very insightful session, hearing from speakers across various industries. Thank you to all our esteemed speakers and wonderful participants, and we hope to see everyone again!
Questions & Answers (Q&A)
As the AiSP SIG lead for the Data and Privacy special interest group, Wong Onn Chee addressed the question by highlighting the different Personal Data Protection Act (PDPA) editions.
The Personal Data Protection Act (PDPA) 2010 is used in Malaysia, and Singapore uses the Personal Data Protection Act (PDPA) 2012. Both Acts are pretty similar, other than the recent revision in February 2021 for Singapore’s Act.
Firstly, ISO 27001 would form a pretty good demonstration of your organisation complying with the protection principles enshrined in the PDPA. However, PDPA principles such as consent are not covered in ISO 27001, which has no specific controls related to consent. Also, Singapore’s recent revision of the PDPA introduced updates for Accountability, the Right to Access personal data, the Right to Update personal data, etc.
Secondly, the PDPA has simple data protection requirements, with only a few clauses drafted for it. However, depending on the industry and sector your organisation operates in, such as Healthcare or Financial Services, there will be more detailed requirements for data protection.
At a high level, ISO 27001 does demonstrate your organisation’s ability to meet the minimum threshold expected to protect personal data.
Shirish Bapat also shared his perspective about organisations wanting to know what acts they need to consider.
He mentioned that this depends on the organisation’s industry, country of operations, and the local context and regulations. The standards are just a framework and do not define which legislation the organisation should follow.
The organisation needs to identify the applicability of the legal requirements. For example, the payment industry would need to comply with payment legislation like the Payment Card Industry Data Security Standard (PCI DSS). All in all, the organisation has to identify the context and the risk processes involved.
There is a lot of legislation out there: some of it is mandatory, and some is stipulated by local regulations and government. Some can also be used as guidelines, from which organisations can learn and take reference to better their own systems.
Wong Onn Chee also raised a discussion about the recent increase in Singapore’s data breach news. He highlighted the concern regarding the selection of third-party vendors where many of the data breaches are due to outsourced vendors.
He stated that, in his experience of handling data breaches in Singapore, none of the vendors involved in the data breaches were ISO 27001 certified. Thus, while direct causation cannot be concluded, he mentioned that a correlation could be drawn from this.
He then raised the question of how we select our vendors: are we selecting vendors based on cost and quality, at the expense of security?
Lim Quan Heng added to the discussion of third-party risk: many recent data breaches have been associated with external organisations that businesses rely on as part of their supply chain. A lack of third-party risk management is also commonly identified in a general assessment of an organisation.
From the legal point of view, the first layer of addressing this would be the right to audit your vendor. However, most organisations do not have terms in their contracts allowing this, which limits the organisation’s ability to perform due diligence on third parties. Also, many organisations lack a proper framework to manage third-party due diligence.
In the recent revision of the Monetary Authority of Singapore Technology Risk Management (TRM) Guidelines, there is also more emphasis on third-party risk. This should be part of any organisation’s arsenal, especially if technology is the core element of the organisation.
Lim Quan Heng first pointed out that regulations (including PDPA) are not explicitly included because ISO 27001 is not designed to be prescriptive.
However, he mentioned that if the organisation operates in an industry where these regulations apply, this would be a business risk. Not adhering to the PDPA is a business risk: if the organisation has more than 500 records breached, or there is an imminent threat to a person due to the breach, an investigation would be launched. Thus, it indicates an actual risk to the organisation, at least under Singapore’s PDPA.
Where there is such a risk, the organisation should be attempting to address it under the ISO 27001 process requirement of Plan-Do-Check-Act (PDCA). Also, there is ISO 27701:2019, which is a data privacy extension to ISO 27001.
Furthermore, looking at general trends and recent developments in Cambodia and Vietnam, newer privacy legislation is being introduced. Organisations can also see a general uplift in the emphasis on data privacy across the whole of Southeast Asia. The regulations came as a surprise to him; many of these countries went from having no regulations to modelling their regulations on some of the strictest international regulations.
Firstly, from the perspective of GE Healthcare, many of our clients are CII Operators (Critical Infrastructure Industry Operators), where they are bound by the national cybersecurity law in their country, be it in the European region, China, or Singapore.
Although GE Healthcare does not have the status of CII Operators and would not need to comply with regulations set out for CIIs, we do have to fulfill some of the commercial contractual obligations. This is part of our client’s expectations, where GE Healthcare is expected to help them and fulfill their obligations.
For GE Healthcare, security involves pre-market product development security and post-market security for developed products. This includes how GE Healthcare can monitor vulnerabilities, ensure the vulnerabilities are remediated on time, and how we can operate our services to be secure above a typical baseline. This is also due to the heightened requirements from our clients that are CII operators.
Secondly, regulations are different in every country, and new regulations are coming up every now and then. Examples are the new China Data Security Law (DSL) and China’s Personal Information Protection Law (PIPL), which is similar to the General Data Protection Regulation (GDPR) in the European region. In Southeast Asia, many countries like Thailand or Vietnam are also developing and revising their regulations. As GE Healthcare operates globally, the team needs to understand the different local regulations to meet the local requirements. However, only common requirements are driven globally, as it would be inefficient for GE Healthcare to apply local requirements on a global scale.
Thus, at GE Healthcare, a hybrid approach is adopted globally, where we have a global risk management framework, global risk inventory, and risk treatment. However, from a regional point of view, the view that certain risks are increasingly high for specific countries or certain markets will be maintained.
Firstly, depending on the business areas that the organisation is certifying, the area, country, and the statement of applicability can affect the certification. For consumers, my advice would be to look at the ISO 27001 certification of service providers to ensure that the certification scope is comprehensive for your organisation. Also, if your organisation shares Personal Identifiable Information (PII) or Protected Health Information (PHI) with a particular service provider, it is important that your organisation ensures they have the right level of controls, not just the bare minimum level.
Secondly, ISO certification is never a replacement for a proper third-party due diligence or a risk assessment. For GE Healthcare, we work very closely with our clients like public hospitals and Integrated Health Information Systems (IHiS), regulators such as Health Sciences Authority (HSA), where we seek to understand their requirements. At GE Healthcare, we do not stop at the common requirements as a standard, and when required, we have to go beyond that.
Both GE Healthcare and Privasec are ISO 9001 and ISO 27001 Certified, where these ISO standards focus on different things.
For example, the ISO 14001 Certification is for Environmental Management System, and ISO 9001 Certification is about quality management systems. The latter focuses on quality and how an organisation can maintain a quality process with a quality management system.
ISO 27001, by contrast, is cybersecurity-focused: it is about information security management.
Before looking at the sector, the organisation should look at its IT dependence, which will have increased over time. For example, in India, for three of the largest logistics players today, about 80-90% of the shipments would not need a layer of security. However, for the 5-10%, they would need that layer of security.
This comes down to the logistics process being highly dependent on IT, where many of the processes are now digitalised and IT-enabled, with little to no logistics paperwork. In consideration of this, organisations need to understand that this layer needs to be secured. If that layer gets compromised, your organisation’s and your customers’ data is also exposed.
All in all, the question should not be whether a logistics company needs ISO 27001 certification. Organisations need to understand that if your operations and processes are highly IT-dependent, and your organisation manages data that needs security, you would need ISO 27001. This is regardless of the sector or industry your organisation is in.
To add on, during the course of our work at Privasec, we do talk to some of the largest delivery organisations, especially for last-mile delivery around Asia. ISO 27001 would be a relevant standard for them to explore, as one of the core requirements for these organisations is their ability to track the parcels and update their customers about it, which inevitably involves technology and Personal Identifiable Information (PII).
As a general statement, ISO 27001 would be relevant for your organisation if technology is involved to a great extent or is the core focus of your organisation.
There is a requirement given in ISO 27006, a standard that outlines the requirements for becoming an auditor.
Firstly, the candidate would need to have experience: there is a requirement for a minimum of 4 years’ experience in the IT field, of which two years need to be in the field of information security. The candidate will need to have fairly good exposure to information security.
Secondly, the candidate can enrol in a Lead Auditor course with one of the registered bodies. This is where the candidate will need to do the ISO 27001 Lead Assessor course. After that, the candidate will need to have auditing experience, which can be gained in various ways.
It can be gained by conducting audits in a consulting firm, where the candidate can be involved in doing internal audits or maintaining logs, which is recognised by registration bodies like the International Register of Certificated Auditors (IRCA). Apart from this, it would be beneficial to associate with third parties or certification bodies, as this will provide the candidate with experience of third-party auditing, allowing the candidate to experience the flavours of different organisations. All in all, these can help the candidate meet the requirements of certification agencies like IRCA, where they can then register themselves as an auditor.