[Figure: ISMS certification scheme. Accreditation body: Information Management Systems Promotion Center, JIPDEC. Certification bodies apply to the accreditation body, which assesses and accredits them; organizations apply to a certification body, which assesses and certifies them; auditor training bodies apply to the accreditation body for approval and are evaluated; auditors attend a training course and are issued certificates of successful completion.]

[Chart: number of ISMS-certified organizations, plotted as sum total and quarterly total per quarter (months 4-6, 7-9, 10-12, 1-3); 3,636 certified organizations as of 15 Oct 2010.]
[Figure: ISMS implementation schedule. Roles: CISO, Internal Audit team, External support, Certification Body (1st audit). Phase 1: gap analysis, preparation for risk analysis, security policy establishment, implementation plans. Work packages: 100: Organization establishment; 200: Policy, standards, procedures fulfillment; 300: Asset management fulfillment; 400: Education fulfillment; 500: Physical environment arrangements; 600: Information system development; 700: Business continuity management; 800: Audit & self assessment. Phase 3 ends with the 1st audit by the certification body. Milestone dates are shown as x/200x.]

CISO:
• Set the ISMS objectives of security management in the organization
• Set the ISMS commitment and
(3) C-Telecommunication
• ISMS scope: Business unit of products and services development
• Organizational size: 5 departments, 200 employees
• Period: 9 months
• Implementation steps (main): ISMS policy, risk assessment including gap analysis based on 27002 controls, controls selection and implementation, internal audit, management review, measurements
Security gap analysis by 27002 control

[Figure: radar chart of scaled scores over 11 control areas, numbered 1 to 11 on the chart: Security policy; Organizational security; Asset classification and control; Personnel security; Physical and environmental security; Communications and operations management; Access control; Information systems development and maintenance; Business continuity management; Compliance; Information security incident management. The current scaled score is plotted against the security level to be conformed to. Scaled score: A (100), B (75), C (50), D (25), E (0).]

Evaluation methods:
• Interviews (interviewees: security organization; owner/user/provider; outsourcer; vendor etc.)
• Document reviews (security policy; current guidelines; network configuration; operation procedures; user guides etc.)
• Site reviews (computer center; office; network; system; etc.)

Gap analysis is performed using evaluation criteria (A - E).

Evaluation criteria:
A - Excellent: Management cycle and improvement activities are performed so that controls are effective.
B - Above average: Standardized documentation/procedures exist and are in operation.
C - About average: Standardized documentation/procedures exist but are not in operation.
D - Little done: No standardized documentation/procedures exist, and operations are carried out orally or by each person.
E - Nothing done.
(4) D-Consulting company
• ISMS scope: Whole company
• Organizational size: 30 departments, 2,000 employees
• Period: 9 months
• Implementation steps (main): ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements scheme

ISMS measurements scheme establishment

PC Security (one of the objectives)
• Objective: All PCs of the organization shall be secured based on the organization's regulated setting and maintenance.
• Measure: Conformed PCs / total PCs
• Target: 100%
• Indicators: Green zone 100% - 99%; Yellow zone 99% - 95%; Red zone 95% - 0%
• Controls to be implemented: A.9.2/A.9.2.5, A.9.2.7; A.10.4/A.10.4.1, A.10.4.2; A.11.3/A.11.3.1, A.11.3.2, A.11.3.3; A.11.7/A.11.7.1, A.11.7.2; A.15.1/A.15.1.5; A.15.2/A.15.2.1

Actions by indicators
① In case of the Yellow zone, some individuals do not conform. → Reassess the non-conformity items and identify the causes. → Identify the controls relating to the causes (for example, screen saver) and re-define the safeguards.
② In case of the Red zone, it is a totally risky situation for the organization. → Identify the weak department and request improvement actions from the CISO.
(5) E-Manufacturing (group)
• ISMS scope: Unified ISMS certification across all group companies
• Organizational size: 20 group companies + 100 departments, 30,000 employees
• Period: 10 months
• Implementation steps (main): ISMS objectives setting, ISMS policy, risk assessment, controls selection and implementation, internal audit, management review, measurements, integrating privacy

ISMS objectives establishment
What objectives are developed from the business/security directions?
What targets are set to evaluate the achievement of the objectives?

[Figure: objectives and measurement reporting flow. Inputs: Management's directions on business (CEO's business directions) and Management's directions on security (CISO's security directions, ISMS policy). Roles: CEO; Management Committee; CISO; Security Staff; Security Committee; Department Committees and group Committee Members (agenda). Measurement cycle: measure, collect, calculate, analyze, evaluate, report, web publish, indicate actions. Reports flow up from the Security Staff to the CISO and the Management Committee; the Management Committee recommends improvement actions, and the CISO indicates actions to the organization and departments.]
[Figure: type of assets. Privacy data is covered by the P mark and by the ISMS; application of the ISMS (or ISM) to information.]

[Figure: raising the security level of government agencies (Plan, Do, Check, Act). The NISC inspects and evaluates the implementation status at the central government agencies (Agency A to Agency F), checking compliance with the Standards for Measures against the required security level, and the ISPC makes recommendations for improvement based on the inspection/evaluation results. Aim: achievement of a higher security level (future) by raising the current lowest level, with review of the standards.]

National Information Security Center (NISC)
[Figure: mapping of Clauses 10 to 14 to the CloudGuide and related standards: Clause 10 CloudGuide; Clause 11 CloudGuide; ISO/IEC 27034 Application security; Clause 12 CloudGuide; Clause 13 CloudGuide with ISO/IEC 27035 Incident management; Clause 14 CloudGuide. Lifecycle labels: Maintain & improve Security*; Monitor & review Security*.]