
SUMMARY REPORT

ON

ISO/IEC JTC 1/SC 27 IT SECURITY TECHNIQUES

WORKING GROUP

MEETINGS

04 - 08 May 2015

BCCK Kuching/MALAYSIA

Prepared by:

Dr. Suresh Ramasamy
Azleyna Ariffin
Nur Shahidah Senin

On behalf of

MALAYSIAN TECHNICAL STANDARDS FORUM BHD


TABLE OF CONTENTS

1. Abstract
2. List of Participants
3. Introduction/Background
4. Agendas/Topics
5. Findings
6. Conclusion
7. Acknowledgement
Annex A


1. Abstract

ISO/IEC JTC 1/SC 27 IT Security techniques is a standardization subcommittee of the Joint Technical Committee ISO/IEC JTC 1 of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), which develops and facilitates International Standards, Technical Reports and Technical Specifications within the field of IT security techniques.

Standardization activity by this subcommittee includes general methods, techniques and guidelines to address both security and privacy aspects. Drafts of International Standards by ISO/IEC JTC 1 or any of its subcommittees are sent out to participating national standardization bodies for ballot, comments and contributions, the meeting of ISO/IEC JTC 1/SC 27

This report outlines the attendance of selected participants from MTSFB and the Information/Network Security Working Group.

2. List of Participants

With assistance from MTSFB and SKMM, the following participants attended this event.

i. Nur Shahidah Senin (MTSFB staff, INS Secretariat)

ii. Dr. Suresh Ramasamy (INS Chairman)

iii. Azleyna Ariffin (INS Secretary)

3. Introduction/Background

The SC27 meeting held in Kuching, Sarawak hosts the ISO/IEC JTC 1/SC 27 Working Group, Study Group and Plenary Meetings. SC27 is responsible for managing and maintaining the standards for Information Security Management Systems.

The Information/Network Security Working Group is a working group under the Malaysian Technical Standards Forum which is tasked to produce technical papers on Information/Network Security, using the ISO/IEC 27000 series of standards.

4. Agendas/Topics

i. WG participation

Participation in the WG meetings gives a clear understanding of the documents currently under discussion. The documents discussed include the change proposal for ISO 27011 (guidelines for the telecommunications industry) and ISO 27021 (a new ISO standard for competence). This also includes the emergence of ISO 31000, which standardizes the risk management approach, and the request to align the existing 27000 series with that document. Participation in WG2 reveals the details of the changes to ISO 29192 for the addition of new ciphers, as well as the submission of new hash algorithms for ISO 14888 and ISO 10118.

As part of the participation, the process of standards production became clear. Dr. Toshito from IISEC, JP was kind enough to explain the whole process, which is documented in Annexes 1 and 2 of the publicly available ISO standards.

ii. National Seminar on “Information Security and Economic Growth”

The seminar was held over 1 day and was conducted by SIRIM BERHAD. It provided an overview of the following ISO standards and the benefits that organizations can derive from implementing them.

iii. ISO 27001 Implementation Training

The implementation training was held over 2 days and was conducted by Cyber Security Malaysia. It covered the ISO document outline and the steps that organizations are required to perform. The following is an excerpt of the training requirements.

Introduction to Information Security
Introduction to Information Security Management Systems (ISMS): objective of ISMS, scope and roles of management
ISO/IEC 27001:2013 ISMS - Requirements
ISO/IEC 27002:2013 - Code of Practice for Information Security Controls
The ISO 27000 Series of Standards

The following modules were covered and completed:

Module 1 - Introduction to ISMS
Module 2 - Establishing ISMS
Module 3 - ISMS Risk Assessment
Module 4 - Measurement of Controls
Module 5 - Internal ISMS Audits
Module 6 - Training, Awareness and Competency
Module 7 - Management Responsibility
Module 8 - ISMS Improvement

The agenda is given in Annex A.

5. Findings

WG1 Meeting Defect Report - Concerning ISO/IEC 27001:2013

Participation in the WG1 meeting, especially the Defect Report session, exposed the participant to the overall process of handling defects in existing published standards, including the process between the WG Convenor and the Submitter.

Even though the defect only affected the grammar of the clauses, it took considerable effort by the Editor to ensure that consensus was obtained from all parties before registering the defect report.

Summary of voting on ISO/IEC DIS 27006:2015-01-20(E) (3rd edition) (SC27 N14936) -- Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems

The participant attended this session at the request of the WG 1 Chairman, YM Raja Azrina Raja Othman, as representative for MALAYSIA. This document is being circulated for consideration at the Ballot Consultation Meeting for ISO/IEC DIS 27006. Findings:

Most of the comments on this Standard came from JAPAN. Their comments were mainly to ensure consistency of the terms used in this Standard with the recently published and enforced ISO/IEC 27001:2013. Nevertheless, the Editor's advice was required, as some of the sentences became either 'too long' or 'too ambiguous'.

ISACA suggested quite a number of comments / amendments; however, these were REJECTED by the Secretariat, as no JUSTIFICATION was given for the proposed changes.

MY and GB share the same view that members who suggest a change must provide examples for discussion prior to the meeting, to give members ample time to digest them and make a decision, rather than having to discuss the matter on the spot and prolong the session.

The members reviewing this Standard agreed to convert the document status from Working Group ('WG') to Committee Draft ('CD') at the next SC27 Meeting, scheduled in Jaipur, India.

Disposition of Comments on Summary of National Body comments (SC 27 N14374) on SC 27 N13914 -- ISO/IEC CD 27011 - Information technology - Security techniques - Information security management guidelines for telecommunications organizations based on ISO/IEC 27002

The participant attended this session. This document was approved at the Ballot Consultation Meeting for ITU-T X.1051 | ISO/IEC 1st CD 27011 in Mexico City, Mexico, during the SC 27/WG week, 20th - 24th October 2014. Findings:

The main issues in completing the draft were due to non-attendance by those who had submitted comments.

An aggressive attitude from some members also contributed to the less-than-harmonious way in which the draft was accepted by the Working Group ('WG').

National Seminar on “Information Security and Economic Growth”

The seminar discussed the various issues relating "information security and economic growth" to the organization. Four major topics were discussed, each presented by a representative of the ISO/IEC JTC 1/SC 27 Working Groups. The topics discussed by the panelists were very interesting and allowed participants to understand the importance of ISO standards, so that practitioners can play a role in every organization.

Several sub-topics were discussed under the major topics:

Discussion 1

The Importance of Information Security Standards for Economic Growth

This topic discussed in detail the importance of SC27 standards, case studies, and the need for security and privacy technology. Participants learned about the benefits of, and the challenges in, implementing information security standards.

Discussion 2

Information Security Best Practices for Economic Growth

These best practices assist organisations significantly in delivering their services, processes and products. Security and privacy are essential for the digital economy to continue to serve as a platform. Professor Dr. Kai Rannenberg gave the audience an explanation of frameworks and architectures in identity management and privacy technologies, with overviews of related projects. The session also discussed security controls and services as part of the best practices.

Discussion 3

Malaysian Private Sector Participation in Information Security and Economic Growth

This topic discussed the Malaysian private sector's participation in the formation of internet security and economic growth. Among the topics discussed were the driving factors, the turn-offs and the key success factors in pursuing ISMS certification. Creating trust in business is one benefit of practising ISMS, while lack of support from top management is a challenge in maintaining the ISMS.

Discussion 4

The Role of Government in Ensuring Information Security for Economic Growth

The government and statutory agencies involved in this topic were the Sabah SCSD, MCMC, MAMPU and Sarawak ICTU. They shared the government's role in ensuring information security for economic growth. MAMPU has been given the role of maintaining information security in peninsular Malaysia, and MCMC likewise in the communications industry, while Sabah and Sarawak run their own agencies, namely Sabah SCSD and Sarawak ICTU. Sabah SCSD is a state government department responsible for rendering ICT services to other state agencies; Sabahnet is the main gateway for Sabah SCSD. Sarawak ICTU is responsible for coordinating and providing the lead in the application of ICT, including formulating ICT policies, and for information security in Sarawak. They explained that security is not a product, it is a process.

ISO/IEC 27001 Information Security Management System (ISMS) Implementation

The training materials and the way they are presented can be further improved by CyberSecurity Malaysia. The training should emphasize HOW an organization can align its processes with ISO 27001 in a practical way. This can be achieved through more workgroups and exercises.

6. Conclusion

The ISO/IEC JTC 1/SC 27 meeting held in Kuching was a testament to Malaysia's commitment to global standards. SKMM's role was pivotal; together with Standards Malaysia and SIRIM, it helped to create a conducive environment for the development and propagation of standards. Participation of the INS Working Group and the MTSFB representative not only shows Malaysia's alignment and commitment to global standards, but also presents an avenue for learning, understanding and peer networking, which gives long-term benefits for the drafting of industry technical codes under MTSFB. It is highly recommended that the INS Working Group continues to be part of SC27 to keep abreast of developments in the standards, as well as to supplement the WG's ability to contribute locally and globally and place Malaysia at the forefront of nations.

7. Acknowledgement

The participants would like to thank MCMC & MTSFB for organising and funding their attendance, so that they can carry forward the knowledge gained.


Annex A


THE MALAYSIAN TECHNICAL STANDARDS FORUM BHD

4805-2-2, Block 4805,

Persiaran Flora, CBD Perdana 2,

Cyber 12,

63000 Cyberjaya

Selangor Darul Ehsan

Malaysia

Tel: (+603) 8322 1441

Fax: (+603) 8322 0115

Website: www.mtsfb.org.my