ISO 27001

Business Background

With the promulgation of laws and regulations such as the Network Security Law of the People's Republic of China and the Data Security Law of the People's Republic of China, the management of information security has risen from a business need to a compliance need. With the continuous advancement of information technology construction and the gradual expansion of the scale and application scope of computer networks, the role of information technology has gradually moved from supporting the business to being integrated with it. At the same time, while information technology brings development and benefits to enterprises and public institutions, the nature of the risks it creates differs fundamentally from that of traditional operational risks. Many information security problems have emerged: disclosure of business secrets, loss of client information, system breakdown, hacker intrusion, virus infection, phishing, web page defacement and so on. Significant information security incidents in various industries also occur frequently and are growing fast.

Business Introduction

1. Information security risk assessment

Information security risk assessment is an important part of information security engineering, and it is the foundation and premise of establishing an information security management system. It analyzes the vulnerabilities of the information assets within the scope of the user's information security management system, the threats they face, and the possible impact if those vulnerabilities are exploited, in order to understand their risk status. The assessment defines the characteristics of the various risks and a hierarchical mechanism for handling them, so that users can choose appropriate risk controls and manage information security risks more effectively. By identifying information security risks and conducting the assessment and analysis, management can fully understand the current state of information security risk across multiple dimensions such as personnel, management and technology, and formulate targeted risk treatment plans.

2. ISO/IEC 27001 Certification

CEPREI provides ISO/IEC 27001 conformity certification to organizations on the basis of their applications. If the requirements of the current standard are met, the relevant certificate is issued to the organization.

In particular, ISO/IEC 27001 introduces an extensible certification mode. When an organization wants to demonstrate its strength in specific fields such as cloud security and privacy management, it can additionally apply for ISO/IEC 27017, ISO/IEC 27018 and ISO/IEC 27701 certification. ISO/IEC 27701 certification in particular meets the requirements of the Personal Information Protection Law of the People's Republic of China for organizations to prove their due diligence.

3. Information security training


Value of implementing the business

1. Compliance with legal requirements: The implementation of the information security management system assists the organization in confirming that all applicable laws and regulations have been complied with, so as to protect the information system security, intellectual property rights, business secrets and so on of the organization and its interested parties.

2. Maintain the reputation, brand and clients' trust in the organization: The implementation of the information security management system shows partners, shareholders and clients the organization's efforts to protect information and increases their confidence in the organization. That helps to create a competitive advantage for the organization within its industry and enhance its market position.

3. Fulfill the responsibility of information security management: The implementation of the information security management system can prove that the organization has made effective efforts in security protection at all levels, and that the management has fulfilled the relevant responsibilities.

4. Enhance employees' awareness, sense of responsibility and related skills: The information security management system can strengthen employees' awareness of information security, standardize organizational information security behavior, and reduce unnecessary losses caused by human factors.

5. Maintain sustainable business development and competitive advantage: The establishment of the information security management system indicates that the information assets on which the core business of the organization relies have been properly protected, and an effective business continuity plan framework has been established to enhance the core competitiveness of the organization.

6. Achieve business risk management: The implementation of the information security management system helps the organization to better understand its information systems, find out existing problems and the corresponding protection methods, ensure that its information assets are properly protected under a rational and complete framework, and ensure the orderly and stable operation of the information environment.

7. Reduce losses and costs: The implementation of the information security management system can reduce the losses caused to the organization by potential security incidents, ensure the continuous operation of the business, and minimize losses when the information system is attacked.

Business Process

An information security management system in accordance with the requirements of ISO/IEC 27001:2013 has been established by the applicant organization. The internal audit and management review have been completed before the application, and the information security management system has been in operation for at least three months;

The organization shall provide CEPREI Certification Body with sufficient information on the operation of the information security management system. For multiple sites, the certification scope, address and personnel distribution of each site shall be stated. CEPREI Certification Body will then determine the relevant audit program.

The certification is divided into two stages: the stage 1 audit mainly consists of reviewing the documents and confirming readiness for the stage 2 audit. The stage 2 audit mainly evaluates the conformity and effectiveness of the system and produces the recommended conclusion of the on-site audit.

The certificate is valid for 3 years, and surveillance is carried out once a year after the certification is granted.

In case of any change in the organization's information security management system, or any major change that affects the conformity of the information security management system, CEPREI shall be notified in a timely manner. CEPREI Certification Body will conduct special audits as appropriate to maintain the validity of the certificate.


CEPREI's Capability

CEPREI Certification Body is one of the largest certification bodies covering the widest business scope in China.

As a Class-I unit involved with state secrets, CEPREI ensures information security when providing services for governments and enterprises.

As a supportive research institution directly under the Ministry of Industry and Information Technology of the PRC, CEPREI has long been engaged in tracking and studying up-to-date international standards and technical trends, as well as making them applicable to enterprises and organizations in China.

It is a member of the Information Security Certification Committee of CNAS.

CEPREI currently has over 40 service management auditors, including 3 with doctoral degrees and over 20 with master's degrees. Most of the auditors hold professional information security management certificates such as CISSP and CISA.

CEPREI is one of the first pilot institutions carrying out information security management system certification, supported by the Ministry of Industry and Information Technology of the PRC and approved by the Certification and Accreditation Administration of the PRC.

So far, CEPREI has successfully provided training, risk assessment and certification services for information security management systems to customers from industries such as finance, IT, telecommunications, high-end manufacturing and electric power, including HSBC, Foresea Life Insurance, Rural Credit Banks Funds Clearing Center, Shenzhen Financial Electronic Settlement Center, Shenzhen Gold Investment Co., Ltd., Shenzhen Stock Exchange, Cigna CMB, Liaoning Mobile, PCCW, Xiamen Telecom, Neusoft, Inspur Group, Coolpad, Nantian, Kingdee, Nikoyo (China), Chinasoft International, LY.com, CRRC Yangtze, Brilliance Auto, Knorr-Bremse (Asia Pacific), Sany Heavy Industry, Amway (China), BGI, The People's Printing Plant of Guangzhou, JNPC and State Grid Heilongjiang Electric Power Co., Ltd.