Report: Information Security Management System ISO27000 Training, 19-21 October 2011, Jakarta, Indonesia

Participants during Site Visit in PT Panasonic Gobel Energy, Indonesia

BRIEF DESCRIPTION / BACKGROUND OF THE PROJECT

Organizations today have an increased awareness of the value of information and perceive the importance of protecting their information assets. Therefore, designing and maintaining comprehensive, cost-effective ISMS have become ongoing challenges for many institutions.

An ISMS is a risk management approach to maintain the confidentiality, integrity and availability of an organization’s information, which has become a vital management system in many organizations. The APO introduced an e-learning course on ISMS based on the ISO27000 series in 2010, which attracted widespread interest and was completed by more than 360 participants from member countries.

Building on the results of the e-learning course, the APO has organized this training course to provide more in-depth, comprehensive learning opportunity for the previous participants in the e-learning course on the requirements of ISO27000 series. This course illustrates step-by-step compliance process with the standard, which includes establishing, implementing, monitoring, maintaining and improving the ISMS system in an organization.

OBJECTIVES FOR PARTICIPATION

Michael John del Mundo

The undersigned expected to learn the theoretical underpinnings and practical applications of the Information Security Management System so he could use and apply ISMS in our organization. He also expected to be able to interact and share experiences with other co-participants in implementing information security, and to become part of a network of information security professionals in the Asia-Pacific region.

Jenalyn Ferrer

This course on ISMS is relevant to what they are currently doing in KSDO. They have already conducted four batches of the ISMS course in the first quarter of 2011 and have slated two more before the end of the year. They also plan to provide assistance to government and private organizations in implementing ISMS through consultancy.

She expects the course to equip her with an in-depth understanding of how a formal information security management system should be established using an international benchmark – ISO/IEC 27001. She also expects to share experiences and initiatives in ISMS implementation with participants from other countries.

PROFILE OF PARTICIPANTS AND RESOURCE SPEAKERS

A total of 19 participants attended the training: 16 were foreign delegates and 3 were from the host country of Indonesia. The breakdown of participants by country is: Bangladesh – 1, Cambodia – 1, Fiji – 1, Indonesia – 3, IR. of Iran – 1, R. of Korea – 1, Malaysia – 1, Mongolia – 1, Nepal – 1, Pakistan – 1, Philippines – 2*, Sri Lanka – 2, Thailand – 2, and Vietnam – 1.

*Participants representing the Philippines are both from the NPO. Ms. Jenalyn Ferrer is a Project Officer from the Center for Knowledge Management (CKM). Mr. Michael John del Mundo represents the APO Liaison/International Relations Office (APO/IRO). Both have participated in the 2010 APO e-learning course on ISMS.

Resource Speakers

The organizers invited two (2) resource speakers for the training course, Mr. Sathya Prakash and Mr. S.T. Zaidi. Both are Indian nationals from Det Norske Veritas As (DnV). They delivered excellent presentations on ISMS topics and auditing practices. The participants found them very well versed in ISMS practices and very accommodating of participants' questions.

SCOPE, CONTENT AND METHODOLOGY

Status Report Presentations

Each participant presented a status report on their respective organization. The focus of the report was the status of ISMS implementation, the issues and challenges, and future plans for improvement. Since the participants from the Philippines are both from the same organization (DAP), they submitted only one report, which they presented jointly. Mr. Del Mundo gave the participants a brief background on DAP and presented some of the issues and concerns in its Information Security Management. Ms. Ferrer, on the other hand, presented the measures DAP has taken to improve its Information Security Management and its future plans for improvement.

Site Visit and Auditing

The participants toured PT Panasonic Gobel Energy on the 3rd day of the training course. They were given the opportunity to observe the best practices of ISMS implementation in the company.

The participants were instructed to ask questions and interview selected personnel about the ISMS implementation in the organization. The data gathered served as input to the group workshop that followed the next day. The participants were asked to write a report on their findings from the site visit.

Examination and Group Presentation

An examination, a combination of multiple choice and essay questions, was administered on the fourth (4th) day of the training. Ms. Ferrer topped the exam, followed by the participant from Bangladesh. On the fifth (5th) day of the training, the participants were asked to present their audit findings from the site visit. The resource persons noted the effort of the groups and also gave some tips on improving presentations during actual audit reporting.

OUTCOMES AND EVALUATION

The course is beneficial for aspiring ISMS implementers because it enables them to learn the basic concepts, principles and aspects of Information Security Management.

The participants learned a great deal about ISMS implementation. Compared with the e-learning mode, they found the face-to-face training much better because there is direct interaction between the participants and the resource speakers. Questions can be raised and answered more quickly and efficiently, whereas such interaction is very limited in e-learning.

A background in ISO9001 auditing was also beneficial because of the similarities in framework and auditing procedures between ISO9001 and ISO27000. It is therefore recommended that participants in future ISMS trainings have at least a basic familiarity with ISO9001.

RECOMMENDATIONS AND ACTION STEPS

Recommendation to the NPO

As the NPO of the country, the DAP should continue to spearhead the promotion of ISMS through public offerings of technical training, information security awareness, and technical assistance/consultancy to other government agencies or even SMEs.

Recommendation to APO and member countries

It is suggested that the APO run an advanced course on ISMS for practitioners, focusing on auditing, or an Observational Study Mission that gives participants from member countries the opportunity to study best practices from ISMS-implementing companies/organizations in Asia or other parts of the world. This will enable them to benchmark and adopt best practices, especially from the advanced NPO countries (Japan, Republic of Korea or even Singapore).

Action Plans

The Filipino participants will cascade awareness of ISMS and share their learning with their colleagues in DAP through echo sessions.

SUBMITTED BY:

MICHAEL JOHN DEL MUNDO
IT/Database Administrator
Development Academy of the Philippines

and

JENALYN FERRER
Project Officer
Development Academy of the Philippines
