ISMS Consulting Proposal Template

October 26, 2017 | Author: Falco Lee Lap Shun | Category: Indemnity, Information Security, Confidentiality, Audit, Internal Audit



Doc Ref: CS/021/KC

CONSULTING SERVICES PROPOSAL ON ISO27001 (INFORMATION SECURITY MANAGEMENT SYSTEM) TO

Information Classification Label: Red / Orange / Yellow / Blue / Green
Classification: Blue3
Controller: KC Wong / Yantie
Author: Rodney Especkerman
Document Ref: CS/021/KC
Expiry Date: 31 September 2008
Upon Expiry: Evergreen / Public / Destroy / Review
Published Date: 29-8-2008

RESTRICTED DOCUMENT! This document contains highly sensitive information. Contained within this document are proposed countermeasures and descriptions of risks pertaining to Group. Unauthorized use and dissemination of this information can be detrimental to the security and operations of Group. Each copy of this document is individually registered. If additional copies are required, please contact Rahayu Binti Lop at [email protected]. Any unauthorized distribution or reproduction is illegal, and any person or persons found committing such activities will be prosecuted to the fullest extent of the law.

By proceeding to read the remainder of this document, you are agreeing to the above mentioned terms and conditions. If you do not agree to those terms and conditions, please return this document to the document controller immediately.

Confidentiality Notice

This document may contain secret and sensitive information which, if improperly disclosed, may have a significant negative impact on the operations of the stakeholders. This is a classified document with restricted distribution. By reading this document, or being in possession of it, you have agreed to all the conditions and prerequisites of the confidentiality terms described in http://www..com.my/confidentiality_terms.htm. If you do not agree with the terms and conditions set forth, return the document to the address stated below or destroy the document immediately. Accessing privileged information without proper authorization may result in legal and/or criminal prosecution.

Copyright Info

Group. All Rights Reserved. Printed in Malaysia.

Disclaimer

Group has prepared this document as a reference or guideline. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronically, mechanically or chemically, without prior written permission from Group. Group shall not be liable for technical or editorial errors or omissions contained herein, nor for incidental or consequential damages resulting from the furnishing, performance, or use of this document. Group reserves the right to revise this document and to make changes in the content hereof without notice. This document is published by Group without any warranty. Improvements and changes to this document necessitated by typographical errors, inaccuracies, or improvements to programs may be made by Group at any time and without notice. Such changes will, however, be incorporated into new editions of this document.

Revision History

Version Number: 0
Date: 29-8-2008
Document Ref. Date: 29-8-2008
Total number of pages: 11
Control and Publisher's Address: < insert Company Address>

Table of Contents

Background and Objectives ..... 5
Benefits ..... 5
Deliverables ..... 6
Value Added Services ..... 6
Forensic Readiness ..... 6
Total Project Commitment ..... 7
Training Certificates ..... 7
Support Capabilities ..... 7
Key Milestones and Duration ..... 8
Resource Requirement ..... 8
Company Overview ..... 9
ISO Profile ..... 9
Terms and Conditions ..... 10
Appendix 1: Documents Required in Certified ISO 27001 ..... 12
Appendix 2: Implementation Process Flow ISO 27001 ..... 13
Appendix 3: Answer to Request for Proposal
Appendix 4: CV

ISO 27001 CONSULTATION PROPOSAL

1. Background and Objectives

Commerce Dot Com (hereinafter referred to as “CDC”), < insert Description of CDC>. CDC is seeking consulting services to develop, and finally be certified to, ISO 27001, the Information Security Management System standard (also known as ISMS). is an ICT security solutions provider offering one-stop, end-to-end solutions and services encompassing all aspects of ICT security, including managed security solutions, implementation and consultancy. is seeking to offer its services to CDC to achieve its objective of conforming to the ISMS standard. ISMS has been chosen as the framework for information security governance as well as for improving the information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC. The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

1. Review of the existing CDC information security framework and data center, including policies and processes, in accordance with the ISO 27001 standard

2. Enhancement of the existing CDC information security framework and data center, including policies and processes, in accordance with the ISO 27001 standard

3. Provide consultancy in the development and implementation of the ISMS in accordance with ISO 27001, and to achieve certification

4. Equip CDC personnel with knowledge and expertise in the requirements of implementing the ISO 27001 ISMS by end of 2008

is submitting a proposal to assist CDC in its drive towards information security. The objective of this program is to assist CDC’s IT Governance & QA Department in gap analysis, consulting and documentation, and internal audit training, to enable CDC to comply with the requirements of ISO 27001. The consulting services for the project shall be delivered within a period of 4 months upon execution of the contract.

2. Benefits

ISO 27001 Improves:
• Management Understanding of the Value of Organizational Information
• Customer Confidence, Satisfaction and TRUST
• Business Partner Confidence, Satisfaction and TRUST (e.g. Handling Sensitive Information of Customers & Business Partners)
• Level of Assurance in Organizational Security & QUALITY
• Conformance to Legal and Regulatory Requirements
• Organizational Effectiveness in Communicating Security Requirements
• Employee Motivation and Participation in Security (Best Practices)

• Organizational Profitability
• Management and Handling of Security Incidents
• Ability to Differentiate the Organization for Competitive Advantage
• Organizational Credibility & Reputation

Certification Demonstrates:
• Commitment
• Continuous Improvement
• Preparedness for Independent Review
• Measure Against Best Practice

Certification Provides:
• Means to Benchmark against:
  o Industry & Competitors
  o Business Partners
  o Customers
• Increased Level of Certainty

The scope of this proposal covers the following activities for CDC:
• Gap Analysis
• Internal Audit Training
• Consulting, Guides and Documentation

3. Deliverables

The following are some of the key deliverables that will be facilitated by for this project:
• Conduct an initial assessment and need-gap analysis to identify key process improvement areas
• Guides on documenting the system
• Guidance on implementation
• Internal Audit Training
• A set of training materials for the CDC QA team to train internal staff

As a value-added service to CDC, will be present during the appraisal to assist CDC. will facilitate the Internal ISMS Audit trainings, orientation and workshops for CDC. , together with the CDC team, shall accomplish this project within four (4) months, provided CDC gives maximum support and commitment to towards achieving ISO 27001 certification.

4. Value Added Services

To ensure that provides the highest quality of service possible to its clients, it commits to extend the following value added services to CDC.


The proposal will hold should the implementation be delayed for any reason; will not charge any additional amount to the client. However, if there is an additional service requested by CDC beyond the scope stated in this proposal, shall render a separate proposal with separate costing addressing those needs and requests. believes that there should not be any hidden costs attached to the proposal.

To strive for the best for CDC, will furnish our consultant to be present to assist CDC during the 2-day appraisal period by SIRIM. Our consultant will support and assist personnel from CDC to achieve a smooth process in the appraisal exercise. will also facilitate, as required, training materials and presentation materials for CDC internal staff trainings. To enhance the CDC IT department, will provide an extra service of Forensic Readiness.

4.1 Forensic Readiness

In the event of any security incident, it is imperative that sufficient information is collected to allow both internal and external investigators to piece together the sequence of events. This is done mostly by investigating log files. will review the current log collection facilities for critical systems within CDC and determine whether the logs are adequate for a forensic investigation should the need arise. This will also cover the testing of log backups, as forensic investigations are typically conducted on data that is offline.

Another important aspect of forensic readiness is the allocation of resources to facilitate a forensic investigation by either internal or external parties. Documents such as Non-Disclosure Agreements, Evidence Collection and Evidence Storage Forms should already be in place. Forensic tools need to be set aside and checked periodically for functionality. Access cards to track the movement of external investigators can also be set aside and held securely by the Quality Assurance or Audit department.

Last but not least, as speed is of the essence in a forensic investigation, a quick awareness campaign will be conducted to ensure that all CDC staff know whom to call in the event of a suspected security incident. Proper escalation procedures to internal investigators need to be in place, and detailed documentation of contacts at the services required by investigators, such as Internet Service Providers, law enforcement, third-party vendors, auditors and legal advisors, is crucial as well. The Forensic Readiness service will cover these areas, measuring how much CDC already has in place and filling in the gaps where necessary in order for CDC to be forensic ready.

5. TOTAL PROJECT COMMITMENT

will make available resources to assist the personnel of CDC in assuring ISO 27001 appraisal and certification under the leadership of . Rodney is a qualified lead auditor for ISMS (ISO 27001) and for the QMS (ISO 9001) process. Presently, he is actively involved in WG1 (working group 1), which contributes to the ISO charter located in Geneva. This working group is under the leadership of SIRIM and meets monthly. There will also be one document associate (DA) on site until completion of the necessary documents. Apart from the DA, one further consultant will also be on site for 2-3 days a week until certification. Access will be provided to the client to ’s learning materials, such as books, manuals, etc., as needed during the consultation period. will also take the lead in the handling of activities designed to promote ISO 27001 within CDC, which has been included as part of the value added services. , together with the CDC team, shall accomplish this project by end of December 2008, with all necessary documentation and implementation of the Information Security Management System in place, complying with ISO 27001, with forensic readiness, and ready for recommendation for certification, provided CDC gives maximum support and commitment to towards achieving the ISO 27001 initiative.

6. TRAINING CERTIFICATES

Internal Audit Training Certificates shall be given by to the attendees of the training after its completion.

7. SUPPORT CAPABILITIES

understands that support mechanisms are necessary to effectively implement a project and monitor its implementation progress to ensure the success of the project. Hence the following support mechanisms, specifically for the ISMS set-up, may be added where applicable after an evaluation of the gap analysis of CDC:

Relief Consultants

The proposed project team is carefully selected with full consideration of a ready “back-up” or “Relief Consultants”: capable and qualified consultants able to handle ISO 27001 projects, who are primarily assigned as Secretariat and will, among other things, maintain and trouble-shoot and, when applicable, assist in the documentation of processes. Their secondary function is, only when necessary, to relieve other consultants who, under unavoidable circumstances, may not be available during prescheduled visits or other activities. A document associate (DA) will be stationed on site to assist in the production of the documents that will be needed for certification. The DA will be on site for at least 1½ months, until all documents are completed.

8. Key Milestones and Duration

Refer to the Appendix.

9. Resource Requirements

During the conduct of the trainings, the client will arrange for the following:
• Training rooms in CDC premises
• Reproduction of course / training material only (if needed)
• Hiring of equipment (TV/VCR/OHP etc.), if needed
• LCD and data projection system (laptops provided by )
• Any other such infrastructural arrangements as required (if any)

During the whole duration of the project, CDC shall provide the resources listed below to facilitate the consulting, training and assessment activities:
• Computers for use of consultants and lead assessors (for creation of CDC documents only)
• Network connection and Internet access facility (during on-site work, for printing of documents related to the ISMS implementation). will seek prior permission from the CDC ISMS representative if it requires network access for downloading consultant emails and information from the server.
• Server space (for storage of CDC documents)
• Office space for consultants, assessors and trainers (during on-site work)
• Telephone facility

10. Company and Partner Overview

has a partnership with a consultation company which is a management systems solutions provider with a combined experience of over 9 years in the Philippines, Malaysia, Singapore, China and India. The guiding principle of its capabilities is based on a K-CAT business model:

Through on-site consulting, assessments, and training, proven methods that have certified more than 200 organizations in Asia against international standards, we teach our clients how to effectively manage knowledge so that it is optimized to their advantage. Our international network of 32 full-time consultants, assessors, and trainers, 12 of whom have handled information technology and communications-related projects, is multi-cultural and speaks a combination of seven (7) major languages. With an Information Technology Department, among 4 other departments, one of our strengths is the ability to provide innovative products and services, full service support, and cutting-edge solutions that fully complement our partners’ needs. Through this capability, we have developed several multi-media, fully interactive computer based training (CBT) software programs. One has been fully funded by Europe-Aid, a European Commission initiative, and all three (3) are currently endorsed and promoted by Malaysia’s SIRIM Berhad and Product Safety and Management Board, and marketed in 3 languages in Malaysia, the Philippines, Singapore, China, India, Thailand, Indonesia, Vietnam, Japan, and Brazil.

10.1 ISO Profile


Our staff is comprised of highly qualified individuals with proven expertise and practical experience.

Technical Knowledge

& partners have sound knowledge and associated training experience and skills in ISO 27001, ISO 9001, CMMI, SDLC development, IT project management, software engineering, assessment techniques and related soft skills.

Project Management Skills

and partners have proven and practised skills in getting things done right, on time, every time. This can be attributed to the training provided to them and the experience built up over several projects. Time management, effective communication, delegation and efficient organization skills are some of their strengths.

People Management Skills & Change Management

All organizations are different and, more so, the people working within the organization. Our consultants have been trained to bring many heads together at a table and come up with the most efficient and effective solution. All of them are trained in cultural sensitivity, possess multilanguage skills and have been catalysts of teamwork even in the most difficult situations. All associates share pride in our company and dedication to its goals. We focus on our client’s needs and are committed to delivering quality products and services for our client’s pursuit of excellence.

11. Terms and Conditions

I. Termination of the contract. The client may terminate the contract by paying for all services received up to that point, through a written notice at least 7 days prior to the next scheduled activity date. The contract would be deemed terminated should there be a material breach of agreement by the client.

II. Liability. is not responsible for any loss or damage while undertaking the assignment at the client site, except to the extent resulting from negligence or deliberate misconduct by professionals. In the event of damage or loss incurred by the client as a result of negligence or deliberate misconduct by professionals, ’s maximum liability shall be limited to the amount of the professional fees paid by the client.

III. Billing.
• Invoices shall be raised for professional services rendered and are payable within seven (7) days of receipt of the invoice.
• The entire amount will be payable in Malaysian Ringgit (RM).
• Any amount not paid within 30 days of the date of invoice may be subject to an additional fee of 2% per month on the invoice amount.
• All cheque / draft payments are to be made in favor of ‘

IV. Alterations. The clauses of the Agreement can be modified or altered only through communication exchanged between the two parties in writing. Such communication giving effect to the changes shall be read along with the agreement to incorporate any such changes.

V. Indemnity. The client will indemnify and hold harmless and its professionals from any liabilities, damages and expenses (including reasonable attorney’s fees) resulting from, relating to, or arising out of the misuse or alleged misuse by the client of any registration, certificate, logo or mark of conformity provided by pursuant to this agreement.

VI. Validity of the prices. This price offer is valid for acceptance until sixty days from the date of submission.

VII. Force Majeure. Neither party will be deemed in default of this agreement to the extent that the performance of its obligations or attempts to cure any breach are delayed or prevented by reason of force majeure, such as acts of God, fire, flood, earthquake, acts of government and the like, provided that such party gives the other party written notice thereof promptly and, in any event, within fifteen (15) days of discovery of such delay or prevention, and uses its best efforts to continue to perform its obligations or cure any breach.

VIII. Governing Laws. This agreement shall be governed by, and construed in accordance with, the substantive laws of Malaysia. All claims arising out of this agreement shall be decided solely and exclusively by binding arbitration, which shall be conducted in accordance with the rules of the Malaysian legal system.

IX. Confidentiality. agrees that it shall hold all Confidential Information in confidence and shall take all reasonable steps to safeguard the Confidential Information, including, without limitation, those steps that it takes to protect its own Confidential Information of a similar nature. shall not disclose or otherwise provide any Confidential Information to any third party without the prior written consent of . A Non-Disclosure Agreement can be signed to this effect if need be. agrees to limit its internal disclosure of Confidential Information to only those of its employees or contractors who are bound by confidentiality agreements prohibiting further disclosure of the Confidential Information.


Appendix 1: Documents required in certifying ISO 27001

No. | Document | Control | Section
1 | Assets Register | 4.2.1 (d) 1 to 4 | Identify risks
2 | Risk Register & Risk Assessment Report | 4.2.1 (d) 1 to 4 | Identify risks
3 | Risk Treatment Plan | 4.2.1 (d) 1 to 4 | Identify risks
4 | Statement of Applicability | 4.2.1 (d) | Prepare a Statement of Applicability
5 | Internal audit procedure | 4.2.3 (e) | Conduct internal ISMS audits at planned intervals (see 6)
6 | ISMS Policy and Objectives | 4.3 | Documentation requirements
7 | Scope of ISMS | 4.3 | Documentation requirements
8 | Procedures & Controls in support of ISMS | 4.3 | Documentation requirements
9 | Documentation Controls | 4.3.2 | Control of documents
10 | Quality Records | 4.3.2 | Control of records
11 | Management Review | 5.1, 7 | Management commitment; Management review of the ISMS
12 | Corrective Action & Preventive Action | 8.1, 8.2, 8.3 | Continual improvement; Corrective action; Preventive action

Appendix 2

Implementation Process Flow – ISO 27001


COMMERCE DOT COM

PRIVATE & CONFIDENTIAL

IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS TO ATTAIN ISO 27001 CERTIFICATION

Version 1.1 Date: 11 August 2008


ISO 27001 PROPOSAL

TABLE OF CONTENTS

1. Background and Objectives ..... 5
2. Benefits ..... 5
3. Deliverables ..... 6
4. Value Added Services ..... 6
5. TOTAL PROJECT COMMITMENT ..... 7
6. TRAINING CERTIFICATES ..... 8
7. SUPPORT CAPABILITIES ..... 8
8. Key Milestones and Duration ..... 8
9. Resource Requirements ..... 8
10. Company and Partner Overview ..... 9
10.1 ISO Profile ..... 9
11. Terms and Conditions ..... 10
Introduction ..... 18
Requirements ..... 18
Appendix E – Project Team Structure ..... 20

Introduction

Prospective Participants (PP) are invited to provide consultancy service for the implementation of the ISO 27001 Information Security Management System (ISMS) for COMMERCE DOT COM (CDC).

Requirements

ISMS has been chosen as the framework for information security governance as well as for improving the information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC.

The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

1. Review of the existing CDC information security framework, including policies and processes, in accordance with the ISO 27001 standard

2. Enhancement of the existing CDC information security framework, including policies and processes, in accordance with the ISO 27001 standard

3. Provide consultancy in the development and implementation of the ISMS in accordance with ISO 27001, and to achieve certification

4. Equip CDC personnel with knowledge and expertise in the requirements of

Appendix E – Project Team Structure

CONSULTING TEAM
Project Head
Secretariat
Lead Consultant
Doc Associate
Relief Consultant

Appendix 4

ACTION PLAN FOR TASKS

MILESTONES: 1 - Preparation

MILESTONE 1 (Preparation):
• Collection of Documents
• Documents review by EXTOL
• Gap Analysis - Thorough
• Gap Analysis Report
• Brief Awareness Training
• Forming Task Force Group

(Action plan flow diagram: only the Milestone 1 step labels above are recoverable from the original figure.)
