What is the CSM27001 Scheme?
The CSM27001 Scheme provides a model for certifying organisations' ISMS scopes against the internationally recognised MS ISO/IEC 27001 standard.
Who is the certification body for the CSM27001 Scheme?
CyberSecurity Malaysia, an agency under the Ministry of Science, Technology and Innovation.
Is MS ISO/IEC 27001 an internationally recognised standard?
Yes. "IDT" on the front cover marks an identical standard, i.e. one whose technical content, structure and wording (or an identical translation of them) in the Malaysian Standard are exactly the same as in the International Standard, or which is identical in technical content and structure while containing only the minimal editorial changes permitted by clause 4.2 of ISO/IEC Guide 21-1.
What are the steps towards achieving certification?
Please read our Services page for the certification steps.
How much is the certification fee?
The total certification fee depends on the professional fee, the number of auditors involved and the number of audit days, so it varies with the client's certification requirements.
What other fees are involved apart from the certification fee?
An Application Fee and an Annual Fee (for successfully certified clients).
How much is the Application Fee?
RM 500 per application. An application is considered unsuccessful once a formal rejection letter is received from CyberSecurity Malaysia, after which the organisation must submit a fresh application.
Who can apply for CSM27001 Scheme certification?
Organisations that have implemented ISO/IEC 27001 can apply for CSM27001 certification.
How much is the Annual Fee?
RM 1000 upon successful initial certification.
When should the Application Fee and Annual Fee be paid?
The Application Fee should be paid together with the submission of the Application Form. The Annual Fee should be paid before the certificate is issued.
How does the certification body handle complaints?
Please read our Appeals, Disputes and Complaints procedure.
How do I know it is time for a surveillance audit?
A surveillance audit is required annually; the certification body will prompt the certified client organisation when it is due.
What is the validity period of the certificate?
Three (3) years, after which the client organisation will be prompted for a re-certification audit.
How do I confirm whether CyberSecurity Malaysia is an accredited certification body?
CyberSecurity Malaysia is listed in the Directory of Accredited Certification Bodies at http://www.standardsmalaysia.gov.my/accreditation-of-certification-bodies-acb-/directory-of-acb
Will I be entitled to a single or double tax deduction?
Clients of CyberSecurity Malaysia are eligible for a double tax deduction on their Initial Certification fee and a single tax deduction on their Surveillance and Recertification fees.
What is MyTrustSEAL?
MyTrustSEAL is a trustmark service operated in collaboration between CSM and its partners. CSM contributes its expertise in validating web application security, and partners may contribute expertise from their own fields of work.
How much is the validation fee for the web certification?
You can view the fee here. For further clarification or enquiries, please contact the MyTrustSEAL team.
What is the benefit of obtaining MyTrustSEAL certification?
MyTrustSEAL is a third-party attestation that provides assurance that the company has taken the initiative to ensure its website is secure and conforms to the relevant laws and regulations.
Who will be involved during the assessment process?
Prior to assessment, the company is required to identify a person in charge of the project to ease communication with the MyTrustSEAL evaluation team. During the assessment phase, the evaluation team will also need to communicate with the website administrator for any technical clarification.
What needs to be prepared for the assessment process?
Before the assessment process begins, the company needs to submit a complete application form and provide the necessary documents.
How do I maintain the certification validity?
MyTrustSEAL validation is carried out yearly. This is a security requirement, because technology and the vulnerabilities affecting it change frequently. The company may contact the MyTrustSEAL team for clarification on the service packages available to maintain the MyTrustSEAL trustmark.
What will happen when the certification has expired?
Upon expiry of the certification, a reminder is sent to the company. If the certification is not renewed, the logo shall be removed from the website.
What if a user has a dispute with a certified company?
MyTrustSEAL investigates only complaints pertaining to the certification scope. Breaches of the certification policy will result in suspension or revocation of the certification and removal of the logo from the website.
What is the MyCC Scheme?
The Malaysian Common Criteria Evaluation and Certification Scheme (MyCC Scheme) is a systematic process for evaluating and certifying the security functionality of ICT products against defined criteria or standards.
The MyCC Scheme evaluates and certifies the security functionality within ICT products against the following international standards:
- ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security), also known as the Common Criteria (CC); and
- ISO/IEC 18405 (Information technology -- Security techniques -- Methodology for IT security evaluation), also known as the Common Evaluation Methodology (CEM).
The Malaysian Common Criteria Certification Body (MyCB) is a department under CyberSecurity Malaysia. Its primary responsibility is to carry out certification and oversee the day-to-day operation of the MyCC Scheme.
What is the MyCC Scheme's mission?
The MyCC Scheme's mission is "to increase Malaysia's competitiveness in quality assurance of information security based on the Common Criteria (CC) standards and to build consumers' confidence towards Malaysian ICT products."
Who owns the MyCC Scheme?
The MyCC Scheme is owned by CyberSecurity Malaysia.
Are there policies explaining the MyCC framework for CC evaluations?
The Malaysian Certification Body (MyCB) administers the regulations for conducting CC evaluations through the following MyCC publications:
- PRODUCT_SP: MyCC Scheme Policy;
- MyCC_P2: MyCC Certified Product Register;
- ISCB_EFM: MyCC Scheme Evaluation Manual.
How can I contact the MyCB?
For more information about the MyCC Scheme, please contact us.
Where can I get training on the MyCC Scheme?
We provide training for any party interested in the MyCC Scheme. You can view our training calendar here.
What is MyCC Scheme Maintenance of Assurance?
Maintenance of assurance is a voluntary process that uses a certified Target of Evaluation (TOE) as the baseline against which changes to that TOE are assessed. The MyCC Scheme has adopted the CCRA-compliant assurance continuity process for maintaining assurance in a TOE certified within the MyCC Scheme, in conformance with the MyCC Scheme rules. The service gives customers a cost-effective way of maintaining confidence in the security provided by a TOE as it is updated. Details of the MyCC Scheme Maintenance of Assurance service can be found in PRODUCT_SP: MyCC Scheme Policy.
Common Criteria and Mutual Recognition
What is the Common Criteria (CC)?
The Common Criteria (CC) was created to harmonise the security evaluation criteria produced by a number of nations, including the United States (TCSEC), Europe (ITSEC) and Canada (CTCPEC), into a single set of common criteria. The CC is now recognised as ISO (International Organization for Standardization) standard ISO/IEC 15408 (Information technology -- Security techniques -- Evaluation criteria for IT security) and is regarded as the international benchmark for IT security evaluation criteria.
What is the Common Criteria Recognition Arrangement (CCRA) and mutual recognition?
The Common Criteria Recognition Arrangement (CCRA) is a formal international arrangement between a large number of countries. Mutual recognition ensures that a certificate issued by the certification body of one member state is recognised by all member states. This helps vendors cut costs: a single evaluation of a product or system is recognised by all participating nations. Common Criteria certifications from EAL1 to EAL4 are mutually recognised by all CCRA members. Further information about the CCRA can be found at http://www.commoncriteriaportal.org/
Which nations participate in the CCRA?
The CCRA membership includes both CC certificate-producing and certificate-consuming nations. All CCRA participants are listed on the CC portal, together with the name and contact details of each CC scheme, at http://www.commoncriteriaportal.org/.
What is an Evaluation Assurance Level (EAL)?
The Common Criteria (CC) uses the concept of assurance levels, called Evaluation Assurance Levels (EALs). The CC defines levels EAL1 to EAL7. The scale represents ascending levels of confidence that an ICT product meets its security objectives: the higher the EAL, the greater the rigour applied in assessing whether the product has met its security requirements.
What is Assurance Continuity?
The purpose of Assurance Continuity is to enable developers to provide assured products to the IT consumer community in a timely and efficient manner. The award of a Common Criteria evaluation certificate signifies that all necessary evaluation work has been performed to convince the evaluation authority that the TOE meets all the defined assurance requirements, which are the grounds for confidence that an IT product or system meets its security objectives. Assurance Continuity recognises that, as changes are made to a certified TOE or its environment, evaluation work previously performed need not be repeated in all circumstances. It therefore defines an approach to minimising redundancy in IT security evaluation, allowing a determination to be made as to whether independent evaluator actions need to be re-performed.