
CyberSecurity Malaysia Information Security Management System Audit and Certification (CSM27001) Scheme
The CSM27001 Scheme supports the 'National Security and Public Safety' pillar under the Economic Transformation Programme (ETP) by building resiliency in both the Critical National Information Infrastructure (CNII) and industry, and supports the 'Catalyst of Growth for Industry' pillar by giving ISO/IEC 27001 certified organisations a benchmark against which to compete effectively with similar organisations on a global scale.
With the Scheme, information security goals such as protecting the confidentiality, availability, authenticity, non-repudiation and integrity of information handled by the organisation can be achieved through a certification programme based on the internationally recognised standard ISO/IEC 27001. Given the information-intensive character of a modern economy, information security is a growing spending priority for most companies. Based on research by the University of Maryland, this growth in spending is occurring in a variety of areas, including antivirus software, sophisticated encryption techniques, intrusion detection systems, automated data backup and hardware devices.
As of today, more than 20 local organisations have been certified under the CSM27001 Scheme and more than 7,000 organisations have been certified worldwide.
The benefits of ISO/IEC 27001 certification are:
- Enhance competitiveness and benchmark your organisation against its peer community globally
- Increase trust from your clients and partners through management transparency that demonstrates due diligence
- Opportunity to maximise shareholder value by optimising risk
- Recognise your established information security as an integral part of your business
- Promote cost optimization via pragmatic structure and system interoperability
CyberSecurity Malaysia undertakes to manage impartiality and to ensure that its certification activities are conducted in an impartial manner. We do not permit commercial, financial or other pressures to compromise our commitment to impartiality.
The credibility, integrity and objectivity of a certification are fundamental to our clients' needs and to those who subsequently rely on it. We commit to ensuring that any threats to impartiality and confidentiality in our certification activities are managed robustly and proactively.
We practise impartiality and monitor it closely through an impartiality committee made up of members representing key interested parties. We also commit to identifying and assessing risks in related certification activities which may result in a conflict of interest or pose a threat to impartiality. The risk assessment covers all possible sources of conflict of interest, regardless of their origin.
1. INTRODUCTION
These Terms of Service have been structured in accordance with the applicable requirements of the accreditation bodies.
2. SCOPE
CyberSecurity Malaysia provides services to firms or companies (each a "Client"). CyberSecurity Malaysia may provide its services directly or, in its absolute discretion, through (a) its own employees, (b) any affiliated company or (c) any other person or organisation, as may be entrusted by CyberSecurity Malaysia. Where part of the work is subcontracted to others, CyberSecurity Malaysia retains full responsibility for granting, maintaining, extending, reducing, suspending or withdrawing certification and for ensuring that properly documented agreements are in place. CyberSecurity Malaysia will notify its clients of any changes to the requirements for certification within a reasonable timeframe.
3. CONFIDENTIALITY
CyberSecurity Malaysia maintains confidentiality at all levels of its organisation concerning information obtained in the course of its business. No information will be disclosed to any third party except in response to legal process or where required by an accreditation body as part of the accreditation process. The Client's name, location, scope of certification and contact numbers may be entered into relevant directories. CyberSecurity Malaysia protects your personal data: the data collected by CyberSecurity Malaysia in this form will not be used for any purpose other than that for which it was collected unless you consent, will not be sold, transferred or shared with a third party, will not be retained for longer than necessary, and will be protected by the necessary security measures.
4. ORGANISATIONAL STRUCTURE
A copy of the organisation chart of CyberSecurity Malaysia, showing the responsibility and reporting structure of the organisation, and documentation identifying the legal status of CyberSecurity Malaysia are available on request.
5. APPLICATION FOR CERTIFICATION
On receipt of a completed Application Form (provided by CyberSecurity Malaysia upon request), a quotation is sent to the Client outlining the costs of the services, together with an acceptance slip. Once the acceptance slip is returned, together with any payments due and controlled copies of the relevant documentation and samples, the project will be allocated to auditor(s) who will be responsible for ensuring that the services are carried out in accordance with the procedures of CyberSecurity Malaysia.
6. INITIAL CERTIFICATION
The initial certification audit is conducted in two stages, namely the Stage 1 and Stage 2 audits. The purpose of the Stage 1 audit is to verify that the Client's management system is documented and in place and to assess the Client's preparedness for the Stage 2 audit. The Stage 2 audit evaluates the implementation and effectiveness of the Client's management system.
7. CLIENT'S OBLIGATIONS
In order to obtain and retain certification, the Client shall comply with the following procedures and rules:
- the Client shall make available to CyberSecurity Malaysia all documents, samples of products, drawings, specifications and other information required by CyberSecurity Malaysia to complete the CSM27001 audit and certification service, and shall appoint a designated person who is authorised to maintain contact with CyberSecurity Malaysia;
- if CyberSecurity Malaysia is not satisfied that all certification requirements are met, it shall inform the Client of those aspects in which the application has failed;
- when the Client can show that remedial action has been taken, within the time limit specified by CyberSecurity Malaysia, to meet all the requirements, CyberSecurity Malaysia will arrange, at additional cost to the Client, to repeat only the necessary parts of the assessment;
- if the Client fails to take acceptable remedial action within the specified time limit, it may be necessary for CyberSecurity Malaysia, at additional cost to the Client, to repeat the assessment in full;
- identification of conformity shall refer only to the sites or products assessed, as specified in the Certificate and Assessment Schedule (if any) or other attachments which may accompany the Certificate;
- fees may be paid by a nominee or appointed vendor of the Client on behalf of the Client. Notwithstanding the foregoing, the Client shall remain responsible for the performance of its obligations under these Terms and Conditions.
8. GRANTING OF CERTIFICATION
ISMS certification is granted upon successful completion of the certification audit process and verification that the organisation complies with the applicable ISMS standard and the certification requirements. Certification is subject to an independent certification decision based on the audit findings and satisfactory closure of any identified nonconformities.
9. REFUSAL OF CERTIFICATION
Certification may be refused where the organisation fails to demonstrate compliance with the applicable certification requirements, fails to address identified nonconformities within the required timeframe, or where the audit process cannot be completed effectively due to insufficient cooperation, access or information.
10. ISSUANCE OF CERTIFICATE
When CyberSecurity Malaysia is satisfied that the Client meets all the certification requirements, it will inform the Client and issue a Certificate. The Certificate shall remain the property of CyberSecurity Malaysia and may only be copied or reproduced for the benefit of a third party if the word "copy" is marked on it. The Certificate will be published on the International Accreditation Forum (IAF) CertSearch portal (https://www.iafcertsearch.org/) and will remain valid unless surveillance reveals that the Client's management system no longer meets the standards, norms, regulations or these Terms and Conditions.
11. CERTIFICATION MARKS
Upon issuance of a Certificate, CyberSecurity Malaysia may authorise the Client to use a designated certification mark. A Client's right to use any such mark is contingent on maintaining a valid Certificate in respect of the certified management system and on compliance with the regulations governing the use of the mark issued by CyberSecurity Malaysia, which are available at https://iscb.cybersecurity.my/index.php/certification/management-system-certification/csm27001. A Client who has been authorised to use the mark of an accreditation body must also comply with the rules governing the mark of that body. Improper use of such a mark constitutes a nonconformity with the certification requirements and may result in suspension of certification.
12. MAINTAINING CERTIFICATION
Certified organisations are required to maintain continual compliance with the applicable ISMS standard throughout the certification cycle. Periodic surveillance audits will be conducted to verify the continued effectiveness and conformity of the certified management system. The Client shall give access to all sites or products for surveillance purposes whenever deemed necessary, and CyberSecurity Malaysia reserves the right to make unannounced visits as required. The Client shall be informed of the results of each surveillance visit. The Client shall inform the Certification Body of any significant changes that may affect the certified ISMS.
13. RENEWAL OF CERTIFICATION
Clients wishing to renew the Certificate for successive terms of three (3) years shall apply prior to the expiry of the current validity period under the procedure set forth in Clause 5. Clients are generally reminded of the renewal requirement during the pre-renewal visit, which constitutes the last surveillance visit of each certification cycle. Upon receipt of the renewal application, CyberSecurity Malaysia shall carry out Re-Certification Services to verify the Scope of Certification and the Client's compliance with it. Where Re-Certification is successfully completed, the Client shall continue to be subject to the terms and conditions herein. Throughout the certification period, CyberSecurity Malaysia or its nominated auditor shall conduct periodic surveillance visits, including unannounced visits, covering the Client's management system and documentation as applicable. The Client shall provide access to all relevant sites or products for such purposes and shall be informed of the results of each surveillance visit.
14. EXTENSION OF CERTIFICATION
In order to extend the scope of a Certificate to cover additional sites or processes, the Client shall complete a new Application Form. The application procedure outlined in Clause 5 will be followed, and an assessment will be carried out on those areas or processes not previously covered. The cost of extending the scope of certification will be based on the nature and programme of the work. Following a successful assessment, an amended Certificate or Assessment Schedule, as the case may be, will be issued covering the extended scope. Although the original Certificate will normally remain in force, it may be necessary in some instances to issue a new Certificate. In such cases the Client must return the superseded Certificate to CyberSecurity Malaysia.
15. REDUCTION OF CERTIFICATION
In order to reduce the scope of a Certificate to exclude any sites, processes or services, the Client shall submit a formal written request to CyberSecurity Malaysia. The request shall be processed in accordance with Clause 5, and an assessment may be carried out where necessary to verify the areas or processes affected by the proposed reduction. The cost of reducing the scope of certification shall be based on the nature and extent of the changes requested and the required assessment activities. Following a successful review, an amended Certificate or revised Assessment Schedule, as applicable, will be issued reflecting the reduced scope of certification. Where applicable, the original Certificate shall be superseded, and the Client shall return the superseded Certificate to CyberSecurity Malaysia.
16. SYSTEM/PROCESS MODIFICATION
The Client shall inform CyberSecurity Malaysia, in writing, of any intended modification to the management system or process which may affect compliance with the standards, norms or regulations. CyberSecurity Malaysia will determine whether the notified changes require additional assessment. Failure to notify CyberSecurity Malaysia of any intended modification may result in suspension of the Certificate.
17. PUBLICITY BY CLIENT
In compliance with the applicable regulations governing the relevant mark(s), a Client may publicise that its relevant management system or products have been certified and may print the relevant certification mark on stationery and publicity materials relating to the scope of certification. In any case, the Client shall ensure that its announcements and advertising material do not create confusion or otherwise mislead third parties about certified and non-certified systems, products or sites.
18. MISUSE OF CERTIFICATE AND CERTIFICATION MARK
CyberSecurity Malaysia shall take suitable action, at the expense of the Client, to deal with incorrect or misleading references to certification or misuse of Certificates and certification marks. Such action may include suspension or withdrawal of the Certificate, legal action and/or publication of the transgression.
19. SUSPENSION OF CERTIFICATE
A Certificate may be suspended by CyberSecurity Malaysia for a limited period in cases such as the following:
- a Corrective Action Request has not been satisfactorily complied with within the designated time limit;
- a case of misuse as described in Clause 18 is not corrected by suitable retractions or other appropriate remedial measures by the Client;
- the Client ceases to supply the product, process or service (or some part of it) which is the subject matter of the certification for an extended period of time exceeding two (2) months;
- the Client does not allow CyberSecurity Malaysia to conduct surveillance or re-certification audits within the required time frame;
- the Client fails or refuses to pay to CyberSecurity Malaysia any part of the fees which have become due and payable;
- the certification mark is used improperly, contrary to the certification requirements.
CyberSecurity Malaysia will confirm the suspension of a Certificate to the Client in writing and, at the same time, indicate the conditions under which the suspension will be lifted. At the end of the suspension period, an investigation will be carried out to determine whether the conditions for reinstating the Certificate have been fulfilled. If they have, the suspension shall be lifted and the Client notified of the reinstatement of the Certificate; if they have not, the Certificate shall be withdrawn. All costs incurred by CyberSecurity Malaysia in suspending and reinstating a Certificate will be charged to the Client.
20. WITHDRAWAL OF CERTIFICATE
A Certificate may be withdrawn if:
- the Client voluntarily withdraws from certification and advises CyberSecurity Malaysia in writing;
- the Client takes inadequate measures in the case of a suspension;
- the certified process, service or product no longer conforms to the standards, norms or regulations, or is no longer offered;
- CyberSecurity Malaysia terminates its contract with the Client.
In any of these cases, CyberSecurity Malaysia has the right to withdraw the Certificate by informing the Client in writing. The Client may give notice of appeal (see Clause 24). In cases of withdrawal, no reimbursement of assessment fees shall be given, and withdrawal of the Certificate shall be published by CyberSecurity Malaysia and notified to the appropriate accreditation body, if any.
21. RESTORING CERTIFICATION
Where certification has been suspended, restoration may be considered upon satisfactory resolution of the issues that resulted in the suspension. The Certification Body may conduct additional assessments or reviews to verify that the organisation has re-established compliance with the applicable certification requirements prior to reinstatement of certification.
22. CANCELLATION OF CERTIFICATE
A Certificate will be cancelled if:
- the Client advises CyberSecurity Malaysia in writing that it does not wish to renew the Certificate, or goes out of business;
- the Client no longer offers the certified process, service or product;
- the Client does not apply for renewal in time;
- the Client fails or refuses to pay to CyberSecurity Malaysia any part of the fees which have become due and payable.
In cases of cancellation, no reimbursement of assessment fees shall be given, and cancellation of the Certificate shall be published by CyberSecurity Malaysia and notified to the appropriate accreditation body, if any.
23. RECOGNITION OF ACCREDITED ORGANISATIONS
CyberSecurity Malaysia, in its absolute discretion, generally recognises certificates issued by other accredited organisations where this does not compromise the integrity of the information security management system certification scheme.
24. APPEALS
The Client may, through the Complaints and Appeals Procedure, request reconsideration of a decision made by CyberSecurity Malaysia. Refer to https://iscb.cybersecurity.my/index.php/contact-us for details of the procedure.
25. COMPLAINTS
Any complaint regarding the certification activities of CyberSecurity Malaysia or relating to a certified client shall be made in writing, without delay, and addressed to the Client Relationship Manager (CRM). Refer to https://iscb.cybersecurity.my/index.php/contact-us for details of the complaint procedure.


