PESAN ISO UPM : ISO 9001 (ISMS) - Information Security Management System | CENTRE FOR QUALITY ASSURANCE (CQA)

STANDARD HISTORY

 

The history of the ISO/IEC 27001 standard, starting in 1996, is shown in Figure 4.

Figure 4: History of the ISO/IEC 27001 Standard (1996-2013)

 

IMPLEMENTATION HISTORY

 

Information Security Management Systems, better known by the abbreviation ISMS, exist as a result of the rapid growth in the use of information and communication technology (ICT), especially through internet facilities that expose information more widely and allow for intrusions that may result in the leakage of official secret information and official information of the Government. If this situation is not controlled, it can cause many bigger problems in the future. In addition, there needs to be a balance between security controls that are so strict that they limit the dissemination of service delivery information and controls that are so loose that they could harm the security or interests of the Public Service and the State.

Recognizing the importance of efforts to ensure ICT security, a framework of the Government's ICT Security Policy has been drafted based on strong ICT security principles, responsibility for information security, awareness of threats and measures to increase the level of information security. Accordingly, General Circular Number 3 of 2000 has instructed all government agencies to implement Information Security Management Systems (ISMS).

In line with that, UPM implements ISMS to guarantee the continuity of information security management by minimizing the impact of ICT incidents so that information is always preserved, can be obtained quickly and has its security controlled. The implementation of ISMS is also intended to facilitate the sharing of information in accordance with the operational needs of the entities involved in UPM. This can only be achieved by ensuring that all ICT assets within the ISMS scope are protected.

UPM took steps towards ISMS from 8th December 2011 at the Information and Communication Development Center (iDEC) with the initial scope focusing on the operation of the UPM Data Center including hardware (server and storage), data and information for critical applications as follows:

a. University Main Website;

b. Financial Management System;

c. Human Resources Management System;

d. Undergraduate Student Information System (SMP); and

e. Postgraduate Student Information System (iGIMS).

The University Management appointed Ts. Mohd Faizal Daud from iDEC, UPM as the first ISMS Deputy Management Representative (TWP) on 16th March 2012 to lead the implementation of ISMS at UPM. Then on 17th January 2019, the position of TWP ISMS was assumed by Ts. Krishnan Mariappan. From 1st July 2021 until now, Ts. Shahril Iskandar Amir is the new TWP ISMS, appointed to replace the former TWP ISMS who has retired.

The First Stage Audit was held on 24th October 2012, followed by the Second Stage Audit on 19-20 December 2012. UPM successfully passed the audit and obtained ISMS MS ISO/IEC 27001:2007 certification on 4th January 2013.

 

Transition of the 2007 Standard to the 2015 Standard

Certification maintenance activities continued the following year. In 2015 there was a shift to the MS ISO/IEC 27001:2013 Standard through the Revision 2 Monitoring Audit on 29-30 January 2015. This shift involved an increase in sections from 11 to 14 as well as a decrease in the number of controls in Annex A from 133 to 114. The 2013 version adds two new elements: risk owners (Clause 6.1.2c) and stakeholders (Clause 4.2).

Next, through the SIRIM Recertification Audit on 8-10 December 2015, UPM successfully maintained ISMS certification with the following new scope:

a. New Undergraduate Student Registration Process during Serdang Campus' Perkasa Putra Week in the Student Information System;

b. Operation of the Data Center for the Pre-Student New Student Registration process; and

c. Operation of the Disaster Recovery Center for the Pre-Student New Student Registration process.

In 2017, UPM successfully expanded the scope of New Undergraduate Student Registration during Putra Perkasa Week to the UPM Bintulu Campus through the 2nd Review Monitoring Audit by SIRIM. Next, in 2018, through the SIRIM Recertification Audit held on 2nd September 2018 and 1-3 October 2018, UPM expanded the ISMS certification scope to the Undergraduate Teaching Evaluation Process at the Faculty for the Serdang and Bintulu Campuses, with the following certification scope:

a. The Undergraduate New Student Registration process includes Offer Review activities up to Residential College Registration; and

b. Evaluation Process of Undergraduate Teaching at the Faculty.

In 2021, UPM successfully maintained its ISMS certification through the Recertification Audit that was conducted on 13-17 December 2021. UPM is continuing the effort, started at the beginning of 2022, to expand the ISMS scope to cover New Graduate Student Registration at Serdang Campus and Bintulu Campus. This ISMS scope expansion is expected to enter the UPM ISMS certification in 2023.

 

CERTIFICATION NUMBER

The MS ISO/IEC 27001:2007 ISMS certification registration number obtained in 2013 is AR5761. In 2018, UPM's ISMS certification number was amended to ISMS 00150 based on the latest ruling by SIRIM.

 

INFORMATION SECURITY MANAGEMENT SYSTEM POLICY

The Information Security Management System Policy is made by the University's Board of Directors as authorized by section 20(1) of the UPM Constitution. The following is the statement of Universiti Putra Malaysia Policy (Information Security Management System):

Universiti Putra Malaysia is committed to establishing an effective Information Security Management System through:

a. Compliance with organizational requirements and legislation and regulations;

b. Development of objectives and goals based on safety objectives;

c. Commitment to meeting information safety related requirements; and

d. Re-evaluation and modification of policies, objectives and targets for continuous improvement.

 

UPM's Information Security Management System Policy is shown in Figure 5.

Figure 5: UPM's Information Security Management System (ISMS) Policy

[confirmed by the Chairman of the University Board of Directors dated 10th December 2019]

 

ISO 27001 CERTIFICATION MAINTENANCE PHASE

 

Figure 6 shows the phase of maintaining ISO 27001 certification at the UPM level, with the chronology of the implementation of the UPM ISMS from 2012 to 2022.

Figure 6: UPM ISMS Implementation Chronology


Date of Input: 13/02/2023 | Updated: 23/08/2023 | aidawati

CENTRE FOR QUALITY ASSURANCE (CQA)
Universiti Putra Malaysia
43400 UPM Serdang
Selangor Darul Ehsan
03-9769 1508
03-9769 1489