Iso 27001-2013 - MRM [PDF]


MEETING MINUTES FORM ITS-FM02

MEETING INFORMATION

Title: Management Review Meeting for ISO/IEC 27001:2013
Objective: First Meeting for ISO/IEC 27001:2013 ISMS Implementation
Date & Time: 2nd August 2017, 10.00 am
Venue: Setapak Office
Attendees:
  Present:
    Mr. Veerachai Charoensilpskul
    Mr. Rawee Chaimongkol (via Skype conference)
    Ms. Norlina Ramli (NR)
    Mr. Cheong Wong Wai
    Mr. Leong Choon Siew (LE)
    Mr. Mohd Noor Fadli (FD)
    Ms. Raihan Mohamed Isa (RA)
  Apologies: (none listed)
Minute Recorder: Raihan Mohamed Isa

AGENDA

No. 1
Topic: Chairman welcomed all members to the first ISO/IEC 27001:2013 Management Review Meeting.
Discussion: Briefing on ISMS objectives and scope; ISMS implementation started on 2nd May 2017.

No. 2
Topic: Previous Meeting Action Follow Up
Discussion: There was no previous meeting, since this is the first management review meeting for the ISMS implementation.

No. 3
Topic: Change in External & Internal Issues
Discussion:
  Internal:
    Employee: disclosure of information, lack of awareness, misuse of company property, screen lock-out not practised.
    HR: updated user list not provided, late notification of resigned staff.
    Policies: lack of awareness.
    Asset: records not updated, lack of maintenance, assets over their lifespan.
  External:
    Partner/Vendor: disclosure of information, unreliable service and SLA not met, misunderstanding.
    Customer: customer dissatisfaction.
    Regulation: legal requirements.
    Utilities: service disruption.
Action: HR needs to report resigned staff on a monthly basis.

No. 3
Topic: Status of IS Implementation
Discussion: The IS Policy has been endorsed by the CFO. Three manuals have been created and approved. 15 procedures have been created and approved. Statement of Applicability: 107 out of 114 controls are applicable to the ISMS scope. Certification body audit by BSI on 8th-9th August 2017.
Action: ISMS Steering Committee & ITSO are required to prepare for the certification body audit.

INTERNAL USE. Effective Date: 25th April 2017



No. 4
Topic: Status of Non-Conformities & Corrective Action
Discussion: Corrective actions (CA) issued:
  a) Infrastructure and System Management: 7
  b) Technical Support & Service: 3
  c) Other: 1
  d) Procurement & Account Management: 1
  e) Application Implementation & Support: 0
  f) Application & Multimedia Development: 0

No. 5
Topic: Monitoring and Measurement Result
Discussion: Based on the Performance Measurement parameters:
  a) Meeting
  b) Seminar and Training
  c) Service Desk Management
  d) Availability Management
  e) Capacity Planning Review
  f) Backup & Restoration
  g) Desktop Maintenance
  h) Server Maintenance
  i) Network Maintenance
  j) Vulnerability Assessment
  k) Data Center Maintenance
  l) Disaster Recovery Simulation
  m) Internal Audit for ISO 27001:2013
  n) IT Asset Declaration 2017
  o) Certification Body Audit for ISO 27001:2013
  p) Telco Router Maintenance
  q) Supplier Performance Evaluation
Action: ITSO may expedite the technology refreshment due to low storage availability, in order to support new project implementation.

No. 6
Topic: Internal Audit Result
Discussion: The internal audit was conducted on 26th-27th July 2017.
  Non-conformities:
  a) Event log history is retained only up to 2 days for application events and 6 days for system events.
  b) No change record in Manage IT Change for the Sangfor Proof of Concept (POC) installation.
  c) Storage VM is under the agreed metric; the Capacity Planning result for the quarter shows 3 LUNs are low.
  d) No action taken for computers with critical warnings in Sophos Central.
  e) Some assets recorded by the intern student are improper.
  Observation: Information Security Incident Management: in the sampled incident records, root cause and solution are not defined for each incident.
Action:
  a) Increase log history to at least 1 month for the System, Security and Application event logs.
  b) Add the change request in Manage IT Change.
  c) Remove unused VMs and control new project implementation.
  d) Reinstall the Sophos software on the affected computers.
  e) Recheck the inventory record.

No. 7
Topic: Feedback from Interested Parties
Discussion: Promote ISMS awareness (Isms.cpmalaysia.com).

No. 8
Topic: Result of Risk Assessment & Status of Risk Treatment Plan
Discussion: Based on the Risk Assessment Chart: High Risk: Hardware and Services.
Action: Technology refreshment targeted for next year.

No. 9
Topic: Recommendation for Improvement
Discussion:
  a) Prepare a service catalog page for the related ISMS scope.
  b) Install temperature and humidity sensors in the server room. Remove unattended key.
  c) Add a 'Rollback Plan' to the CHM-FM05 Software Deployment Checklist form.
  d) Expedite the technology refreshment for the primary data center due to low storage availability (CFO agreed).
  e) Install Centralized Log Management to monitor event logs for servers, network appliances and others, to improve the monitoring process.
  f) Increase storage capacity to store more backup coverage.
Action:
  a) Done in it2017.cpmalaysia.com.
  b) FA to open PR and Infra Team will arrange for
  c) RA is required to update CHM-FM05 and fill in the DCCFM2 form.
  d) NR will call vendors for further discussion.
  e) Infra team is required to study top centralized log management. FA is required to open IO, PR and PO once finalized.
  f) NR will call vendors for further discussion.

OTHER

No. 1
Topic: Mr Veerachai would like to have a meeting with ITSO on a monthly basis to discuss IT project implementation status and other issues.