                UNITED NATIONS ECONOMIC AND SOCIAL COMMISSION FOR ASIA
                           AND THE PACIFIC (UNESCAP)



         Quality management system document No.: QDOC/IMCTU/ISO27001-1



                                             DOCUMENT TITLE:



           UNESCAP ISO27001 CERTIFICATION PROJECT PLAN

This is a section level quality management system document which has been written by
Adnan Aksel, reviewed by Kalman Andrasi and Anne Matthews. It has been approved by
the Project Board, and issued to the copy holder in accordance with the quality
management system documentation procedures as shown below.



APPROVED BY:

SIGNED:                           ________________________                   DATE: _________________

COPY No.:                         1

HELD BY:             Adnan Aksel, Information Systems Officer, Information
Management, Communications and Technology Unit (IMCTU).

SIGNED:                           ________________________                   DATE: _________________



ISSUE No.:                        1                                          REVISION No.:

EFFECTIVE DATE:

CONTROL STATUS OF THIS DOCUMENT IS (1)




(1) A hard copy of this document is considered uncontrolled if it does not have the original signature of the authorised
person. The electronic version of this document, maintained in the quality system document database, is considered as the
controlled electronic version.
                                        Version History



   Version        Date            Author      Description

   1.0            17 Nov. 2006    A. Aksel    Initial version
   1.1            21 Dec. 2006    A. Aksel    First revision incorporating feedback from
                                              Messrs Anne Matthews and Kalman Andrasi.




                                        Distribution List

  All staff members have access to the latest electronic version of this document on a “read-
  only” basis. Hard copies have been issued to the following copy holders on a controlled
  basis:


The Central Registry
The Office of the Chief of Administration Services Division (ASD)
The Office of the Chief of Central Support Services Section (CSSS)
The Office of the Chief of Information Management, Communications and Technology Unit
(IMCTU)
The Project Board Registry




  UNESCAP ISO27001 CERTIFICATION PROJECT – Project Plan                                         2
  By A. Aksel (Ver. 1.1 as of 21 Dec. 2006)
                                        References



 Document                                                                 Available

 “International Standard ISO/IEC 17799, Information technology –          H:\ESS\ADNAN SHARE\UNESCAP AND
 Security techniques – Code of practice for information security          ISO27001\STANDARDS THEMSELVES
 management”, Second Edition 2005-06-15, Reference number
 ISO/IEC 17799:2005 (E)

 “International Standard ISO/IEC 27001, Information technology –          H:\ESS\ADNAN SHARE\UNESCAP AND
 Security techniques – Information security management systems –          ISO27001\STANDARDS THEMSELVES
 Requirements”, First Edition 2005-10-15, Reference number
 ISO/IEC 27001:2005 (E)

 “ISO27001:2005 ISMS Implementation”, July 2005, by BSI                   In hard copy.
 Management Systems.

 “UN – Scope of Work: ISO 17799 Compliance Project for LAN and            H:\ESS\ADNAN SHARE\UNESCAP AND
 MAN Services of the United Nations Secretariat, Headquarters”,           ISO27001\SCOPE
 Nov. 2004, Ver. 2.0, ITSD, UN Secretariat

 “UNOG – Scope of Work: ISO 27001 Certification Project for LAN           H:\ESS\ADNAN SHARE\UNESCAP AND
 and MAN Services of the United Nations Office at Geneva                  ISO27001\SCOPE
 Secretariat, Geneva”, Mar. 2006, Ver. 1.0, UNOG ICTS




                                   Definitions and Acronyms
                                               Definitions


     Term                         Explanation

     Asset                        Anything that has value to the Organization.
     Information Security         Preservation of Confidentiality, Integrity and Availability; in addition, other
                                  properties such as authenticity, accountability, non-repudiation and reliability
                                  can also be involved.
     Residual Risk                The risk remaining after risk treatment.
     Risk Acceptance              Decision to accept risk.
     Risk Assessment              Overall process of risk analysis and risk evaluation.
     Risk Evaluation              Process of comparing the estimated risk against given risk criteria to determine
                                  the significance of risk.
     Risk Management              Coordinated activities to direct and control an organization with regard to risk.
     Statement of Applicability   Documented statement describing the control objectives and controls that are
                                  relevant and applicable to the Organization’s ISMS.
     Threat                       A potential cause of an unwanted incident, which may result in harm to a system
                                  or organization.
     Vulnerability                A weakness of an asset or group of assets that can be exploited by a threat.



                                               Acronyms


 Acronym                                              Full Name

   ASD          Administrative Services Division (of UNESCAP)
  CSSS          Central Support Services Section (of UNESCAP)
   FSS          Financial Services Section (of UNESCAP)
  HRMS          Human Resources Management Section (of UNESCAP)
  ICSTD         Information, Communication and Space Technology Division (of UNESCAP)
   ICT          Information and Communication Technologies
 IMCTU          Information Management, Communications and Technology Unit (of UNESCAP)
  ISMS          Information Security Management System
   ITSD         Information Technology Services Division (of the United Nations, New York, USA)
   KM           Knowledge Management


 LAN       Local Area Network
 OES       Office of the Executive Secretary (of UNESCAP)
PDCA       Plan – Do – Check – Act (the Deming cycle)
 SSS       Security and Safety Section (of UNESCAP)
UNLB       United Nations Logistics Base (Brindisi, Italy)
UNOG       United Nations Office in Geneva (Geneva, Switzerland)
WAN        Wide Area Network




                                      Table of Contents

                                                                                    Page No.

 1      Introduction                                                                   7

 2      Purpose                                                                        9
        2.1 Project Benefits                                                          10
        2.2 Why Certify?                                                              10

 3      Plan Description                                                              11
        3.1 Organizational Overview                                                   11
        3.2 Scope                                                                     11

 4      Project Pre-requisites                                                        12

 5      External Dependencies                                                         13

 6      Planning Assumptions                                                          13

 7      Project Plan                                                                  14
        7.1 Project Management Stages                                                 14
        7.2 Product Descriptions                                                      14
        7.3 Project Funding                                                           16
        7.4 Resource Requirements                                                     16

 ANNEXES                                                                              17
          I    Organizational Chart Reflecting Roles and Responsibilities for the
               Management of UNESCAP IMCTU                                            18
          II   UNESCAP ISMS Scope Topology Map                                        19




1         Introduction
Without information, only a few business processes can perform as intended. Quick,
automated processing and sharing of information increases its importance even further.



    “Information is an important asset, like other important business assets, is essential to an
    organization’s business and consequently needs to be protected. … Information can exist
    in many forms. It can be printed or written on paper, stored electronically, transmitted by
    post or by using electronic means, shown on films, or spoken in conversation. Whatever
    form the information takes, or means by which it is shared or stored, it should always be
    appropriately protected.” ISO/IEC 17799:2005, Introduction.

    “Information security: Preservation of confidentiality, integrity and availability of
    information; in addition, other properties such as authenticity, accountability, non-
    repudiation and reliability can also be involved.” ISO/IEC 27001:2005, clause 3.4.


The success of the work of the United Nations depends heavily on a reliable information and
communication technologies (ICT) infrastructure. Information security has therefore been a
high priority of the Secretary-General, as reflected in various documents; examples are shown in
Table 1.



Table 1.

 Date         Reference Document

 Sep. 2002    “Strengthening of the United Nations: an agenda for further change”,
              Report of the Secretary-General, A/57/387, 9 Sep. 2002.
 Nov. 2002    “Information and communication technology strategy”, Report by the
              Secretary-General, A/57/620, 20 Nov. 2002.
 Oct. 2004    “Strengthened and unified security management system for the
              United Nations”, Report by the Secretary-General, A/59/365, 11 Oct.
              2004 (and subsequent corrections and amendments).
 Feb. 2006    “Information and communication technology security, business
              continuity and disaster recovery”, Note by the Secretariat, A/60/677,
              14 Feb. 2006.


During the last couple of years, UNESCAP has been specifically requested on more than one
occasion to improve its information security controls and demonstrate their effectiveness.
Four key reference requests are shown in Table 2.

There are many alternative ways and approaches to information security with a large number
of standards to choose from: ISO27xxx series, CoBiT, ITIL, CMMI, and so on. Among all
these standards, ISO27001 certification provides a globally-recognized formal documentation
of successful establishment and maintenance of an information security management system
(ISMS) of an organization.



Table 2.

 Date         Reference to the Requests

 Nov. 2004    UNHQ ITSD’s Risk Assessment Report:

              4.2, first paragraph: “… An Information Security Management Systems (ISMS)
              policy is a requirement for ISO 17799 certification which must be promulgated
              based on a legitimate organizational process.”

              5. Plan of Action, first and sixth items: “….The six initiatives are:

              1. Policy: ESCAP/ESS maintains significant control over most ICT assets and
              services; however the “control base” and authority, as well as delegation of
              responsibility, is largely undocumented and not supported through official policy. It
              is recommended ESCAP implement and maintain a Policy Framework to develop,
              support, and implement best practices and effective management for security and
              business continuity. This includes endorsing the Secretariat policy on the Use of
              ICT Resources and the creation of an ISO 17799 compliant ISMS policy.”

              “6. Risk Management: Initiate a dedicated effort to sustain security and continuity
              posture that should include quarterly self-assessments, ad hoc risk assessments
              and business impact analysis. A self-assessment capability is a requirement for
              ISO 17799 Certification.”

 May 2006     UNHQ’s request following a global training in Brindisi, Italy, in May 2006.

 Sep. 2006    OIOS Audit Recommendation 15: “To ensure that an appropriate security
              management system is implemented which meets the needs of ESCAP, ESCAP
              should obtain from United Nations Headquarters Information Technology and
              Service Division a copy of the 2004 risk assessment report and undertake an
              exercise to determine a costed implementation plan, including the linkage with the
              current ISO 27001 project (Rec. 15).”

 Nov. 2006    The External Auditor’s Preliminary Risk Matrix placed “Information and communication
              technology (security)” as the second highest concern after “Contributions” on the
              LIKELIHOOD VS. IMPACT matrix.



The technical, administrative, and management efforts required of an organization for such a
certification are immense. Furthermore, the certification is only valid for three years, during
which a number of surveillance audits are held every 6-9 months. After three years,
re-certification is required, with a larger scope. The whole exercise is very serious, requiring
extensive documentation and continuous technical, administrative, and management commitment.

The ISO27001 certification process is an evolutionary one; the whole implementation is a
learning process and a discipline within which security maturity is developed. W. Edwards
Deming proposed that business processes should be continuously analyzed and measured to
help managers identify and change the parts of the processes that need improvement.
ISO27001 uses the Deming PDCA cycle (Plan-Do-Check-Act) to gradually increase the
security maturity level while maintaining effective quality improvement and Business-IT
alignment.




2         Purpose

Information security threats continue to grow daily. Global cyber crimes are on the rise
costing many industries billions of dollars. UNESCAP urgently needs to review, maintain,
and improve its information security practices.


    “Information security management system - ISMS: that part of the overall
    management system, based on a business risk approach, to establish, implement, operate,
    monitor, review, maintain and improve information security.

    Note: The management system includes organizational structure, policies, planning
    activities, responsibilities, practices, procedures, processes and resources.” ISO/IEC
    27001:2005, clause 3.7.


The purpose of this project is to achieve and sustain ISO27001 security certification for the
service delivery of Local Area Network (LAN) and Wide Area Network (WAN) resources
within the United Nations Economic and Social Commission for Asia and the Pacific
(UNESCAP) community.

Through the certification efforts, UNESCAP will address, develop and thoroughly review
measures against security threats such as access violations, breaches of security, loss of
services or facilities, system malfunctions, human errors, uncontrolled system changes, and
many others. This project will also demonstrate UNESCAP’s seriousness in addressing the
calls made by the Secretary-General in the programme of reform, as well as all subsequent
requests from the UN Headquarters and auditors, as shown in Tables 1 and 2.

In order to achieve this certification, UNESCAP will determine precisely what critical
information assets need to be secured, and then establish, maintain, and improve the
corresponding information security management system (ISMS).

Further expectations are:

          -   Compliance with the best practices and standards in ICT;

          -   Bringing clarity to UNESCAP ICT investments needed to run the business,
              facilitating executive decision making by moving focus from technical issues to
              business needs;

          -   Achieving demonstrably higher utilization of assets, resources and investments;
              thus, reducing IT investment cost and risks; and

          -   Bringing in the accumulated technical know-how to the service of the UNESCAP
              community.

Hence, the overall purpose of this project is to improve IT-governance of IMCTU operations
vis-à-vis security, thus contributing to efficient, effective, and high-quality ICT services.



2.1 Project Benefits

Through this project, UNESCAP will:

   -   Review its information security management, administration and operations;
   -   Examine its ICT infrastructure, organization, operations, and IT governance;
   -   Bring in a complete technology architecture;
   -   Bring in best practices and globally-accepted common standards;
   -   Increase security maturity level; and
   -   Create a new culture and mind-set.


Main benefits of this project will be:

   -   A mature UNESCAP ICT infrastructure with well-established security policies and
       procedures;

   -   Pictorial, graphical, numerical representations and other evaluation views of the ICT
       infrastructure and services to reduce project risks and improve decision making;

   -   A new enhanced modus-operandi within IMCTU;

   -   A well-catalogued, up-to-date, and high-quality IMCTU documentation;

   -   Provision of industry-standard rigorous information security controls to UNESCAP;

   -   Direct support for all other ISO processes and similar standards; and

   -   Addition of detail to some key management control processes.


2.2 Why Certify?

There are major benefits for UNESCAP to become ISO27001-certified. Certification
particularly will:

   -   Create heightened security awareness within UNESCAP;

   -   Allow the identification and awareness of the critical processes and assets;

   -   Provide structure and motivation to continuous improvement;

   -   Ensure compliance with local legislative requirements and with the needs of the
       United Nations and the Member States;

   -   Provide an independent judgment on the existing information security maturity;

   -   Demonstrate management commitment to the goals and objectives of this globally-
       recognized standard;


   -   Establish that UNESCAP has competent personnel, high-quality services and
       corresponding infrastructure, and that the effectiveness of all three is
       continuously being evaluated; and

   -   Display that UNESCAP has taken a major technological, administrative, and
       managerial initiative.



3           Plan Description
The project started in October 2006 and will last 15 months, completing at the end of 2007.
It will be managed by a full-time fixed-term P4 staff member and implemented by a project
team from the Information Management, Communications and Technology Unit (IMCTU). A
6-member Project Board, consisting of one executive, four users, and one supplier, is proposed.
Quality management will be provided by the Chief of Central Support Services Section (CSSS).
The project will be supported by the Information Technology Services Division (ITSD) at the
United Nations Headquarters through two experts from the ITSD ICT Quality Assurance and
Risk Management Section. Cooperation with two other UN offices (aiming at identical
certifications) is foreseen.


3.1 Organizational Overview

IMCTU maintains the local and wide area network infrastructure of UNESCAP. The Unit
comprises four segments:

        1. The Office of the Chief (together with the business systems administration and
           quality management functions);

        2. Systems Development and Operations (including network operations, IT operational
           security and IMIS support);

        3. Telecommunications (including telephony); and

        4. Client Services (including IT Help Desk).

The Chief of IMCTU reports directly to the Chief of Central Support Services Section (CSSS)
of the Administrative Services Division (ASD). The strategic direction for IT resources is
overseen by the UNESCAP Information and Communication Technology / Knowledge
Management (ICT/KM) Committee. Annex I shows the relevant organizational chart.


3.2 Scope

The areas of focus for this Information Security Management System (ISMS) are:

        -    The Office of the Chief;
        -    The Enterprise Data Centre and Network Operations; and
        -    The IT Operational Security.

Neither the Systems Development nor the Client Services are included within the scope of
this ISMS.

A security practice is an action, procedure, technique or measure that provides assurance that
a control objective will be achieved. Security practices apply controls in a manner that best
achieves a control objective and supports the security requirements of an information asset or
system.

To bring the LAN and WAN environment into compliance with the ISO27001 security standard
and certify it, all 11 domains of ISO27001 will be tested:

       -   Security Policies;
       -   Organization of Information Security;
       -   Asset Management;
       -   Human Resources Security;
       -   Physical and Environmental Security;
       -   Communications and Operations Management;
       -   Access Control;
       -   Systems Development and Maintenance;
       -   Information Security Incident Management;
       -   Business Continuity Management; and
       -   Compliance with international standards and UN rules & regulations.

The activities related to the above domains will include:

       -   Planning;
       -   Identification of Critical Information Assets;
       -   Preparation of Gap Analysis;
       -   Risk Assessment;
       -   Risk Management;
       -   Risk Treatment;
       -   Preparation of Statement of Applicability (SoA);
       -   Establishing Policies and Procedures;
       -   Training and Awareness Activities;
       -   Monitoring and Reporting; and
       -   Certification Audit Processes.



4      Project Pre-requisites
As the new Secretary-General assumes his duties on 1 January 2007, many changes are under
way in the United Nations to make the Organization more efficient and more effective.
UNESCAP is part of these changes. Similarly, the newly-established senior management post
of Chief Information and Technology Officer (CITO) will soon be filled, and the United
Nations’ global ICT structure, organization, and services will go through a serious review and
update process.




This project was planned to streamline the ongoing efforts of the UN Headquarters and
UNESCAP in order to meet current and emerging business requirements. UNESCAP needs to
align itself with complicated new business requirements, make effective use of existing
technologies, and provide a solid and secure information and communication technology
(ICT) infrastructure for its staff members.

The United Nations Headquarters achieved ISO27001 certification in April 2006, and
UNESCAP has recently become part of a global effort initiated by the United Nations
Headquarters for similar certification. Other sister organizations taking part in this activity
are the United Nations Logistics Base – UNLB (Brindisi, Italy) and the United Nations Office in
Geneva – UNOG (Geneva, Switzerland).



5      External Dependencies

Continued guidance from the UN Headquarters, access to available technical expertise, the
support and commitment of UNESCAP senior management, and a high level of cooperation
with other UN Offices form the external dependencies of the project.

The following is a further list of possible challenges, and thus dependencies:

       -   Getting fast track approvals;
       -   Keeping a sharp focus;
       -   Struggling with other competing priorities for resources;
       -   Ensuring attention and support of senior management;
       -   Availability of funds for training and awareness activities;
       -   Sustaining the interest of the staff involved;
       -   Production of high-quality up-to-date documentation;
       -   Timely endorsement and implementation of policy and procedures;
       -   Continuous monitoring and improvement; and
       -   Resolving resource limitations and contentions.



6      Planning Assumptions

The following assumptions are made:

       -   Full support of the UNESCAP senior management;
       -   Effective security enforcement;
       -   Availability of funds for training and education;
       -   Receiving a high priority among other resource-competing IMCTU projects;
       -   Desire within UNESCAP to change habitual non-standard practices; support to
           confront issues;
       -   High-level of cooperation with the UN Headquarters and other UN offices; and
       -   Successful prioritization of work during the implementation of all four PDCA
           cycles.



7      Project Plan

7.1 Project Management Stages

There are a variety of ways to approach the certification process. The following lists six
project management stages UNESCAP will follow:

       -   STAGE 1: Project initiation – ISMS Scope – Review of Documentation (2007 Q1);
       -   STAGE 2: Inventory of Critical Information Assets – Gap Analysis (2007 Q1);
       -   STAGE 3: Risk Management and Remediation (2007 Q2);
       -   STAGE 4: Training & Awareness Programme – Trial Audit (2007 Q3);
       -   STAGE 5: Compliance Monitoring – Certification Process (2007 Q3 and Q4);
       -   STAGE 6: Post-certification (2007 Q4 and beyond).

Certification will be carried out by a third-party accredited certification/registration body
such as BSI. A second-party trial audit will be carried out by the UN Headquarters ITSD ICT
Quality Assurance and Risk Management Section.


7.2 Product Descriptions

Specific product attributes that are relevant to the project management are:

       -   Inventory of critical information assets: data and information; information
           technology assets (together with the supporting infrastructure);

       -   Security policies and practices from high-level (by the senior management) to low-
           level (by the system administrator);

       -   Increased capability maturity level from non-existent (0) / initial (1) / repeatable
           (2) to gradually defined (3) / managed (4) / optimized (5), the current industry
           average being 2.8; the present target is 3.5;

       -   Implementation of the controls in each one of the 10 sections to increase the
           classes of protection from Class 1 (“Inadequate Protection”) / Class 2 (“Minimal
           Protection”) to gradually Class 3 (“Reasonable Protection”) / Class 4 (“Adequate
           Protection”); and

       -   Aligning internal management, administrative, technical and security practices
           with ISO27001 for business benefit.


Detailed milestones and the production of documents as required by ISO27001 are shown in
Table 3.




    Table 3.

 2007 Quarter               Documents

 1. Quarter (Jan. – Mar.)   - Project Scope
                            - Project Plan
                            - Review of Existing Documentation
                            - Inventory of Critical Information Assets (Asset Identification & Classification)
                            - Gap Analysis
                            - Risk Assessment Approach (Description of the Methodology)
                            - Risk Assessment Report – Risk Evaluation (Threats, Vulnerability & Impact)
                            - Risk Treatment Options
                            - Statement of Applicability – SoA (Selected Controls)
                            - Risk Treatment Plan

 2. Quarter (Apr. – Jun.)   - Security Policies and Procedures (ISMS Policy)
                            - Measurement of Effectiveness of the Controls
                            - Training and Awareness Activity Report
                            - Incident Response Procedures
                            - Incident Records
                            - Internal Audit Check List
                            - Internal ISMS Trial Audit (against Internal Audit Check List)
                            - Compendium of Documents (for submission to the Auditing Body)

 3. Quarter (Jul. – Sep.)   - Improvements to the ISMS (as per feedback from the Auditing Body)
                            - ISMS Effectiveness Review
                            - Measurement of Effectiveness of the Controls
                            - Review
                            - Implementation of Improvements
                            - Management Review (towards the Certification Audit)

 4. Quarter (Oct. – Dec.)   - Certification Audit
                            - Improvements to ISMS (as per feedback from the Auditing Body)
                            - Planning for Future Surveillance Audits
                            - Planning Towards Reaching Organizational Security Maturity Level of “OPTIMIZED”
                            - Measures to Stay at CLASS 3 (“Reasonable Protection”) / CLASS 4 (“Adequate Protection”)




7.3 Project Funding

In addition to the regular budgeted posts and ongoing scheduled and programmed ICT
expenditures, additional capital investment costs are shown in Table 4.


Table 4.

 Description                                                          Cost to UNESCAP (US$)

 1 Full-time fixed-term P4 staff member for 8 months.                 80,000
 Training and awareness activities (for management, as well as         5,000
 administrative and technical personnel).
 Certification Costs                                                      -



ISO27001 strongly emphasizes training of the key project team staff members (clause 5.2.2 of
the standard). Furthermore, the standard insists on the continuous commitment of the executive
branch (clause 5.1 of the standard). Without strong backing from UNESCAP senior management,
certification efforts cannot succeed. Therefore, an awareness-raising campaign within
UNESCAP will be kicked off with an information security seminar for senior management.
The ISO27001 certification audit will certainly check that both the training and the
awareness-raising campaign were initiated early.

Certification costs will be met by the UN Headquarters ITSD ICT Quality Assurance and
Risk Management Section. The same Section will also meet the cost of two 5-day missions
of two of its professional staff to UNESCAP in 2007.


7.4 Resource Requirements

The project will be composed of:

   -   A Project Board;
   -   A Project Team; and
   -   A senior UNESCAP staff member providing quality management for the project.


Composition of the Project Board is shown in Table 5.

[Please refer to QDOC/IMCTU/ISO27001-3 “UNESCAP ISO27001 CERTIFICATION
PROJECT – TERMS OF REFERENCE OF THE PROJECT BOARD” dated 21 Dec. 2006,
for the Terms of Reference - ToR of the Project Board.]




Table 5.

 Executive:         Mr Shigeru MOCHIDA (Deputy Executive Secretary, Office of Executive
                    Secretary - OES)
 Senior Users:      Mr Peter VAN LAERE (Chief of ASD)
                    Mr Siva THAMPI (Chief of Information, Communication and Space
                    Technology Division - ICSTD)
                    Mr Russel M. RADFORD (Chief of Security and Safety Section - SSS)
                    Mr Manuel RINCON (Knowledge Management Officer, OES)
 Senior Supplier:   Mr Kalman ANDRASI (Acting Chief of IMCTU)




Composition of the Project Team is shown in Table 6.

Table 6.

 Project Manager:              Mr Adnan AKSEL (Information Systems Officer, IMCTU)
 Other Project Team Members:   Mr Mohamad REZA (Lotus Notes System Administrator, IMCTU)
                               Mr Thanachai PATTANAPONGPAIBOON (Network & Systems
                               Administrator, IMCTU)
                               Mr Nathapat JITWIRA (Computer Systems Assistant, IMCTU)




Anne MATTHEWS (Chief of CSSS) will provide quality management for the project and
will report directly to the Project Board.

All IMCTU, Human Resources Management Section (HRMS), Financial Services Section
(FSS), SSS and CSSS staff will be consulted as needed.




ANNEXES
     I      Organizational Chart Reflecting Roles and Responsibilities for the Management of
            the UNESCAP IMCTU LAN & MAN

    II      ISMS Scope Topology Map




                                       ANNEX I




  ORGANIZATIONAL CHART REFLECTING ROLES AND RESPONSIBILITIES FOR
         THE MANAGEMENT OF THE UNESCAP IMCTU LAN & WAN




                                       ANNEX II




                            ISMS SCOPE TOPOLOGY MAP



