China ISO27032 Cyberspace Security Management System Certification - China Supplier

ISO27032 Cyberspace Security Management System Certification

Price: Negotiable
Industry Category: Business-Services
Product Category:
Brand: 广汇联合(北京)认证服务有限公司
Spec:



1. What is ISO/IEC 27032:2012 Certification?

Certification:

Refers to the activity where a certification body conducts an audit of the auditee according to specific audit criteria, following established procedures and methods, to determine compliance with specific requirements.

Accredited Certification for ISO/IEC 27032:2012 Cybersecurity Management System:

This is a certification of an organization's compliance with the requirements of the ISO/IEC 27032:2012 Cybersecurity Management System. It provides assurance through an authoritative third-party audit that the certified organization has implemented a data storage security management system and meets the requirements of the ISO/IEC 27032:2012 cybersecurity standard for data storage security management.

Organizations that pass the ISO/IEC 27032:2012 cybersecurity certification will be registered and can be queried on the website of the China National Certification and Accreditation Administration (CNCA). "Authoritative and trustworthy, verifiable on the official website."

2. What are the benefits and roles of ISO/IEC 27032:2012 certification for enterprises?

The emergence of new network forms and new computing fundamentals and models, together with the deep integration of informatization and industrialization, has brought new challenges to cybersecurity. The U.S. National Science and Technology Council pointed out in the "2016 Federal Cybersecurity Research and Development Strategic Plan—Cybersecurity and Information Technology Research and Development Program" that security issues in areas such as the Internet of Things, cloud computing, high-performance computing, autonomous systems, and mobile devices will be emerging research hotspots. Similarly, given the severe challenges facing cybersecurity, China established the Central Leading Group for Cybersecurity and Informatization in February 2014 to vigorously promote cybersecurity construction. In June 2015, the Academic Degrees Committee of the State Council and the Ministry of Education decided to add "Cybersecurity" as a first-level discipline, and in October 2015, they decided to add "Cybersecurity" as a first-level discipline for doctoral degree authorization. To better plan and guide related research, the Information Science Department of the National Natural Science Foundation of China selected "Basic Theories and Key Technologies of Cybersecurity" as one of the 15 priority research areas during the "13th Five-Year Plan" period.

If an enterprise passes ISO/IEC 27032:2012 certification, it can obtain the ISO 27032:2012 certificate issued by GH, have the certificate registered on the CNAS official website with international recognition, and obtain a management maturity report for the ISO/IEC 27032:2012 Cybersecurity Management System. Passing the ISO/IEC 27032:2012 Cybersecurity Management System certification means that an enterprise has laid a solid foundation for its cybersecurity protection capabilities. It further promotes the improvement of cybersecurity management levels, reduces potential risks, ensures business continuity and emergency recovery, better meets customer cybersecurity management requirements, and demonstrates a leading level of cybersecurity management, making the enterprise an undeniable pioneer in the field of cybersecurity management.

3. Which enterprises can apply for ISO/IEC 27032:2012 certification?

Cybersecurity certification is a security certification that covers information infrastructure such as the internet, communication networks, the Internet of Things, and industrial control networks, as well as the dynamic virtual space formed by human-machine-object interactions. Among the enterprises that have obtained certification so far, the majority are in:

Industries where network technology and information are lifelines:

1. Financial industry: banks, insurance, securities, funds, futures, etc.

2. Communication industry: telecom, Netcom, mobile, Unicom, etc.

3. Trading companies: foreign trade, import and export, HR, headhunting, accounting firms, etc.

Industries highly dependent on information technology:

1. Steel, semiconductors, logistics

2. Electricity, energy

3. Outsourcing (ITO or BPO): IT, software, telecom IDC, call centers, data entry, data processing, etc.

Industries with high technical process requirements and sought after by competitors:

1. Pharmaceuticals, fine chemicals

2. Research institutions

4. What are the conditions for enterprises to apply for ISO/IEC 27032:2012 certification?

Basic conditions for applying for ISO/IEC 27032:2012 Cybersecurity Management System certification:

1. Chinese enterprises must hold the "Business License" issued by the administrative department for industry and commerce, a "Production License," or equivalent documents; foreign enterprises must hold registration proof from relevant agencies.

2. The applicant's information technology security management system has been established according to the requirements of the ISO/IEC 27032:2012 Cybersecurity Management System standard and has been implemented and operated for more than 3 months.

3. At least one cybersecurity impact assessment, internal audit, and management review have been completed.

4. During the operation of the cybersecurity management system and the year prior to its establishment, the enterprise has not received administrative penalties from the competent authorities.

5. If the enterprise has received administrative penalties, they have been resolved, and there is no suspension of business.

6. The scope of application does not exceed the permitted scope of qualifications or the business scope of the certification body.

7. No transfer between certification bodies in violation of the rules, no illegal activities, and no breach of trust.

8. The difference between the declared number of employees and the actual number does not exceed 20%.

9. Provide essential qualifications related to the enterprise's business, such as system integration qualifications, security qualifications, etc., and ensure the validity and legality of these qualifications.

5. What is the process for applying for ISO/IEC 27032:2012 certification?

1. Establish a system framework according to the requirements of the ISO/IEC 27032:2012 Cybersecurity Management System standard.

2. After the system is established, it needs to operate for a period, at least three months, to generate three months of operational records.

3. Submit an audit application to the certification body.

4. The certification body assesses the cost and formal audit time.

5. The certification body will conduct a pre-audit to eliminate major deficiencies before the formal audit and to familiarize the client with the audit methods, risk assessment, and review of policies, scope, and procedures used. The pre-audit also checks for omissions and cumbersome areas in the system that need modification.

6. The certification body will conduct a second-stage audit, mainly focusing on implementation audits to check the execution of procedural requirements. The certification body will typically conduct on-site audits and provide recommendations.

7. If the audit is successfully completed, the ISO/IEC 27032:2012 Cybersecurity Management System certification certificate will be issued after clarifying the certification scope. It is valid for three years, subject to continuous audits.

6. What does an enterprise need to cooperate with when applying for ISO/IEC 27032:2012 certification?

Before certification: (An IT department staff member must be assigned to assist with documentation.)

1. Cooperate with project initiation: preliminary communication, implementation plan, project team, resource support.

2. Cooperate in providing qualification certificates and related materials required for the certification project consultation.

3. Cooperate in conducting preliminary training: provide cybersecurity awareness training for all employees, promote the implementation of the cybersecurity system, and conduct necessary assessments.

4. Cooperate in analyzing and identifying the value, factors, and vulnerabilities of the company's cybersecurity assets, and select appropriate measures and methods to manage risks. (These tasks require the cooperation of IT personnel to complete.)

5. Cooperate with consultants in related training, internal audits, management reviews, correction and prevention of non-conformities, improvement of record forms, printing, and archiving of documents.

During certification: (Treat auditors equally, like receiving clients.)

6. Cooperate with the certification company's audit schedule, arrange travel and accommodation for auditors.

7. Assist in the audit certification, with internal audit teams accompanying and assisting to address issues during the audit.

After certification:

8. Promptly rectify non-conformities and correctly use the certification certificate.

7. How long does it take to apply for ISO/IEC 27032:2012 certification?

Enterprise cooperation: "Need to find a person knowledgeable about information security to coordinate."

1. Able to promptly provide qualification documents that meet project certification requirements.

2. Assist in completing and providing various record data entries.

3. Cooperate with the certification company's audit schedule, assist in accompanying the audit process, and promptly rectify non-conformities.

Generally, the process from "certification application—on-site audit—certification issuance" can be completed in 30 days.

Stock: 999
Manufacturer:
Origin: China / Shanxi / Taiyuanshi