ISMS Consulting Proposal Template


Page 1: ISMS Consulting Proposal Template

Doc Ref: CS/021/KC

CONSULTING SERVICES PROPOSAL ON ISO27001

(INFORMATION SECURITY MANAGEMENT SYSTEM) TO

Information Classification Label: Red / Orange / Yellow / Blue / Green

Classification: Blue3

Controller: KC Wong / Yantie

Author: Rodney Especkerman

Document Ref: CS/021/KC

Expiry Date: 31 September 2008

Upon Expiry (select one): Evergreen / Public / Destroy / Review

<Insert Company> <Insert Company>

Published Date: 29-8-2008


RESTRICTED DOCUMENT!

This document contains highly sensitive information. Contained within this document are proposed countermeasures and descriptions of risks pertaining to <INSERT COMPANY> Group. Unauthorized use and dissemination of this information can be detrimental to the security and operations of <INSERT COMPANY> Group.

Each copy of this document is individually registered. If additional copies are required, please contact Rahayu Binti Lop at koonchoon.wong@<Insert Company>corp.com. Any unauthorized distribution and reproduction is illegal, and any person or persons found committing such activities will be prosecuted to the fullest extent of the law.

By proceeding to read the remainder of this document, you are agreeing to the above-mentioned terms and conditions. If you do not agree to those terms and conditions, please return this document to the document controller immediately.


Confidentiality Notice

This document may contain secret and sensitive information which, if improperly disclosed, may have a significant negative impact on the operations of the stakeholders. This is a classified document with restricted distribution. By reading this document, or being in possession of this document, you have agreed to all the conditions and prerequisites of the confidentiality terms as described in http://www.<Insert Company>.com.my/confidentiality_terms.htm. If you do not agree with the terms and conditions set forth, return the document to the address stated below or destroy the document immediately. Accessing privileged information without proper authorization may result in legal and/or criminal prosecution.

Copyright Info

<INSERT COMPANY> Group. All Rights Reserved. Printed in Malaysia.

Disclaimer

<INSERT COMPANY> Group has prepared this document as a reference or guideline. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronically, mechanically or chemically, without prior written permission from <INSERT COMPANY> Group.

<INSERT COMPANY> Group shall not be liable for technical or editorial errors or omissions contained herein, nor for incidental or consequential damages resulting from the furnishing, performance, or use of this document. <INSERT COMPANY> Group reserves the right to revise this document and to make changes in the content hereof without notice.

This document is published by <Insert Company> Group without any warranty. Improvements and changes to this document necessitated by typographical errors, inaccuracies, or improvements to programs, may be made by <Insert Company> Group, at any time and without notice. Such changes will, however, be incorporated into new editions of this document.

Revision History

Version Number | Date
0 | 29-8-2008

Document Ref.: <enter document reference here>

Date: 29-8-2008

Total number of pages: 11

Control and Publisher's Address: <insert Company Address>

Table of Contents

Background and Objectives ..... 5

Benefits ..... 5

Deliverables ..... 6

Value Added Services ..... 6

Forensic Readiness ..... 6

Total Project Commitment ..... 7

Training Certificates ..... 7

Support Capabilities ..... 7

Key Milestones and Duration ..... 8

Resource Requirement ..... 8

Company Overview ..... 9

ISO Profile ..... 9

Terms and Conditions ..... 10

Appendix 1: Documents Required in Certifying ISO 27001 ..... 12

Appendix 2: Implementation Process Flow ISO 27001 ..... 13

Appendix 3: Answer to Request for Proposal

Appendix 4: CV


ISO 27001 CONSULTATION PROPOSAL

1. Background and Objectives:

Commerce Dot Com (hereinafter referred to as “CDC”), <insert Description of CDC>. CDC is seeking consulting services to develop an Information Security Management System (ISMS) and ultimately be certified to ISO 27001.

<Insert Company> is an ICT security solutions provider offering one-stop, end-to-end solution services encompassing all aspects of ICT security, including managed security solutions, implementation and consultancy. <INSERT COMPANY> is seeking to offer its services to CDC to achieve CDC's objective of conforming to the ISMS standard.

ISMS has been chosen as the framework for information security governance as well as for improving the information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC.

The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

1. Review of the existing CDC information security framework and data center including policies and processes in accordance with the ISO 27001 standard

2. Enhancement of the existing CDC information security framework and data center including policies and processes in accordance with the ISO 27001 standard

3. Provide consultancy in the development and implementation of the ISMS in accordance with ISO 27001 and to achieve certification

4. Equip CDC personnel with knowledge and expertise in the requirements of implementing ISO27001 ISMS by end of 2008.

<INSERT COMPANY> is submitting a proposal to assist CDC in its drive towards information security.

The objective of this program is to assist CDC’s IT Governance & QA Department with gap analysis, consulting, documentation and internal audit training to enable CDC to comply with the requirements of ISO 27001. The consulting services for the project shall be delivered within a period of 4 months from execution of the contract.

2. Benefits:

ISO 27001 Improves:

- Management Understanding of the Value of Organizational Information
- Customer Confidence, Satisfaction and TRUST
- Business Partner Confidence, Satisfaction and TRUST (e.g. Handling Sensitive Information of Customers & Business Partners)
- Level of Assurance in Organizational Security & QUALITY
- Conformance to Legal and Regulatory Requirements
- Organizational Effectiveness of Communicating Security Requirements
- Employee Motivation and Participation in Security (Best Practices)
- Organizational Profitability
- Management and Handling of Security Incidents
- Ability to Differentiate Organization for Competitive Advantage
- Organizational Credibility & Reputation

Certification Demonstrates:

- Commitment
- Continuous Improvement
- Preparedness for Independent Review
- Measure Against Best Practice

Certification Provides:

- Means to Benchmark against:
  o Industry & Competitors
  o Business Partners
  o Customers
- Increased Level of Certainty

The scope of this proposal: <INSERT COMPANY> will perform and/or shall cover the following activities for CDC.

- Gap Analysis
- Internal Audit Training
- Consulting, Guides and Documentation

3. Deliverables:

The following will be some of the key deliverables that will be facilitated by <INSERT COMPANY> for this project:

- Conduct initial assessment and need-gap analysis to identify key process improvement areas
- Guides on documenting the system
- Guide implementation
- Internal Audit Training
- Set of training materials for CDC QA team to train internal staff.

As a value-added service to CDC, <INSERT COMPANY> will be present during the appraisal to assist CDC.

<INSERT COMPANY> will facilitate the Internal ISMS Audit trainings, orientation and workshops for CDC.

<INSERT COMPANY> together with the CDC team shall accomplish this project within Four (4) months provided CDC gives the maximum support and commitment to <INSERT COMPANY> towards achieving the ISO 27001 certification.

4. Value Added Services:

To ensure that <INSERT COMPANY> provides the highest quality of service possible to its clients, it commits to extend the following value-added services to CDC.

The proposal will hold should the implementation be delayed for any reason; <INSERT COMPANY> will not charge any additional amount to the client. However, if additional services are requested by CDC beyond the scope stated in this proposal, <INSERT COMPANY> shall render a separate proposal with separate costing addressing those needs and requests. <INSERT COMPANY> believes that there should not be any hidden costs attached to the proposal.

To secure the best outcome for CDC, <INSERT COMPANY> will furnish a consultant to be present to assist CDC during the 2-day appraisal period by SIRIM. Our consultant will support and assist personnel from CDC to achieve a smooth appraisal exercise.

<INSERT COMPANY> will also provide, as required, training materials and presentation materials for CDC internal staff training. To enhance the CDC IT department, <Insert Company> will provide an extra service of Forensic Readiness.

4.1 Forensic Readiness

In the event of any security incident, it is imperative that sufficient information is collected to allow both internal and external investigators to piece together the sequence of events. This is done mostly by investigating log files.

<Insert Company> will review current log collection facilities for critical systems within CDC and determine whether the logs are adequate for a forensic investigation should the need arise. This will also cover the testing of log backups, as forensic investigations are typically conducted on data that is offline.

Another important aspect of forensic readiness is the allocation of resources to facilitate a forensic investigation by either internal or external parties. Documents such as Non-Disclosure Agreements and Evidence Collection & Evidence Storage Forms should already be in place. Forensic tools need to be set aside and checked periodically for functionality. Access cards to track the movement of external investigators can also be set aside and held securely by the Quality Assurance or Audit department.

Last but not least, as speed is of the essence in a forensic investigation, a quick awareness campaign will be conducted to ensure that all CDC staff know whom to call in the event of a suspected security incident. Proper escalation procedures to internal investigators need to be in place, and detailed documentation of contacts at the services investigators require, such as Internet Service Providers, Law Enforcement, 3rd Party Vendors, Auditors and Legal Advisors, is crucial as well.

The Forensic Readiness service will cover these areas, measuring how much CDC already has in place and filling in the gaps where necessary so that CDC is forensic ready.

5. TOTAL PROJECT COMMITMENT

<INSERT COMPANY> will make available resources to assist the personnel of CDC in assuring the ISO 27001 appraisal and certification under the leadership of <INSERT COMPANY>. Rodney is a qualified lead auditor for ISMS (ISO 27001) and for the QMS (ISO 9001) process. Presently, he is actively involved in WG1 (Working Group 1), which contributes to the ISO charter located in Geneva. This working group operates under the leadership of SIRIM and meets monthly. There will also be one document associate (DA) on site until completion of the necessary documents. Apart from the DA, another consultant will also be on site for 2-3 days a week until certification.

Access will be provided to the client for <INSERT COMPANY>’s learning materials such as books, manuals, etc. as needed during the consultation period. <INSERT COMPANY> will also take the lead in the handling of activities designed to promote ISO 27001 within CDC which has been included as part of the value added services.


<INSERT COMPANY> together with the CDC team shall accomplish this project by the end of December 2008, by which time all necessary documentation and implementation of the Information Security Management System will be in place, complying with ISO 27001, with forensic readiness, and ready for recommendation for certification, provided CDC gives maximum support and commitment to <INSERT COMPANY> towards achieving the ISO 27001 initiative.

6. TRAINING CERTIFICATES

Internal Audit Training Certificates shall be given by <INSERT COMPANY> to the attendees of the training after its completion.

7. SUPPORT CAPABILITIES

<INSERT COMPANY> understands that support mechanisms are necessary to effectively implement a project and monitor its implementation progress to ensure its success. Hence the following support mechanisms, specifically for the ISMS set-up, may be added where applicable after an evaluation of the CDC gap analysis:

Relief Consultants

The proposed project team is carefully selected with full consideration of a ready “back-up” or “Relief Consultants”: capable and qualified consultants able to handle ISO 27001 projects, who are primarily assigned as Secretariat and will, among other duties, maintain and trouble-shoot and, when applicable, assist in the documentation of processes. Their secondary function, only when necessary, is relieving other consultants who, under unavoidable circumstances, may not be available during pre-scheduled visits or other activities.

A document associate (DA) will be stationed on site to assist in the production of the necessary documents that will be needed for certification. The DA will be on site for at least 1½ months until all documents are completed.

8. Key Milestones and Duration

Refer to the Action Plan for Tasks in the Appendix.

9. Resource Requirements

During the conduct of the trainings, the client will arrange for the following:

- Training Rooms in CDC Premises
- Reproduction of course / training material only (if needed)
- Hiring of equipment (TV/VCR/OHP etc.), if needed
- LCD and Data Projection System (laptops provided by <Insert Company>)
- Any other such infrastructural arrangements as required (if any)

During the whole duration of the project, CDC shall provide the resources listed below to facilitate the consulting, training and assessment activities.

- Computers for use of consultants and lead assessors (for creation of CDC documents only)
- Network Connection and Internet Access Facility (during on-site work for printing of documents related to ISMS implementation). <INSERT COMPANY> will seek prior permission from the CDC ISMS representative if it requires Network Access for downloading consultant emails and information from the <INSERT COMPANY> server.
- Server Space (for storage of CDC documents)
- Office Space for consultants, assessors and trainers (during on-site work)
- Telephone facility

10. Company and Partner Overview

<INSERT COMPANY> has a partnership with a consultation company which is a management systems solutions provider with a combined experience of over 9 years in Philippines, Malaysia, Singapore, China and India.


The guiding principle of the capabilities is based on a K-CAT business model:

Through on-site consulting, assessments, and training – proven methods that have certified more than 200 organizations in Asia against international standards - we teach our clients how to effectively manage knowledge so that this is optimized to their advantage.

The international network of 32 full-time consultants, assessors, and trainers, 12 of whom have handled information technology and communications-related projects, is multi-cultural and speaks a combination of seven (7) major languages. With an Information Technology Department among 4 other departments, one of our strengths is the ability to provide innovative products and services, full service support, and cutting-edge solutions that fully complement our partners’ needs.

Through this capability, we have developed several multi-media, fully interactive computer based training (CBT) software programs. One has been fully funded by Europe-Aid, a European Commission initiative, and all three (3) are currently endorsed and promoted by Malaysia’s SIRIM Berhad and Product Safety and Management Board, and marketed in 3 languages in Malaysia, Philippines, Singapore, China, India, Thailand, Indonesia, Vietnam, Japan, and Brazil.

10.1 ISO Profile

Our staff is comprised of highly qualified individuals with proven expertise and practical experience.

Technical Knowledge


<Insert Company> & partners have sound knowledge and associated training experience/skills in ISO 27001, ISO 9001, CMMI, SDLC Development, IT Project Management, Software Engineering, Assessment Techniques and some related Soft Skills.

Project Management Skills

<Insert Company> and partners have proven and practised skills in getting things done right, on time, every time. This can be attributed to the training provided to them and the experience built up over several projects. Time management, effective communication, delegation and efficient organization skills are among their strengths.

People Management Skills & Change Management

All organizations are different and, more so, the people working within the organization. Our consultants have been trained to bring many heads together at a table and arrive at the most efficient and effective solution. All of them are trained in cultural sensitivity, possess multi-language skills and have been catalysts of teamwork even in the most difficult situations.

All <INSERT COMPANY> associates share pride in our company and dedication to its goals. We focus on our clients’ needs and are committed to delivering quality products and services in our clients’ pursuit of excellence.

11. Terms and Conditions

I. Termination of the contract. The client may terminate the contract by paying for all services received up to that point, through written notice at least 7 days prior to the next scheduled activity date. The contract would be deemed terminated should there be a material breach of agreement by the client.

II. <INSERT COMPANY> liability. <INSERT COMPANY> is not responsible for any loss or damage while undertaking the assignment at the client site, except to the extent resulting from negligence or deliberate misconduct by <INSERT COMPANY> professionals. In the event of damage or loss incurred by the client as a result of negligence or deliberate misconduct by <INSERT COMPANY> professionals, <INSERT COMPANY>’s maximum liability shall be limited to the amount of the professional fees paid by the client.

III. Billing. Invoices shall be raised for professional services rendered and are payable within seven (7) days of receipt of invoice. The entire amount will be payable in Malaysian Ringgit (RM). Any amount not paid within 30 days of the date of invoice may be subject to an additional fee of 2% per month on the invoice amount. All cheque / draft payments are to be in favour of ‘<INSERT COMPANY>’.

IV. Alterations. The clauses of the Agreement can be modified or altered only through communication exchanged between the two parties in writing. Such communication giving effect to the changes shall be read together with the agreement to incorporate any such changes.


V. Indemnity. The client will indemnify and hold harmless <INSERT COMPANY> and its professionals from any liabilities, damages and expenses (including reasonable attorney’s fees) resulting from, relating to, or arising out of the misuse or alleged misuse by the client of any registration, certificate, logo or mark of conformity provided by <INSERT COMPANY> pursuant to this agreement.

VI. Validity of the prices. This price offer is valid for acceptance for sixty days from the date of submission.

VII. Force Majeure. Neither party will be deemed in default of this agreement to the extent that the performance of its obligations or attempts to cure any breach are delayed or prevented by reason of force majeure, such as acts of God, fire, flood, earthquake, acts of government and the like, provided that such party gives the other party written notice thereof promptly and, in any event, within fifteen (15) days of discovery of such delay or prevention, and uses its best efforts to continue to perform its obligations or cure any breach.

VIII. Governing Laws. This agreement shall be governed by, and construed in accordance with, the substantive laws of Malaysia. All claims arising out of this agreement shall be decided solely and exclusively by binding arbitration, which shall be conducted in accordance with the rules of the Malaysian legal system.

IX. Confidentiality. <INSERT COMPANY> agrees that it shall hold all Confidential Information in confidence and shall take all reasonable steps to safeguard the Confidential Information including, without limitation, those steps that it takes to protect its own Confidential Information of a similar nature.

<INSERT COMPANY> shall not disclose or otherwise provide any Confidential Information to any third party without the prior written consent of <INSERT COMPANY>. A Non-Disclosure Agreement can be signed to this effect if need be.

<INSERT COMPANY> agrees to limit its internal disclosure of Confidential Information to only those of its employees or contractors who are bound by confidentiality agreements prohibiting further disclosure of the Confidential Information.

Appendix 1

Documents required in certifying ISO 27001

No. | Document | Control Section | Requirement
1 | Assets Register | 4.2.1 (d) 1 to 4 | Identify risks
2 | Risk Register & Risk Assessment Report | 4.2.1 (d) 1 to 4 | Identify risks
3 | Risk Treatment Plan | 4.2.1 (d) 1 to 4 | Identify risks
4 | Statement of Applicability | 4.2.1 (d) | Prepare a Statement of Applicability
5 | Internal audit procedure | 4.2.3 (e) | Conduct internal ISMS audits at planned intervals (see 6)
6 | ISMS Policy and Objectives | 4.3 | Documentation requirements
7 | Scope of ISMS | 4.3 | Documentation requirements
8 | Procedures & Controls in support of ISMS | 4.3 | Documentation requirements
9 | Documentation Controls | 4.3.2 | Control of documents
10 | Quality Records | 4.3.2 | Control of records
11 | Management Review | 5.1, 7 | Management commitment; Management review of the ISMS
12 | Corrective Action & Preventive Action | 8.1, 8.2, 8.3 | Continual improvement; Corrective Action; Preventive Action

Appendix 2

Implementation Process Flow – ISO 27001


COMMERCE DOT COM

PRIVATE & CONFIDENTIAL

IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS TO

ATTAIN ISO 27001 CERTIFICATION

Version 1.1

Date: 11 August 2008


ISO 27001 PROPOSAL - Appendix 4

ACTION PLAN FOR TASKS

(Schedule grid: Month 1 to Month 4, each divided into Week 1 to Week 4)

MILESTONE 1 (Preparation)

- Collection of Documents
- Documents review by EXTOL
- Gap Analysis - Thorough
- Gap Analysis Report Briefing and Discussion and ISO27001 Awareness Training
- Forming Task Force Groups and assigning Responsibilities

MILESTONE 2 (Definition based on gaps identified)

- Prepare Detailed Action plan assigning responsibilities to address gaps
- Revising the existing process to address gaps identified (Inclusive of preparation, Review and Rework)
- Roll out of revised process
- Conducting briefing for relevant stakeholders on the revised process and process areas

MILESTONE 3 (Process Implementation and Institutionalization)

- Process Orientation and Hand Holding on revised process
- Monitoring of implementation activities
- Internal Audit Training
- Internal Audit
- Fine-Tuning and preparation
- SIRIM Stage 1 Audit
- Addressing gaps based on action items of SIRIM Stage 1 Audit

MILESTONE 4 (ISO 27001 Certification) - Stage 1 Audit (Dates to be confirmed with SIRIM)

- Implementation check
- Action Items and Preparation for Certification
- Addressing gaps based on action items identified
- Readiness Review
- SIRIM Stage 2 Audit (Final)

OVERALL SCHEDULE ON CONFORMING ISMS: Month 1, Month 2, Month 3, Month 4

TABLE OF CONTENTS

1 Introduction 18

2 Instruction for Prospective Participants 18

3 General Terms and Conditions 20

Appendix A: Scope of Work and Evaluation Criteria 23

Appendix B: Schedule of Prices 30

Appendix C: Prospective Participants Particulars


Introduction

Requirements

Prospective Participants (PP) are invited to provide consultancy services for the implementation of an ISO27001 Information Security Management System (ISMS) for COMMERCE DOT COM (CDC).

ISMS has been chosen as the framework for information security governance as well as improving information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC.

The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

5. Review of the existing CDC information security framework including policies and processes in accordance with the ISO 27001 standard

6. Enhancement of the existing CDC information security framework including policies and processes in accordance with the ISO 27001 standard

7. Provide consultancy in the development and implementation of the ISMS in accordance with ISO 27001 and to achieve certification


8. Equip CDC personnel with knowledge and expertise in the requirements of

Page 18 of 22


Appendix E – Project Team Structure


CONSULTING TEAM (roles shown in the team structure chart)

Project Head
Lead Consultant
Doc Associate
Secretariat
Relief Consultant


Appendix 4

ACTION PLAN FOR TASKS

OVERALL SCHEDULE ON CONFORMING ISMS: Month 1 to Month 4, each divided into Week 1 to Week 4.

Task                                                                   # Days

MILESTONE 1 (Preparation)
  Collection of Documents                                                   5
  Documents review by EXTOL                                                 5
  Gap Analysis - Thorough                                                   5
  Gap Analysis Report Briefing and Discussion and ISO27001
    Awareness Training                                                     10
  Forming Task Force Groups and assigning Responsibilities                  5

MILESTONE 2 (Definition based on gaps identified)                          30
  Prepare Detailed Action Plan assigning responsibilities to
    address gaps                                                           10
  Revising the existing process to address gaps identified
    (inclusive of preparation, review and rework)                          10
  Roll out of revised process                                               5
  Conducting briefing for relevant stakeholders on the revised
    process and process areas                                               5

MILESTONE 3 (Process Implementation and Institutionalization)              30
  Process Orientation and Hand Holding on revised process                   5
  Monitoring of implementation activities                                  10
  Internal Audit Training                                                   5
  Internal Audit                                                            5
  Fine-Tuning and preparation                                              10
  SIRIM Stage 1 Audit                                                       5
  Addressing gaps based on action items of SIRIM Stage 1 Audit             10

MILESTONE 4 (ISO 27001 Certification) - Stage 1 Audit
  (dates to be confirmed with SIRIM)                                       50
  Implementation check                                                      5
  Action Items and Preparation for Certification                            5
  Addressing gaps based on action items identified                          5
  Readiness Review                                                          5
  SIRIM Stage 2 Audit (Final)                                              20


MILESTONES: TARGET

1 - Preparation: Month 1
2 - Definition based on gaps identified: Month 2
3 - Process Implementation and Institutionalization: Month 3
4 - ISO 27001 Certification (Stage 1 Audit): Month 4
SIRIM Stage 2 Audit (Final): after completion of the Stage 1 Audit

Note: the schedule excludes public holidays.