Japan International Cooperation Agency

Project News

2021-03-08

Training on ISO/IEC 27000 Family


For five days from March 8 to 12, 2021, nine AIS staff members attended the intensive training on the ISO/IEC 27000 family.

The ISO/IEC 27000 family is a series of international standards documents that provide a system and best practices for the management, risk and control of information security, called an Information Security Management System (ISMS).

An ISMS is used by companies, government agencies, and other organizations to ensure their own information security. With an ISMS, information security is treated as part of an organization's risk management, and the goal is to maintain a balance between the confidentiality, integrity, and availability of information and to manage risks appropriately.

The training provided an overview of the ISO/IEC 27000 series, concentrating particularly on ISO/IEC 27001 (ISMS requirements) and ISO/IEC 27002 (ISMS implementation methods). In addition, to ensure that the course did not end with classroom lectures, the following desk exercises were conducted. By practicing specific risk management and security measures for their own organization, the trainees were able to learn how to apply the ISO/IEC 27000 series in a realistic way.

  • Formulation of information security policy
  • Listing of assets and security level settings
  • Identifying information security risks of assets
  • Risk assessment
  • Setting information security goals for the department and planning how to achieve them
  • Defining a set of metrics and measurements to help monitor, analyze, and evaluate the ISMS
  • Determining which security controls their organization does and does not have in place
  • Selecting controls to reduce the level of risk
  • Estimating the residual risk after selecting controls to reduce the level of risk

In Viet Nam, not only ISO/IEC 27001 but also other domestic standards on security are being established and operated in accordance with international standards. The AIS is also in charge of managing its own security risks and assisting other organizations in applying ISMS. It is therefore expected that the deeper understanding of the ISO/IEC 27000 series gained by the trainees who participated in this training will lead to the enhancement of risk management and information security not only for the AIS itself but also for the related departments within the Ministry of Information and Communication and the supporting organizations and companies.
