
Doc Ref: CS/021/KC

CONSULTING SERVICES PROPOSAL ON ISO27001


(INFORMATION SECURITY MANAGEMENT SYSTEM) TO

Information Classification Label

Classification (Red / Orange / Yellow / Blue / Green): Blue 3
Controller: KC Wong / Yantie
Author: Rodney Especkerman
Document Ref: CS/021/KC
Expiry Date: 31 September 2008
Upon Expiry: Evergreen / Destroy / Public Review
Company: <Insert Company>
Published Date: 29-8-2008

RESTRICTED DOCUMENT!
This document contains highly sensitive information! Contained within this document are proposed countermeasures and descriptions of risks pertaining to <INSERT COMPANY> Group. Unauthorized use and dissemination of this information can be detrimental to the security and operations of <INSERT COMPANY> Group. Each copy of this document is individually registered. If additional copies are required, please contact Rahayu Binti Lop at koonchoon.wong@<Insert Company>corp.com. Any unauthorized distribution and reproduction is illegal, and any person or persons found committing such activities will be prosecuted to the fullest extent of the law.

By proceeding to read the remainder of this document, you are agreeing to the above-mentioned terms and conditions. If you do not agree to those terms and conditions, please return this document to the document controller immediately.

Confidentiality Notice

This document may contain secret and sensitive information which, if improperly disclosed, may have a significant negative impact on the operations of the stakeholders. This is a classified document with restricted distribution. By reading this document, or being in possession of this document, you have agreed to all the conditions and prerequisites of the confidentiality terms as described in http://www.<Insert Company>.com.my/confidentiality_terms.htm. If you do not agree with the terms and conditions set forth, return the document to the address stated below or destroy the document immediately. Accessing privileged information without proper authorization may result in legal and/or criminal prosecution.

Copyright Info

<INSERT COMPANY> Group. All Rights Reserved. Printed in Malaysia.

Disclaimer

<INSERT COMPANY> Group has prepared this document as a reference or guideline. The information contained herein is protected by copyright. No part of this document may be reproduced, translated, or transmitted in any form or by any means, electronically, mechanically or chemically, without prior written permission from <INSERT COMPANY> Group. <INSERT COMPANY> Group shall not be liable for technical or editorial errors or omissions contained herein, nor for incidental or consequential damages resulting from the furnishing, performance, or use of this document. <INSERT COMPANY> Group reserves the right to revise this document and to make changes in the content hereof without notice. This document is published by <Insert Company> Group without any warranty. Improvements and changes to this document necessitated by typographical errors, inaccuracies, or improvements to programs may be made by <Insert Company> Group at any time and without notice. Such changes will, however, be incorporated into new editions of this document.

Revision History

Version Number: 0    Date: 29-8-2008

Document Ref.: <enter document reference here>
Date: 29-8-2008
Total number of pages: 11
Control and Publisher's Address: <insert Company Address>

Table of Contents

Background and Objectives ............................................. 5
Benefits ............................................................. 5
Deliverables ......................................................... 6
Value Added Services ................................................. 6
Forensic Readiness ................................................... 6
Total Project Commitment ............................................. 7
Training Certificates ................................................ 7
Support Capabilities ................................................. 7
Key Milestones and Duration .......................................... 8
Resource Requirement ................................................. 8
Company Overview ..................................................... 9
ISO Profile .......................................................... 9
Terms and Conditions ................................................. 10
Appendix 1: Document Required in Certified ISO 27001 ................. 12
Appendix 2: Implementation Process Flow ISO 27001 .................... 13
Appendix 3: Answer to Request for Proposal
Appendix 4: CV

ISO 27001 CONSULTATION PROPOSAL

1. Background and Objectives:

Commerce Dot Com (hereinafter referred to as CDC), <insert description of CDC>. CDC is seeking consulting services to develop, and finally be certified to, ISO 27001, the Information Security Management System standard (also known as ISMS). <Insert Company> is an ICT security solutions provider offering one-stop, end-to-end solution services encompassing all aspects of ICT security, including managed security solutions, implementation and consultancy. <INSERT COMPANY> is seeking to offer its services to CDC to achieve its objective of conforming to the ISMS. ISMS has been chosen as the framework for information security governance as well as for improving the information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC. The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

1. Review of the existing CDC information security framework and data center, including policies and processes, in accordance with the ISO 27001 standard

2. Enhancement of the existing CDC information security framework and data center, including policies and processes, in accordance with the ISO 27001 standard

3. Provide consultancy in the development and implementation of ISMS in accordance with ISO 27001 and to achieve certification

4. Equip CDC personnel with knowledge and expertise in the requirements of implementing ISO 27001 ISMS by end of 2008.

<INSERT COMPANY> is submitting a proposal to assist CDC in its drive towards information security. The objective of this program is to assist CDC's IT Governance & QA Department in gap analysis, consulting and documentation, and internal audit training, to enable CDC to comply with the requirements of ISO 27001. The consulting services for the project shall be within a period of 4 months upon execution of the contract.

2. Benefits:

ISO 27001:
- Improves Management Understanding of the Value of Organizational Information
- Customer Confidence, Satisfaction and TRUST
- Business Partner Confidence, Satisfaction and TRUST (e.g. Handling Sensitive Information of Customers & Business Partners)
- Level of Assurance in Organizational Security & QUALITY
- Conformance to Legal and Regulatory Requirements
- Organizational Effectiveness of Communicating Security Requirements
- Employee Motivation and Participation in Security (Best Practices)
__________________________________________________________________________ Page 5

- Organizational Profitability
- Management and Handling of Security Incidents
- Ability to Differentiate Organization for Competitive Advantage
- Organizational Credibility & Reputation
- Certification Demonstrates Commitment
- Continuous Improvement
- Preparedness for Independent Review
- Measure Against Best Practice
- Certification Provides Means to Benchmark
  o Industry & Competitors
  o Business Partners
  o Customers
- Increased Level of Certainty

The scope of this proposal: <INSERT COMPANY> will perform and/or shall cover the following activities for CDC:
- Gap Analysis
- Internal Audit Training
- Consulting, Guides and Documentation

3. Deliverables:

The following will be some of the key deliverables that will be facilitated by <INSERT COMPANY> for this project:

- Conduct initial assessment and need-gap analysis to identify key process improvement areas
- Guides on documenting the system
- Guide implementation
- Internal Audit Training
- Set of training materials for the CDC QA team to train internal staff

As a value-added service to CDC, <INSERT COMPANY> will be present during the appraisal to assist CDC. <INSERT COMPANY> will facilitate the Internal ISMS Audit trainings, orientation and workshops for CDC. <INSERT COMPANY> together with the CDC team shall accomplish this project within four (4) months, provided CDC gives maximum support and commitment to <INSERT COMPANY> towards achieving the ISO 27001 certification.

4. Value Added Services:

To ensure that <INSERT COMPANY> provides the highest quality of service possible to its clients, it commits to extend the following value added services to CDC.


The proposal will hold should the implementation be delayed for any reason; <INSERT COMPANY> will not charge any additional amount to the client. However, if there is additional service requested by CDC beyond the scope stated in this proposal, <INSERT COMPANY> shall render a separate proposal with separate costing addressing those needs and requests. <INSERT COMPANY> believes that there should not be any hidden costs attached to the proposal.

To strive for the best for CDC, <INSERT COMPANY> will furnish our consultant to be present to assist CDC during the 2-day appraisal period by SIRIM. Our consultant will support and assist personnel from CDC to achieve a smooth process in the appraisal exercise. <INSERT COMPANY> will also facilitate, as required, training materials and presentation materials for CDC internal staff trainings.

To enhance the CDC IT department, <Insert Company> will provide an extra service of Forensic Readiness.

4.1 Forensic Readiness

In the event of any security incident, it is imperative that sufficient information is collected to allow both internal and external investigators to piece together the sequence of events. This is done mostly by investigating log files. <Insert Company> will review the current log collection facilities for critical systems within CDC and determine whether the logs are adequate to the task of a forensic investigation should the need arise. This will also cover the testing of log backups, as forensic investigations are typically conducted on data that is offline.

Another important aspect of forensic readiness is the allocation of resources to facilitate a forensic investigation by either internal or external parties. Documents such as Non-Disclosure Agreements, Evidence Collection and Evidence Storage Forms should already be in place. Forensic tools need to be set aside and checked periodically for functionality.

Access cards to track the movement of external investigators can also be set aside and held securely by the Quality Assurance or Audit department. Last but not least, as speed is of the essence in piecing together a forensic investigation, a quick awareness campaign will be conducted to ensure that all CDC staff are aware of whom to call in the event of a suspected security incident. Proper escalation procedures to internal investigators need to be in place, and detailed documentation of contacts at the relevant services required by investigators, such as Internet Service Providers, Law Enforcement, 3rd Party Vendors, Auditors and Legal Advisors, is crucial as well. The Forensic Readiness service will cover these areas, measuring how much CDC already has in place and filling in the gaps where necessary in order for CDC to be forensic ready.

5. TOTAL PROJECT COMMITMENT

<INSERT COMPANY> will make available resources to assist the personnel of CDC in assuring ISO 27001 appraisal and certification under the leadership of <INSERT COMPANY>. Rodney is a qualified lead auditor for ISMS (ISO 27001) and for QMS (ISO 9001) processes. Presently, he is actively involved in WG1 (Working Group 1), which contributes to the ISO charter located in Geneva. This working group is under the leadership of SIRIM and meets monthly. There will also be one document associate (DA) on site until completion of the necessary documents. Apart from the DA, another consultant will also be on site for 2-3 days a week until certification. Access will be provided to the client to <INSERT COMPANY>'s learning materials such as books, manuals, etc. as needed during the consultation period. <INSERT COMPANY> will also take the lead in the handling of

activities designed to promote ISO 27001 within CDC, which has been included as part of the value added services. <INSERT COMPANY> together with the CDC team shall accomplish this project by the end of December 2008, with all necessary documentation and implementation of the Information Security Management System in place, complying with ISO 27001, with forensic readiness, and ready for recommendation for certification, provided CDC gives maximum support and commitment to <INSERT COMPANY> towards achieving the ISO 27001 initiative.

6. TRAINING CERTIFICATES

Internal Audit Training Certificates shall be given by <INSERT COMPANY> to the attendees of the training after its completion.

7. SUPPORT CAPABILITIES

<INSERT COMPANY> understands that support mechanisms are necessary to effectively implement a project and monitor its implementation progress to ensure the success of the project; hence the following support mechanisms, specifically for the ISMS set-up, may be added where applicable after an evaluation of the gap analysis of CDC:

Relief Consultants

The proposed project team is carefully selected with full consideration of a ready back-up of Relief Consultants: capable and qualified consultants able to handle ISO 27001 projects, who are primarily assigned as Secretariat and will, among others, maintain and trouble-shoot and, when applicable, assist in the documentation of processes. Their secondary function includes, only when necessary, relieving other consultants who, under inevitable circumstances, may not be available during prescheduled visits or other activities.

A document associate (DA) will be stationed at site to assist in the production of the necessary documents that will be needed for certification. The DA will be at site for at least 1 month until all documents are completed.

8. Key Milestones and Duration

Refer to the appendix.
9. Resource Requirements

During the conduct of the trainings, the client will arrange for the following:
- Training Rooms in CDC Premises
- Reproduction of course / training material only (if needed)
- Hiring equipment (TV/VCR/OHP etc.), if needed
- LCD and Data Projection System (laptops provided by <Insert Company>)
- Any other such infrastructural arrangements as required (if any)

During the whole duration of the project, CDC shall provide the resources listed below to facilitate the consulting, training and assessment activities:
- Computers for use of consultants and lead assessors (for creation of CDC documents only)


- Network Connection and Internet Access Facility (during on-site work for printing of documents related to ISMS implementation). <INSERT COMPANY> will seek prior permission from the CDC ISMS representative if it requires Network Access for downloading consultant emails and information from the <INSERT COMPANY> Server.
- Server Space (for storage of CDC documents)
- Office Space for consultants, assessors and trainers (during on-site work)
- Telephone facility

10. Company and Partner Overview

<INSERT COMPANY> has a partnership with a consultation company which is a management systems solutions provider with a combined experience of over 9 years in the Philippines, Malaysia, Singapore, China and India.

Our capabilities are guided by a K-CAT business model:

Through on-site consulting, assessments, and training, proven methods that have certified more than 200 organizations in Asia against international standards, we teach our clients how to effectively manage knowledge so that it is optimized to their advantage. Our international network of 32 full-time consultants, assessors, and trainers, 12 of whom have handled information technology and communications-related projects, is multi-cultural and speaks a combination of seven (7) major languages. With an Information Technology Department among 4 other departments, one of our strengths is the ability to provide innovative products and services, full service support, and cutting-edge solutions that fully complement our partners' needs. Through this capability, we have developed several multi-media, fully interactive computer-based training (CBT) software programs. One has been fully funded by EuropeAid, a European Commission initiative, and all three (3) are currently endorsed and promoted by Malaysia's SIRIM Berhad and Product Safety and Management Board, and marketed in 3 languages in Malaysia, Philippines, Singapore, China, India, Thailand, Indonesia, Vietnam, Japan, and Brazil.

10.1 ISO Profile


Our staff is comprised of highly qualified individuals with proven expertise and practical experience.

Technical Knowledge

<Insert Company> and partners have sound knowledge of, and associated training experience and skills in, ISO 27001, ISO 9001, CMMI, SDLC Development, IT Project Management, Software Engineering, Assessment Techniques and some related Soft Skills.

Project Management Skills

<Insert Company> and partners have proven and practised skills in getting things done right, on time, every time. This can be attributed to the training provided to them and the experience built up over several projects. Time management, effective communication, delegation and efficient organization skills are some of their strengths.

People Management Skills & Change Management

All organizations are different and, more so, the people working within the organization. Our consultants have been trained to bring many heads together around a table and come up with the most efficient and effective solution. All of them are trained in cultural sensitivity, possess multilanguage skills and have been catalysts of teamwork even in the most difficult situations. All <INSERT COMPANY> associates share pride in our company and dedication to its goals. We focus on our clients' needs and are committed to delivering quality products and services for our clients' pursuit of excellence.

11. Terms and Conditions

I. Termination of the contract. Client may terminate the contract by paying for all services received up to that point, through a written notice at least 7 days prior to the next scheduled activity date. The contract would be deemed terminated should there be a material breach of agreement by the client.

II. <INSERT COMPANY> liability. <INSERT COMPANY> is not responsible for any loss or damage while undertaking the assignment at the client site except to the extent resulting from negligence or deliberate misconduct by <INSERT COMPANY> professionals. In the event of damage or loss incurred by the client as a result of negligence or deliberate misconduct by <INSERT COMPANY> professionals, <INSERT COMPANY>'s maximum liability shall be limited to the amount of the professional fees paid by the client.

III. Billing. Invoices shall be raised for professional services rendered and are payable within seven (7) days upon receipt of invoice. The entire amount will be payable in Malaysian Ringgit (RM). Any amount not paid within 30 days of the date of invoice may be subject to an additional fee of 2% per month on the invoice amount. All cheque / draft payments are to be in favor of <INSERT COMPANY>.

IV. Alterations. The clauses of the Agreement can be modified or altered only through communication exchanged between the two parties in writing. Such communication giving effect to the changes shall be read along with the agreement to incorporate any such changes.

V. Indemnity. The client will indemnify and hold harmless <INSERT COMPANY> and its professionals from any liabilities, damages and expenses (including reasonable attorneys' fees) resulting from, relating to, or arising out of the misuse or alleged misuse by the client of any registration, certificate, logo or mark of conformity provided by <INSERT COMPANY> pursuant to this agreement.

VI. Validity of the prices. This price offer is valid for acceptance until sixty days from the date of submission.

VII. Force Majeure. Neither party will be deemed in default of this agreement to the extent that the performance of its obligations or attempts to cure any breach are delayed or prevented by reason of force majeure, such as acts of God, fire, flood, earthquake, acts of government and the like, provided that such party gives the other party written notice thereof promptly and, in any event, within fifteen (15) days of discovery of such delay or prevention, and uses its best efforts to continue to perform its obligations or cure any breach.

VIII. Governing Laws. This agreement shall be governed by, and construed in accordance with, the substantive laws of Malaysia. All claims arising out of this agreement shall be decided solely and exclusively by binding arbitration, which shall be conducted in accordance with the rules of the Malaysian legal system.

IX. Confidentiality. <INSERT COMPANY> agrees that it shall hold all Confidential Information in confidence and shall take all reasonable steps to safeguard the Confidential Information including, without limitation, those steps that it takes to protect its own Confidential Information of a similar nature. <INSERT COMPANY> shall not disclose or otherwise provide any Confidential Information to any third party without the prior written consent of <INSERT COMPANY>. A Non-Disclosure Agreement can be signed to this effect if need be. <INSERT COMPANY> agrees to limit its internal disclosure of Confidential Information to only those of its employees or contractors who are bound by confidentiality agreements prohibiting further disclosure of the Confidential Information.


Appendix 1

Documents required in certifying ISO 27001

No.  Document                                   Control               Section
1    Assets Register                            4.2.1 (d) 1 to 4      Identify risks
2    Risk Register & Risk Assessment Report     4.2.1 (d) 1 to 4      Identify risks
3    Risk Treatment Plan                        4.2.1 (d) 1 to 4      Identify risks
4    Statement of Applicability                 4.2.1 (d)             Prepare a Statement of Applicability
5    Internal audit procedure                   4.2.3 (e)             Conduct internal ISMS audits at planned intervals (see 6)
6    ISMS Policy and Objectives                 4.3                   Documentation requirements
7    Scope of ISMS                              4.3                   Documentation requirements
8    Procedures & Controls in support of ISMS   4.3                   Documentation requirements
9    Documentation Controls                     4.3.2                 Control of documents
10   Quality Records                            4.3.2                 Control of records
11   Management Review                          5.1; 7                Management commitment; Management review of the ISMS
12   Corrective Action & Preventive Action      8.1; 8.2; 8.3         Continual improvement; Corrective Action; Preventive Action

Appendix 2

Implementation Process Flow ISO 27001


COMMERCE DOT COM

PRIVATE & CONFIDENTIAL

IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEMS TO ATTAIN ISO 27001 CERTIFICATION

Version 1.1 Date: 11 August 2008


ISO 27001 PROPOSAL

Appendix 4

ACTION PLAN FOR TASKS

MILESTONE 1 (Preparation)
- Collection of Documents
- Documents review by EXTOL
- Gap Analysis - Thorough
- Gap Analysis Report
- Brief Awareness Training
- Forming Task Force Group

TABLE OF CONTENTS

Value Added Services ................................................. 6
1. Background and Objectives: ........................................ 5
2. Benefits: ......................................................... 5
3. Deliverables: ..................................................... 6
4. Value Added Services: ............................................. 6
5. TOTAL PROJECT COMMITMENT .......................................... 7
6. TRAINING CERTIFICATES ............................................. 8
7. SUPPORT CAPABILITIES .............................................. 8
8. Key Milestones and Duration ....................................... 8
9. Resource Requirements ............................................. 8
10. Company and Partner Overview ..................................... 9
10.1 ISO Profile ..................................................... 9
11. Terms and Conditions ............................................. 10
Introduction ......................................................... 18
Requirements ......................................................... 18
Appendix E Project Team Structure .................................... 20

Introduction

Prospective Participants (PP) are invited to provide consultancy service for the implementation of ISO27001 Information Security Management System (ISMS) for COMMERCE DOT COM (CDC). ISMS has been chosen as the framework for information security governance as well as improving information security risk posture. The consultancy service shall lead to a successful ISO certification for CDC.

Requirements

The major scope of this solicitation encompasses four (4) major tasks. The major tasks are as follows:

1. Review of the existing CDC information security framework including policies and processes in accordance with the ISO 27001 standard

2. Enhancement of the existing CDC information security framework including policies and processes in accordance with the ISO 27001 standard

3. Provide consultancy in the development and implementation of ISMS in accordance with ISO 27001 and to achieve certification

4. Equip CDC personnel with knowledge and expertise in the requirements of implementing ISO27001 ISMS by end of 2008.

Appendix E Project Team Structure

CONSULTING TEAM
- Project Head
- Secretariat
- Lead Consultant
- Doc Associate
- Relief Consultant
