Information security underpins the organization, reliability, security and quality of the services and products that organizations rely on. Organizations in the United Arab Emirates therefore work collectively to align themselves with recognized standards. The main standards bodies include the ITU (International Telecommunication Union), the IEEE (Institute of Electrical and Electronics Engineers) and the IEC (International Electrotechnical Commission). Other standards organizations are the ISO (International Organization for Standardization) and the OIML (International Organization of Legal Metrology).
ISO maintains more than seventeen thousand standards worldwide, and countries adopt them widely, with more than one thousand new standards published every year (Cohen, 2012). In the field of information security, ISO 27001 certification is the dominant standard in the UAE.
The ISO standards help organizations by assuring the integrity and confidentiality of information, the accuracy of audits, and the security and safety of the organization. UAE universities train students on the ISO information technology standards (Richrads & Dar, 2009), and organizations can implement these standards directly. For any organization that seeks certification, however, the Emirates Authority for Standardization and Metrology (ESMA) must obtain and verify its implementation records. The case of Abu Dhabi Gas Industries Ltd in this context can guide any organization that wants to be certified.
Describing the GASCO ISO certification process helps organizations to understand the guidelines for applying for ISO 27001 certification. It is therefore important to produce knowledge that is relevant to the contemporary market by integrating IT curricula with the ISO standards (Talib, Khelifi & El-Barachi, 2011).
This report examines the ISO 27001 certification of Abu Dhabi Gas Industries Ltd (GASCO). It starts with the general United Arab Emirates IT standards and the guidelines for the ISO 27001 certification process. It then describes the PDCA (Plan, Do, Check, Act) model applied by GASCO, the planning phase of the GASCO certification, and the gap analysis of the company. Finally, it discusses the GASCO internal auditing processes and the challenges the company faced during certification, and closes with a brief conclusion on the ISO 27001 certification of Abu Dhabi Gas Industries Ltd.
The United Arab Emirates IT standards
The UAE federal standards authority, the Emirates Authority for Standardization and Metrology (ESMA), promotes the adoption of international quality and excellence standards. It was established in 2001 to strengthen the national economy through the organizations that operate in the UAE. UAE organizations, including GASCO, implement approximately two thousand of the roughly seventeen thousand available international standards (Richrads & Dar, 2009). ESMA's main role towards companies is to provide information on metrology and guidance on security-related standardization.
ESMA also supports the national economy by helping UAE corporations to meet environmental safety measures, secure trade and industry, and protect public wellbeing. Just as GASCO aspired to ISO IT certification, ESMA emphasized the field of information technology, which suited the certification bid of Abu Dhabi Gas Industries Ltd. The company targeted areas such as information assets, IT security, and IT training and education (Cohen, 2012).
Business institutions in the UAE that draw on international specialists tend to follow the global certification principles. Approximately ten percent (10%) of all organizations in the United Arab Emirates have obtained ISO 27001 certification (Richrads & Dar, 2009). Most organizations find the international standards straightforward to implement because they are effective, well crafted and widely known; as in the case of Abu Dhabi Gas Industries Ltd, the company achieved certification within a short period. The level of security awareness across the United Arab Emirates appears to be high, and even organizations that have not yet sought certification familiarize themselves with the international standards. The country applies the ISO 27001 Information Security Management System (ISMS) certification, as the case of Abu Dhabi Gas Industries Ltd shows (Richrads & Dar, 2009).
GASCO (Abu Dhabi Gas Industries Ltd)
Abu Dhabi Gas Industries Ltd aimed to build a comprehensive understanding of information security during the United Arab Emirates' adoption of standards that guarantee security. Consultation with the company's project managers and administrators on information security was therefore significant. During the consultation, the project manager explained that the ISO 27001 certification process comprised internal and external audits alongside benchmark appraisals. The ISO certification of Abu Dhabi Gas Industries Ltd followed the Plan, Do, Check, Act (PDCA) cycle, a model grounded in appraisals against the company's own benchmarks. The GASCO manager also described a detailed roadmap to the company's ISO 27001 certification, which consisted of three phases: gap analysis, implementation, and audit execution (EHS, 2010).
The first phase consisted of the Plan activities: approving a risk assessment framework, establishing security management, and defining the policies and the scope. The second phase, the Do activities, covered awareness, training and risk assessment, with the internal auditing procedures scheduled. The Check and Act activities formed the final phase, in which the company's controls were examined. The success of the GASCO ISO certification resulted from executive support, security compliance and staff awareness. The certification process nevertheless encountered challenges in employees' behaviour and their ability to accept the resulting changes in the organization (Talib, Khelifi & El-Barachi, 2011).
The company's Information Security Administrator further explained how the company decided to follow the ISO 27001 framework. Building on the manager's initial explanation, the administrator attributed the company's ISO certification to GASCO's own needs. It took GASCO only about eight months to become ISO certified: Abu Dhabi Gas Industries Ltd received its ISO 27001 certification in May 2008, a few months after the certification process began in October 2007. The company's aspiration to safeguard its information assets and improve its business practices motivated the strengthening of its ISMS. The objectives of Abu Dhabi Gas Industries Ltd were also to increase the awareness and confidence of partners, stakeholders and customers, and to improve and control the security of the organization's entire information security system (Hommes & Hommes, 2004).
The planning and implementation of the Information Security Management System (ISMS) involved more than seventy percent (70%) of the GASCO IT team. Other departments, such as General Services and Human Resources, supported the implementation. The company outsourced part of the work to Deloitte, a firm that provides financial advisory, consulting, tax and audit services. Abu Dhabi Gas Industries Ltd used Deloitte in the first phase, the risk assessment and gap analysis, to put the ISMS into practice (EHS, 2010). In explaining the roadmap to full ISO 27001 certification, the administrators emphasized the three phases, each of which involved several steps (Richrads & Dar, 2009).
The ISO 27001 certification process guidelines
To achieve ISO 27001 certification, Abu Dhabi Gas Industries Ltd carried out the gap analysis, implementation and audit execution steps. Any company or organization seeking full ISO certification must put the same steps in place, and each of the three steps involves several phases that the company must complete.
The PLAN stage (Phase one)
The gap analysis
A gap analysis is the first step in the Plan phase of the ISO certification process at Abu Dhabi Gas Industries Ltd; in GASCO's case, Deloitte was chosen to carry it out. The gap analysis compared the company's current security measures and practices against the practices required by ISO 27001, identified the gaps in the existing security controls, and set out the steps needed to close them. Once these steps are completed, GASCO improves the performance of its security schemes and meets the requirements of ISO 27001.
Abu Dhabi Gas Industries Ltd pursued several objectives in the Plan phase while seeking ISO certification: updating procedures and policies, documenting the processes in use, establishing the risk framework, and identifying information assets. Abu Dhabi Gas Industries Ltd updated its policies in line with ISO 27001; the new policies were defined after a review of the previous edition. GASCO engaged Deloitte to write its ISMS documents, including the disaster recovery plan and the ISMS policies (EHS, 2010).
Abu Dhabi Gas Industries Ltd had more than twelve IT sections in its management structure. The IT security team therefore worked with three other departments to continue writing the ISMS documents, with one or more staff from each department taking part (Purser, 2004). Each GASCO IT section has its own procedures and processes that fit the company's requirements. For instance, GASCO has procedures such as Document Change Control, Information Classification and Handling, Risk Management, and Change Control, and processes such as Information Security Incident Management, Equipment Loan, Employee Access Control and Backup, all of which supported ISO certification.
Defining policies and ISMS scope
Defining the policies and the scope of the ISMS is the second step in the first phase. The scope of the ISMS in this sense refers to its boundaries and limits. Abu Dhabi Gas Industries Ltd approved measures to organize the ISMS policy document in proportion to the corporate security policies referred to as ABC's. The company also updated the Corporate Information Security Policy ABC's and organized the ISMS document. These steps followed the definition of the ISMS scope, which covers the IT security function. To carry the work involved, GASCO's directors supported the establishment of a security section in 2005; the section started with a single member of staff and now has more than seven.
The GASCO security section
After identifying the stakeholders, defining the related security roles and responsibilities and documenting them, GASCO launched the security section. Abu Dhabi Gas Industries Ltd, with the help of ABC's IT steering committee, then initiated the Security Forum. The Security Forum held meetings on the updated security sections and on certification of the committee's findings, and agreed on the measures to be put in place for ISO 27001 certification. Abu Dhabi Gas Industries Ltd also drew up a meeting schedule after defining the Security Forum's charter and setting the review periods of the ISMS. Finally, GASCO published its endorsement of the Corporate Information Security Policy called ABC (EHS, 2010).
The risk assessments
According to EHS (2010), Abu Dhabi Gas Industries Ltd faced risks ranging from password complexity, access control and physical security to people and computer risks. The company used both quantitative and qualitative techniques to evaluate these risks; the qualitative approach involved asset assessment and interviews. GASCO carried out its risk assessment using Deloitte's methodology, which drew on Deloitte's core competencies in maintaining and implementing an Information Security Management System. The company identified the vulnerabilities, threats and information assets that could hinder the certification process and that could affect the confidentiality, integrity and availability of the company's assets.
The company then identified and evaluated the feasible treatment options for the analysed risks. For implementation, Abu Dhabi Gas Industries Ltd selected the related security controls and control objectives, obtained management approval of the remaining (residual) risks so that the ISMS programmes could proceed smoothly, and prepared a Statement of Applicability once management had completed and approved these steps.
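As an added illustration (not GASCO's or Deloitte's own methodology, and not part of the original case study), the following Python shows how a risk register that combines the qualitative scoring (likelihood against the worst C/I/A impact) and the quantitative scoring (annualised loss expectancy) described above can produce ranked treatment decisions, flag the residual risks that need explicit management acceptance, and derive the control list for a Statement of Applicability. All asset names, monetary values, likelihoods, exposure factors and control-effectiveness figures are constructed; the five risk areas are the ones named in the case study, and the control area names are the ISO/IEC 27001:2005 Annex A domains.

```python
"""Illustrative ISO 27001-style risk assessment and risk treatment plan.

Added example; not GASCO's or Deloitte's own methodology.  Asset names,
monetary values, likelihoods and control-effectiveness figures are
constructed (hypothetical).  The five risk areas come from the case
study; the control area names are the ISO/IEC 27001:2005 Annex A domains.

Qualitative scoring: likelihood (1-5) x worst C/I/A impact (1-5).
Quantitative scoring: annualised loss expectancy, ALE = AV x EF x ARO.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

RISK_APPETITE_ALE = 10_000.0  # constructed threshold above which management must sign off


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                 # 1 = rare .. 5 = almost certain
    impact: Dict[str, int]          # {"C": 1-5, "I": 1-5, "A": 1-5}
    asset_value: float              # AV, constructed monetary value
    exposure_factor: float          # EF, fraction of AV lost per incident
    aro: float                      # annual rate of occurrence
    controls: List[Tuple[str, float]] = field(default_factory=list)  # (Annex A area, effectiveness 0-1)

    def qualitative_score(self) -> int:
        """Inherent qualitative score on a 1-25 scale."""
        return self.likelihood * max(self.impact.values())

    def ale(self) -> float:
        """Inherent annualised loss expectancy."""
        return self.asset_value * self.exposure_factor * self.aro

    def residual_ale(self) -> float:
        """ALE after treatment, assuming the selected controls reduce loss independently."""
        remaining = 1.0
        for _area, effectiveness in self.controls:
            remaining *= 1.0 - effectiveness
        return self.ale() * remaining


def treatment_plan(risks: List[Risk], appetite: float = RISK_APPETITE_ALE) -> List[dict]:
    """Rank risks by inherent ALE and decide a treatment for each.

    accept   - inherent ALE already within appetite
    reduce   - selected controls bring residual ALE within appetite
    escalate - residual ALE still exceeds appetite; management must accept
               the residual risk explicitly before the ISMS proceeds
    """
    plan = []
    for r in sorted(risks, key=lambda x: x.ale(), reverse=True):
        inherent, residual = r.ale(), r.residual_ale()
        if inherent <= appetite:
            decision = "accept"
        elif residual <= appetite:
            decision = "reduce"
        else:
            decision = "escalate"
        plan.append({
            "asset": r.asset,
            "qualitative": r.qualitative_score(),
            "ale": round(inherent, 2),
            "residual_ale": round(residual, 2),
            "decision": decision,
        })
    return plan


def statement_of_applicability(risks: List[Risk]) -> Dict[str, List[str]]:
    """Map each selected Annex A control area to the assets whose risks justify it."""
    soa: Dict[str, set] = {}
    for r in risks:
        for area, _eff in r.controls:
            soa.setdefault(area, set()).add(r.asset)
    return {area: sorted(assets) for area, assets in sorted(soa.items())}


# Constructed risk register covering the five risk areas named in the case study.
REGISTER = [
    Risk("Domain user accounts", "credential guessing", "weak password complexity policy",
         4, {"C": 5, "I": 4, "A": 3}, 200_000, 0.25, 0.5,
         [("Access Control", 0.7)]),
    Risk("Plant control room", "unauthorised physical entry", "no badge-controlled door",
         2, {"C": 3, "I": 4, "A": 5}, 500_000, 0.10, 0.3,
         [("Physical and Environmental Security", 0.5)]),
    Risk("Operational procedures", "staff bypass procedure", "no change-acceptance training",
         4, {"C": 2, "I": 4, "A": 2}, 100_000, 0.30, 1.0,
         [("Human Resources Security", 0.4)]),
    Risk("Engineering workstations", "malware infection", "unpatched workstation image",
         3, {"C": 3, "I": 3, "A": 4}, 80_000, 0.50, 0.1),
]

if __name__ == "__main__":
    for row in treatment_plan(REGISTER):
        print(f"{row['asset']:<26} qual={row['qualitative']:>2} ALE={row['ale']:>9.2f} "
              f"residual={row['residual_ale']:>9.2f} -> {row['decision']}")
    for area, assets in statement_of_applicability(REGISTER).items():
        print(f"SoA: {area}: {', '.join(assets)}")
```

The point a practitioner should take from this: the qualitative score and the monetary ranking do not always agree (the password risk scores highest qualitatively, while the people risk carries the largest loss expectancy and is the one that remains above appetite after treatment), which is exactly why the residual-risk approval step precedes the Statement of Applicability rather than following it.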
The implementation or Do stage (Phase 2)
The second phase, the Implementation or Do phase, involved employee awareness, training and risk assessment, with the internal auditing scheduled.
The treatment of risk
After Deloitte completed the risk assessment phase, the security team of Abu Dhabi Gas Industries Ltd turned to developing the risk treatment plan. In this phase GASCO identified the priorities, tasks, resources and management steps appropriate for managing its information security risks. The security team focused the risk treatment plan on several security areas, and GASCO management had to build supporting documentation for the ISO 27001 information security controls. These covered Compliance, Business Continuity Management, Information Security Incident Management and Access Control, as well as Information Systems Acquisition, Development and Maintenance, Physical and Environmental Security, Communications and Operations Management, and Human Resources Security (Purser, 2004).
The GASCO IT team committed itself heavily during the pursuit of ISO 27001 certification. The IT security team designed a security awareness and training programme and defined criteria for measuring the project against the requirements of ISO 27001. During the risk treatment work the organization also began developing a Service Level Agreement (SLA) and an Operational Level Agreement (OLA). The IT sections and the GASCO information security team intended to use the OLA and the SLA for their own purposes: an OLA is an internal agreement between sections or sub-divisions of Abu Dhabi Gas Industries Ltd, whereas an SLA is an external agreement between the IT sections and the various business units.
Abu Dhabi Gas Industries Ltd developed only an SLA intended for use between the IT section and the information security stakeholders. The GASCO IT security team properly built the related ISMS documentation to help the organization achieve ISO 27001 certification.
The internal auditing
Talib, Khelifi, El-Barachi and Ormandjieva (2012) report that, according to the managing director, Abu Dhabi Gas Industries Ltd had two sources of auditing. The internal audit was based on the ISMS schedule, and the internal team performed the yearly and general audits for the entire organization. Deloitte acted as a third-party auditor and reported to Abu Dhabi Gas Industries Ltd after the general audit; it examined the performance of staff, reviewed the organizational procedures and policies, and assessed the ISMS documentation. The GASCO internal audit also helped the company to analyse vulnerabilities and faults in its operational systems through penetration testing. The internal audit was effective during ISO certification; Deloitte now audits every nine months rather than every six months as it did previously (Talib, Khelifi, El-Barachi, & Ormandjieva, 2012).
Awareness and training
All employees of Abu Dhabi Gas Industries Ltd took part in a comprehensive security awareness and training programme. GASCO used several techniques to supplement ISMS awareness among employees; presenting the ISMS developments and changes in the company helped employees see the need for certification. Management also e-mailed employees regularly and kept them informed of company activities through organized portals, and held forums to relay information to GASCO employees, including those at local offices and remote sites. Abu Dhabi Gas Industries Ltd did not, however, provide any technical training sessions to employees.
To sustain the awareness programme, the company set a series of questions after every training session to test employees' understanding of the ISMS. Staff sometimes found it difficult to accept the changes to the information security system, and the changes took more time because they altered the way particular tasks were carried out. For instance, before the ISMS, workers could simply walk into the IT section and ask the IT team to perform a task; after the ISMS was implemented, they had to go through a number of steps before the IT section could assist them (Hommes & Hommes, 2004).
The new awareness enabled GASCO to keep organizational performance on course through an improved information security system, and the employee training and awareness programme advanced the ISO 27001 certification process. Nonetheless, the company faced many obstacles related to employees' conduct: workers had trouble changing their previous behaviour, adjusting to the new state of affairs, and making the recommended changes to the information security system.
Employees later recognized the advantages of the information security changes and adapted to them, in contrast to the early period when they did not readily accept the changes as GASCO began implementing the ISMS. The company finally achieved ISO 27001 certification once employees supported management and understood the importance of information security compliance (Purser, 2004).
The audit execution or Check and Act actions (Phase 3)
According to reports, Abu Dhabi Gas Industries Ltd proceeded to implement the controls after it had monitored the Information Security Management System. GASCO then began the ISMS internal auditing process, and because it needed a third party to help conduct some of its internal audits, it chose Deloitte.
The yearly audits at GASCO were the work of Deloitte, which also checked the vulnerabilities and weaknesses of the security management system. These checks were carried out through penetration tests conducted after employees had received the awareness training. Deloitte now carries out in-house auditing at GASCO every nine months instead of every six months as before, and it offered solutions to Abu Dhabi Gas Industries Ltd after discovering non-conformities in the company's management (Talib, Khelifi, El-Barachi, & Ormandjieva, 2012).
The process of certification
As the first step of the certification programme, Abu Dhabi Gas Industries Ltd chose an external certification body: GASCO selected Lloyd's Register to carry out the company assessments. The assessment consisted of two stages, the Stage 1 and Stage 2 audits, with an intermediate step for assessing GASCO management. The first stage of the Lloyd's Register process involved examining and appraising the documentation of the information security management system. The company then addressed the non-conformities identified by the Lloyd's Register review in the external audits (Wang, 2011).
The second stage of the audit was an on-site assessment, in which comprehensive interviews confirmed staff awareness. All of these factors advanced the ISO 27001 certification of Abu Dhabi Gas Industries Ltd, and the company obtained certification rapidly through the combined effort of the GASCO workforce. The external body re-evaluates the company every three years for recertification and, following the certification of Abu Dhabi Gas Industries Ltd, conducts yearly surveillance audits.
Overall, Abu Dhabi Gas Industries Ltd provides clear guidance for ISO 27001 certification. The company's PDCA model shows that GASCO based its certification on the outcomes of its own appraisals, and to remain a certified organization it has to keep following the Plan, Do, Check and Act cycle. The planning phase of the ISO certification covered the policies and scope of the Information Security Management System; it aimed to identify the updated procedures and the policies and processes in use, and it identified the system risks and information assets.
For the gap analysis, GASCO engaged Deloitte to carry out the assessment, which worked in cycles and compared the existing security practices of Abu Dhabi Gas Industries Ltd with the practices inspired by ISO 27001. The GASCO internal auditing drew on two sources: the internal group was responsible for yearly audits, while Deloitte acted as third-party auditor for Abu Dhabi Gas Industries Ltd and performed penetration tests to determine whether the company's security system had any vulnerabilities or weaknesses. Deloitte changed its auditing schedule to every nine months instead of every six months as before.
Despite the speedy certification, Abu Dhabi Gas Industries Ltd faced a number of challenges; as the analysis above shows, employees' behaviour and their capacity to accept change affected the company (Wang, 2011).
Every organization in the global arena regards information security as a matter of concern. Applying IT standards in organizations can help management safeguard sensitive information. The certification of Abu Dhabi Gas Industries Ltd clarifies the applicability of IT standards in every segment of organizations in the United Arab Emirates, and helps organizations to recognize the future need for IT and to understand the merits and demerits of applying international standards. The GASCO ISO certification process is therefore a practical guide that any organization can use to fast-track its certification ambitions, and the approach is efficient and quick for an organization's decision making and scheduling of ISO 27001 certification.
Cohen, E 2012, Issues in informing science & information technology, Informing Science, New York. Web.
EHS 2010, 'Gasco (people and places) (Gasco affiliates LLC) (appointment of Bill Miller)', EHS Journal, vol. 3, no. 12, p. J(1). Web.
Hommes, L & Hommes, B 2004, Software metrics: a rigorous and practical approach, CRC Press, London, UK. Web.
Purser, S 2004, A practical guide to managing information security, Artech House, Norwood, MA. Web.
Richrads, S & Dar, R 2009, Standardization and classification in the UAE, Al Tamimi & Company, UAE. Web.
Talib, MA, Khelifi, A & El-Barachi, M 2011, Explanatory study on innovative use of ISO standards for IT security in the UAE, EMCI, Athens, Greece. Web.
Talib, MA, Khelifi, A, El-Barachi, M & Ormandjieva, O 2012, 'Guide to ISO 27001: UAE case study', Issues in Informing Science & Information Technology, vol. 9, no. 2, p. 331. Web.
Wang, J 2011, Information systems and new applications in the service sector: models and methods, IGI Global, London, UK. Web.