IITS strengthens information security management with ISO/IEC 27001:2013 certification

By the SMU Corporate Communications team

Integrated Information Technology Services (IITS) was presented with the ISO/IEC 27001:2013 certificate in an award ceremony on 27 April 2018 for the management, operation and maintenance of its key centrally-managed IT services, which include information security, network services, systems services, database administration and data centre operations.

ISO/IEC 27001 is the de facto international standard for information security management. It adopts an overarching management process to ensure that the information security controls continue to meet the organisation's information security needs on an ongoing basis.

Mr Lau Kai Cheong, Chief Information Officer and Vice President of IITS said, “With cyber threats increasing in variety, scale, frequency and sophistication, we need to be in a better position to deal with these threats and keep SMU safe. This includes knowing how and where we stand in terms of cyber-threat preparedness. There is no better way to answer this question than to benchmark us against international standards.

“IITS is committed to protecting SMU’s data. With the joint efforts of IITS teams and great support from Office of Human Resources & Faculty Administration and Office of Campus Infrastructure and Services, we have successfully put in place an effective system that measures and ensures continuous improvement of our information security efforts and their alignment to international standards. With this internationally-acclaimed certification, SMU’s internal and external stakeholders are assured of the robustness and integrity of IT services provided by IITS. In fact, I am told that the ISO27001 certification has already been put to good use in enabling SMU Executive Development to meet the minimum contractual requirement as a data sub-processor for its clients’ data protection compliance. I am pleased that our certification has helped in advancing our relationship with our external partners”.

Caption: The award is the result of joint efforts from the dedicated teams from OCIS, OHRFA and IITS – an excellent example of cross-departmental collaboration in SMU. (L-R) Mr Sundaravadivelan Selvam, Vice-President, OCIS; IITS Project Co-Director and Project Director Ms Tang Ai Chee and Mr Calvin Chan; Mr Lau Kai Cheong, CIO & Vice-President, IITS; Mr Terence Tan, Vice-President, OHRFA; and Mr Christopher Chew, Director, Office of Corporate Communications & Marketing.

Dr Shaun Ho, Head of Operations and Administration at SMU Executive Development enthused, “With the European Union enacting the General Data Protection Regulation (GDPR) which will apply from 25 May 2018, many of our clients are preparing to comply with the GDPR. As such we have been asked to take actions to assist with and enable our clients’ GDPR compliance. IITS’s ISO 27001 certification comes timely as it is one of the minimum standards that our clients are looking for in terms of data protection and I am glad that we are able to satisfy this requirement.”

Mr Calvin Chan, Deputy Director and Head of Enterprise Infrastructure of IITS commented, “The ten-month certification journey is both demanding but enriching. It is demanding in terms of timeline and resource constraints. The certification project team is a cross-divisional team with members from the six divisions in IITS. The gruelling part is that each member has to juggle with the fortnightly and monthly project meetings, follow up on his/her project action items, while carrying out his/her other projects, deliverables or daily operational/support tasks.

“The enriching part comes later in two forms – first, in understanding the weaker areas that we can do better; and second, the high degree of team spirit displayed throughout the two-stage audit process. Everyone was aligned to the common goal of getting us certified. Even those in IITS not directly involved in the certification process kept the spirit up by cheering and encouraging us. Such family spirit is not seen in other institutions, as observed by our certification consultant.”

Mr Lau added, “Getting certified is just the beginning. Henceforth IITS need to adhere to the policies, processes, standards and best practices that we say we will do, so as to conform to the ISO27001 requirements. There will be a yearly surveillance audit with a full certification every three years. At a later phase, we will extend the scope of certification to the relevant sections of the University such as the research centres. But IITS cannot do this alone. We will need the support from the entire SMU community.”

Featured photo: Mr Lau Kai Cheong, CIO & Vice-President, IITS receiving the ISO/IEC 27001:2013 certificate from Ms Emily Liow, Vice President, Business Assurance, TÜV SÜD.