CyberSecurity Malaysia’s core values are trusted, impartial and proactive.

CyberSecurity Malaysia understands the importance of impartiality when performing MS ISO/IEC 27001 certification activities. CyberSecurity Malaysia manages potential conflicts of interest and ensures objectivity in its MS ISO/IEC 27001 certification activities. CyberSecurity Malaysia has developed and implemented procedures in compliance with the requirements of MS ISO/IEC 17021 and MS ISO/IEC 27006.

The Scheme Manager is responsible for conducting certification services in compliance with the certification body's policy and procedures. CyberSecurity Malaysia declares that it does not take part in any consulting activities regarding the development and implementation of information security management systems based on MS ISO/IEC 27001.

There is not, nor shall there be, any pressure of any kind (financial, trade, administrative, moral or other) on the Scheme Manager and the personnel regarding the execution of their obligations as a certification body according to MS ISO/IEC 17021 and MS ISO/IEC 27006.

CyberSecurity Malaysia identifies, analyzes and documents all possible conflicts of interest that emerge from certification processes. The presence of a relationship does not necessarily place the certification body in a conflict of interest. If any relationship poses a threat to impartiality, CyberSecurity Malaysia documents the threat and eliminates or reduces it. This information is presented to the Management Board. All possible sources of conflict of interest must be covered, regardless of their origin.

CyberSecurity Malaysia requires all employees to comply with the impartiality rules as well as with all other procedures and requirements. The certification body shall not undertake any action that threatens impartiality and/or constitutes a potential conflict of interest.

When a relationship creates an unacceptable threat to impartiality, the certification will not be conducted. The certification body does not and shall not certify another certification body for its MS ISO/IEC 27001 certification activities.

CyberSecurity Malaysia will not allow, in any way, activities that constitute a conflict of interest, such as advertising or providing MS ISO/IEC 27001 consultation services.

CyberSecurity Malaysia will take corrective action against inappropriate claims by any consulting organization that certification will be simpler, quicker or cheaper if that consulting organization is used, since such claims constitute a conflict of interest.

CyberSecurity Malaysia does not, and shall not in future:

  • certify companies (if there are such companies) or organizations that are part of CyberSecurity Malaysia.
  • provide internal audits to its certified clients. CyberSecurity Malaysia will not certify an MS ISO/IEC 27001 information security management system for which it has conducted internal audits within the last two years.
  • provide certification services to a customer when the relationship between a consulting company and the certification body could lead to a threat to impartiality.
  • receive any financial support other than grants provided by the Malaysian government and revenue from the sale of its services.
  • pay any commissions to consultants; therefore, no pressure can be exercised on the certification body by consultants.
  • allow any pressure from other certification bodies to influence the certification process in the organization. If another certification body declines to provide a service to a customer and the customer requests the same service from CyberSecurity Malaysia, CyberSecurity Malaysia will investigate the reasons for the refusal before performing any certification activities for that client. In all cases CyberSecurity Malaysia will not allow any pressure from partners and others if the client is in compliance with the applicable documents and procedures.
  • allow pressure from customers and/or consulting organizations. If there is such pressure, CyberSecurity Malaysia will apply the requirements of MS ISO/IEC 17021 and its internal procedures in order to stop such practice.
  • allow pressure from employees and/or related persons. The certification body's procedures guarantee that no preferential service of any kind is provided.

CyberSecurity Malaysia shall undertake any necessary action against all threats to the independence and impartiality of the certification body.

CyberSecurity Malaysia shall manage conflicts of interest and ensure the objectivity of its ISO/IEC 27001 certification activities.

CyberSecurity Malaysia shall ensure that all certification body personnel, whether internal or external, and all committees that could influence the certification activities act impartially.

CyberSecurity Malaysia shall not allow commercial, financial or other pressures to compromise impartiality.

CyberSecurity Malaysia shall identify and evaluate individual personnel who have previously provided consultancy services to a client, or who have been associated with an organisation that had previous involvement with the client, including those acting in a managerial capacity. Such individuals shall not be assigned certification-related responsibilities and tasks for that client if they have been involved within the last two years, since this could compromise impartiality.

CyberSecurity Malaysia shall require personnel, internal and external, to reveal any situation known to them that may present them or the certification body with a conflict of interest, and shall use this information to identify potential threats to impartiality arising from the activities of such personnel or from the organizations that employ them.

CyberSecurity Malaysia shall not use personnel, internal or external, unless they can demonstrate that there is no conflict of interest.

CyberSecurity Malaysia shall take action to respond to any threats to its impartiality, which include the following:

  • Self-interest threats: threats that arise from a person or body acting in their own interest. A concern related to certification, as a threat to impartiality, is financial self-interest.
  • Self-review threats: threats that arise from a person or body reviewing work done by themselves. Auditing the ISO/IEC 27001 information security management system of a client to whom the certification body has provided ISO/IEC 27001 consultancy would be a self-review threat.
  • Familiarity (or trust) threats: threats that arise from a person or body being too familiar with or trusting of another person instead of seeking audit evidence.
  • Intimidation threats: threats that arise from a person or body having a perception of being coerced, openly or secretly, such as a threat of being replaced or reported to a supervisor.