Alliance of Information Security Governance

At AiSG, our sole focus is to help our clients meet their strategic business objectives and to give companies the power to delight their customers, employees and shareholders, ensuring success through the relentless application of best practices in process, people and technology and a continual pursuit of excellence.

Everything we do has one goal—to help our customers achieve their goals.

Set up in 2012, AiSG's offerings are underpinned by internationally accepted business process and service best practices based on de facto industry frameworks and standards, namely the Information Security Management System standard ISO/IEC 27001.

We help organizations use these standards and frameworks to develop and govern information security and service quality, and to meet their strategic goals.

Our Experience

AiSG has audited, implemented, consulted and trained for over 50 leading organizations in Malaysia, providing practical implementation of and training on a variety of management systems, governance and best practices such as ISO 27001.

Managed by a team of professionals with cross-industry experience, our competencies span business, process, quality and technology.

We have served business leaders, including top companies within the country, across a broad array of industries: utilities, airlines, banking and financial services, information technology, telecommunications and government agencies. (Customer references provided upon official request.)

Our Services

Information security management system ISO/IEC 27001

  • Consultancy
  • Training/Workshop
  • Internal Audit
  • Maintenance and Review of ISMS Implementation
  • ISO/IEC 27001 Documentation
  • Business Continuity Management

Our Training Program

A) ISO/IEC 27000 Series Training

1)    ISO/IEC 27001 Information Security Management System Introduction

ISO/IEC 27001 sets out a systematic approach to managing sensitive company information so that it remains secure. It covers people, processes and IT systems by applying a risk management process.

It can help small, medium and large businesses in any sector keep information assets secure.

2)    ISO/IEC 27001 Information Security Management System Implementation

3)    ISO/IEC 27001 Information Security Management System Internal Audit

4)    ISO/IEC 27002 Code of practice for information security controls

ISO/IEC 27002 gives guidelines for organizational information security standards and information security management practices, including the selection, implementation and management of controls, taking into consideration the organization's information security risk environment(s).

It is designed to be used by organizations that intend to:

  • Select controls within the process of implementing an Information Security Management System based on ISO/IEC 27001;
  • Implement commonly accepted information security controls;
  • Develop their own information security management guidelines.

5)    ISO/IEC 27004 Information security management – Monitoring, measurement, analysis and evaluation

ISO/IEC 27004 provides guidelines intended to assist organizations in evaluating the information security performance and the effectiveness of an information security management system in order to fulfil the requirements of ISO/IEC 27001:2013, 9.1. It establishes:

  • The monitoring and measurement of information security performance;
  • The monitoring and measurement of the effectiveness of an information security management system (ISMS), including its processes and controls;
  • The analysis and evaluation of the results of monitoring and measurement.

ISO/IEC 27004 is applicable to all types and sizes of organizations.

6)    ISO/IEC 27005 Information Security Risk Management

ISO/IEC 27005 provides guidelines for information security risk management.

It supports the general concepts specified in ISO/IEC 27001 and is designed to assist the satisfactory implementation of information security based on a risk management approach.

Knowledge of the concepts, models, processes and terminologies described in ISO/IEC 27001 and ISO/IEC 27002 is important for a complete understanding of ISO/IEC 27005.

ISO/IEC 27005 is applicable to all types of organizations (e.g. commercial enterprises, government agencies, non-profit organizations) which intend to manage risks that could compromise the organization’s information security.

7)    ISO/IEC 27011 (ITU-T X.1051) Information security control guidelines based on ISO/IEC 27002 for telecommunications organizations

The scope of this Recommendation | ISO/IEC 27011 is to define guidelines supporting the implementation of information security controls in telecommunications organizations.

The adoption of this Recommendation | ISO/IEC 27011 will allow telecommunications organizations to meet baseline information security management requirements of confidentiality, integrity, availability and any other relevant security property.

8)    ISO/IEC 27014 Governance of information security

ISO/IEC 27014 provides guidance on concepts and principles for the governance of information security, by which organizations can evaluate, direct, monitor and communicate the information security related activities within the organization.

ISO/IEC 27014 is applicable to all types and sizes of organizations.

9)    ISO/IEC 27017 Code of practice for information security controls based on ISO/IEC 27002 for cloud services

ISO/IEC 27017 gives guidelines for information security controls applicable to the provision and use of cloud services by providing:

  • Additional implementation guidance for relevant controls specified in ISO/IEC 27002;
  • Additional controls with implementation guidance that specifically relate to cloud services.

This Recommendation | International Standard provides controls and implementation guidance for both cloud service providers and cloud service customers.

10)   ISO/IEC 27019 Information security management guidelines based on ISO/IEC 27002 for process control systems specific to the energy utility industry

ISO/IEC TR 27019 provides guiding principles based on ISO/IEC 27002 for information security management applied to process control systems as used in the energy utility industry. The aim of ISO/IEC TR 27019 is to extend the ISO/IEC 27000 set of standards to the domain of process control systems and automation technology, thus allowing the energy utility industry to implement a standardized information security management system (ISMS) in accordance with ISO/IEC 27001 that extends from the business to the process control level.

The scope of ISO/IEC TR 27019 covers process control systems used by the energy utility industry for controlling and monitoring the generation, transmission, storage and distribution of electric power, gas and heat in combination with the control of supporting processes. This includes in particular the following systems, applications and components:

  • The overall IT-supported central and distributed process control, monitoring and automation technology as well as IT systems used for their operation, such as programming and parameterization devices;
  • Digital controllers and automation components such as control and field devices or PLCs, including digital sensor and actuator elements;
  • All further supporting IT systems used in the process control domain, e.g. for supplementary data visualization tasks and for controlling, monitoring, data archiving and documentation purposes;
  • The overall communications technology used in the process control domain, e.g. networks, telemetry, telecontrol applications and remote control technology;
  • Digital metering and measurement devices, e.g. for measuring energy consumption, generation or emission values;
  • Digital protection and safety systems, e.g. protection relays or safety PLCs;
  • Distributed components of future smart grid environments;
  • All software, firmware and applications installed on above mentioned systems.

Outside the scope of ISO/IEC TR 27019 is the conventional or classic control equipment that is non-digital, i.e. purely electro-mechanical or electronic monitoring and process control systems. Furthermore, energy process control systems in private households and other, comparable residential building installations are outside the scope of ISO/IEC TR 27019.

11)   ISO/IEC 27031 Guidelines for information and communication technology readiness for business continuity

ISO/IEC 27031 describes the concepts and principles of information and communication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization’s ICT readiness to ensure business continuity. It applies to any organization (private, governmental, and non-governmental, irrespective of size) developing its ICT readiness for business continuity program (IRBC), and requiring its ICT services/infrastructures to be ready to support business operations in the event of emerging events and incidents, and related disruptions, that could affect continuity (including security) of critical business functions. It also enables an organization to measure performance parameters that correlate to its IRBC in a consistent and recognized manner.

The scope of ISO/IEC 27031 encompasses all events and incidents (including security related) that could have an impact on ICT infrastructure and systems. It includes and extends the practices of information security incident handling and management and ICT readiness planning and services.

12)   ISO/IEC 27032 Guidelines for cybersecurity

ISO/IEC 27032 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains, in particular:

  • Information security,
  • Network security,
  • Internet security, and
  • Critical information infrastructure protection (CIIP).

It covers the baseline security practices for stakeholders in the Cyberspace. This International Standard provides:

  • An overview of Cybersecurity,
  • An explanation of the relationship between Cybersecurity and other types of security,
  • A definition of stakeholders and a description of their roles in Cybersecurity,
  • Guidance for addressing common Cybersecurity issues, and
  • A framework to enable stakeholders to collaborate on resolving Cybersecurity issues.

13)   ISO/IEC 27035 Information security incident management

ISO/IEC 27035-1 is the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.

The principles given in ISO/IEC 27035-1 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in ISO/IEC 27035-1 according to their type, size and nature of business in relation to the information security risk situation. It is also applicable to external organizations providing information security incident management services.

ISO/IEC 27035-2 provides the guidelines to plan and prepare for incident response. The guidelines are based on the “Plan and Prepare” phase and the “Lessons Learned” phase of the “Information security incident management phases” model presented in ISO/IEC 27035‑1.

The major points within the “Plan and Prepare” phase include the following:

  • information security incident management policy and commitment of top management;
  • information security policies, including those relating to risk management, updated at both corporate level and system, service and network levels;
  • information security incident management plan;
  • incident response team (IRT) establishment;
  • establishment of relationships and connections with internal and external organizations;
  • technical and other support (including organizational and operational support);
  • information security incident management awareness briefings and training;
  • information security incident management plan testing.

The principles given in this part of ISO/IEC 27035 are generic and intended to be applicable to all organizations, regardless of type, size or nature. Organizations can adjust the guidance given in this part of ISO/IEC 27035 according to their type, size and nature of business in relation to the information security risk situation. This part of ISO/IEC 27035 is also applicable to external organizations providing information security incident management services.

Contact Us

A701-A704, Block A
Mentari Business Park
Jalan PJS 8/5, Bandar Sunway
46150 Petaling Jaya Selangor, Malaysia
Tel : 603-7494 6170
Fax : 603-7493 5107

email : (at)