Interview with ISO 27001 audit expert Philip Ku

| Sieuwert van Otterloo | Security

Philip Ku is an international information security and audit expert. He is a certified lead auditor for ISO 27001 information security and also for related standards and trains auditors worldwide, including in The Netherlands. We interviewed Philip to understand how he became an expert and what he sees as new trends in information security.

You have a background in computer science and business and are now active in audit, risk management and information security. When did you become interested in these topics, and why?

Philip: At the early stage of my career, I was working for a semi-government IT research foundation (Institute of Information Industry, III). I was working on development and promoting new ICT services in Taiwan. In 1996, we did a spin-off of a telecom company and I was one of the founders. 7 years later, we became the second largest Internet Provider in Taiwan and merged with a large telecom company.  In these projects, I experienced how IT systems work in the financial sector and how to manage the risk for IT systems and business.  I became convinced that “information security” is the foundation of IT-business process and e-society and decided to focus on this.

I then started a new career in 2003 with the Germany Certification Body – TÜV on IT technical service as auditor/project manager/evaluator.  

You are a cofounder of TechKnowledge Services Group. How was this group founded? What services does the group offer to clients?
Philip: The TechKnowledge Service Group was founded in 2012, as a subsidiary company of Hermes infotech. Hermes Infotech has been  established in 2010. The group is an approved training partner of the CQI/IRCA (Chartered Quality Institute /International Register of Certificated Auditors). We provide accredited audit training courses worldwide for standards QMS (9001), ISMS (ISO 27001), ITSM (ISO/IEC 20000) and BCMS (ISO 22301). We are one of the few accredited CQI/IRCA training organizations offering auditor training. With ICT Institute we provide ISO 27001 lead auditor training 

Do you see an increase in information security awareness and interest? Why do people decide to obtain certification/ professional qualification?
Philip: People see information security and “privacy” breaches almost everyday in the news. The awareness has been built. Especially now that mobile (wearable) devices have become more and more popular, people are wondering HOW these data are collected, processed and applied; and WHO are using this data for WHAT purpose. 

Information security management has become crucial part of company governance. I also found more and more organisations  looking for professional services.

Why audit training

What is, according to you, the main advantage of gaining certification/ professional qualification?
Philip: We have seen many positive effects. From personal perspective, there are many participants that have been promoted or find a new career after having successfully completed this professional qualification.

From organizational perspective, legal compliance is one of the strongest motivations, for example, compliance with Personal Data Protection Act (PDPA) is enforced in EU, US and Asia Pacific countries. In Europe in particular, the GDPR regulation, that will be enforced from May 2018, is a strong driver.

What is the background of most of your trainees?
Philip: In most of our classes, participants have either a technical background or management background. Our “Planning and Lead Implementer” training trains participants on how to “do” for technical background (e.g. IT), and “auditor” training course is based on “requirements” to train participants on how to “review” for technical and management backgrounds.

You are active in several countries in Asia such as China, Taiwan, Thailand, Malaysia, Indonesia, Abu Dhabi, Iran What differences do you see between those countries?
Philip: The main differences between these countries are related to the way of implementation of the information security management system. Some of this can be explained through different styles of  Government’s enforcement of regulation.  


Are there any practical security steps / measures that you think are underused and would you recommend? Any other recommendations to improve information security?
Philip: The ISMS has become a must for any organisation, regardless the size and complexity. From business operation risk management aspect, identify the applicable requirements (legal, legislation and contractual obligation) should be the first priority for the organization. Once the organization has identified the interested parties and expectations, the security controls objectives and controls can be implemented more effectively. 

Do you have any advice for people that like to enter the field of information security?
Philip: A good starting point for IT professional, is to learn technical knowledge and skills, for example network security, hacking skills, data security. But the security standards (like ISO/IEC 27001) give you a more comprehensive view on how these technologies should be implemented and support the business operations to protect sensitive information and personal data. 

Standards also show the best practices and recommended by experts from the field. From my point of view, the information from the standards are not just knowledge, they are also the best way to engage and help communicate with the industry and the world. 

Author: Sieuwert van Otterloo
Dr. Sieuwert van Otterloo is a court-certified IT expert with interests in agile, security, software research and IT-contracts.