Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001) Dr. Julian Lo Consulting Director ITIL v3 Expert


Post on 18-Dec-2015



Agenda

Measure IT Capabilities by using ISO Standards

Implementation Approach

Challenges

Suggestions and Considerations

Conclusion – What you can get from it.

ISO20000 & ISO27001

What are the IT Capabilities?

The capabilities take the form of functions, processes & procedures.

The capabilities represent an IT organization’s capacity, competency, and confidence for action.

Without these capabilities, an IT organization is merely a bundle of un-coordinated resources.

Do you want to measure your IT organization’s Capabilities?

Standard

Provide a measurable set of best practice benchmarks common across organizations

Compliance with the standards demonstrates that the benchmarks have been attained

Standards are auditable and assessable by independent and authorized auditors

ISO20000 and ISO27001 are the standards

What is ISO20000?

ISO20000 is the international standard for IT service management. “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”

Closely follows the ITIL framework.

While individuals are ITIL certified, organizations are ISO20000 certified.

Diagram: ISO20000 (Target), built on the ISO20000 Code of Practice, the ITIL Framework, and the organization’s own IT Policies, Processes and Procedures.

Requirements of ISO20000

An organization must be able to demonstrate it has “Management Control” of each of the ISO 20000 processes

So what is “Management Control”?

Knowledge and control of the inputs

Knowledge, use and interpretation of the outputs

Definition and measurement of metrics

Demonstration of objective evidence of accountability for process functionality

Definition, measurement and review of process improvements

Diagram: Input → Activity → Activity → Activity → Output, governed by a Goal, a Measure and Norms.

Use of Scope for ISO20000 Certification

The scope of the delivered services must be described in a scope statement for certification.

A service provider can get certification for: a) part or all of the services that it delivers; b) a specific country or customer.

The scope statement validates the certification for a specific situation.

Diagram: Services A, B, C and D in scope, each supported by Procedures, Plans, Service Levels and KPIs.

Four aspects to be looked into

People: Who? How? What (roles and responsibilities)? Culture.

Process & Procedures: the applicable ones

Product: the supporting, facilitating, auxiliary pieces (tools)

Partner: with whom to team up? e.g. suppliers

Conformance

Roles and Responsibilities are clearly defined

Policy, Process and Procedure documents established

Plans are developed to check and measure performance

Data recorded to prove that process operatives have followed the established policies and procedures, and reviews have been carried out

Process Conformance and Maturity

Chart: Overview of Compliance with ISO/IEC 20000, maturity scored on a 0 – 5 point scale (in 0.5 steps) against the Target for each ISO 20000 clause:

4.1 & 4.2 Management Responsibility & Governance

4.3 Documentation Requirements

4.4 Resources on Competence, Awareness & Training

4.5.1 and 4.5.2 Scope and Plan for SMS (PLAN)

4.5.3 Implement and Operate SMS (DO)

4.5.4 Monitor & Review SMS - Internal Audit (CHECK)

4.5.5 Maintain & Improve SMS (ACT)

5 Design and Transition of New or Changed Services

6.1 Service Level Management

6.2 Service Reporting

6.3 Service Continuity and Availability Management

6.4 Budgeting and Accounting for IT Services

6.5 Capacity Management

6.6 Information Security Management

7.1 Business Relationship Management

7.2 Supplier Management

8.1 Incident Management

8.2 Problem Management

9.1 Configuration Management

9.2 Change Management

10.1 Release Management

ISO20000 Implementation Roadmap (diagram labels, grouped by phase as extracted)

Phase 0: Gap Analysis – Assessment, Project Start-Up & Tool Selection

Running across all phases: Management of Change; Review & Internal Audit

Milestones: Quick Win; Service Support Completed; ISO20000 (certification)

Quick Win items: Configuration Mgmt, Problem Mgmt, Knowledge

Phase 1: User Support – Incident Mgmt, Service Desk, Service Catalog, Service Reporting, ITSM Policy, Doc. Control

Phase 2: Release & Control – Change Mgmt, Configuration Mgmt - CMDB, Release Mgmt, Business Relationship, Service Reporting, ITSM Plan, Skills Assess., Supplier Mgmt

Phase 3: Service Delivery – Capacity Mgmt, Continuity & Availability, Configuration Mgmt - CMDB, Service Reporting, CSI

Phase 4: Customer & CSI – Service Level Mgmt, Service Design, IT Budget & Accounting, Configuration Mgmt - CMDB, Service Reporting, CSI

Reasons to take a phased approach

Seamless integration to minimize the interruptions of IT operation

Better visibility into issues while enabling sufficient time to refine processes

What is ISO27001?

Leading International Standard for Information Security Management

A comprehensive set of controls comprising best practices in information security

Risk-management based

Its purpose is to protect the confidentiality, integrity and availability of information

Diagram: Information Security rests on three properties

Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.

Integrity: Safeguarding the accuracy and completeness of information.

Availability: Ensuring that information and vital services are available to users when required.

ISO27001 Requirements

ISO27001 includes the controls below

ISO27001 Implementation Roadmap

Phase 1 – Planning, Gap Assessment, Training

Understand existing procedures

Identify key gaps

Prepare Project Plan

Define Roles & Responsibilities

Conduct Training & Workshops

Phase 2 – System Development and Documentation

Define documentation hierarchy

Develop required documentation

Review established documents

Obtain approval from authorized personnel

Phase 3 – System Implementation

Workshops for promotion

Train up delegate as internal auditor

Mentor IT Management to review

Conduct internal audit

Provide direction to rectify issues

Phase 4 – Certification Audit

External certification audit

ISO20000 - ISO27001: Major Differences and Similarities

ISO27001 focuses on protection of information and related assets

ISO20000 focuses on the quality of service delivery

Common Areas:

PDCA and management system

Continuity planning

Incident management and change management

Capacity management

Information security

Third party and supplier management

Timeframe

For ISO20000:

Maturity range of 1 – 1.5: approximately 18 – 24 months

Maturity range of 2 – 3: approximately 6 – 12 months

A large maturity gap will require additional resourcing to close the gap in a workable timeframe

For ISO27001:

Small Organization (10 – 50 Employees): up to 8 months

Mid-size Organization (50 – 500 Employees): up to 12 months

Large Organization (over 500 Employees): up to 18 months

Key Challenges

Maturity can be difficult to attain across all processes

Effort to produce and review documentation and records

Conflict between productivity and service/information security qualities

Changing to a culture of collaborative working

Suggestions and Considerations

ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen. So you need help and advice from consultants

Start with an assessment and develop a roadmap

Communicate the benefits and provide adequate training

To work smarter, you need tools to facilitate

For those not seeking certification – use ISO20000 and ISO27001 as the guides

Conclusion – What you can get from it

ISO20000 and ISO27001 provide an auditable method to assess IT Service and Security quality and conformance

Assist organizations in enforcing process compliance

Provides clear evidence that ITSM and Information Security qualities are taken seriously

ISO20000 and ISO27001 set the process benchmarks at which ITIL and information security implementations should aim and against which they should be measured

A method of review and assessment that is linked to continuous service and information security improvement

IT Consulting

Dr. Julian Lo, Consulting Director
