ISO20000:
Understanding Critical Success Factors
& Pitfalls to Avoid
A presentation by Adedoyin Odunfa (CEO, Digital Jewels)
At the occasion of the Q2 2013 InformationValueChain Breakfast Forum, hosted by Digital Jewels Ltd
Outline
• About the Standard
• An implementation Roadmap
• Critical Success Factors
• Avoiding the Pitfalls
Life before ITSM
http://www.youtube.com/watch?v=ZfLgGf4nskI
Life before ITSM*
• Technology and Business speak different languages.
• Management does not clearly understand where the “investment is
going”.
• No one understands what went wrong with an incident! No assurance
that this will not happen again.
• People consider themselves the “system”.
• No way to benchmark IT service quality.
*Not exhaustive
Life after ITSM*
• Peace of Mind rather than “chaos”. Processes are well defined and under control, with control of the IT service lifecycle.
• Customers/Business knows what to expect from IT and when. Defines IT in terms
of ‘services’ rather than systems.
• Improved communication and information flow between IT and business.
• Control on IT costs and justifies IT investment.
• Ability to ‘measure’. Improved service performance on best practices,
‘continually’.
• Single, defined, repeatable, and scalable documented framework for IT best
practices that flows across the organization.
*Not exhaustive
Traditional IT Vs ITSM Process
Traditional I/T becomes ITSM Process:
Technology focus → Process focus
Fire-fighting → Preventative
Reactive → Proactive
Users → Customers
Centralized, done in-house → Distributed, sourced
Isolated, silos → Integrated, enterprise-wide
'One off', ad hoc → Repeatable, accountable
Informal processes → Formal best practices
IT internal perspective → Business perspective
Operational specific → Service orientation
What is IT Service Management?
• IT Service Management (ITSM) is a process-based practice intended to align the delivery of information technology (IT) services with needs of the enterprise, emphasizing benefits to customers.
• ITSM involves a paradigm shift from managing IT as stacks of individual components to focusing on the delivery of end-to-end services using best practice process models.
The ISO20000 Standard
• The first worldwide standard specifically aimed at IT Service Management.
• Describes an integrated set of management processes for the effective delivery of services to the business and its customers.
• The standard is all about supporting the business side with adequate IT services, while providing those services as efficiently as possible.
• Evolved from BS15000 and provides an ITIL®-related, auditable set of ITSM requirements for business organizations willing to ensure full alignment with basic processes.
• Simply put, accreditation to ISO20000 is evidence of ITIL implementation. A tangible and verifiable outcome.
ISO/IEC 20000 can be used by:
• an organization seeking services from service providers and requiring assurance that their service requirements will be fulfilled;
• an organization that requires a consistent approach by all their service providers, including those in a supply chain;
• the service provider that intends to demonstrate its capability for the design, transition, delivery and improvement of services that fulfill service requirements;
• a service provider to monitor, measure and review its service management processes and services;
• a service provider to improve the design, transition, delivery and improvement of services through the effective implementation and operation of the SMS;
• an assessor as the criteria for a conformity assessment of a service provider’s SMS to the requirements in this part of ISO/IEC 20000.
ISO20000: the numbers
~ 600 3. 1st
1st
ITSMS with ISO20000
• ISO/IEC 20000:2011, Part 1: Service Management System Requirements –mandatory requirements which must be fulfilled to be compliant with the standard.
• Knowledge of ITIL: ISO 20000 clearly draws on ITIL® principles.
– ISO/IEC 20000:2005 was designed to be aligned with ITIL® V2.
– ITIL® v3, published in 2007 to achieve even better alignment with ISO 20000.
ITSMS with ISO20000
• Additional parts of the standard provide guidelines which are not strictly mandatory:
– ISO/IEC 20000:2012, Part 2: Guidance on the application of service management systems (SMS). Contains examples and suggestions for the design of IT Service Management processes.
– ISO/IEC TR 20000:2005, Part 3: Guidance on scope definition and applicability of ISO/IEC 20000-1. Provides guidance on scope definition, applicability and demonstration of conformity.
– ISO/IEC TR 20000:2010, Part 4: Process reference model.
– ISO/IEC TR 20000:2010, Part 5: Exemplar implementation plan for ISO/IEC 20000-1.
ISO20000: the why?
Prove that your IT organization has demonstrated its ability to:
• Be aware of customer needs and respond to these needs.
• Deliver services which meet defined quality levels.
• Make use of resources in an economical way.
Provides a competitive advantage in the market
Clients/Regulators may demand ISO 20000 compliance as a
condition for awarding contracts to IT service
providers/industry captains.
Certification sets a specific target for and helps to concentrate minds.
• A good way to kick-start the adoption of ITIL Best Practice & keep motivation high.
Roadmap to Certification
Create awareness
• Communicate the goals and benefits and the approach for achieving ISO 20000 compliance. Provide a basic understanding of ITIL.
Determine the ISO 20000 certification scope
• Decide what parts of the organization, what services and/ or what locations shall be covered.
Conduct the ISO 20000 Gap Assessment
• Determine gaps between today’s situation & the standard's requirements
• Identify conformant and non-conformant areas.
• Identify shortcomings & how they can be addressed.
Set up the ISO 20000 project:
• Establish a project governance structure.
• Choose a project Sponsor, Champion, Manager and project staff.
• Determine the necessary resources, prepare a project plan and assign tasks.
• Choose a certifier & experienced external advisor.
Roadmap to Certification
Implement a Gap Remediation Project
• Close gaps identified during the gap assessment
• Usually the most time-consuming part of the certification initiative, because several processes may need to be modified or introduced.
Prepare for the ISO 20000 certification audit
• Develop an inventory of requirements, documents and records to keep track of what requirements are already fulfilled and what related evidence (documents and records) is in place.
Conduct the ISO 20000 certification audit
• The actual ISO 20000 audit must be carried out by an external certifier from a Registered Certification Body (RCB, an organisation which has been granted permission to operate under the itSMF ISO/IEC 20000 Certification Scheme).
Retain ISO 20000 Certification
• After the initial certification, a renewal of the ISO 20000 certificate is due every three years, with intermittent assessments every 6 to 12 months.
• Ensure continued adherence to the standard and put a strong emphasis on continual service & process improvement.
The (Dreaded) Audit
• What is being verified during the ISO 20000 Certification Audit?
– Aims to check if your organization fulfils the ISO 20000 requirements. In particular, the mandatory requirements of 'ISO/IEC 20000:2011, Part 1: Service Management System Requirements' must be fulfilled.
– The ISO 20000 audit relates to the following aspects of your organization:
The (Dreaded) Audit
Documentation of the ISO 20000 Processes
• Adequately documented processes are a prerequisite for managing & continually improving your processes.
• Are all the processes documented?
• Are the processes linked by consistent information flows?
• Do the processes fulfill the ISO 20000 requirements?
Familiarity with the ISO 20000 Processes
• The ISO 20000 auditor will hold structured interviews with IT staff to check if everyone is familiar with the processes:
• Do all members of IT staff know their own processes?
• Do they have a general understanding of all ISO 20000 processes?
Adherence to the ISO 20000 Processes
• The ISO 20000 audit will include an examination of evidence related to the ISO 20000 processes:
• Do the expected documents and records exist?
• Are they adequate for their purposes?
Audit Objectives
• The aim of the certification audit is to check if your organization fulfils the ISO 20000 requirements. The Audit is focused on answering the following questions:
• Is there sufficient process documentation?
• Are all the processes documented?
• Are the processes linked by consistent information flows?
• Do the processes fulfill the ISO 20000 requirements?
• Has sufficient information and evidence been gathered?
• Do members of IT staff know & adhere to the documented processes?
• Is this evidenced in the form of documents & records?
• Do the expected documents and records exist?
• Are they adequate to achieve their purposes?
Getting Certified: Critical Success Factors
Top Management commitment & buy-in: active & sustained
• Understand, commit, track, walk the talk, take timely decisions, keep up the morale
Accountability:
• Each process owner is accountable for the implementation & operation of his or her process. Ensure work package delivery & accountability. Zero-tolerance approach.
Team competence:
• experienced team members facilitate the effective development and implementation of the processes
Effective Communications:
• Awareness & training on the standard, the ITSMS and the processes are consistently managed
Getting Certified: Critical Success Factors
Painstaking Audits:
• Process audits are performed for all the processes & involve key resources such as the process owners & people that execute the activities & produce process deliverables
• Ensure internal auditors know the standard & applicable audit techniques.
Resource sufficiency: budget, staff, SMEs
• Appoint an ITSMS Manager with clout and expertise
Policies & procedures still have a place
• Ensure relevant policies & processes specifically address the ISO20k requirements.
• Ensure approvals, implementation & sign-offs
Get good support
• work with trusted partners
Take a process approach: Remember...
• The audit is a snapshot
• There is life after certification... Maintaining vigilance is key
Getting Certified: Critical Success Factors
Standard Specific Tips:
Service Definition
• Carefully define your services. Differentiate services from processes.
Integration
• Ensure tight integration between change, release, deployment & config mgt processes
Capacity Planning
• Capacity Planning is related to Change Management and impacts your budget
Problem Management
• Take a proactive approach to Problem Management, to ensure lower incident rates over time. Problems are different from Incidents.
Configuration Database
• Carefully define items for the configuration management database – “what is changeable & can impact service”.
Pitfalls to Avoid
No management support
• Management must understand and communicate the reason for seeking certification, and visibly endorse the initiative.
Too little involvement of IT staff
• The advantages of Best Practice should be explained to all concerned. All IT staff should be involved as closely as possible during the design of the new ISO 20000 compliant processes to enhance acceptance of the new processes & ensure long-term success.
Insufficient resources for the ISO 20000 project
• Management commitment must be backed up by the provision of sufficient resources for the certification program. This includes freeing project staff from some of their day-to-day tasks.
Pitfalls to Avoid
Embracing automation too early in the process
Making it a silver bullet
Making it an “IT only Project”
• a business issue is best addressed by a multi-disciplinary team.
• risks of compromise are financial and reputational
Cutting corners
Under-estimating the assignment
• Over-promising and under-delivering
Appointing a sponsor without clout
ISO20000 Benefits
• Entry into global markets where the ISO/IEC 20000 standards are widely recognized
• Objective measurement of the level of compliance to industry best practices
• To have better information available for numerous purposes
• Better streamline to various process improvements that may go on simultaneously in an IT department
• Guidance with prioritizing the best practices to be implemented in an IT department
• Give a company or organization a competitive edge
• Show a drive for quality services
• Increase customer focus and transparency of value provided to the business
• Establish a mentality of continual improvement in IT
• Objectively assess and benchmark IT’s level of maturity
Certification Benefits
Proof that IT services are delivered on the basis of an internationally recognized standard
Assurance that customer requirements are fully met, i.e. professional and efficient service, and risks that are understood and can be controlled
Constant surveillance and optimization of service quality
Certification Benefits
Continuous improvement of service quality, including stability & cooperation, resulting in more customer confidence
Focused services through alignment with the enterprise strategy
Insight into IT performance that is confirmed by an independent source & may serve as a basis for marketing and selling services
Improved understanding by all process participants for defining objectives, responsibilities and roles
Provides a way to align IT services with business strategies.
Creates a formal framework for service management and service improvement.
Provides KPI measurement criteria.
Creates competitive advantage via the promotion of consistent and cost-effective services.
Changes an IT driven culture into a business driven culture.
Provides management a clear view of inter-dependencies across IT and the ISO 20000 processes.
Promotes risk assessment and risk management.
Enhances reputation and perception for using best practices.
IT becomes pro-active rather than re-active.
Improved understanding and relationships between IT and the business/customers.
Creation of a stable framework for both resource training and service management automation.
Other Benefits
• The standard specifies a number of closely related service management processes that help organizations:
Identify that relationships exist between processes, & that these relationships will be dependent on their application within an organization
Provides guideline objectives and controls to enable an organization to deliver managed services
Provides control, greater efficiency, and opportunities for improvement
Turns technology focused departments into service focused departments
Ensures IT services are aligned with and satisfy business needs
Improves system reliability and availability
Provides a basis for service level agreements
Provides the ability to measure IT service quality
Benefits of Process Maturity
1st ISO27001 & PCIDSS QSA Professional Services Firm in Africa
• PCIDSS: 3 engagements
• ISO27001 Certification: 5 Certification Engagements; 3 Surveillance Engagements
• ISO20000: 1 engagement
• COBIT: 9 engagements
Demonstrable capability to support you…
BS 25999 Lead Implementer
BS 25999 Internal Auditor
About Digital Jewels: Secure. Assure. Enable. Empower. Manage.
Secure
• Information Security
Assure
• Information Assurance
Enable
• E-business
Empower
• Capacity Building
Manage
• Project Management
Our InformationValueChain Breakfast Forums
Month (2012) | Topic | Guest Speaker(s)
Dec. | Project Management, Then What? | Deji West, President, PMI Lagos
Sept. | Special 50th IVC Session & ISMS Award Ceremony | Mr. Charles Molapisi, CIO MTN; Mrs. Tokumboh Martins, Director, CBN
Aug | Cashless Lagos: A Critical Update Report | Mrs. Christable Onyejekwe, ED, NIBSS Plc
July | Learning in the midst of Chaos | Shehu Garba, Head, Learning, Shell
Quarter (2013) | Topic | Guest Speaker(s)
1 | PCIDSS: How we did it & What it means to the Industry | Ade Shonubi, MD/CEO, NIBSS Ltd.
Our InformationValueChain Breakfast Forums
Month (2012) | Topic | Guest Speaker(s)
June | Achieving Excellence in IT Service Management | Probal Choudhuri, CEO, Coral eSecure Private Limited, India
May | Customer-centric Technology: GT Bank as a Case Study | Mr. Dare Adeyeri, CIO, GT Bank Plc
April | Technology as a Value Driver in the FMCG Sector | Mr. Saidu Abdullahi, Head IT, West Africa Cadbury Plc
March | NOTAP: Enabling or Hindering National Technological Development | Dr. Umar Bindr, DG, NOTAP
Feb. | Enabling Internet Ubiquity in Nigeria: Our vision, accomplishments and challenges | Ms Funke Opeke, MD/CEO, Main One Cable
Our InformationValueChain Breakfast Forums
Month (2011) | Topic | Guest Speaker(s)
Dec. | Transformation in the Aviation Sector: The NAMA Case Study | Mr. Ifeanyi Ogochukwu, CIO, Nigerian Airspace Management Authority (NAMA)
Oct. | ISO27001 Certification: The Fidelity Bank Case Study | Mr. Ik. Mbagwu, ED, Fidelity Bank Plc
Sept | The IT Industry in Nigeria: The need to move to a self-reliant model | Mr. John Ayoh, Director IT, Central Bank of Nigeria
Aug. | Making the “IT Business Operating Model” Decision | Mr. John Murray, CIO, Etisalat Nigeria
Our InformationValueChain Breakfast Forums
Month (2011) | Topic | Guest Speaker(s)
July | Implementing Global Best Practice-Standards for a Quantum Leap in the Performance of IT Organisations in Nigeria | Dr. Evans Woherem, Ex-ED IT & Operations, Unity Bank
June | Redefining Healthcare Management through Technology | Mrs Fola Laoye, GMD/CEO, Hygeia Group
May | The Changing Face of the Oil & Gas Industry & Implications on Professionals, Institutions & Governments | Mr. Ademola Adeyemi-Bero, MD/CEO, BG Exploration and Production, Nigeria
April | NIMS: e-payment catalyst or encumbrance? | Mr. Chris Onyemenam, DG/CEO, National Identity Management Commission
March | The Central Switch: e-payment enabler or inhibitor? | Mr. Paul Lawal, MD/CEO, NIBSS Plc
Feb. | PCIDSS: A pragmatic implementation Roadmap | Mr. Stellios Tikas, Snr Consultant, FortConsult, Denmark
Our InformationValueChain Breakfast Forums
Month (2010) | Topic | Guest Speaker(s)
Dec. | Balancing Effective IT Service Delivery Controls & Governance | Mr. Pattison Boleigha, Head, Group Compliance and Internal Control, Access Bank Plc
Nov. | IT Governance: A Business Growth Imperative | Mr. Peter Hill, Director, IT Governance Network, South Africa
Oct. | Performance Management Strategies for Techies | Dr. Mrs. Lucy Newman, MD/CEO, FITC
Sept. | Redefining Insurance through Technology | Mr. Tunde Hassan-Odukale, ED, Investment & Systems, Leadway Assurance
Aug | E-learning: old wine in new skins? | Dr. Mrs. Adesua Atanda, Head, Learning, Nigeria LNG
Our InformationValueChain Breakfast Forums
Month (2010) | Topic | Guest Speaker(s)
July | ICT as a tool for transformation: Edo State as a Case Study | Mrs Yemi Keri, Exec. Dir. ICT, Edo State Government
June | Failsafe Strategies for Business Success | Mrs Ibukun Awosika, MD/CEO, Sokoa Chair Centre
May | Risk Management as a Strategic Imperative | Mr. Tayo Koleosho, Chief Risk Officer, InterSwitch
April | Building, Growing & Transforming Businesses | Mr. Demola Aladekomo, MD, Chams Group
March | Building a multi-billion dollar business | Mr. Tonye Cole, Founding Director, Sahara Energy
Feb. | Unleashing brand power on your e-delivery channels | Mrs Lola Odedina, Group Head, Communication & External Affairs, Guaranty Trust Bank Plc
Our InformationValueChain Breakfast Forums
Month (2009) | Topic | Guest Speaker(s)
Dec. | Intriguing perspectives in Project Management | Mr. Anthony Youdeowei, GM Projects, Sahara Group; Mr. Deji Ismael, President, PMI Lagos Chapter; Mrs Alfie Makinde, Project Manager, Transcorp
Nov. | The evolution of e-business in Africa | Mr. Valentine Obi, MD/CEO, etranzact
Oct | Building Capacity to Combat Crises & Foster Growth | Mr. Jide Sanwo-Olu, Lagos State Hon. Commission for Training, Establishment & Pensions
Sept | Changing Life in the Digital Domain | Mr. Emmanuel Onyeje, Country Manager, Microsoft, Anglophone West & Central Africa
Aug | E-payments in Nigeria: The Road Ahead | Mr. Bukar Kyari, MD/CEO, ValueCard Nig Plc
July | IT as an engine of global expansion for African organisations | Tunde Coker, Group CIO, Access Bank Plc
Our InformationValueChain Breakfast Forums
Month (2009) | Topic | Guest Speaker(s)
June | E-payments in Nigeria: Reality or Myth | Mr. Gerald Ilukwe, MD, Galaxy Backbone Plc
May | Assuring Business Continuity in Uncertainty: Benefitting from the BS25999 standard | Lee Allison, British Standards Institute, UAE
April | Legal Risks in the Technology Environment | Basil Udotai, Managing Partner, Technology Advisors
March | Insight into Successful Strategies: The Rise & Rise of Computer Warehouse Group | Mr. Austin Okere, MD/CEO, GWG
Feb | IT Performance Mgt: High Impact Productivity & Retention Strategies | Mr. Yila Yusuf, CIO, O&O Plc
Our InformationValueChain Breakfast Forums
Month (2008) | Topic | Guest Speaker(s)
December | Demystifying IT Governance | Mr. David Isiavwe, Chief Inspector, UBA Plc
November | Strategic Issues in Information Technology | Mr. Chuks Onoha, GCIO, NNPC
October | Achieving a Culture of Service Excellence | Titi Awogboro, Head, IT Gov., Etisalat
September | Project Management Health Check | Mr. Anders Pedersen, Director, Virak, Switzerland
Our InformationValueChain Breakfast Forums
Month (2008) | Topic | Guest Speaker(s)
August | Leapfrog Productivity Enhancements | Mr. Lanre Onasanya, Lead Consultant, McGhee Productivity Solutions
July | E-business in Nigeria: Where are we headed | Mr. Mitchell Elegbe, MD, InterSwitch Nigeria
June | Technology Cost Savings Strategies | Mr. Mike Sisco, MD, MDE Enterprises, US
May | ISO27001: Understanding this Global Standard & why your company needs it | Mr. Eric LaChapelle, CEO, Veridion, Canada
April | Project Management Best Practise Juxtaposing PRINCE2 & PMBoK | Mr. Steven Sloan, Director, Virak, Switzerland; Mr. Bosun Isreal-Bolarinwa, PM Consultant
March | Recruiting, Training & Retaining Technical Specialists | Mr. Kunle Odebode, Ex-CIO Zain (CELTEL), IT Director, Etisalat
Thank You
for your time & attention