
Page 1 (source: 2017.eurospi.net/images/EuroSPI2016/ppt/picard2_eurospi..., dated 2016-11-02)

Measuring readiness for Compliance: a Gap Analysis Tool to complete the TIPA Process Assessment Framework

[email protected]

European & Asian System, Software & Service Process Improvement & Innovation

Page 2

Agenda

• TIPA
• Process Assessment vs Conformity Assessment
• TIPA Gap Analysis: the PSDC case study
• Design of the TIPA Gap Analysis
• Strengths and Weaknesses
• Conclusion and Perspectives

EuroAsiaSPI 2016

Page 3

What is TIPA?

Process assessment method:
• Standard-based
• Objective
• Repeatable
• Trustworthy

Elements of the TIPA framework shown on the slide (diagram layout not recoverable from the transcript): ISO/IEC 15504 Assessment Approach, TIPA Process Assessment Method, TIPA Assessment Process, TIPA Process Models (PAMs), TIPA Guidance.

Page 4

Process Assessment vs Conformity Assessment

• Similar techniques and objects, but different purposes:
  • Process assessment: "disciplined evaluation of an organizational unit's processes against a process assessment model", which is defined as a "model suitable for the purpose of assessing a specified process quality characteristic, based on one or more process reference models"
  • Conformity assessment: "demonstration that specified requirements relating to a product, process, system, person or body are fulfilled"
• A process assessment or maturity model is not efficient for demonstrating compliance:
  • It is possible
  • But the cost-benefit ratio of the approach is low in comparison to an audit
• A conformity assessment is not effective for supporting sustainable improvement of processes:
  • It is not appropriate for preparing organizational changes
  • It gives only few inputs to bridge the identified compliance gaps

Page 5

The TIPA Gap Analysis

How to provide organizations with a tool translating the result of a conformity assessment into a process view?

• What is a Gap Analysis?
  • Cambridge Business Dictionary: "a gap analysis allows an organization to measure how it is performing versus its potential"
  • ITIL® 2011: "an activity that compares two sets of data and identifies the differences. A gap analysis is commonly used to compare a set of requirements with actual delivery"
• It is a form of conformity assessment (not as formal as an audit)
• Usually used at the beginning of a certification journey
• Usually structured by topic (not by process)

Page 6

TIPA Gap Analysis: the PSDC case study

• PSDC: Digitization and Long-term storage Service Provider (Luxembourg national regulation)
• Objective: guarantee the legal (evidentiary) value of electronic documents (copies of paper-based documents or born-digital documents) before a court
• A set of technical regulation requirements to achieve the PSDC status:
  • Mainly based on ISO/IEC 27001:2013 and ISO/IEC 27002:2013
  • Additional requirements related to the Digitization and Long-term storage processes
• Process Assessment Model for PSDC:
  • Extension of our PAM for ISO/IEC 27001
  • But too heavy in regard to the maturity of the local market (in legal e-archiving)
  • Need for a lighter tool to address the local market need

Page 7

TIPA Gap Analysis: the PSDC case study

• PAM for PSDC: the process map

The slide shows the process map as a diagram; its grouping is lost in the transcript. Labels recovered from the map, in the order extracted:

• Leadership*
• Management review*
• Secure storage management*
• Electronic record disposal management*
• Archiving
• Business continuity related security management
• Electronic record transformation [PSDC-DC only]*
• Electronic document transformation [PSDC-D only]*
• Analogue disposal management*
• Electronic document disposal management [PSDC-D only]*
• Access control management*
• Physical environment security management*
• Operations security management*
• Development related security management
• Supplier related security management*
• Internal audit
• Non-conformity management
• Continual improvement
• PSDC Processes
• Information Security
• Digitization
• Operational implementation and controls*
• Performance evaluation
• Management System Processes
• Management System Lifecycle
• Top Management Management System Support
• Information security risk and opportunity management*
• Operational planning*
• Document management
• Communication management
• Human resource management*
• Information security incident management

* Additional requirements from the PSDC regulation that amend or supplement those from the ISO/IEC 27000 series

Page 8

The TIPA Gap Analysis: specific feature

• The usual view of the result of a Gap Analysis [figure; not recoverable from the transcript]
• The additional specific view of the TIPA Gap Analysis: the process view [figure; not recoverable from the transcript]

Page 9

Design of a TIPA Gap Analysis: the transformation process

[figure; not recoverable from the transcript]

Page 10

Design of a TIPA Gap Analysis: the structured questionnaire

The slide shows one topic of the questionnaire as a table with four columns: topic, general question, optional questions, requirement traceability. Reconstructed from the transcript:

Topic: Information security organization: strategy, scope and third parties (4.3)

General questions:
• Have you determined the limits and applicability of the information security management system (ISMS) for establishing its scope, including digitizing and/or archiving processes and supporting assets?
• Have you determined the internal and external problems that could prevent the achievement of the ISMS objectives, including the digitizing- and archiving-related problems?
• Have you identified the relevant stakeholders related to the ISMS and the digitizing and archiving processes?
• Have you determined the requirements of those stakeholders regarding information security and document digitization and archiving, including contractual, legal and regulatory requirements?
• Have you analyzed the interfaces and dependencies between your business activities and those performed by third-party organizations?
• Is the scope of applicability formalized in a document (i.e. a statement of applicability)?
• Have you defined objectives for information security?

Optional questions (following "Have you defined objectives for information security?"):
• Are they measurable?
• Are they taking into account the information security requirements, the risk assessment results and the residual risks?
• Are they communicated?
• Are they regularly updated?
• …

Requirement traceability (identifiers as extracted; their assignment to individual questions is lost): PSDC.6.2.c; 4.3.1.a, 4.1; PSDC.6.2.a; 4.2.a; PSDC.6.2.a; 4.2.b; PSDC.6.2.b; PSDC.7.12.8.1.5; PSDC.7.12.9.1.5; 4.3.1.c; 4.3; 6.2 b, c, d, e …

Page 11

Design of a TIPA Gap Analysis: the process view

• Requires a Process Reference Model (PRM) built through the transformation process
• Is based on the same collection of elementary requirements
• Is based on the identification of all requirements related to each process of the PRM
• Requirement traceability is ensured by the transformation process
• Adds aggregation rules to the gap analysis tool
• Reuses the process map of the PRM
• Reorganises the gap analysis result by process
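The structured questionnaire (Page 10) and the process view (Page 11) describe a single data model: each question traces to elementary requirements, the PRM maps requirements to processes, and the same set of answers is aggregated once by topic and once by process. The following Python script is an added example, not code from the slides or from the TIPA toolset. The question texts, requirement identifiers ("ISO.4.3", "PSDC.6.2.c", ...), process names and answers are constructed, and the aggregation rule (a requirement scores as its weakest question, a process as the mean of its requirements) is an assumption chosen to show how the two views can diverge.

```python
"""Added example (not from the slides or the TIPA toolset): two views on one
gap-analysis result. Question texts, requirement IDs, process names and
answers are constructed; the aggregation rules are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean

# Scores for the three answer states of a readiness questionnaire.
ANSWER_SCORE = {"yes": 1.0, "partial": 0.5, "no": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    topic: str            # questionnaire topic (the usual view groups by this)
    text: str
    requirements: tuple   # requirement traceability: IDs this question gives evidence for


# Constructed questionnaire loosely following Page 10; the IDs are illustrative labels.
QUESTIONS = (
    Question("Q1", "ISMS scope", "ISMS scope determined, incl. digitizing/archiving?",
             ("ISO.4.3", "PSDC.6.2.c")),
    Question("Q2", "ISMS scope", "Internal and external issues determined?",
             ("ISO.4.1", "PSDC.6.2.a")),
    Question("Q3", "ISMS scope", "Stakeholders and their requirements identified?",
             ("ISO.4.2.a", "ISO.4.2.b", "PSDC.6.2.b")),
    Question("Q4", "Objectives", "Information security objectives defined?",
             ("ISO.6.2",)),
    Question("Q5", "Objectives", "Objectives measurable, communicated, updated?",
             ("ISO.6.2",)),
    Question("Q6", "Third parties", "Interfaces with third-party organizations analysed?",
             ("PSDC.7.12",)),
)

# Constructed process reference model: requirement -> processes it belongs to.
PRM = {
    "ISO.4.1": ("Management System Lifecycle",),
    "ISO.4.2.a": ("Management System Lifecycle",),
    "ISO.4.2.b": ("Management System Lifecycle",),
    "ISO.4.3": ("Management System Lifecycle",),
    "ISO.6.2": ("Operational planning",),
    "PSDC.6.2.a": ("Management System Lifecycle",),
    "PSDC.6.2.b": ("Management System Lifecycle",),
    "PSDC.6.2.c": ("Management System Lifecycle",),
    "PSDC.7.12": ("Supplier related security management",),
    "PSDC.7.13": ("Supplier related security management",),  # no question covers it
}

# Constructed answers from a fictitious organisation.
ANSWERS = {"Q1": "yes", "Q2": "partial", "Q3": "yes", "Q4": "yes", "Q5": "no", "Q6": "partial"}


def question_scores(questions, answers):
    """Score every question; an unanswered question counts as 'no' so that
    missing evidence shows up as a gap instead of inflating the result."""
    return {q.qid: ANSWER_SCORE[answers.get(q.qid, "no")] for q in questions}


def topic_view(questions, answers):
    """The usual gap-analysis view: mean question score per topic."""
    scores = question_scores(questions, answers)
    by_topic = defaultdict(list)
    for q in questions:
        by_topic[q.topic].append(scores[q.qid])
    return {topic: round(mean(v), 2) for topic, v in by_topic.items()}


def requirement_scores(questions, answers):
    """Aggregation rule (assumed): a requirement is only as satisfied as the
    weakest question tracing to it, so a single 'no' marks it as not met."""
    scores = question_scores(questions, answers)
    by_req = defaultdict(list)
    for q in questions:
        for req in q.requirements:
            by_req[req].append(scores[q.qid])
    return {req: min(v) for req, v in by_req.items()}


def process_view(questions, answers, prm):
    """The TIPA-specific view: regroup requirement scores by PRM process.
    Also returns the PRM requirements no question traces to, which is the
    traceability check to run before trusting either view."""
    req_scores = requirement_scores(questions, answers)
    by_proc = defaultdict(list)
    uncovered = [req for req in prm if req not in req_scores]
    for req, procs in prm.items():
        if req in req_scores:
            for proc in procs:
                by_proc[proc].append(req_scores[req])
    return {proc: round(mean(v), 2) for proc, v in by_proc.items()}, sorted(uncovered)


if __name__ == "__main__":
    print("topic view:  ", topic_view(QUESTIONS, ANSWERS))
    procs, uncovered = process_view(QUESTIONS, ANSWERS, PRM)
    print("process view:", procs)
    print("requirements without a question:", uncovered)
```

With the constructed answers the topic view rates "Objectives" at 0.5, whereas the process view rates "Operational planning" at 0.0: the weakest-question rule treats the unmet "measurable, communicated, updated" question as evidence that requirement 6.2 is not fulfilled, so the same answers, regrouped by process, point at a different place to act. The uncovered list (here "PSDC.7.13") is the traceability check: a requirement in the PRM that no question reaches would otherwise be silently missing from the process view.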

Page 12

The TIPA Gap Analysis: two views on the results

[figure; not recoverable from the transcript]

Page 13

TIPA Gap Analysis: strengths and weaknesses

• Provides valuable input both for filling gaps in a conformity context and for defining the scope in a process assessment context
• The process view must not be confused with the result of a process capability assessment:
  • Both use the same process map structure
  • But they provide different perspectives on the processes: performance vs compliance
• Requires a set of formal requirements as raw material:
  • To make the conformity assessment relevant
  • To make the gap analysis relevant

Page 14

TIPA Gap Analysis: conclusion and perspectives

• In the PSDC context:
  • The TIPA Gap Analysis is an appropriate tool for low-maturity organizations willing to obtain PSDC certification (readiness for compliance)
  • It should be complemented by a TIPA process assessment to initiate organizational changes (readiness for performance)
• For the TIPA framework:
  • A promising add-on to the existing TIPA process assessment Classes 1, 2 and 3
  • The existing mapping between the TIPA for ITIL PAM and the ISO/IEC 20000-1 requirements will make it possible to perform process and conformity assessment jointly:
    • Through a TIPA process assessment for some processes
    • Through a TIPA Gap Analysis for ISO/IEC 20000-1 for the other processes

Page 15

Questions & Answers

Thank you for your attention