
New performed model of ISO/IEC 20000 standard

Anel Tanovic*, Samir Ribic**, Zvjezdan Sehovac***

* Department of Computer Science, University of Sarajevo, Faculty of Electrical Engineering, Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina
** Department of Computer Science, University of Sarajevo, Faculty of Electrical Engineering, Zmaja od Bosne bb, Sarajevo 71000, Bosnia and Herzegovina
*** Institute for Standardization of Bosnia and Herzegovina, Vojvode Radomira Putnika 34, East Sarajevo 71123, Bosnia and Herzegovina

Abstract

ISO/IEC 20000 is the first international standard for IT Service Management. Previous research has shown that this standard needs improvement. This paper focuses on improving the process model of the ISO/IEC 20000 standard by comparing it with the ITIL 2011 framework, eTOM and the ISO/IEC 27000 standard. The result of the research is a new, improved process model for the ISO/IEC 20000 standard which can be implemented in any business environment. This is the first research which takes more than one other ITSM framework or standard for the comparison with the ISO/IEC 20000 standard. The paper has practical significance because this new model will also be implemented in BH Telecom, the leading telecom operator in Bosnia and Herzegovina.

Key-Words: ISO/IEC 20000, ITIL 2011, ISO/IEC 27000, eTOM, Establish ISMS, Assurance Service Management & Operations, Assurance Resource Management & Operations.

International Journal of Digital Content Technology and its Applications (JDCTA), Volume 7, Number 10, June 2013, doi: 10.4156/jdcta.vol7.issue10.9

1. Introduction

ISO/IEC 20000 is the first international standard for IT Service Management. The principles of this standard are the same as for the ITIL framework, but because it is a standard, an organization that implements it receives the corresponding certificate [3], [4]. It consists of four phases and 13 processes [5]. The first phase is the Delivery phase, which contains six processes: Service Level Management, Service Reporting, Service Continuity and Availability Management, Budgeting and Accounting for services, Capacity Management and Information Security Management. The second phase is the Relationship phase, which contains two processes: Business Relationship Management and Supplier Management. The third phase is the Resolution phase, which contains two processes: Incident and Service Request Management and Problem Management. The fourth phase is the Control phase, which contains three processes: Configuration Management, Change Management and Release and Deployment Management.

The Information Technology Infrastructure Library (ITIL) is the framework for the management of IT services. It contains five phases. The first phase is the Service Strategy phase, which contains five processes: Strategy Management for IT services, Financial Management for IT services, Demand Management, Service Portfolio Management and Business Relationship Management [1]. The second phase is the Service Design phase, which contains eight processes: Design Coordination, Service Catalogue Management, Service Level Management, Capacity Management, Availability Management, IT Service Continuity Management, Information Security Management and Supplier Management. The third phase is the Service Transition phase, responsible for the design and implementation of IT services. It contains these processes: Transition Planning and Support, Change Management, Service Asset and Configuration Management, Release and Deployment Management, Service Validation and Testing, Change Evaluation and Knowledge Management. The fourth phase is Service Operation, which is responsible for the maintenance of incidents and problems after new IT services are released into production [2]. This phase contains five processes: Event Management, Incident Management, Request Fulfillment, Problem Management and Access Management [1], [2]. The last phase is Continual Service Improvement, which has only one process, called the 7-Step Continual Service Improvement Process, which is responsible for the continuous improvement of IT services.

The Enhanced Telecom Operations Map (eTOM) is the most popular standard for management of IT services in the telecommunication industry [7], [8]. It contains three phases, Strategy, Operation and Organization, in which 35 processes are placed. Processes in the Strategy phase are the combination of these horizontal and vertical processes: Marketing & Offer Management, Service Development & Management, Resource Development & Management, Supply Chain Development & Management, Strategy & Commit, Infrastructure Lifecycle Management and Product Lifecycle Management [6], [8]. Processes in the Operation phase are the combination of these horizontal and vertical processes: Customer Relationship Management, Service Management & Operations, Resource Management & Operations, Supplier/Partner Relationship Management, Operations Support & Readiness, Fulfillment, Assurance and Billing & Revenue Management. Processes in the Organization phase are responsible for the management of risks and human resources: Strategic & Enterprise Planning, Enterprise Risk Management, Enterprise Effectiveness Management, Knowledge & Research Management, Financial & Asset Management, Stakeholder & External Relations Management and Human Resources Management [7].

ISO/IEC 27000 is responsible for the establishment, design, implementation and improvement of Information Security Management Systems (ISMS) [9], [11]. This standard contains four phases: Establishment of ISMS, Design and implementation of ISMS, Monitor and review ISMS and Maintain and improve ISMS.
The first phase contains these six processes: Define the scope of ISMS, Define information security policy, Undertake risk assessment, Select controls, Risk treatment plan and Prepare the statement of applicability. The second phase has these six processes: Execute risk treatment plan, Selecting controls for information security, Implementing controls for information security, Education and training of users, Manage operations and resources and Implement procedure for security [11], [12]. The third phase contains these six processes: Execute operational plan, Regular reviews of the effectiveness of ISMS, Review the level of residual risk, Internal ISMS audit, Management review of ISMS and Record impact on ISMS [10], [12]. The last phase also contains six processes: Implement identified improvement, Take corrective and preventive action, Apply lesson learned, Communicate result, Ensure objective and Continue process.

The second chapter of the paper describes the previous research in this area. The third chapter describes the test environment that was used for the design and implementation of a new improved model of the ISO/IEC 20000 standard. The fourth chapter describes the implementation of each of these four IT Service Management frameworks and standards. The fifth chapter describes the results of the measurement for each ITSM framework or standard after its implementation. The sixth chapter is a comparative analysis, a proposal for a new model of ISO/IEC 20000 and the measurement of it. The conclusion of the paper describes the benefits of the implemented new model of the ISO/IEC 20000 standard.

2. Previous research and research methodology

This paper is the first which takes more than two different IT Service Management frameworks and standards to produce a new performed model of the ISO/IEC 20000 standard.
Previous research has taken only one other ITSM framework or standard to produce a new model of ISO/IEC 20000. Paper [16] presents the improvement of the implementation of the ISO/IEC 20000 Edition 2 standard by using the comparison with the ITIL V3 set of best practices for implementing an IP multimedia subsystem of a Telecom operator. The newly added processes are: Service Portfolio Management, Event Management, Demand Management and Service Validation and Testing. Paper [17] is the continuation of the research described in the previous paper and gives a new model of the ITIL 2011 framework through the comparison with the ISO/IEC 20000 standard. Papers [18], [19], [20], [21] and [22] are very similar to this paper, but they are based on the improvement of the ITIL framework and not on the improvement of the ISO/IEC 20000 standard.

Paper [24] presents a model-based concept that offers support in determining the optimal maturity for ITSM processes. It is intended for application in an IT operations field in which the ISO 20000 standard is relevant. The validation process is supported by a prototype created in Matlab-Simulink. In order to allow further validation, the model concept was implemented as a Java desktop application that successfully passed a conducted use case validation. Paper [25] provides a Risk and Compliance Management framework for outsourced financial applications and ERP systems. The challenge is to integrate one Enterprise Resource Management system called COSO with the ISO 20000 standard and the ISO 27001 standard. The authors have addressed this challenge by extending the SABSA model to incorporate the integration of these standards. As a result, the framework clarifies the responsibilities of customers and outsourcing companies, thereby providing efficient risk and compliance management. Finally, in paper [26] the authors have used the ISO/IEC 20000 and ISO/IEC 27000 standards to describe the circulation of personal health records. Digitization of personal health records also brings security risks. A range of technical and legal infrastructure is needed to eliminate these risks. The paper shows the benefits of using both the ISO/IEC 20000 and ISO/IEC 27000 standards to eliminate all necessary risks.

The methodology of this research follows these steps: making the test environment, implementation of the ISO/IEC 20000 standard in this environment, implementation of other ITSM frameworks and standards in this environment, comparative analysis of results between ISO/IEC 20000 and other ITSM frameworks and standards, proposing a new set of processes for ISO/IEC 20000, performing measurements for a new improved model of ISO/IEC 20000 and finally describing all benefits that the new model contains. This research methodology has been used in several recent studies in this area [18], [19]. The implementation of all processes is measured using a technique called Gap analysis.
This technique is based on comparing the results of key performance indicators with the desired values which are defined in critical success factors. On that basis, it measures the deviation of key performance indicators from critical success factors and gives a result which is expressed as a percentage. This technique will be used for the measurement of processes for each ITSM framework and standard and also for the measurement of the processes from the improved model of the ISO/IEC 20000 standard. The processes with a positive result of the implementation are those whose final result of successfully implemented recommendations is above 75, according to previous research [23].

3. Test environment

Two new services based on the IP network, IPTV and VoIP, are taken as the reference model for implementing and testing all selected frameworks and standards. The reason for choosing these two services for the research covered in this paper is that both are based on the IP network, both tend towards rapid growth in the number of users, and both are based on principles of old IT services [23]. The analysis described in this document covers a system that has been in production for two years and has 100,000 active users [16], [18]. The application layer of the IPTV/VoIP service contains eight different systems:

Middleware (MW) system (Level 1) – This system enables the following operations: adding IPTV users, editing IPTV users, deleting IPTV users, adding Set Top Boxes, deleting Set Top Boxes, adding IPTV packages, editing IPTV packages, erasing IPTV packages, adding TV channels, editing TV channels, erasing TV channels, adding video content, editing of video content, deleting video content, adding EPG content, editing EPG content, erasing EPG content, adding radio channels, editing radio channels, erasing radio channels, adding games, editing games, removing games, adding TV channels for recording, editing TV channels for recording and deleting TV channels for recording [17], [19]. All other systems including a Diverto system are connected to this system.

Video on Demand (VoD) system (Level 2) – This system is responsible for emitting video content which is inserted into this system, edited and erased [18], [21]. The system is also responsible for emitting the recorded content whose recording is done over the Middleware system.

Real Time Encryption (RTES) system (Level 3) – This system is responsible for encoding and decoding live TV channels [19], [20]. Encoding TV channels ensures that a user can watch only those channels rented in a certain package.

Verimatrix (VCAS) system (Level 4) – This system is responsible for encoding and decoding video contents [17], [22]. Encoding video contents enables their purchase and ensures that a video can be viewed only by the users who bought that video content.

Real Application Cluster (RAC) system (Level 5) – This system is a cluster of 2 Oracle databases which inherently protect data that are defined with operations on the Middleware system. The RAC system protects data on: users, Set Top Boxes, IPTV packages, video contents, TV channels, radio channels, EPGs, games, TV channels with recording mode and information about purchased VoD contents. The most important tables for users in the IPTV Entity Relationship Diagram are: Subscriber, Device, Game, Channel, Channel_Package, VoD_Contents, Program and Instant_Record [18], [23]. The most important tables for billing are: CDR, IPTVVOD, BILLINGVOD and BILLINGIPTV.

Diverto (DIV) system (Level 6) – This system is a central VoIP component which is responsible for the following operations: adding VoIP users, editing VoIP users, deleting VoIP users, adding VoIP adapters, editing VoIP adapters, deleting VoIP adapters, adding VoIP numbers, editing VoIP numbers, erasing VoIP numbers, redirecting VoIP numbers from one user to another [17], [21].

Statistical (STAT) system (Level 7) – This system gathers the data regarding TV channel ratings: data about the user that has watched the TV channel, data about the TV channel that has been watched in a certain time period and data about the time period in respect of which the TV channel has been watched [16], [22].

Monitoring (MON) system (Level 8) – This system controls the IPTV/VoIP system through several modules: a module for monitoring the quality of the TV picture in certain regions, a module for monitoring the telecommunication parameters for every fixed Set Top Box (STB), for example jitter, uptime, packet loss and bandwidth, a module for monitoring the activity of the servers, a module for monitoring the activity of the IPTV headend where receivers and encoders are found, and a module for administrative support [18], [20].

4. Implementation of ISO/IEC 20000 and other complementary frameworks and standards

The implementation of the ISO/IEC 20000 standard and other complementary ITSM frameworks [1], [2] and standards is described through these four parameters:

1. Key goals of process
2. Key activities of process
3. Key performance indicators of process
4. Critical success factors of process

The measurement described in this paper is based on assessing the distance between the real measured key performance indicators and the key performance indicators defined through critical success factors. This distance is expressed as a percentage. This paper describes the implementation of only one process from each ITSM framework or standard. The total number of implementations for ISO/IEC 20000 is 13, the total number of implementations for ITIL is 26, the total number of implementations for eTOM is 35 and the total number of implementations for ISO/IEC 27000 is 24. The total number of implementations for all ITSM frameworks and standards is 98. For the implementation of ISO/IEC 20000 the Service Level Management process is taken, for ITIL the Service Catalogue Management process, for eTOM the Product Lifecycle Management Supply Chain Development & Management process and for ISO/IEC 27000 the Ensure Objective process.

Table 1 shows key performance indicators and critical success factors for the ISO/IEC 20000 Service Level Management process. All these values for critical success factors for the Service Level Management process from the ISO/IEC 20000 standard are set according to the real values from the Telecom operator in which all measurements were also carried out.

Table 1. Key performance indicators and critical success factors for ISO/IEC 20000 Service Level Management process

| Key performance indicators for ISO/IEC 20000 Service Level Management process implemented in the test environment of IPTV/VoIP service | Critical success factors for ISO/IEC 20000 Service Level Management process implemented in the test environment of IPTV/VoIP service |
|---|---|
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Middleware system and the largest possible number of new contracts which are signed for this system during one year | 15 days, 4 contracts |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Video on Demand system and the largest possible number of new contracts which are signed for this system during one year | 20 days, 1 contract |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Real Time Encryption system and the largest possible number of new contracts which are signed for this system during one year | 20 days, 1 contract |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Verimatrix system and the largest possible number of new contracts which are signed for this system during one year | 20 days, 1 contract |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Database system and the largest possible number of new contracts which are signed for this system during one year | 10 days, 2 contracts |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Diverto system and the largest possible number of new contracts which are signed for this system during one year | 15 days, 3 contracts |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Statistical system and the largest possible number of new contracts which are signed for this system during one year | 20 days, 1 contract |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of Monitoring system and the largest possible number of new contracts which are signed for this system during one year | 20 days, 1 contract |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of TV Centre and the largest possible number of new contracts which are signed for this system during one year | 30 days, 2 contracts |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of IP and access network and the largest possible number of new contracts which are signed for this system during one year | 20 days, 4 contracts |
| The largest allowed time needed for the realization of a contract for the implementation and maintenance of terminal equipment and the largest possible number of new contracts which are signed for this system during one year | 10 days, 10 contracts |

Table 2 shows key performance indicators and critical success factors for the ITIL Service Catalogue Management process. All these values for critical success factors for the Service Catalogue Management process from the ISO/IEC 20000 standard are set according to the real values from the Telecom operator in which all measurements were also carried out.

Table 2. Key performance indicators and critical success factors for ITIL Service Catalogue Management process

| Key performance indicators for ITIL Service Catalogue Management process implemented in the test environment of IPTV/VoIP service | Critical success factors for ITIL Service Catalogue Management process implemented in the test environment of IPTV/VoIP service |
|---|---|
| The time allowed for the preparation of technical documentation for Payroll System after installing and releasing into production of servers of the same system | 22 days |
| The time allowed for the preparation of technical documentation for System for the realisation and monitoring of investments after installing and releasing into production of servers of the same system | 20 days |
| The time allowed for the preparation of technical documentation for System for the management of human resources after installing and releasing into production of servers of the same system | 17 days |

Table 3 shows key performance indicators and critical success factors for the eTOM Product Lifecycle Management Supply Chain Development & Management process. All these values for critical success factors for the Product Lifecycle Management Supply Chain Development & Management process from the eTOM standard are set according to the real values from the Telecom operator in which all measurements were also carried out.

Table 3. Key performance indicators and critical success factors for eTOM Product Lifecycle Management Supply Chain Development & Management process

| Key performance indicators for Product Lifecycle Management Supply Chain Development & Management for IPTV/VoIP service | Critical success factors for Product Lifecycle Management Supply Chain Development & Management process for IPTV/VoIP service |
|---|---|
| The lowest average number of control operations for the companies responsible for the design and implementation of technical systems during a period of one contract | 2 controls |
| The lowest average number of control operations for the companies responsible for the design and implementation of application systems during a period of one contract | 4 controls |
| The lowest average number of control operations for the companies responsible for the design and implementation of Service Desk systems during a period of one contract | 2 controls |
| The lowest average number of control operations for the companies responsible for the design and implementation of operation systems during a period of one contract | 3 controls |

Table 4 shows key performance indicators and critical success factors for the ISO/IEC 27000 Ensure Objective process. All these values for critical success factors for the Ensure objective process from the ISO/IEC 27000 standard are set according to the real values from the Telecom operator in which all measurements were also carried out.

Table 4. Key performance indicators and critical success factors for ISO/IEC 27000 Ensure objective process

| Key performance indicators for ISO/IEC 27000 Ensure objective process implemented in the test environment of IPTV/VoIP service | Critical success factors for ISO/IEC 27000 Ensure objective process implemented in the test environment of IPTV/VoIP service |
|---|---|
| Allowed average time which is needed for verification of the correctness of information security procedures implemented in technical systems, the allowed percentage of realized security procedures for these systems that can meet the business needs of IPTV/VoIP service | 2 months, 94% |
| Allowed average time which is needed for verification of the correctness of information security procedures implemented in application systems, the allowed percentage of realized security procedures for these systems that can meet the business needs of IPTV/VoIP service | 3 months, 85% |
| Allowed average time which is needed for verification of the correctness of information security procedures implemented in Service Desk systems, the allowed percentage of realized security procedures for these systems that can meet the business needs of IPTV/VoIP service | 3 months, 87% |
| Allowed average time which is needed for verification of the correctness of information security procedures implemented in operation systems, the allowed percentage of realized security procedures for these systems that can meet the business needs of IPTV/VoIP service | 6 months, 80% |

5. Results of the measurement for ISO/IEC 20000 standard and other complementary ITSM frameworks and standards

Table 5 shows the results of process implementation for the ISO/IEC 20000 standard [15]. Nine processes have achieved a positive result of the implementation and four processes have achieved a negative result of the implementation. The processes which have not achieved a positive result of the implementation are: Service Reporting, Information Security Management, Incident and Service Request Management and Problem Management. These are the processes which will be taken for the improvement of the existing model of the ISO/IEC 20000 standard. These measurements were done using the Microsoft System Center 2012 tool as an excellent solution for these measurements.

Table 5. Results of process implementation for ISO/IEC 20000 standard

| The name of process | The average percentage of process implementation | The result of process implementation is not satisfied and will be used in comparative analysis |
|---|---|---|
| Capacity Management | 88.01% | NO |
| Service Continuity & Availability Mng | 87.15% | NO |
| Service Level Management | 90.51% | NO |
| Service Reporting | 73.16% | YES |
| Information Security Management | 60.66% | YES |
| Budgeting & Accounting for services | 84.56% | NO |
| Business Relationship Management | 75.16% | NO |
| Supplier Management | 82.37% | NO |
| Incident and Service Request Management | 67.48% | YES |
| Problem Management | 68.04% | YES |
| Configuration Management | 89.00% | NO |
| Change Management | 89.45% | NO |
| Release and Deployment Management | 91.08% | NO |

Table 6 shows the results of process implementation for the ITIL 2011 framework [15]. 17 processes from this framework have achieved a positive result of the implementation. However, none of these 17 processes can be used in the comparative analysis with the processes from the ISO/IEC 20000 standard. The processes Information Security Management, Incident Management and Problem Management have not achieved a positive result of the implementation. These measurements were done using the Microsoft System Center 2012 tool as an excellent solution for these measurements.

Table 6. Results of process implementation for ITIL 2011 framework

| The name of process | The average percentage of process implementation | The result of process implementation is satisfied and can be used in comparative analysis with ISO/IEC 20000 processes |
|---|---|---|
| Strategy Management for IT services | 65.03% | NO |
| Financial Management for IT services | 87.80% | NO |
| Demand Management | 83.75% | NO |
| Service Portfolio Management | 75.36% | NO |
| Business Relationship Management | 55.95% | NO |
| Design Coordination | 82.51% | NO |
| Service Catalogue Management | 77.19% | NO |
| Service Level Management | 89.50% | NO |
| Capacity Management | 80.78% | NO |
| Availability Management | 93.36% | NO |
| IT Service Continuity Management | 87.92% | NO |
| Information Security Management | 59.69% | NO |
| Supplier Management | 66.65% | NO |
| Transition Planning and Support | 82.90% | NO |
| Change Management | 86.87% | NO |
| Service Asset and Configuration Mng | 86.38% | NO |
| Release and Deployment Mng | 92.56% | NO |
| Service Validation and Testing | 94.14% | NO |
| Change Evaluation | 91.34% | NO |
| Knowledge Management | 61.86% | NO |
| Event Management | 61.72% | NO |
| Incident Management | 52.91% | NO |
| Request Fulfillment | 94.00% | NO |
| Problem Management | 64.80% | NO |
| Access Management | 79.16% | NO |
| 7-Step CSI Process | 81.79% | NO |

The total number of processes from the eTOM standard that achieved a positive implementation result during the last measurement is 28 [13] (Table 7). Two of them achieved a positive implementation result and can also be used in a comparative analysis with the processes from ISO/IEC 20000. These processes are: Assurance Service Management & Operations (which will be used as the replacement for the ISO/IEC 20000 Incident and Service Request Management process) and Assurance Resource Management & Operations (which will be used as the replacement for the ISO/IEC 20000 Problem Management process). These two processes will be used in the creation of the improved model of the ISO/IEC 20000 standard. The measurements were made with the Microsoft System Center 2012 tool.

Table 7. Results of process implementation for eTOM standard

| The name of process | The average percentage of process implementation | The result of process implementation is satisfied and can be used in comparative analysis with ISO/IEC 20000 processes |
|---|---|---|
| Strategy & Commit Marketing & Offer Management | 81.38% | NO |
| Strategy & Commit Service Development & Management | 79.58% | NO |
| Strategy & Commit Resource Development & Management | 77.25% | NO |
| Strategy & Commit Supply Chain Development & Management | 66.00% | NO |
| Infrastructure Lifecycle Management Marketing & Offer Management | 60.25% | NO |
| Infrastructure Lifecycle Management Service Development & Management | 86.37% | NO |
| Infrastructure Lifecycle Management Resource Development & Management | 93.17% | NO |
| Infrastructure Lifecycle Management Supply Chain Development & Management | 71.35% | NO |
| Product Lifecycle Management Marketing & Offer Management | 56.27% | NO |
| Product Lifecycle Management Service Development & Management | 90.34% | NO |
| Product Lifecycle Management Resource Development & Management | 85.21% | NO |
| Product Lifecycle Management Supply Chain Development & Management | 66.75% | NO |
| Operations Support & Readiness Customer Relationship Management | 89.25% | NO |
| Operations Support & Readiness Service Management & Operations | 89.68% | NO |
| Operations Support & Readiness Resource Management & Operations | 98.17% | NO |
| Operations Support & Readiness Supplier/Partner Relationship Management | 94.33% | NO |
| Fulfillment Customer Relationship Management | 86.16% | NO |
| Fulfillment Service Management & Operations | 96.60% | NO |
| Fulfillment Resource Management & Operations | 86.77% | NO |
| Fulfillment Supplier/Partner Relationship Management | 80.10% | NO |
| Assurance Customer Relationship Management | 92.41% | NO |
| Assurance Service Management & Operations | 90.50% | YES |
| Assurance Resource Management & Operations | 93.23% | YES |
| Assurance Supplier/Partner Relationship Management | 86.71% | NO |
| Billing & Revenue Management Customer Relationship Management | 84.18% | NO |
| Billing & Revenue Management Service Management & Operations | 96.44% | NO |
| Billing & Revenue Management Resource Management & Operations | 81.16% | NO |
| Billing & Revenue Management Supplier/Partner Relationship Management | 87.50% | NO |
| Strategy & Enterprise Planning | 83.03% | NO |
| Financial & Asset Management | 85.22% | NO |
| Human Resources Management | 86.75% | NO |
| Knowledge & Research Management | 71.08% | NO |
| Stakeholder & External Relations Management | 79.85% | NO |
| Enterprise Risk Management | 54.71% | NO |
| Enterprise Effectiveness Management | 90.55% | NO |

Table 8 shows the results of process implementation for the ISO/IEC 27000 standard [14]. The total number of processes that achieved a positive implementation result is 19 (six processes from the Establish ISMS phase, five processes from the Design and Implement ISMS phase, four processes from the Monitor and Review ISMS phase and four processes from the Maintain and Improve ISMS phase). The Establish ISMS phase is the only phase in which all processes achieved a positive implementation result. This phase has all the controls needed for the establishment of the Information Security Management System. During the creation of the final improved model of the ISO/IEC 20000 standard, all six processes from this phase will be combined into one single process, called the Establish ISMS process. The Establish ISMS process contains all key goals, key activities, key performance indicators and critical success factors from all six processes of the Establish phase of ISO/IEC 27000, whose phases are: Establishment of ISMS, Design and implementation of ISMS, Monitor and review ISMS and Maintain and improve ISMS. The first phase contains these six processes: Define the scope of ISMS, Define information security policy, Undertake risk assessment, Select controls, Risk treatment plan and Prepare the statement of applicability. The measurements were made with the Microsoft System Center 2012 tool, which is an excellent solution for this purpose.

Table 8. Results of process implementation for ISO/IEC 27000 standard

| The name of process | The average percentage of process implementation | The result of process implementation is satisfied and can be used in comparative analysis with ISO/IEC 20000 processes |
|---|---|---|
| Define the scope of ISMS | 92.11% | YES |
| Define information security policy | 89.81% | YES |
| Undertake risk assessment | 94.50% | YES |
| Select controls | 89.61% | YES |
| Risk treatment plan | 91.38% | YES |
| Prepare the statement of applicability | 87.07% | YES |
| Execute risk treatment plan | 85.23% | YES |
| Selecting controls for information security | 85.23% | YES |
| Implementing controls for information security | 87.67% | YES |
| Education and training of users | 67.75% | NO |
| Manage operations and resources | 81.64% | YES |
| Implement procedure for security | 77.16% | YES |
| Execute operational plan | 63.62% | NO |
| Regular reviews of the effectiveness of ISMS | 84.60% | YES |
| Review the level of residual risk | 77.91% | YES |
| Internal ISMS audit | 71.00% | NO |
| Management review of ISMS | 93.50% | YES |
| Record impact on ISMS | 84.16% | YES |
| Implement identified improvement | 83.20% | YES |
| Take corrective and preventive action | 86.50% | YES |
| Apply lesson learned | 60.83% | NO |
| Communicate result | 86.31% | YES |
| Ensure objective | 64.62% | NO |
| Continue process | 98.71% | YES |

6. Complementary analysis between ISO/IEC 20000 and other complementary ITSM frameworks and standards

The results from the previous chapter (table 5.) show that the ISO/IEC 20000 standard did not achieve a positive implementation result in four processes: Service Reporting, Information Security Management, Incident and Service Request Management and Problem Management. All other processes achieved results above 75% of successfully implemented recommendations. ITIL 2011 and ISO/IEC 20000 have all processes in common except the Service Reporting process [15]. Results from table 10. show that ITIL did not achieve positive implementation results in any of the three complementary processes: Information Security Management, Incident Management and Problem Management. eTOM and ISO/IEC 20000 have complementary processes only in the Resolution phase [13]. These are two processes from eTOM that achieved positive implementation results in table 11: Assurance Service Management & Operations (replacement for the process Incident and Service Request Management) and Assurance Resource Management & Operations (replacement for the process Problem Management). These two processes will be added to the new performed model of ISO/IEC 20000. ISO/IEC 27000 and ISO/IEC 20000 have only one complementary process, the Information Security Management process [14]. From table 5. it is obvious that only the first phase of ISO/IEC 27000 achieved positive implementation results for all of its processes. To minimize the number of processes taken from the Establish ISMS phase, all processes from this phase will be taken together as the replacement for the ISO/IEC 20000 Information Security Management process. In this way only one process from ISO/IEC 27000 is created as the replacement in the ISO/IEC 20000 standard. This process is called the Establish ISMS process and it has six subprocesses: Define the scope of ISMS, Define information security policy, Undertake risk assessment, Select controls, Risk treatment plan and Prepare the statement of applicability.

Table 9 shows the results of process implementation for the new improved model of the ISO/IEC 20000 standard [15]. Twelve processes in the new improved model achieved a positive implementation result. Only one process did not achieve a positive result, the same as in the previous measurement: the Service Reporting process. The first model of ISO/IEC 20000 achieved a total result of 80.51% of successfully implemented recommendations. The improved model of the ISO/IEC 20000 standard achieved a total result of 84.30% of successfully implemented recommendations. This means that the improved model of ISO/IEC 20000 is better by 3.79% than the first model of ISO/IEC 20000. The measurements were made with the Microsoft System Center 2012 tool, which is an excellent solution for this purpose.

Table 9. Results of process implementation for the new improved model of ISO/IEC 20000 standard

| The name of process | The average percentage of process implementation | The result of process implementation is satisfied |
|---|---|---|
| Capacity Management | 88.01% | YES |
| Service Continuity & Availability Mng | 87.15% | YES |
| Service Level Management | 90.51% | YES |
| Service Reporting | 73.16% | NO |
| Establish ISMS | 81.47% | YES |
| Budgeting & Accounting for services | 84.56% | YES |
| Business Relationship Management | 75.16% | YES |
| Supplier Management | 82.37% | YES |
| Assurance Service Management & Operations | 83.56% | YES |
| Assurance Resource Management & Operations | 80.42% | YES |
| Configuration Management | 89.00% | YES |
| Change Management | 89.45% | YES |
| Release and Deployment Management | 91.08% | YES |

7. Conclusion

Figure 1 shows the improved model of the ISO/IEC 20000 standard, which contains three new processes. These new processes are: Establish ISMS (as the replacement for the Information Security Management process), Assurance Service Management & Operations (as the replacement for the Incident and Service Request Management process) and Assurance Resource Management & Operations (as the replacement for the Problem Management process). The new improved model of the ISO/IEC 20000 standard achieved a result better by 3.79% of successfully implemented recommendations than the initial model of ISO/IEC 20000. The new improved model has been developed from three different IT Service Management frameworks and standards, and this is the first research to have done so [14]. This improved model should increase awareness in companies about implementing this standard in their business environments. The new improved model of the ISO/IEC 20000 standard can be implemented in various types of industries, such as financial institutions, telecom operators, companies for producing and distributing electrical energy, microcredit organizations, hotels, banks, energy companies etc. This research also intends to raise awareness among managers about introducing the ISO/IEC 20000 standard, ITIL or the new performed model of ISO/IEC 20000 in the business environment of any organization.


Future research by the authors in this area should be directed in two ways. The first is the improvement of the new performed model of the ISO/IEC 20000 standard for its Service Reporting process, which is the only process with a negative implementation result. The second is the improvement of the new performed model of the ISO/IEC 20000 standard by taking into consideration other IT Service Management frameworks and standards such as: Management of Risks (MoR), Management of Value (MoV), Management of Successful Programmes (MSP), Project Management (PRINCE2) and Control Objectives for Information and Related Technology (CobiT). This type of future research is directed at improving the Relationship phase, especially the Business Relationship Management process and the Supplier Management process.

Figure 1. The new improved model of ISO/IEC 20000 standard

8. Acknowledgment

The authors would like to thank the Ministry of Education and Science of the Federation of Bosnia and Herzegovina for the financial support during the realization of this project.

9. References

[1] J. van Bon, A. de Jong, A. Kolthof, M. Pieper, R. Tjassing, A. van der Veen, and T. Verheijen, “Foundations of IT Service Management Based on ITIL 2011”, The Office of Government Commerce, September 2007.

[2] J. van Bon, A. de Jong, A. Kolthof, M. Pieper, R. Tjassing, A. van der Veen, and T. Verheijen, “Service Design based on ITIL 2011”, The Office of Government Commerce, June 2008.

[3] Van Haren Publishing, “Implementing ISO/IEC 20000 Certification – The Roadmap (ITSM Library)”, February 2008.

[4] J. Dugmore and S. Lacy, “The Differences Between BS 15000 and ISO/IEC 20000”, The Institution of Engineering and Technology, January 2007.

[5] M. Kunas, “Implementing Service Quality based on ISO/IEC 20000”, IT Governance Publishing, May 2011.

[6] H. Jiejin, “A Practical Approach to the Operation of Telecommunication Services driven by the TMF eTOM Framework”, Universitat Politècnica de Catalunya, September 2009.


[7] J. P. Reilly, M. Kelly, K. J. Willets, and M. Kreaner, “The eTOM – A Business Process Framework Implementer’s Guide”, TM Forum, April 2009.

[8] D. Byron, “An Assessment of the TeleManagement Forum’s eTOM Model”, TM Forum, March 2006.

[9] V. Vasudevan, “Application Security in the ISO27001 Environment”, IT Governance Publishing, April 2008.

[10] A. Calder and S. Watkins, “Information Security Risk Management for ISO27001/ISO17799 (Implementing ISO27001)”, IT Governance Publishing, April 2007.

[11] H. Baars, K. Hintzbergen, J. Hintzbergen, and A. Smulders, “Foundations of Information Security Based on ISO27001 and ISO27002”, Van Haren Publishing, April 2010.

[12] A. Calder and S. Watkins, “IT Governance: A Manager’s Guide to Data Security and ISO 27001 / ISO 27002”, Kogan Page, 4th Edition, May 2008.

[13] A. Hanemann, “Refining ITIL/eTOM Processes for Automation in Service Fault Management”, 2nd IEEE/IFIP International Workshop on Business-Driven IT Management (BDIM 2007), May 2007.

[14] S. Sahibudin, M. Sharifi, and M. Ayat, “Combining ITIL, CobiT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations”, 2nd Asia International Conference on Modeling & Simulation (AICMS 2008), pp. 749-753, May 2008.

[15] M. Brenner, T. Schaaf, and A. Scherer, “Towards an information model for ITIL and ISO/IEC 20000 processes”, International Symposium on Integrated Network Management (IM’09), pp. 113-116, June 2009.

[16] A. Tanovic and F. Orucevic, “Improvement of implementation of ISO-IEC 20000 Edition 2 standard in IT systems of Telecom operator through comparison with ITIL V3 best practices”, 1st WSEAS International Conference on INFORMATION TECHNOLOGY and COMPUTER NETWORKS (ITCN 2012), pp. 333-337, Vienna, November 2012.

[17] A. Tanovic and F. Orucevic, “The design and implementation of two new IT Service Management models”, paper accepted for WSEAS Journal of Communications and Computers, December 2012.

[18] A. Tanovic and F. Orucevic, “Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards – Previous research and research methodology”, paper accepted for 13th International Conference on Applied Informatics and Communications (AIC’13), Valencia, August 2013.

[19] A. Tanovic and F. Orucevic, “Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards – The implementation of IT Service Management frameworks and standards”, paper accepted for 13th International Conference on Applied Informatics and Communications (AIC’13), Valencia, August 2013.

[20] A. Tanovic and F. Orucevic, “Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards – The comparative analysis and proposal of new models”, paper accepted for 13th International Conference on Applied Informatics and Communications (AIC’13), Valencia, August 2013.

[21] A. Tanovic and F. Orucevic, “Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards – Final measurements and the selection of the improved model”, paper accepted for 13th International Conference on Applied Informatics and Communications (AIC’13), Valencia, August 2013.

[22] A. Tanovic and F. Orucevic, “Proposal of the improvement of actual ITIL version based on comparative IT Service Management methodologies and standards – The improved model of ITIL 2011 framework”, paper accepted for 13th International Conference on Applied Informatics and Communications (AIC’13), Valencia, August 2013.

[23] A. Tanovic and F. Orucevic, “Comparative Analysis of the Practice of Telecom Operators in the Realization of IPTV Systems Based on ITIL V3 Reccomendations for the Supplier Management Process”, IEEE International Conference on Service-Oriented Computing and Applications (SOCA), pp. 1-8, December 2010.

[24] J.H. Deutscher, “Model Concepte to Determine the Optimal Maturity of IT Service Management Processes”, 8th IEEE/ACIS International Conference on Computer and Information Science (ICIS 2009), pp. 543 – 548, June 2009.


[25] C. Magnusson, “Risk and Compliance Management Framework for Outsourced Global Software Development”, 5th IEEE International Conference on Global Software Engineering (ICGSE 2010), pp. 228 – 233, August 2010.

[26] E. Par and E. Soysal, “Security Standards for Electronic Health Records”, IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM 2012), pp. 815 – 817, August 2012.
