Presentation

January 19, 2018 | Author: Anonymous | Category: Social Science, Psychology, Conformity

Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)

Dr. Julian Lo Consulting Director ITIL v3 Expert

Agenda

ISO20000 & ISO27001

- Measure IT Capabilities by using ISO Standards
- Implementation Approach
- Challenges
- Suggestions and Considerations
- Conclusion – What you can get from it

What are the IT Capabilities?

- The capabilities take the form of functions, processes and procedures
- The capabilities represent an IT organization’s capacity, competency, and confidence for action
- Without these capabilities, an IT organization is merely a bundle of uncoordinated resources
- Do you want to measure your IT organization’s capabilities?

Standard

- Provides a measurable set of best-practice benchmarks common across organizations
- Compliance with the standards demonstrates that the benchmarks have been attained
- Standards are auditable and assessable by independent and authorized auditors
- ISO20000 and ISO27001 are the standards

What is ISO20000?

- ISO20000 is the international standard for IT service management. “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”
- Closely follows the ITIL framework. While individuals are ITIL certified, organizations are ISO20000 certified.

[Diagram: ISO20000 target, built on the ISO20000 Code of Practice, the ITIL Framework, and the organization’s own IT policies, processes and procedures]

Requirements of ISO20000

- An organization must be able to demonstrate it has “Management Control” of each of the ISO 20000 processes
- So what is “Management Control”?
  - Knowledge and control of the inputs
  - Knowledge, use and interpretation of the outputs
  - Definition and measurement of metrics
  - Demonstration of objective evidence of accountability for process functionality
  - Definition, measurement and review of process improvements

[Diagram: process model – Input, Activities, Output, with Norms, Measure and Goal applied to the process]

Use of Scope for ISO20000 Certification

- The scope of the delivered services must be described in a scope statement for certification.
- A service provider can get certification for: a) part or all of the services that it delivers; b) a specific country or customer.
- The scope statement validates the certification for a specific situation.

[Diagram: Services A–D within scope, each supported by Procedures, Plans, Service Levels and KPIs]

Four aspects to be looked into

- People: Who? How? What (R&R)? Culture
- Process & Procedures: The applicable ones
- Product: The supporting, facilitating, auxiliary piece
- Partner: With whom to team up? E.g. suppliers

Conformance

- Roles and Responsibilities are clearly defined
- Policy, Process and Procedure documents established
- Plans are developed to check and measure performance
- Data recorded to prove that process operatives have followed the established policies and procedures, and reviews have been carried out

Process Conformance and Maturity Target: 0–5 point scale

[Chart: Overview of Compliance with ISO/IEC 20000, maturity scored per process on a 0–5 scale]

ISO20000 Implementation Roadmap

- Phase 0: Gap Analysis
- Phase 1: User Support
- Phase 2: Release & Control
- Phase 3: Service Delivery
- Phase 4: Customer & CSI

[Diagram: roadmap elements – Assessment, Project Start-Up & Tool Selections; ITSM Policy; Doc. Control; ITSM Plan; Skills Assessment; Service Desk; Service Catalog; Incident Mgmt; Problem Mgmt; Knowledge; Change Mgmt; Release Mgmt; Configuration Mgmt – CMDB; Capacity Mgmt; Service Level Mgmt; Continuity & Availability; IT Budget & Accounting; Service Design; Service Reporting; Business Relationship; Supplier Mgmt; Management of Change; Review & Internal Audit; CSI; Quick Win – Service Support Completed; ISO20000]

Reasons to take a phased approach

- Seamless integration to minimize the interruptions of IT operation
- Better visibility into issues while enabling sufficient time to refine processes

What is ISO27001?

- Leading International Standard for Information Security Management
- A comprehensive set of controls comprising best practices in information security
- Risk-management based
- Its purpose is to protect the confidentiality, integrity and availability of information

Information Security

- Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.
- Integrity: Safeguarding the accuracy and completeness of information.
- Availability: Ensuring that information and vital services are available to users when required.

ISO27001 Requirements

ISO27001 includes the following controls

ISO27001 Implementation Roadmap

Phase 1 – Planning, Gap Assessment, Training
- Understand existing procedures
- Identify key gaps
- Prepare Project Plan
- Define Roles & Responsibilities
- Conduct Training & Workshops

Phase 2 – System Development and Documentation
- Define documentation hierarchy
- Develop required documentation
- Review established documents
- Obtain approval from authorized personnel

Phase 3 – System Implementation
- Workshops for promotion
- Train up delegate as internal auditor
- Mentor IT Management to review

Phase 4 – Certification Audit
- Conduct internal audit
- Provide direction to rectify issues
- External certification audit

ISO20000 – ISO27001 Major Differences and Similarities

- ISO27001 focuses on protection of information and related assets
- ISO20000 focuses on the quality of service delivery
- Common Areas:
  - PDCA and management system
  - Continuity planning
  - Incident management and change management
  - Capacity management
  - Information security
  - Third party and supplier management

Timeframe

- For ISO20000
  - Maturity range of 1 – 1.5: approximately 18 – 24 months
  - Maturity range of 2 – 3: approximately 6 – 12 months
  - A large maturity gap will require additional resourcing to close the gap in a workable timeframe
- For ISO27001
  - Small Organization, 10 – 50 Employees: up to 8 months
  - Mid-size Organization, 50 – 500 Employees: up to 12 months
  - Large Organization, over 500 Employees: up to 18 months

Key Challenges

- Maturity can be difficult to attain across all processes
- Effort to produce and review documentation and records
- Conflict between productivity and service/information security qualities
- Changing to a culture of collaborative working

Suggestions and Considerations

- ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants
- Start with an assessment and develop a roadmap
- Communicate the benefits and provide adequate training
- To work smarter, you need tools to facilitate
- For those not seeking certification: use ISO 20000 and ISO27001 as the guides

Conclusion – What you can get from it

- ISO20000 and ISO27001 provide an auditable method to assess IT Service and Security quality and conformance
- Assists organizations to enforce process compliance
- Provides clear evidence that ITSM and Information Security qualities are taken seriously
- ISO 20000 and ISO27001 set the process marks for which ITIL and Information Security implementation should aim and be measured
- A method of review and assessment that is linked to continuous service and information security improvement

IT Consulting

Dr. Julian Lo Consulting Director [email protected]
