Implementation Approach to
IT Service Management (ISO 20000)
& Security Management (ISO 27001)
Dr. Julian Lo
Consulting Director
ITIL v3 Expert
Agenda
ISO20000 & ISO27001
• Measure IT capabilities by using ISO standards
• Implementation approach
• Challenges
• Suggestions and considerations
• Conclusion – what you can get from it
What are the IT Capabilities?
• The capabilities take the form of functions, processes and procedures.
• The capabilities represent an IT organization's capacity, competency and confidence for action.
• Without these capabilities, an IT organization is merely a bundle of uncoordinated resources.
• Do you want to measure your IT organization's capabilities?
Standard
• Provides a measurable set of best-practice benchmarks common across organizations.
• Compliance with the standards demonstrates that the benchmarks have been attained.
• Standards are auditable and assessable by independent, authorized auditors.
• ISO20000 and ISO27001 are the standards used here.
What is ISO20000?
• ISO20000 is the international standard for IT service management. "It describes an integrated set of management processes for the effective delivery of services to the business and its customers."
• It closely follows the ITIL framework.
• While individuals are ITIL certified, organizations are ISO20000 certified.
[Diagram: layers labelled ISO20000 Target, ISO20000 Code of Practice, ITIL Framework, and Own IT Policies, Processes and Procedures]
Requirements of ISO20000
• An organization must be able to demonstrate that it has "management control" of each of the ISO20000 processes.
• So what is "management control"?
  • Knowledge and control of the inputs
  • Knowledge, use and interpretation of the outputs
  • Definition and measurement of metrics
  • Demonstration of objective evidence of accountability for process functionality
  • Definition, measurement and review of process improvements
[Diagram: generic process model showing Input, Activities and Output, together with Norms, Goal and Measure]
Use of Scope for ISO20000 Certification
• The scope of the delivered services must be described in a scope statement for certification.
• A service provider can obtain certification for (a) part or all of the services it delivers, or (b) a specific country or customer.
• The scope statement validates the certification for a specific situation only; services outside the stated scope are not covered by the certificate.
[Diagram: Service A, B, C and D shown against Procedures, Plans, Service Level and KPI]
Four aspects to be looked into
• People: who? how? what roles and responsibilities (R&R)? Culture.
• Process & Procedures: the applicable ones.
• Product: the supporting, facilitating and auxiliary pieces.
• Partner: with whom to team up? E.g. suppliers.
Conformance
• Roles and responsibilities are clearly defined.
• Policy, process and procedure documents are established.
• Plans are developed to check and measure performance.
• Data is recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out.
Process Conformance and Maturity
[Chart: Overview of Compliance with ISO/IEC 20000. Processes are scored against a target on a 0–5 point scale]
ISO20000 Implementation Roadmap
[Diagram: five phases, Phase 0: Gap Analysis; Phase 1: User Support; Phase 2: Release & Control; Phase 3: Service Delivery; Phase 4: Customer & CSI, ending in "Completed ISO20000". Process boxes placed across the phases: Incident Mgmt, Problem Mgmt, Service Desk, Service Catalog, Configuration Mgmt (CMDB), Change Mgmt, Release Mgmt, Capacity Mgmt, Service Level Mgmt, Continuity & Availability, IT Budget & Accounting, Knowledge, Service Design, Service Reporting, Business Relationship, Supplier Mgmt. Supporting activities: Assessment, Project Start-Up & Tool Selection, ITSM Policy, Document Control, ITSM Plan, Skills Assessment, Management of Change, Quick Win Service Support, CSI, Review & Internal Audit]
Reasons to take a phased approach
• Seamless integration, to minimize interruptions to IT operations.
• Better visibility into issues, while allowing sufficient time to refine processes.
What is ISO27001?
• The leading international standard for information security management.
• A comprehensive set of controls comprising best practices in information security.
• Risk-management based.
• Its purpose is to protect the confidentiality, integrity and availability of information.
Information Security
• Confidentiality: protecting sensitive information from unauthorized disclosure or interception.
• Integrity: safeguarding the accuracy and completeness of information.
• Availability: ensuring that information and vital services are available to users when required.
ISO27001 Requirements
ISO27001 includes the controls below.
[Figure: list of ISO27001 controls]
ISO27001 Implementation Roadmap
Phase 1 – Planning, Gap Assessment, Training
• Understand existing procedures
• Identify key gaps
• Prepare project plan
• Define roles and responsibilities
Phase 2 – System Development and Documentation
• Define documentation hierarchy
• Develop required documentation
• Review established documents
• Obtain approval from authorized personnel
Phase 3 – System Implementation
• Workshops for promotion
• Train up a delegate as internal auditor
• Mentor IT management to review
• Conduct training and workshops
Phase 4 – Certification Audit
• Conduct internal audit
• Provide direction to rectify issues
• External certification audit
ISO20000 - ISO27001
Major Differences and Similarities
• ISO27001 focuses on protection of information and related assets.
• ISO20000 focuses on the quality of service delivery.
• Common areas:
  • PDCA and the management system
  • Continuity planning
  • Incident management and change management
  • Capacity management
  • Information security
  • Third-party and supplier management
Timeframe
• For ISO20000
  • Maturity range of 1–1.5: approximately 18–24 months
  • Maturity range of 2–3: approximately 6–12 months
  • A large maturity gap will require additional resourcing to close the gap in a workable timeframe.
• For ISO27001
  • Small organization (10–50 employees): up to 8 months
  • Mid-size organization (50–500 employees): up to 12 months
  • Large organization (over 500 employees): up to 18 months
Key Challenges
• Maturity can be difficult to attain across all processes.
• Effort is needed to produce and review documentation and records.
• Conflict between productivity and service/information security qualities.
• Changing to a culture of collaborative working.
Suggestions and Considerations
• ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants.
• Start with an assessment and develop a roadmap.
• Communicate the benefits and provide adequate training.
• To work smarter, you need tools to facilitate the processes.
• For those not seeking certification, use ISO20000 and ISO27001 as guides.
Conclusion – What you can get from it
• ISO20000 and ISO27001 provide an auditable method to assess IT service and security quality and conformance.
• They help organizations enforce process compliance.
• They provide clear evidence that ITSM and information security qualities are taken seriously.
• ISO20000 and ISO27001 set the process marks at which ITIL and information security implementation should aim and against which it should be measured.
• They give a method of review and assessment that is linked to continuous service and information security improvement.
IT Consulting
Dr. Julian Lo
Consulting Director
[email protected]