Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001). Dr. Julian Lo, Consulting Director, ITIL v3 Expert. Agenda: Measure IT Capabilities by using ISO Standards; Implementation Approach; Challenges; Suggestions and Considerations.
Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert

Agenda
• Measure IT Capabilities by using ISO Standards
• Implementation Approach
• Challenges
• Suggestions and Considerations
• Conclusion – What you can get from it
What are the IT Capabilities?
• The capabilities take the form of functions, processes and procedures
• The capabilities represent an IT organization’s capacity, competency, and confidence for action
• Without these capabilities, an IT organization is merely a bundle of uncoordinated resources
• Do you want to measure your IT organization’s capabilities?

Standard
• Provides a measurable set of best-practice benchmarks common across organizations
• Compliance with the standards demonstrates that the benchmarks have been attained
• Standards are auditable and assessable by independent and authorized auditors
• ISO20000 and ISO27001 are the standards

What is ISO20000?
• ISO20000 is the international standard for IT service management
• “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”
• Closely follows the ITIL framework
• While individuals are ITIL certified, organizations are ISO20000 certified
Requirements of ISO20000
(Diagram: Norms, Measure, Input, Output, Activity, Goal)
• An organization must be able to demonstrate it has “Management Control” of each of the ISO 20000 processes
• So what is “Management Control”?
• Knowledge and control of the inputs
• Knowledge, use and interpretation of the outputs
• Definition and measurement of metrics
• Demonstration of objective evidence of accountability for process functionality
• Definition, measurement and review of process improvements
Use of Scope for ISO20000 Certification
The scope of the delivered services must be described in a scope statement for certification. A service provider can get certification for:
a) part or all of the services that it delivers
b) a specific country or customer
The scope statement validates the certification for a specific situation.
(Diagram: Service A, Service B, Service C, Service D; Procedures, Plans, Service Level, KPI)
Four aspects to be looked into
• People: Who? How? What (R&R)? Culture
• Process & Procedures: The applicable ones
• Product: The supporting, facilitating, auxiliary piece
• And Partner: With whom to team up? E.g. suppliers

Conformance
• Roles and Responsibilities are clearly defined
• Policy, Process and Procedure documents established
• Plans are developed to check and measure performance
• Data recorded to prove that process operatives have followed the established policies and procedures, and reviews have been carried out

Process Conformance and Maturity Target
(Chart: 0 – 5 point scale)
ISO20000 Implementation Roadmap
(Diagram; phases and the items shown are listed below, the exact placement of each item within the diagram is not recoverable from the page)
• Phase 0: Gap Analysis
• Phase 1: User Support
• Phase 2: Release & Control
• Phase 3: Service Delivery
• Phase 4: Customer & CSI
Items shown on the roadmap: Assessment, Project Start-Up & Tool Selections, Skills Assess., ITSM Policy, Doc. Control, ITSM Plan, Service Desk, Incident Mgmt, Problem Mgmt, Configuration Mgmt – CMDB, Change Mgmt, Release Mgmt, Service Level Mgmt, Service Catalog, Capacity Mgmt, Continuity & Availability, IT Budget & Accounting, Service Reporting, Business Relationship, Supplier Mgmt, Knowledge, Service Design, CSI, Review & Internal Audit, Management of Change. Legend: Service Support, Completed, Quick Win.

Reasons to take a phased approach
• Seamless integration to minimize interruptions to IT operations
• Better visibility into issues while allowing sufficient time to refine processes
What is ISO27001?
Information Security
• Confidentiality: Protecting sensitive information from unauthorized disclosure or interception
• Integrity: Safeguarding the accuracy and completeness of information
• Availability: Ensuring that information and vital services are available to users when required
• Leading international standard for Information Security Management
• A comprehensive set of controls comprising best practices in information security
• Risk-management based
• Its purpose is to protect the confidentiality, integrity and availability of information

ISO27001 Implementation Roadmap
• Phase 1 – Planning, Gap Assessment, Training
• Phase 2 – System Development and Documentation
• Phase 3 – System Implementation
• Phase 4 – Certification Audit
(Diagram; activities shown across the phases, the assignment of each activity to a phase is not recoverable from the page): Understand existing procedures, Identify key gaps, Prepare Project Plan, Define Roles & Responsibilities, Conduct Training & Workshops, Define documentation hierarchy, Develop required documentation, Review established documents, Obtain approval from authorized personnel, Workshops for promotion, Train up delegate as internal auditor, Conduct internal audit, Provide direction to rectify issues, Mentor IT Management to review, External certification audit
ISO20000 – ISO27001 Major Differences and Similarities
• ISO27001 focuses on protection of information and related assets
• ISO20000 focuses on the quality of service delivery
• Common Areas
  • PDCA and management system
  • Continuity planning
  • Incident management and change management
  • Capacity management
  • Information security
  • Third party and supplier management

Timeframe
• For ISO20000
  • Maturity range of 1 – 1.5: approximately 18 – 24 months
  • Maturity range of 2 – 3: approximately 6 – 12 months
  • A large maturity gap will require additional resourcing to close the gap in a workable timeframe
• For ISO27001
  • Small organization, 10 – 50 employees: up to 8 months
  • Mid-size organization, 50 – 500 employees: up to 12 months
  • Large organization, over 500 employees: up to 18 months
Key Challenges
• Maturity can be difficult to attain across all processes
• Effort to produce and review documentation and records
• Conflict between productivity and service/information security qualities
• Changing to a culture of collaborative working

Suggestions and Considerations
• ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants
• Start with an assessment and develop a roadmap
• Communicate the benefits and provide adequate training
• To work smarter, you need tools to facilitate
• For those not seeking certification – use ISO 20000 and ISO27001 as guides

Conclusion – What you can get from it
• ISO20000 and ISO27001 provide an auditable method to assess IT service and security quality and conformance
• Assist organizations in enforcing process compliance
• Provide clear evidence that ITSM and information security qualities are taken seriously
• ISO 20000 and ISO27001 set the process marks at which ITIL and information security implementation should aim and against which it should be measured
• A method of review and assessment that is linked to continuous service and information security improvement
IT Consulting
Dr. Julian Lo, Consulting Director
julian.lo@igsl-group.com