Date posted: 09-Jan-2017
Category: Technology
Uploaded by: institute-of-systems-science-national-university-of-singapore
Demystifying ISO 20000-1 standard
ISO/TS 16949 Workshop, 07 May 2013
Chris Ng, Product Manager / Lead Auditor
TÜV SÜD PSB Pte Ltd
MITM, ABCP, CISM, CISA, CISSP, CTT, ISO 9000 LA, ISO 27000 LA, ISO 20000 LA, ISO 22301 LA, SS 507 LA, SS 584 LA
IT & IT Security Certification Schemes, TÜV SÜD PSB Singapore, 7 May 13 (Slide 1)
Content
1. Intro to TUV SUD PSB & Product Portfolio
2. What is ISO 20000 (SMS)?
3. Why ISO 20000 certification?
4. Main components of ISO 20000
5. ISO certification roadmap
   – Pre-requisites
   – Certification Process
6. Key success factors
7. Conclusion
TÜV SÜD PSB Pte Ltd 10/4/2016
TUV SUD PSB Corporate Overview
TUV SUD heritage: over 145 years of business success
1866 – Establishment of a Mannheim-based steam boiler inspection association by 21 operators and owners of steam boilers, with the objective of protecting man, the environment and property against the risk emanating from a new and largely unknown form of technology
1910 – First vehicle periodic technical inspection (PTI)
1926 – Introduction of the “TÜV mark / stamp” in Germany
1958 – Development of a Bavaria-wide network of vehicle inspection centres in the late 1950s
1990s – Conglomeration of TÜVs from the southern part of Germany to form TÜV SÜD and the expansion of business operations into Asia
2006 – Expansion of services in ASEAN by acquiring Singapore-based PSB Group
2009 – Launch of Turkey-wide vehicle inspection by TÜVTURK
Today – TÜV SÜD continues to pursue a strategy of internationalisation and growth
IT Certification Product Portfolio
Auditing solutions service portfolio
• Quality: ISO 9001, ISO/TS 16949, ISO 13485, ESD 20:20, TL 9000, AS 9100
• IT: Information Security (ISO 27001), Service Management System (ISO 20000-1), Business Continuity & Disaster Recovery (BC/DR, SS 507), Business Continuity Management (ISO 22301), Multi-Tier Cloud Security (MTCS) (SS 584)
• Environmental Health & Safety: ISO 14001, OHSAS 18001, QC080000, Safety & Health Management System (SHMS), Safe Management of Hazardous Substances (SMHS), Carbon Footprint Certification
• ISO 14064, PAS 2050, ISO 50001
• Food safety: ISO 22000, British Retail Consortium (BRC), Hazard Analysis and Critical Control Points (HACCP), Good Manufacturing Practice (GMP)
• Specific industry: Quality Management for Bunker Supply Chain (QMBS), Quality Maritime Education and Training (QMET), Good Distribution Practice for Medical Devices (GDPMDS)
• Product Inspection: Product Listing (PLS), Ready Mixed Concrete Certification, Pre-shipment Inspection (PSI), Factory/Agency Inspection, Source Inspection, Suppliers’ Audit
• Social compliance: SA8000
• CDM: Validation, verification of carbon dioxide (CO2) emissions
Why TUV SUD PSB?
• Why TUV SUD PSB?
  – Market leader in certification industries within ASEAN
  – Certification Body with the largest team of IT and other scheme auditors in ASEAN
  – All IT auditors are:
    - armed with many years of industrial experience
    - exposed to various IT-related schemes
  – Quality of audits
  – One of the few Registered Certification Bodies (RCB) for the APMG ISO/IEC 20000:2011 Certification Scheme
  – 1st Certification Body (CB) to award an ISO 20000:2011 certificate to an organization in Singapore
Seminars Participated
• Being invited as guest speaker for several IT-related seminars in Singapore:
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 23 Apr 2010
  – Information Systems Audit and Control Association (ISACA) – ISO 27001 Dinner talks – 19 Aug 2010
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #8 - SS540 - The Singapore Standard for Business Continuity Management (BCM) and its relationship with the ISO 27001 (ISMS) standard – 18 Feb 11
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 5 Apr 2012
  – AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 (Re-run) - Information Security Management System Foundation – 11 May 2012
  – ISACA Oct 12 Networking Talk Seminar - Introduction to Business Continuity Management Standard (ISO 22301) – 23 Oct 12
  – PinkAsiaForum12 – 1st Annual IT Service Management Leadership Forum – 6-7 Dec 12
  – TUV SUD PSB’s “Think Security First” Seminar, giving an introduction on ISO 27001 Standards – 13 Sep 13
  – BCM Institute Seminar on “An insight into the ISO 22301 (BCMS) standard - the certification body perspective” – 28 Feb 14
  – ISACA May 14 Networking Talk Seminar – Online all the time (BCM related) – 20 May 14
  – Invited as a speaker for ST Kinetics’ Business Continuity Awareness Week to give an introduction on “ISO 22301 (BCMS) standard - the certification body perspective” – 21 Jul 14
  – Invited by IDA as Panel Expert in the discussion forum on the SS 584 Multi-tier Cloud Security (MTCS) standard at the Cloud Asia Conference – 30 Oct 14
  – Conducted a Clinic Session on the SS 584 Multi-tier Cloud Security (MTCS) standard at TUV SUD PSB – 13 May 15
ISO 20000 Standard (An International Standard for Service Management)
IT Infrastructure Library (ITIL)
• The IT Infrastructure Library (ITIL):
  – is essentially a series of documents that forms the basis of a framework to deliver, improve and manage IT services
  – this customizable framework defines how Service Management is applied within an organization
  – is not a standard but a Best Practices Framework, which includes all the best practices to facilitate the delivery of high-quality IT services
  – focuses on managing services to customers, not technology to users
  – is centred on a Service Lifecycle approach and focused on providing business value
  – has been adopted as the de-facto standard for best practice in the provision of IT services
• ITIL focuses on the following:
  – Service Strategy – determines which types of services should be offered to which customers or markets
  – Service Design – identifies service requirements and devises new service offerings as well as changes and improvements to existing ones
  – Service Transition – builds and deploys new or modified services
  – Service Operation – carries out operational tasks
  – Continual Service Improvement – learns from past successes and failures and continually improves the effectiveness and efficiency of services and processes
What is SMS?
• What is a Service Management System (SMS)?
  – A Service Management System (SMS) is a process-based practice intended to align the delivery of information technology (IT) services with the needs of the enterprise, emphasizing benefits to customers
  – An SMS focuses on the delivery of end-to-end services using a best-practice process model
What is the ISO/IEC 20000 standard?
• What is the ISO/IEC 20000 standard?
  – the formal standard against which organizations may seek independent certification for their Service Management Systems (SMS)
  – introduced in Dec 2005; closely follows the ITIL framework to ensure there is a consistent way to implement and “measure” IT Service Management
  – a set of “controls” against which an organization can be assessed for effective IT Service Management processes
  – requires organizations to comply with all the requirements across the Service Management standard
  – adopts an integrated end-to-end approach
  – provides a common base for:
    - developing organizational IT service standards and adopting effective service management practices
    - providing confidence in inter-organizational dealings
  – uses a Plan-Do-Check-Act (PDCA) model to achieve continual improvement
Why ISO 20000 (SMS)?
Why ISO 20000 certification? – Benefits & Drivers
• Why ISO 20000 certification?
  – Satisfying customers’ requirements: requirements from customers to possess a comprehensive service management system
  – Enhancing operational efficiency & effectiveness: certification improves the delivery of quality services in a more efficient & effective manner
  – Provision of assurance: certification provides assurance to the clients that the organization has a robust and reliable operational setup within its service management systems
  – Enhancing risk management: leads to a better knowledge of service management systems, their weaknesses and how to protect them; controls are applied from a risk perspective
  – Increasing credibility and confidence: certification can help set a company apart from its competitors and in the marketplace; provides assurance to the clients in managing the provision of IT services
  – Helping to reduce costs: reduced costs related to streamlining of processes and handling of operational issues through its structured & organized incident and problem handling process
  – Improving service awareness: improves employee awareness of providing quality services and of their specific roles & responsibilities to achieve that
Application of ISO 20000 (SMS)
• Which organizations can go for ISO 20000 certification?
  – Any organization that requires alignment of its services (including IT services) with the business needs
  – Any organization that needs to provide assurance to interested parties, e.g. customers, that it has a reliable and certified Service Management System (SMS)
• Sectors in which organizations are certified:
  – finance, banking and insurance
  – telecommunications
  – utilities
  – retail sectors
  – manufacturing sector
  – various service industries
  – transportation sector
  – government bodies
ISO 20000 Family of Standards
• Family of the ISO/IEC 20000 standard
  – ISO 20000-1:2011 (Part 1)
    - A specification against which the Service Management processes can be audited
    - Defines the processes and provides assessment criteria and recommendations for those responsible for Service Management
  – ISO 20000-2:2012 (Part 2)
    - Code of practice that provides assistance to organizations that are to be audited against the ISO/IEC 20000 standard or are planning service improvements
The Main Components of ISO/IEC 20000
• Main components of the ISO/IEC 20000 standard – ISO 20000-1:2011 (9 sections):
  1. Scope
  2. Normative references
  3. Terms and Definitions
  4. Service Management System General Requirements
  5. Design & Transition of New or Changed Services
  6. Service Delivery Processes
  7. Relationship Processes
  8. Resolution Processes
  9. Control Processes
• Clause 4: Service management system general requirements
  – Clause 4.1 Management responsibility
  – Clause 4.2 Governance of processes operated by other parties
  – Clause 4.3 Documentation management
  – Clause 4.4 Resource management
  – Clause 4.5 Establish & improve the SMS
• Clause 5: Design & transition of new or changed services
  – Clause 5.1 General
  – Clause 5.2 Plan new or changed services
  – Clause 5.3 Design & development of new or changed services
  – Clause 5.4 Transition of new or changed services
• ISO/IEC 20000-1:2011 groups the main ITIL processes into four core process sets (Cl 6-9):
  – 1. Service Delivery Processes (Cl 6), which include:
    - Service Level Management (SLM) (Cl 6.1)
    - Service Reporting (Cl 6.2)
    - Service Continuity & Availability Management (Cl 6.3)
    - Budgeting and Accounting for Services (Cl 6.4)
    - Capacity Management (Cl 6.5)
    - Information Security Management (Cl 6.6)
  – 2. Relationship Processes (Cl 7):
    - Business Relationship Management (Cl 7.1): to establish and maintain a good relationship between the service provider and the customer; a designated individual handles the customer
    - Supplier Management (Cl 7.2): to manage suppliers to ensure the provision of seamless, quality services; monitoring of suppliers’ service performance; management of changes; review of SLAs
  – 3. Resolution Processes (Cl 8):
    - Incident & Service Request Management (Cl 8.1): deals with the restoration of services; requires a documented procedure for all incidents which includes information like classification, priority, escalation, resolution, closure, etc.; takes into consideration the impact & urgency of the incident; defines major incidents and ensures they are communicated to the right interested parties
    - Problem Management (Cl 8.2): to minimize or avoid the impact of incidents or problems; identifying & removing the root causes of incidents or problems; leads to Change Management for relevant solutions or patches
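The Cl 8.1 points above list what an incident record must carry (classification, priority derived from impact and urgency, escalation, resolution, closure) and require that major incidents be defined and communicated. The following Python is an added example, not code from the deck or from the standard: it shows one concrete shape such a record and its triage rules can take. The 3x3 priority matrix, the escalation lists and the rule "P1 is a major incident" are constructed assumptions, as are the sample incidents; ISO/IEC 20000-1 requires that these be defined and documented, not what their values are.

```python
"""Incident record and triage helper modelled on the Cl 8.1 requirements
(classification, priority, escalation, resolution, closure, impact and urgency,
major incident). Added example; the priority matrix, escalation lists and the
"P1 = major incident" rule are constructed assumptions, not values from the
standard."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Impact(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


class Urgency(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Assumed priority matrix: (impact, urgency) -> priority, P1 being the highest.
PRIORITY_MATRIX: Dict[Tuple[Impact, Urgency], str] = {
    (Impact.HIGH, Urgency.HIGH): "P1",
    (Impact.HIGH, Urgency.MEDIUM): "P2",
    (Impact.MEDIUM, Urgency.HIGH): "P2",
    (Impact.HIGH, Urgency.LOW): "P3",
    (Impact.MEDIUM, Urgency.MEDIUM): "P3",
    (Impact.LOW, Urgency.HIGH): "P3",
    (Impact.MEDIUM, Urgency.LOW): "P4",
    (Impact.LOW, Urgency.MEDIUM): "P4",
    (Impact.LOW, Urgency.LOW): "P5",
}

# Assumed escalation path per priority: the interested parties that must be told.
ESCALATION: Dict[str, List[str]] = {
    "P1": ["service desk", "incident manager", "service owner", "customer contact"],
    "P2": ["service desk", "incident manager"],
    "P3": ["service desk"],
    "P4": ["service desk"],
    "P5": ["service desk"],
}
MAJOR_INCIDENT_PRIORITY = "P1"  # assumed definition of "major incident"


@dataclass
class Incident:
    incident_id: str
    classification: str  # e.g. "security", "availability", "service request"
    impact: Impact
    urgency: Urgency
    priority: str = ""
    escalate_to: List[str] = field(default_factory=list)
    major: bool = False
    resolution: Optional[str] = None
    closed_at: Optional[datetime] = None


def prioritise(inc: Incident) -> Incident:
    """Fill in priority, escalation list and major flag from impact and urgency."""
    inc.priority = PRIORITY_MATRIX[(inc.impact, inc.urgency)]
    inc.escalate_to = list(ESCALATION[inc.priority])
    inc.major = inc.priority == MAJOR_INCIDENT_PRIORITY
    return inc


def close_incident(inc: Incident, resolution: str) -> Incident:
    """Closure needs a recorded resolution; an empty one is rejected so the
    record stays auditable."""
    if not resolution.strip():
        raise ValueError(f"{inc.incident_id}: cannot close without a resolution")
    inc.resolution = resolution
    inc.closed_at = datetime.now(timezone.utc)
    return inc


def open_by_priority(incidents: List[Incident]) -> Dict[str, int]:
    """Count still-open incidents per priority, the basic service-report view."""
    counts: Dict[str, int] = {}
    for inc in incidents:
        if inc.closed_at is None:
            counts[inc.priority] = counts.get(inc.priority, 0) + 1
    return counts


# Constructed sample incidents (not real records).
SAMPLE = [
    prioritise(Incident("INC-1001", "security", Impact.HIGH, Urgency.HIGH)),
    prioritise(Incident("INC-1002", "availability", Impact.MEDIUM, Urgency.HIGH)),
    prioritise(Incident("INC-1003", "service request", Impact.LOW, Urgency.LOW)),
]

if __name__ == "__main__":
    close_incident(SAMPLE[2], "password reset completed")
    for inc in SAMPLE:
        print(inc.incident_id, inc.priority, "MAJOR" if inc.major else "", inc.escalate_to)
    print(open_by_priority(SAMPLE))
```

The point of the matrix is that priority is derived, not picked by whoever logs the ticket, and the escalation list follows from it automatically; an auditor checking Cl 8.1 will look for exactly that kind of documented, repeatable rule and for closure records that always carry a resolution.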
  – 4. Control Processes (Cl 9):
    - Configuration Management (Cl 9.1): to define & control the components of the service & infrastructure and maintain accurate configuration information; establishment of a configuration baseline; definition of CIs in the CMDB; identifies asset owners & interdependencies
    - Change Management (Cl 9.2): ensures all changes are assessed, approved, implemented and reviewed in a controlled manner; procedures to handle emergency changes; the decision on accepting a change shall take into consideration the risks, the potential impacts to services and the customer, service requirements, etc.
    - Release & Deployment Management (Cl 9.3): to deliver, distribute and track one or more changes in the live environment; conducts impact analysis before release; a release needs to be built & tested before deployment; establishes release, roll-out & roll-back plans
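The Cl 9 points above hang together: a configuration baseline with CI owners and interdependencies (Cl 9.1) is what makes the impact assessment required by Cl 9.2 and Cl 9.3 possible. The Python below is an added example, not code from the deck or the standard, that shows the link in practice: it compares a live snapshot against the approved baseline, reports each drifted CI with its owner, and walks the dependency graph to name the CIs whose service could be affected. The CI data model and the sample CMDB (hosts, owners, attributes) are constructed; ISO/IEC 20000-1 requires a baseline and CI records but prescribes no particular representation.

```python
"""Configuration-baseline drift check modelled on Cl 9.1 (baseline, CIs, owners,
interdependencies) and the impact analysis Cl 9.2 / 9.3 require before a change
or release. Added example; the CI model and the sample CMDB are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class CI:
    name: str
    owner: str
    attributes: Tuple[Tuple[str, str], ...]  # sorted (key, value) pairs
    depends_on: Tuple[str, ...] = ()


def make_ci(name: str, owner: str, attributes: Dict[str, str], depends_on=()) -> CI:
    return CI(name, owner, tuple(sorted(attributes.items())), tuple(depends_on))


def dependents(cmdb: Dict[str, CI], ci_name: str) -> Set[str]:
    """Transitive set of CIs that rely on ci_name: the impact scope of a change to it."""
    reverse: Dict[str, Set[str]] = {}
    for ci in cmdb.values():
        for dep in ci.depends_on:
            reverse.setdefault(dep, set()).add(ci.name)
    seen: Set[str] = set()
    stack = [ci_name]
    while stack:
        for d in reverse.get(stack.pop(), ()):
            if d not in seen:
                seen.add(d)
                stack.append(d)
    return seen


def drift(baseline: Dict[str, CI], current: Dict[str, CI]) -> List[dict]:
    """Compare the live snapshot with the approved baseline. Every finding names
    the CI, the kind of drift, the asset owner to raise it with, the attributes
    that changed and the CIs whose service could be affected."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        b, c = baseline.get(name), current.get(name)
        if b is None:
            kind, changed = "unbaselined CI", []   # live, but never approved
        elif c is None:
            kind, changed = "missing CI", []       # baselined, but gone
        elif b.attributes != c.attributes or b.depends_on != c.depends_on:
            kind = "modified CI"
            changed = sorted({k for k, _ in set(b.attributes) ^ set(c.attributes)})
        else:
            continue
        ref = b if b is not None else c
        graph = baseline if b is not None else current
        findings.append({
            "ci": name,
            "kind": kind,
            "owner": ref.owner,
            "changed": changed,
            "affected": sorted(dependents(graph, name)),
        })
    return findings


# Constructed baseline (approved) and live snapshot; not real hosts.
BASELINE = {
    "db01": make_ci("db01", "dba-team", {"tls": "required", "version": "14"}),
    "app01": make_ci("app01", "app-team", {"auth": "sso"}, ["db01"]),
    "portal": make_ci("portal", "web-team", {"waf": "on"}, ["app01"]),
}
LIVE = {
    "db01": make_ci("db01", "dba-team", {"tls": "optional", "version": "14"}),
    "app01": make_ci("app01", "app-team", {"auth": "sso"}, ["db01"]),
    "portal": make_ci("portal", "web-team", {"waf": "on"}, ["app01"]),
    "debug-proxy": make_ci("debug-proxy", "unknown", {"listen": "0.0.0.0:8080"}, ["app01"]),
}

if __name__ == "__main__":
    for finding in drift(BASELINE, LIVE):
        print(finding)
```

Run on the constructed data it reports two findings: db01 has drifted from the baseline (TLS no longer required) and the drift reaches app01 and the portal through the dependency graph, so the change request or incident goes to the DBA team with that impact scope attached; debug-proxy has no baseline record at all, which is the Cl 9.2 case of a change that was never assessed or approved.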
The Certification Roadmap
ISO 20000 Certification Road map (2 phases)
Phase 1: Pre-Certification Phase
  1. Gap analysis
     - Getting the ISO 20000 standards
     - List of identified gaps
     - Cost and schedule estimation
  2. Setting up SMS framework
     - Prepare Service Management Policy & Plan
     - Define scope, objectives, resources, etc.
     - Identify Risk Management methodology, perform risk assessment, identify internal audit approach, etc.
  3. Implementation
     - Allocation of funds, budget, roles and responsibilities, ITIL/ISO 20k training, etc.
     - Documenting policies, plans, processes, etc.
  4. Check & Act
     - Management review (*), internal audit (*)
     - Monitor Service Improvement plan, etc.
Pre-requisites for ISO 20000 certification
• Pre-requisites
  – Develop the SMS Manual
    - Establish the SMS Scope (*)
    - Establish SMS Policy (*)
    - Define SMS Objectives (*)
  – Perform Risk Assessment
    - Description of Risk Assessment Methodology & Process (*)
    - Risk assessment report
    - Risk Treatment Process & Plan (*)
  – Prepare Service Improvement Policy / Service Management Plan, etc.
  – Perform Internal Audit
    - Internal Audit Procedure
    - Internal audit Programme & Results (*)
  – Conduct Management Review (*)
  – Develop competency of staff in SMS (*)
  – Continual Improvement
    - Corrective Actions (CA) Procedure
    - Preventive Actions (PA) Procedure
    - Non-conformities uncovered and results of CA (*)
  – Establish Control of documents/records procedures
    - Control of Document Procedure
    - Control of Records Procedure
ISO 20000 Certification Road map (con’t)
Phase 2: Certification Phase
  5. Application for ISO 20000 certification
  6. Document (Manual) assessment (Stage 1)
  7. Preliminary assessment (Stage 1)
     - Records demonstrating SMS implementation
  8. Certification assessment (Stage 2)
     - Assessment report and Corrective Action (CA)
  9. Awarding of certificate
ISO 20000 Certification Process
  1. Application
  2. Documentation Assessment (Stage 1)
  3. Preliminary Assessment (Stage 1)
  4. Certification Assessment (Stage 2)
  5. Award of Certificate (valid for 3 yrs)
  6. Post-Award Routine Surveillance
  7. Renewal of Certificate (on the 3rd yr)
Key Success Factors
Successful ISO 20000 implementation
• Key Success Factors:
  – Management commitment
  – Cross-functional forum / committee
  – Understanding stakeholders’ business requirements in relation to service delivery
  – Effective risk management process
  – Training & awareness
  – Proactive & continual improvement
    - Internal audit & management review
    - Identify and act on security weaknesses
    - Learn from incidents and establish relevant preventive action
Common FAQs
• Q1: How much does it cost and how long does it take for an ISO 20000 certification audit to complete?
  – The cost and the time taken depend on the following factors:
    - Scope of services
    - Staff strength in supporting the services
    - Number of remote sites (if any)
    - Complexity of logistics arrangement
    - Complexity of organization, processes & services
    - No. of ITIL processes that are already implemented
    - Nature & sensitivity of businesses
    - Any existing certification, like ISO 9001, being implemented
    - Language barrier (requires a local interpreter if English is not the medium used for the audit)
• Q2: How many months of data must I accumulate before applying for certification?
  – Typically, a minimum of 3 months of data and/or implementation records will be required in order for a meaningful audit to be carried out.
• Q3: What are the different kinds of assessment findings?
  – Stage 1 Certification:
    - Area of Concern (AOC): represents a non-conformance in the implementation of the SMS requirements. The organization will be given one month’s time to resolve any AOC issues.
  – Stage 2 Certification / Continuing / Renewal:
    - Category 1 (Major finding): represents a breakdown in the SMS framework. The organization will be given three months’ time to resolve any CAT 1 issues. An on-site visit is necessary to clear CAT 1 issues.
    - Category 2 (Minor finding): represents some deficiency in the implementation of SMS requirements. The organization will be given one month’s time to resolve any CAT 2 issues.
    - AFI (Area for Improvement): represents an area that needs to be enhanced before it develops into a CAT 1 or CAT 2 problem.
    - Positive (Positive Aspects): represents an implementation that can be used as a role model for other departments or organizations.
Conclusion
• Conclusion
  – ISO 20000-1 is the certifiable standard for the Service Management System (SMS) of an organization
  – ISO 20000-2 is used as a code of practice to satisfy the requirements of the SMS standard
  – A detailed readiness check or gap analysis needs to be performed before applying for ISO 20000 certification
  – Understand the Key Success Factors in ISO 20000 certification
Thank you
www.tuv-sud-psb.sg
Vielen Dank / Cảm ơn bạn / Terima kasih
Contact
Name: Chris Ng
Designation: Product Manager / Lead Auditor
Email: [email protected]
Tel: 65 68851628
Office Hotline: (65) 9366 8611