ISO/IEC 20000 Auditor

Module 4: Implementing, Audit and Tooling

© Copyright 2006, Quint Wellington Redwood

High level approach

1. What is the Vision? High Level Business Objectives
2. Where are we now? Assessments, benchmarks
3. Where do we want to be? Measurable Targets
4. How do we get there? Process Improvement
5. How can we tell we have? Measurements and Metrics
6. How do we keep going?

Generic Implementation Overview

[Figure labels: Assessment; Awareness; Implementation; Audit preparation; Audit. Annotation: "Can be combined into one phase".]

Phase 1: Process Assessment

This phase requires input from the organization aiming for ISO/IEC 20000 certification. The subjects of investigation include personnel from your organization, such as line and process managers, coordinators and process operators; documents such as reports, handbooks, planning and strategy documents and service level agreements are also reviewed. The main focus of the assessment is to ascertain the work processes of the organization, as well as how the organization is managed.

Based on the outcome of the assessment, a gap analysis is established. Phases 2 and 3 of the project are then initiated, with the drawing up of detailed deliverables and timelines.

Phase 2: Process Implementation

This phase focuses on realizing the identified quick wins that will produce fast results as well as positive momentum for medium and long-term improvements. These mid- and long-term improvements become part of the improvement plan, which is then incorporated as an integral part of the ongoing “plan-do-check-act cycle.” Another important part of the effort required to implement ISO/IEC 20000 is in the area of the organization’s work processes. These processes represent the ability of the key IT processes to deliver the value and the required quality of services expected by the organization’s customers.

For a successful implementation of ISO/IEC 20000, it is also necessary to implement the proper control and steering mechanisms. The control model is about ensuring the right control mechanisms (“triggers”) are in place, with respect to how managers are expected to behave and how performance indicators in the IT organization are steered.

Phase 3: Pre-Audit Assessment and team awareness

This phase requires the internal implementers (with the help of an external party) to work closely with the key people involved to conduct awareness sessions for the implementation of the process improvements. A comprehensive audit of all the ISO/IEC 20000 processes should be performed to identify any remaining gaps and close them urgently so that the audit can be closed.

Phase 4: Final Audit

This phase requires an independent audit executed by a Registered Certification Body (RCB).


Assessing

• Assessment Goals:
  - Gap analysis with standard
  - Ways to improve both compliance and internal performance
  - Ways to improve co-operation within IT organisation and with customer and suppliers

• Deliverables:
  - Gap analysis
  - Quick wins and other improvement opportunities
  - Business case(s)
  - Project plan
  - Management of Change plan
  - Communication plan

Quint uses a model that focuses on analyzing multiple aspects of an IT organization, its governance and its design. The model consists of four components, namely strategy, organization (functional model), processes, and steering. From an ISO/IEC 20000 perspective, the process and control dimensions are most relevant (see red circle in next figure). In the process model component, an analysis of and professional judgement on the ISO/IEC 20000 processes is conducted.


Process model to map ISO/IEC 20000

[Figure: process model with three domains.
IT Domain: Service Design, Service Development, Service Build & Test, Financial Mgnt, Service Planning, Capacity Mgnt, Availability Mgnt, Continuity Mgnt, Security Mgnt, Finance, Commercial Policy, HRM, Architecture, Incident Mgnt, Release Mgnt, Configuration Mgnt, Problem Mgnt, Operations Mgnt, Change Mgnt, Service Operations.
Business IT Alignment Domain (BITA): ICT valuing, Information Mgnt., Demand Mgnt., Functional Mgnt., Application Mgnt., Business Support.
Supplier IT Alignment Domain (SITA): Supplier Portfolio Mgnt., Strategic Sourcing, Contract Mgnt., Supply Mgnt., Operations Support, Purchase Mgnt.
Also shown: Service Level Management, Relationship Management, Service desk.]

The ISO/IEC 20000 processes are indicated in light blue in the slide. It is apparent that two ISO/IEC 20000 processes, Service Reporting and Business Relationship Management, are missing. The outputs and activities of both processes are not missing, however. The objective of Service Reporting within IPW is covered within SLM. Business Relationship Management is also covered: in SLM for ongoing services, and within Demand Management for new services.


Map current maturity / compliance level

[Figure: the same process model (IT Domain, BITA, SITA), annotated with a maturity legend: improving, proactive, controlled, monitored, not identified, not performed.]

IPW, as an overall method to implement a process-oriented way of working, is taken a step further with the introduction of maturity stages. This IPW Stage Model (IPW SM™) is derived from the same philosophy used in both the Capability Maturity Model (CMM) and SPICE (ISO 15504). It represents a growth approach for increasing the professionalism of an IT organization with the help of ITIL / IPW, and includes an extensive amount of "built-in improvement experience" from Quint Wellington Redwood consultants.

For each process and maturity stage, a set of generic and process-specific criteria is defined, representing the value the process adds to the overall result. The model makes improvement projects manageable and helps to establish the present level of processes and of the organization. It also helps to establish the level of ambition. Consistent with the philosophy, skipping stages is not advisable. This is primarily because each subsequent stage is built on the foundation laid in the previous stage. The stages or maturity levels are directly linked with the (perceived) added value of the process for the customer (customer value), and are determined using the generic and specific process characteristics. On the basis of the process selection and a maturity level associated with each process, five maturity levels have been defined for an IT management organization as a whole. These stages are: “initial”, “operational monitoring”, “operational control”, “service control”, and “service improving”. As individual processes and the entire organization reach a higher IPW SM stage, the added value of the process to the customer also increases, as does the level of control.


Define desired future maturity

[Figure: the same process model (IT Domain, BITA, SITA), annotated with a maturity legend: improving, proactive, controlled, monitored, not identified, not performed.]

Defining the required or desired state for the implementation is one of the last steps of the assessment. Based on the desired state, the objectives, activities, knowledge, resources and so on required for the implementation can be derived.


How far do we have to go?

[Figure: chart by audit area, with series Gap, Target, Baseline and Intern Review. Caption: Awareness and Assessment.]

This slide gives an example of what a mapping could look like, specifically aimed at ISO/IEC 20000-1 compliance.


Staged Implementation Approach

[Figure labels: Execute and Measure; Continuous Improvement; Step by step Empowerment; Realize “external fit”; Realize “internal fit”.]

There are various maturity models available and one of them is the IPW Maturity Model.

Implementation of Process-oriented Workflow (IPW™) is a de facto standard for the implementation of ITIL processes in an IT organization. The basic version of IPW™ was developed in 1992 by Quint Wellington Redwood and KPN Telecom. Since then, the model has evolved tremendously and proved to be extremely successful in transforming both large and small IT organizations from functional, product- and technology-oriented organizations to customer-, process- and service-oriented organizations. Also when (parts of) the IT services are outsourced, IPW™ has proved to be of great practical use to both the outsourcing organization and the outsourcing partner in arriving at clearly defined services, dividing processes over several organizations, and in entering into agreements on matters such as communication, the execution of processes, or reporting.

Furthermore, the use of IPW™ has had an important synergistic effect on the certification of IT organizations (ISO-9000) and the introduction of other quality systems.

The IPW Maturity Model™ is a model that divides the IPW™ management processes, which form a superset of the processes from the ITIL library, into five process categories, and defines a number of process activities and best practices for all of these processes. Most of the best practices are taken from the ITIL library. Other best practices have been added for fields not provided for by ITIL.

Apart from the fact that it mainly concerns management processes and not development processes, the arrangement is comparable with the arrangements used in CMM℠ and SPICE. However, the IPWMM™ adds the maturity level component, which is again comparable with that of CMM℠ and SPICE. In the IPWMM™, six process maturity levels are distinguished. These maturity levels are: “not performed”, “not identified”, “monitored”, “controlled”, “proactive”, and “improving” (Figure 4), which indicate the maturity level reached by the IPW™ process.


Progress Dashboard

Why a dashboard? In many IT organizations, a lack of usable management reports and structured management meetings leads to decision making and steering based on informal and unstructured meetings. A dashboard provides management with a set of key metrics that consolidate underlying data, reducing the need for management to read reports with tons of operational metrics that don’t provide valuable steering information.

What is a dashboard? A dashboard is a visual display of the most important information needed to achieve one or more objectives, consolidated and arranged on a single screen so the information can be monitored at a glance.

Who is the dashboard for? The dashboard can, in different forms and with different data sets, be used by IT management, customers, end-users and suppliers.

How can the dashboard help improve? A dashboard comprises a set of specific metrics pertinent to delivery of projects and services and enables IT managers to "manage by exception" (that is, take action when a tolerance range has been exceeded or a trend is interrupted). If chosen wisely, the Key Performance Indicators (KPIs) presented by the dashboard provide management with valuable information regarding performance, in the following ways:

• It enables management to improve its planning because there is a direct link between the strategy and process activities
• It improves the relevance of the information provided to the management as it reflects the progress of achieving the strategy and key goals
• It provides early warning about areas that develop in an unwanted direction, giving managers ample time to take corrective action
• It provides means to the organization to continuously improve itself and set itself higher goals
• It provides a common set of parameters to discuss the progress of the organization, improving and structuring the communication

Where should it lead to? The improved ability of the management to steer the organization and its assets will ultimately lead to higher customer satisfaction.


Metrics

• Four main areas for measurements, KPIs and CSFs:
  - progress - milestones, maturity of the process: e.g. creation and maintenance of a Forward Schedule of Change; a repeatable process for making changes
  - compliance - penetration and comprehensiveness: e.g. 10% reduction in the number of unauthorised changes; 10% reduction in the number of urgent changes
  - effectiveness - accuracy and correctness: 10% increase in the number of successful changes; 5% reduction in the number of back-out changes
  - efficiency - productive, use of resources and time: 20% increase in the number of changes implemented on time; 5% reduction in the average cost of a change


Alignment of People, Process and Products

[Figure: Organizational fit. Internal (IT organization): People, Products, Processes. IT organization environment: Customers, Suppliers, Profession, Technology, Society. Fits shown: Capability fit, Process fit, Technological fit, Cultural fit, Organizational fit.]

A lot of attention has traditionally been given to means within an IT organization. From the very start the “tools of work” have been focused on the available technology. Since the beginning of the 90's processes have received more and more attention. Driven by concepts such as process based working methods, ICT process re-engineering and workflow management, function based and hierarchical organizations have been transformed into process based organizations that are far more focused on service delivery and the client. To this point, there has been little attention paid to the human being. Still, the human factor often appears to play a crucial role in the success or failure of ICT organizational improvement.

In the ideal situation, the human factor needs to be attuned to the other factors (means and processes), while the whole needs to be attuned to the environment (clients and suppliers). More generally, the means factor should be attuned to the “state” of technology, the process factor to the “state” of the profession (best practices) and the human factor to the “state” of society. These are called, respectively, the “technological fit”, the “process fit” and the “cultural fit”. By “state” we mean that which is generally in use or possible and which, therefore, serves as the reference point for the activities of an ICT organization. The adjustment to all relevant aspects (the internal and external “fit”) is the so-called “organizational fit”. As an organization reaches a higher level of maturity, the “organizational fit” becomes better. If an organization is unable to attune itself to one or more of the aspects cited, problems will be the result in the short or longer term. In this contribution we will concentrate on the human factor.


Linking Management Information with IT Tooling

[Figure: two rows of linked steps.
Information Management: Definition of information requirements; Collection of information; Analyzing figures; Create and distribute information; Correct / explain results; Use reports.
IT Tools: Output requirements; Interfaces, Extraction, DWH, Data sources; User and System Functionality; Communication and reporting functionality; Meta-data, data model and databases; Content management; Evaluation of effective use of IT.]

Based on the process characteristics and the information the process requires to function, one or more tools have to be selected or built to ensure that all information creation, distribution and storage that should be automated is automated in an effective and efficient manner.


Service Management Tooling

• SM tooling should not be a major issue

• SM tools help with the efficient registration and monitoring of incidents, changes etc.

• Service levels can be monitored and linked to records

• It supports compliance to government legislation

• Think also about links with knowledge sharing tools and management information systems (MIS)

The supporting role of Service Management tools should not be underestimated. Tools have become necessary instruments for organizing the complicated infrastructure. Tools support the organization in assessing the consequences of changes within the infrastructure.

In addition, service management tools may be helpful with the efficient registration and monitoring of incidents. Customer data can be mapped and service levels can be monitored. They also support compliance with, for example, SOX by generating reports and providing an auditable trail of information. Establishing interfaces with the SM tools of suppliers is one way to enhance the operational level of end-to-end control. Proper contracts, change management and contract management procedures are other ways to ensure a proper level of IT control.


A tool basically plays an important role in any ISO/IEC 20000 implementation project. In the tool implementation, defined processes and procedures become visible to the organization. This also applies to flaws, though. The tool forces the activities to be defined in more detail. In many service management projects, the tool often acts as a catalyst by highlighting specific points for improvement. A role as catalyst is fine, but the timing has to be right. All too often, tools are implemented in a “new organization” far too soon. The processes and procedures have barely been described, the goals and starting points have been badly defined, but the tool has already been implemented. Only when the processes in the organization have been defined should the implementation of the tool be considered. Compliance of tools with ISO/IEC 20000 is unlikely to be a big issue. Most of the mature service management tools will support the basic ISO/IEC 20000 requirements, though the level of compliance may vary when digging into the details.


Formal Certification

• Typically a service provider will need to:
  - Demonstrate to their own satisfaction that they have appropriate evidence of conformance to the standard
  - Obtain an outside view prior to the audit, either by an external Consultant or Internal Audit Team
  - Arrange and participate in the formal audit by the Registered Certification Body (RCB)


Certification audit

• The Certification Audit will typically comprise:
  - Agree terms of reference and scope
  - Off-site assessment of process documentation
  - On-site audit of staff and process compliance
  - Presentation of the audit findings
  - If all requirements satisfied, presentation of the ISO/IEC 20000 certificate

The following picture provides an overview of how KPMG approaches and phases an ISO/IEC 20000 audit process.

During the first phase a pre-certification report is created that identifies any gaps regarding compliance and other controls that management should address prior to the certification assessment process. The report also confirms risks and observations to consider for each gap.

The output of the second phase is a report confirming the recommendation for ISO/IEC 20000 certification and a two-page document that certifies that the organization is compliant with and has been successfully certified to the ISO/IEC 20000-1:2005 standard by an itSMF recognized certification body.

During the third phase a document is produced that reports in a consolidated manner on the periodic ongoing compliance visits and identifies any areas of concern with regard to continuing compliance with the current standard or any updated requirements for approval.


After certification

• Certificate is valid for three years

• Annual surveillance audits are required

• Internal audits are required by Part 1 and the certification scheme

• On the third year anniversary, a full re-audit will be carried out
