Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert
Agenda
Measure IT Capabilities by using ISO Standards
Implementation Approach
Challenges
Suggestions and Considerations
Conclusion – What you can get from it
ISO20000 & ISO27001
What are the IT Capabilities?
The capabilities take the form of functions, processes and procedures.
The capabilities represent an IT organization's capacity, competency and confidence for action.
Without these capabilities, an IT organization is merely a bundle of un-coordinated resources.
Do you want to measure your IT organization’s Capabilities?
Standard
Standards provide a measurable set of best-practice benchmarks that are common across organizations.
Compliance with a standard demonstrates that its benchmarks have been attained.
Standards are auditable and assessable by independent, accredited auditors.
ISO20000 and ISO27001 are the relevant standards.
What is ISO20000?
ISO20000 is the international standard for IT service management. "It describes an integrated set of management processes for the effective delivery of services to the business and its customers."
It closely follows the ITIL framework.
While individuals are ITIL certified, organizations are ISO20000 certified.
ISO20000 Target (layered model, from the standard down to the organization's own practice):
ISO20000 (the standard)
Code of Practice
ITIL Framework
Own IT Policies, Processes and Procedures
Requirements of ISO20000
An organization must be able to demonstrate that it has "Management Control" of each of the ISO 20000 processes.
So what is "Management Control"?
Knowledge and control of the inputs
Knowledge, use and interpretation of the outputs
Definition and measurement of metrics
Demonstration of objective evidence of accountability for process functionality
Definition, measurement and review of process improvements
(Process model figure: Input -> Activity -> Activity -> Activity -> Output, governed by a Goal, a Measure and Norms.)
Use of Scope for ISO20000 Certification
The scope of the delivered services must be described in a scope statement for certification. A service provider can obtain certification for (a) part or all of the services that it delivers, or (b) a specific country or customer. The scope statement validates the certification for that specific situation only.
(Scope figure: Services A, B, C and D, each covered by Procedures, Plans, a Service Level and KPIs.)
Four aspects to be looked into
People: Who? How? What roles and responsibilities (R&R)? Culture.
Process & Procedures: the applicable ones.
Product: the supporting, facilitating and auxiliary tools.
Partner: with whom to team up? e.g. suppliers.
Conformance
Roles and responsibilities are clearly defined
Policy, process and procedure documents are established
Plans are developed to check and measure performance
Data is recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out
Process Conformance and Maturity
(Bar chart: Overview of Compliance with ISO/IEC 20000. Each clause is scored on a 0 – 5 point maturity scale in 0.5 steps and compared against a Target level. The individual bar values are not recoverable from the page; the clauses assessed are:)
4.1 & 4.2 Management Responsibility & Governance
4.3 Documentation Requirements
4.4 Resources on Competence, Awareness & Training
4.5.1 and 4.5.2 Scope and Plan for SMS (PLAN)
4.5.3 Implement and operate SMS (DO)
4.5.4 Monitor & Review SMS - Internal Audit (CHECK)
4.5.5 Maintain & Improve SMS (ACT)
5 Design and Transition of New or Changed Services
6.1 Service Level Management
6.2 Service Reporting
6.3 Service Continuity and Availability Management
6.4 Budgeting and Accounting for IT Services
6.5 Capacity Management
6.6 Information Security Management
7.1 Business Relationship Management
7.2 Supplier Management
8.1 Incident Management
8.2 Problem Management
9.1 Configuration Management
9.2 Change Management
10.1 Release Management
ISO20000 Implementation Roadmap
(Roadmap figure. "Management of Change" and "Review & Internal Audit" appear alongside the phases as ongoing activities, and the roadmap ends with "ISO20000 Completed". The activities per phase are:)
Phase 0: Gap Analysis
Assessment, Project Start-Up & Tool Selections
Phase 1: User Support (Quick Win Service Support)
Incident Mgmt
Service Desk
Service Catalog
Service Reporting
ITSM Policy
Doc. Control
Phase 2: Release & Control
Change Mgmt
Configuration Mgmt - CMDB
Release Mgmt
Business Relationship
Service Reporting
ITSM Plan
Skills Assess.
Supplier Mgmt
Phase 3: Service Delivery
Capacity Mgmt
Continuity & Availability
Service Reporting
CSI
Phase 4: Customer & CSI
Service Level Mgmt
Service Design
IT Budget & Accounting
Configuration Mgmt - CMDB
Service Reporting
CSI
Also shown in the figure, phase placement not recoverable: Configuration Mgmt, Problem Mgmt, Knowledge
Reasons to take a phased approach
Seamless integration to minimize interruptions to IT operations
Better visibility into issues, while allowing sufficient time to refine processes
What is ISO27001?
Leading international standard for information security management
A comprehensive set of controls comprising best practices in information security
Risk-management based
Its purpose is to protect the confidentiality, integrity and availability of information
Information Security
Confidentiality: protecting sensitive information from unauthorized disclosure or interception.
Integrity: safeguarding the accuracy and completeness of information.
Availability: ensuring that information and vital services are available to users when required.
ISO27001 Requirements
ISO27001 includes the controls listed below
ISO27001 Implementation Roadmap
Phase 1 – Planning, Gap Assessment, Training
Understand existing procedures
Identify key gaps
Prepare project plan
Define roles & responsibilities
Conduct training & workshops
Phase 2 – System Development and Documentation
Define documentation hierarchy
Develop required documentation
Review established documents
Obtain approval from authorized personnel
Phase 3 – System Implementation
Workshops for promotion
Train up a delegate as internal auditor
Mentor IT management to review
Conduct internal audit
Provide direction to rectify issues
Phase 4 – Certification Audit
External certification audit
ISO20000 - ISO27001 Major Differences and Similarities
ISO27001 focuses on the protection of information and related assets
ISO20000 focuses on the quality of service delivery
Common areas:
PDCA and the management system
Continuity planning
Incident management and change management
Capacity management
Information security
Third-party and supplier management
Timeframe
For ISO20000:
Maturity range of 1 – 1.5: approximately 18 – 24 months
Maturity range of 2 – 3: approximately 6 – 12 months
A large maturity gap will require additional resourcing to close the gap in a workable timeframe
For ISO27001:
Small organization (10 – 50 employees): up to 8 months
Mid-size organization (50 – 500 employees): up to 12 months
Large organization (over 500 employees): up to 18 months
Key Challenges
Maturity can be difficult to attain across all processes
Effort is needed to produce and review documentation and records
Conflict between productivity and service/information security quality
Changing to a culture of collaborative working
Suggestions and Considerations
ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen. So you need help and advice from consultants
Start with an assessment and develop a roadmap
Communicate the benefits and provide adequate training
To work smarter, you need tools to facilitate the processes
For those not seeking certification: use ISO 20000 and ISO27001 as guides
Conclusion – What you can get from it
ISO20000 and ISO27001 provide an auditable method to assess IT service and security quality and conformance
They assist organizations in enforcing process compliance
They provide clear evidence that ITSM and information security quality are taken seriously
ISO 20000 and ISO27001 set the process benchmarks at which ITIL and information security implementations should aim and against which they should be measured
They provide a method of review and assessment that is linked to continual service and information security improvement