Development of a new improved model of ISO 20000 standard based on recommendations from ISO 27001 standard
Anel Tanović, Department of Computer Science, Faculty of Electrical Engineering, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
Irena Serna Marjanovic, Department of Computer Science, Faculty of Electrical Engineering, University of Sarajevo, Sarajevo, Bosnia and Herzegovina
Abstract – ISO 20000-1:2011 is the most important standard for the management of IT services. ISO 27001:2013 is the most important standard for information security. This paper compares these two standards in the real environment of the IPTV/VoIP service of a Telecom operator in Bosnia and Herzegovina. It produces a new improved version of the ISO 20000 standard in the field of information security, based on recommendations from the ISO 27001 standard in the same field. The new improved version of the ISO 20000 standard is implemented in the real environment of the Telecom operator and produced better results than the previous model.
Keywords: ISO 20000-1:2011, ISO 27001:2013, IPTV/VoIP
I. INTRODUCTION
Quality management systems are of great interest to the business of each organization. Today the most important standards from the area of management systems are:
• ISO 9001:2015 – Quality Management System
• ISO 14001:2015 – Environmental Management System
• ISO 20000-1:2011 – IT Service Management System
• ISO 22301:2012 – Business Continuity Management System
• ISO 27001:2013 – Information Security Management System
• ISO 50001:2011 – Energy Management System.
At the center of this work are the standards ISO 20000 (IT Service Management System) and ISO 27001 (Information Security Management System). The basic tasks within this research include:
• To examine all elements of ISO 20000 (IT Service Management System)
• To examine all elements of ISO 27001 (Information Security Management System)
• To complete a comparative analysis of these two management systems
• Through the comparative analysis, to identify the disadvantages of the IT Service Management System based on the ISO 20000 standard (through actual measurement results)
• Through the comparative analysis, to take into consideration the advantages of the Information Security Management System based on the ISO 27001 standard (through actual measurement results)
• On the basis of the completed comparative analysis, to create a new improved model of the ISO 20000 standard based on the advantages of the ISO 27001 standard (through actual measurement results)
• To implement a new enhanced IT Service Management System based on the ISO 20000 standard (a new enhanced version of the ISO 20000 standard) in the real environment of the IPTV/VoIP service of a Telecom operator from Bosnia and Herzegovina.
Section II presents the IT Service Management System based on ISO 20000 recommendations and the Information Security Management System based on ISO 27001 recommendations. Section III presents the research methodology used in this paper. Section IV presents the IPTV/VoIP model used as the reference model. Section V describes the implementation of the ISO 20000 standard in the reference model, while Section VI presents the implementation of ISO 27001 in the same reference model. Section VII compares the achieved results and proposes a new improved model of the ISO 20000 standard. Section VIII is the conclusion of the paper, while Section IX lists all references used in this paper.
This research was done on ISO 20000-1:2011, while a new version of this international standard (ISO 20000-1:2018) was issued in September 2018. The 2018 version of the ISO 20000 standard keeps the same set of processes as the 2011 version described in this paper, which is why the 2011 version can still be used for scientific research. ISO 20000-1:2018 differs only in its alignment with the Annex SL structure, which is not important for this paper, while the process structure that matters for this paper is unchanged.
II. IT SERVICE MANAGEMENT SYSTEM AND INFORMATION SECURITY MANAGEMENT SYSTEM
The management system based on the ISO 20000 standard has a total of 13 processes that include [1] [2]:
MIPRO 2019/SSE 1747
1. Budgeting & Accounting - Financial management process
2. Capacity Management - Capacity management process
3. Availability Management - Service availability management process
4. Service Level Management - Contract management process
5. Service Reporting - The process of generating reports
6. Service Catalogue Management - IT service catalogue management process
7. Information Security Management - A process for managing information security
8. Business Relationship Management - The process of managing business relationships inside and outside the organization
9. Supplier Management - The process of supplier management and procurement
10. Incident Management and Request Fulfillment - Incident management process and user request process
11. Problem Management - A problem management process
12. Release and Deployment Management - A process for development and maintenance of IT services
13. Service Asset and Configuration Management - The process of managing IT assets and configuration units
14. Change Management - Change management process.
Although the ISO 20000 standard has an information security management process (the Information Security Management process), it still contains only basic information security implementation guidelines. There are no details related to the implementation of information security. Figure 1 shows the processes inside this system.
Figure 1. Processes inside ISO 20000 standard
The information security management system based on the ISO 27001 standard has all the elements of information security that can be integrated within the existing ISO 20000 standard. In this way, a new improved model of the ISO 20000 standard can be developed, which should in fact be the original scientific contribution of this work.
The ISO 27001 standard contains the following organizational components:
• A5 - Policies for information security management
• A6 - Organizational roles in the management of information security
• A7 - Human Resource Management
• A8 - Asset management
• A9 - Logical Security (Subprocess)
• A10 - Cryptography (Subprocess)
• A11 - Physical safety and security of the environment
• A12 - Security of operations (Subprocess)
• A13 - Communication Security (Subprocess)
• A14 - Operational maintenance of the system
• A15 - Supplier management
• A16 - Security incident management
• A17 - Business Continuity Management System
• A18 - Law and Legislation Management
From the ISO 27001:2013 standard, this research takes these four subprocesses: A9 - Logical Security, A10 - Cryptography, A12 - Security of operations and A13 - Security of Communications. The following figure shows the life cycle of processes and activities for the ISO 27001:2013 standard:
Figure 2. Lifecycle of processes and activities inside ISO 27001 standard
III. RESEARCH METHODOLOGY
The basic objectives of this research include:
• Theoretical study of the existing standards ISO 20000-1:2011 and ISO 27001:2013
• Conducting a comparative analysis of the two existing standards
• Identifying the disadvantages of the ISO 20000-1:2011 standard from the information security viewpoint through actual measurement results
• Integrating the benefits of the ISO 27001:2013 standard with the existing Information Security Management process in the ISO 20000-1:2011 standard (through actual measurement results)
• Creating a new enhanced ISO 20000-1:2011 standard with the benefits of the information security management process
• Based on that creation, implementing the new improved model of the ISO 20000-1:2011 standard in the business environment of the IPTV/VoIP service of a Telecom operator in Bosnia and Herzegovina.
The basic hypotheses to which this research relates include:
• Hypothesis 1 (H1): ISO 20000 is a very widespread standard in the IT world that is increasingly used
• Hypothesis 2 (H2): ISO 20000 does not have a thoroughly elaborated process for managing information security
• Hypothesis 3 (H3): Information security is one of the main topics in today's IT world
• Hypothesis 4 (H4): ISO 27001 provides a set of detailed recommendations in the field of information security
• Hypothesis 5 (H5): Previous research has shown that it is possible and necessary to make numerous changes to ISO 20000 from the aspect of information security
• Hypothesis 6 (H6): There are four subprocesses from ISO 27001:2013 that can be taken to improve any other standard
• Hypothesis 7 (H7): A new improved ISO 20000 standard model can be created
• Hypothesis 8 (H8): The new ISO 20000 standard model can be applied in the practical environment of the IPTV/VoIP service of the Telecom operator.
The basic principle of the methodology in this research is a comparative analysis between the existing international standards ISO 20000-1:2011 and ISO 27001:2013 in the field of information security management processes. The basic concepts of the research methodology include:
• Theoretical study of the existing ISO 20000 and ISO 27001 standards
• Comparative analysis of the existing ISO 20000 and ISO 27001 standards in the field of information security management by using actual measurement results
• Creation of a new improved ISO 20000 standard model based on the comparative analysis and the benefits of the ISO 27001 standard, by using actual measurement results
• Implementation of the new ISO 20000 standard in the practical environment of the IPTV/VoIP service of the Telecom operator
• After applying it in the practical environment, evaluating the benefits of the new improved ISO 20000 standard model compared to the old ISO 20000 standard model.
IV. REFERENCE MODEL
For the research covered by this work, the IPTV/VoIP service of the Telecom operator was taken. The selected IPTV/VoIP service of the Telecom operator consists of the following eight levels:
• Level 1 - Middleware system - a system that is responsible for administering all IPTV users and through which the connection with the Central Information System of the Telecom operator and the Billing system is made
• Level 2 - Video on Demand system - a system that is responsible for adding, editing and deleting video content, a very important element of each IPTV service
• Level 3 - Real Time Encryption system - TV channel encryption system (a very important segment for the measurements that have been made)
• Level 4 - Verimatrix system - video encryption system (a very important segment for the measurements that have been made)
• Level 5 - Real Application Cluster - a database based on Oracle technology
• Level 6 - Diverto system - a system that is responsible for administering all VoIP users and through which the connection with the Central Information System of the Telecom operator and the Billing system is made
• Level 7 - Statistical system - a system that measures TV and video content ratings and is a very useful function in management (a very important segment for the measurements that have been made)
• Level 8 - Monitoring system - TV and video monitoring system, as well as monitoring of the terminal equipment (Set Top Boxes) located on the end-user side.
Figure 3 shows the IPTV/VoIP service model of the Telecom operator, on which the implementation of the ISO 20000-1:2011 and ISO 27001:2013 standards, as well as all reference measurements, was carried out.
Figure 3. Reference model used for research
V. IMPLEMENTATION OF IT SERVICE MANAGEMENT SYSTEM IN THE REFERENCE MODEL
The implementation of the ISO 20000 standard processes, together with the set of activities, metrics and measurement results, is shown in the table below [3] [4]:
TABLE 1: APPLICATION OF ISO 20000 STANDARD IN THE BUSINESS ENVIRONMENT OF IPTV/VOIP SERVICE OF TELECOM OPERATOR

| The name of process | Activities needed for the implementation | Key Performance Indicator (KPI) | KPI Result (percentage of the measured value) |
|---|---|---|---|
| Budgeting & Accounting | Implementation of modules for: budgeting, billing and accounting | Allowed time period needed for the implementation is 90 days | 85% |
| Capacity Management | Realization of capacity plans for: business, IT services and IT components | Allowed percentage of successfully prepared capacity plans | 91% |
| Availability Management | Measurement of the work of IT services through logs on servers | Time period of availability of IT services on all services should be greater than 95% | 92% |
| Service Level Management | Prepare the contracts between all organizational units inside the same company | The percentage of all signed contracts between all organizational units is 90% | 100% |
| Service Reporting | Every month, the IT service report is sent to the company management | The permitted percentage of generated reports sent to the company's management is 99% | 100% |
| Service Catalogue Management | Business catalogue of all IT services and technical catalogue of all IT services were prepared | Updating the business and technical catalogue of the IT service is done regularly on a monthly basis | 100% |
| Information Security Management | Implementation of security policy in practice: logical security, cryptography, security of operations and security of communication | Updating and controlling security policies is done regularly on a monthly basis | 65% |
| Business Relationship Management | Creating modules in the information system for collecting and analyzing complaints coming from users | Percentage of complaints by users resolved in a time period of less than 48 hours | 99% |
| Supplier Management | Creating modules in the information system for collecting bids from suppliers and evaluating offers | Percentage of the procurement process that has been completed in accordance with legal acts and within the allowed time period after the implementation of the module | 97% |
| Incident Management and Request Fulfillment | Implementation of Service Desk tools for analyzing, collecting, processing and solving incidents and requests for service by the user | The percentage of incidents and requests for service resolved within a 48-hour period | 98% |
| Problem Management | Implementation of Service Desk tools for analysis, collection, processing and troubleshooting of problems reported by users | Percentage of problems resolved within a time period of 48h | 100% |
| Release and Deployment Management | Creating a working procedure for implementing new applications, system components, and network components of the IT service | The maximum allowed time period for the implementation of a new application, system component, or network component of the IT service must not exceed the time period of 3 months | 92% |
| Service Asset and Configuration Management | Realization of a database containing information about IT equipment within the company | Percentage of IT components that are included within the database | 91% |
| Change Management | Implementation of the Service Desk tool for analyzing, collecting, processing and solving changes by users | The percentage of changes resolved within the 48-hour period | 97% |
VI. IMPLEMENTATION OF INFORMATION SECURITY MANAGEMENT SYSTEM IN THE REFERENCE MODEL
The implementation of the ISO 27001 standard processes, together with the set of activities, metrics and measurement results, is shown in the table below [5], [6], [7], [8], [9]:
TABLE 2: APPLICATION OF ISO 27001 STANDARD IN THE BUSINESS ENVIRONMENT OF IPTV/VOIP SERVICE OF TELECOM OPERATOR

| The name of process | Activities needed for the implementation | Key Performance Indicator (KPI) | KPI Result (percentage of the measured value) |
|---|---|---|---|
| Logical security | Implementation of employees' identity management modules as well as administrators of their accounts | There is a record of the identities of all employees and their account administrators | 100% |
| Cryptography | All passwords within the information system must be encrypted by an asymmetric algorithm | The percentage of passwords within all information system modules that are encrypted | 99% |
| Security of operations | Create logs that will monitor the operation of each individual module of the information system | Percentage of information system modules that have their logs from which their work can be monitored | 95% |
| Communication security | Create access lists between all IT property components to allow or prohibit the entry of unauthorized persons | The number of security incidents related to unauthorized access must always be zero | 100% |
VII. COMPARISON OF MEASUREMENT RESULTS
All processes within the ISO 20000-1:2011 standard, except for the Information Security Management process, achieved an implementation success above 90%. Only the Information Security Management process achieved an unsatisfactory result of 65% in the measurements.
The processes within the ISO 27001:2013 standard achieved an implementation success of 98.50%, which is a significant and good result. It is evident that the Information Security Management process of the ISO 20000-1:2011 standard achieved a result of 65%, while the processes in ISO 27001:2013 achieved 98.50%, which is more than 33.50% better performance compared to the corresponding process in the ISO 20000 standard [11].
Since ISO 27001:2013 is the reference standard for information security, and since it achieved a satisfactory result on the IPTV/VoIP service model of the Telecom operator, the proposal is to create a new improved model of the ISO 20000-1:2011 standard [12].
The new improved ISO 20000-1:2011 standard model has a completely identical structure and process scheme to the original model shown in Figure 1. In its process scheme the Information Security Management process remains, but it now includes four subprocesses from ISO 27001:2013 that do not exist in the original ISO 20000 standard [14], [15]: logical security, cryptography, security of operations, and communication security. For all four subprocesses a second round of measurements is carried out, using the same measurements that were completed in the first round.
The original scientific contribution achieved through this work is a new enhanced model of the IT Service Management System based on the ISO 20000-1:2011 standard. The new improved ISO 20000 standard is improved only in the field of the Information Security Management process [10]. Recommendations for improving the existing ISO 20000 standard are taken from the standard that defines information security management in detail (ISO 27001:2013). A new Information Security Management process has been added with four subprocesses [14]: Logical security, Cryptography, Security of operations and Communication security.
Then the implementation of the new ISO 20000-1:2011 standard on the same reference model was done through the same key performance indicators, to see the newly achieved result:
TABLE 3: IMPLEMENTATION OF THE NEW IMPROVED ISO 20000 STANDARD MODEL ON THE IPTV/VOIP SERVICE MODEL

| The name of process | Activities needed for the implementation | Key Performance Indicator (KPI) | KPI Result (percentage of the measured value) |
|---|---|---|---|
| Budgeting & Accounting | Implementation of modules for: budgeting, billing and accounting | Allowed time period needed for the implementation is 90 days | 85% |
| Capacity Management | Realization of capacity plans for: business, IT services and IT components | Allowed percentage of successfully prepared capacity plans | 91% |
| Availability Management | Measurement of the work of IT services through logs on servers | Time period of availability of IT services on all services should be greater than 95% | 92% |
| Service Level Management | Prepare the contracts between all organizational units inside the same company | The percentage of all signed contracts between all organizational units is 90% | 100% |
| Service Reporting | Every month, the IT service report is sent to the company management | The permitted percentage of generated reports sent to the company's management is 99% | 100% |
| Service Catalogue Management | Business catalogue of all IT services and technical catalogue of all IT services were prepared | Updating the business and technical catalogue of the IT service is done regularly on a monthly basis | 100% |
| Information Security Management: Logical security | Implementation of employees' identity management modules as well as administrators of their accounts | There is a record of the identities of all employees and their account administrators | 100% |
| Information Security Management: Cryptography | All passwords within the information system must be encrypted by an asymmetric algorithm | The percentage of passwords within all information system modules that are encrypted | 99% |
| Information Security Management: Security of operations | Create logs that will monitor the operation of each individual module of the information system | Percentage of information system modules that have their logs from which their work can be monitored | 95% |
| Information Security Management: Communication security | Create access lists between all IT property components to allow or prohibit the entry of unauthorized persons | The number of security incidents related to unauthorized access must always be zero | 100% |
| Business Relationship Management | Creating modules in the information system for collecting and analyzing complaints coming from users | Percentage of complaints by users resolved in a time period of less than 48 hours | 99% |
| Supplier Management | Creating modules in the information system for collecting bids from suppliers and evaluating offers | Percentage of the procurement process that has been completed in accordance with legal acts and within the allowed time period after the implementation of the module | 97% |
| Incident Management and Request Fulfillment | Implementation of Service Desk tools for analyzing, collecting, processing and solving incidents and requests for service by the user | The percentage of incidents and requests for service resolved within a 48-hour period | 98% |
| Problem Management | Implementation of Service Desk tools for analysis, collection, processing and troubleshooting of problems reported by users | Percentage of problems resolved within a time period of 48h | 100% |
| Release and Deployment Management | Creating a working procedure for implementing new applications, system components, and network components of the IT service | The maximum allowed time period for the implementation of a new application, system component, or network component of the IT service must not exceed the time period of 3 months | 92% |
| Service Asset and Configuration Management | Realization of a database containing information about IT equipment within the company | Percentage of IT components that are included within the database | 91% |
| Change Management | Implementation of the Service Desk tool for analyzing, collecting, processing and solving changes by users | The percentage of changes resolved within the 48-hour period | 97% |
VIII. CONCLUSION
The Information Security Management process with its four subprocesses achieved a final implementation result of 98.50%, which is more than 33.50% higher implementation success compared to the 65% result achieved in the first measurement. All other processes from the ISO 20000-1:2011 standard achieved an identical result to the first measurement [10], [11].
From this it is quite evident that a new improved model of ISO 20000-1:2011 for the Information Security Management process has been created based on the recommendations and key activities of the ISO 27001:2013 standard. The new enhanced model was created on the Telecom operator's IPTV/VoIP service model [10].
The next research in this field must rely on other reference models. Examples of other reference models that can be considered for research include: an Enterprise Resource Planning System for a production company, a Service Desk system for a waterworks, a Customer Relationship Management System at a company for production and distribution of electrical energy, and a Document Management System for IT companies [11]. If these studies achieve a satisfactory result such as the one achieved on the IPTV/VoIP service reference model, then ISO will have all the elements to revise the existing ISO 20000-1:2011 standard in the field of Information Security Management [12]. Figure 4 shows the new improved model of the ISO 20000 standard, which at the same time represents the original scientific result of this work, produced through the completed measurements.
Figure 4. New improved model of ISO 20000-1:2011 standard
IX. REFERENCES
[1] IEEE Standard – Adoption of ISO/IEC 20000-2:2012, Information technology – Service management – Part 2: Guidance on the application of service management systems, 2013, pp. 1–105.
[2] K. Begic, A. Tanovic, Improvement of implementation of ISO-IEC 20000 Edition 2 standard in IT systems of Telecom operator through comparison with ITIL V3 best practices, TELFOR, Beograd, 2012.
[3] M. Brenner, T. Schaaf, A. Scherer, Towards an information model for ITIL and ISO/IEC 20000 processes, 2009 IFIP/IEEE International Symposium on Integrated Network Management, 2009, pp. 113–116.
[4] J. Dugmore, BS 15000 to ISO/IEC 20000: What difference does it make?, 2006, Volume 48, Issue 3.
[5] K. Peciña, R. Estremera, A. Bilbao, E. Bilbao, Physical and Logical Security management organization model based on ISO 31000 and ISO 27001, 2011, pp. 1–5.
[6] L. Rukh, A. A. Malik, Swiss army knife of software processes: generic framework of ISO 27001 and its mapping on resource management, 2017, pp. 12–15.
[7] J. Velasco, R. Ullauri, L. Pilicita, B. Jácome, P. Saa, O. Moscoso-Zea, Benefits of Implementing an ISMS According to the ISO 27001 Standard in the Ecuadorian Manufacturing Industry, 2018 International Conference on Information Systems and Computer Science (INCISCOS), pp. 294–300.
[8] K. I. Alshitri, A. N. Abanumy, Exploring the Reasons behind the Low ISO 27001 Adoption in Public Organizations in Saudi Arabia, 2014 International Conference on Information Science & Applications (ICISA), pp. 1–4.
[9] S. Bayona, W. Chauca, M. Lopez, C. Maldonado, ISO/IEC 27001 implementation in public organizations: A case study, 2015 10th Iberian Conference on Information Systems and Technologies (CISTI), pp. 1–6.
[10] J. Dugmore, BS 15000 to ISO 20000: What difference does it make?, ITNOW Conference 2016, Volume 48, 2016, pp. 30–36.
[11] M. Lepmets, E. Ras, A. Renault, A Quality Measurement Framework for IT Services, Annual SRII Global Conference, 2011, pp. 767–774.
[12] J. H. Deutscher, C. Felden, Model Concept to Determine the Optimal Maturity of IT Service Management Processes, Eighth IEEE/ACIS International Conference on Computer and Information Science, 2009, pp. 543–548.
[13] C. Hsu, T. Wang, A. Lu, The Impact of ISO 27001 Certification on Firm Performance, 49th Hawaii International Conference on System Sciences (HICSS), 2016, pp. 4842–4848.
[14] M. Abu Talib, A. Khelifi, T. Ugurlu, Using ISO 27001 in teaching information security, IECON 2012 – 38th Annual Conference on IEEE Industrial Electronics Society, 2012, pp. 3149–3153.
[15] M. Pereira de Silva, R. Miranda de Barros, Maturity Model of Information Security for Software Developers, IEEE Latin America Transactions, vol. 15, 2017, pp. 1994–1999.