Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001) Dr. Julian Lo Consulting Director ITIL v3 Expert


Post on 25-Feb-2016


Description: Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001). Dr. Julian Lo, Consulting Director, ITIL v3 Expert. Agenda: Measure IT Capabilities by using ISO Standards; Implementation Approach; Challenges; Suggestions and Considerations. PowerPoint PPT presentation.

Page 1: Implementation Approach to  IT Service Management (ISO 20000) & Security Management (ISO 27001)

Dr. Julian Lo, Consulting Director, ITIL v3 Expert

Page 2: Agenda

Measure IT Capabilities by using ISO Standards

Implementation Approach

Challenges

Suggestions and Considerations

Conclusion – What you can get from it

ISO20000 & ISO27001

Page 3: What are the IT Capabilities?

The capabilities take the form of functions, processes & procedures.

The capabilities represent an IT organization’s capacity, competency, and confidence for action.

Without these capabilities, an IT organization is merely a bundle of un-coordinated resources.

Do you want to measure your IT organization’s Capabilities?

Page 4: Standard

Provide a measurable set of best practice benchmarks common across organizations

Compliance to the standards demonstrates that benchmarks have been attained

Standards are auditable and assessable by independent and authorized auditors

ISO20000 and ISO27001 are the standards

Page 5: What is ISO20000?

ISO20000 is the international standard for IT service management. “It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”

Closely follows the ITIL framework.

While individuals are ITIL certified, organizations are ISO20000 certified.

Diagram (ISO20000 Target), layers as labelled on the slide: ISO20000; Code of Practice; ITIL Framework; Own IT Policies, Processes and Procedures.

Page 6: Requirements of ISO20000

An organization must be able to demonstrate it has “Management Control” of each of the ISO 20000 processes.

So what is “Management Control”?

Knowledge and control of the inputs

Knowledge, use and interpretation of the outputs

Definition and measurement of metrics

Demonstration of objective evidence of accountability for process functionality

Definition, measurement and review of process improvements

Diagram: Input → Activity → Activity → Activity → Output, with Goal, Measure and Norms applied to the process.

Page 7: Use of Scope for ISO20000 Certification

The scope of the delivered services must be described in a scope statement for certification. A service provider can get certification for: a) part of all services that it delivers; b) a specific country or customer. The scope statement validates the certification for a specific situation.

Diagram: services in scope (Service A, Service B, Service C, Service D) mapped against Procedures, Plans, Service Level and KPI.

Page 8: Four aspects to be looked into

People: Who? How? What (R&R)? Culture.

Process & Procedures: The applicable ones

Product: The supporting, facilitating, auxiliary piece

And Partner: With whom to team up? E.g. suppliers

Page 9: Conformance

Roles and Responsibilities are clearly defined

Policy, Process and Procedure documents established

Plans are developed to check and measure performance

Data recorded to prove that process operatives have followed the established policies and procedures, and reviews have been carried out

Page 10: Process Conformance and Maturity

Chart: Overview of Compliance with ISO/IEC 20000 against Target. Each clause is scored on a 0 – 5 point scale (axis ticks 0 to 5 in steps of 0.5). Clauses assessed:

4.1 & 4.2 Management Responsibility & Governance

4.3 Documentation Requirements

4.4 Resources on Competence, Awareness & Training

4.5.1 and 4.5.2 Scope and Plan for SMS (PLAN)

4.5.3 Implement and operate SMS (DO)

4.5.4 Monitor & Review SMS - Internal Audit (CHECK)

4.5.5 Maintain & Improve SMS (ACT)

5 Design and Transition of New or Changed Services

6.1 Service Level Management

6.2 Service Reporting

6.3 Service Continuity and Availability Management

6.4 Budgeting and Accounting for IT Services

6.5 Capacity Management

6.6 Information Security Management

7.1 Business Relationship Management

7.2 Supplier Management

8.1 Incident Management

8.2 Problem Management

9.1 Configuration Management

9.2 Change Management

10.1 Release Management

Page 11: ISO20000 Implementation Roadmap

Roadmap diagram, labels as recovered from the slide:

Phase 0: Gap Analysis – Assessment, Project Start-Up & Tool Selections

Phase 1: User Support – Incident Mgmt; Service Desk; Service Catalog; Service Reporting; ITSM Policy; Doc. Control

Phase 2: Release & Control – Change Mgmt; Configuration Mgmt - CMDB; Release Mgmt; Business Relationship; Service Reporting; ITSM Plan; Skills Assess.; Supplier Mgmt

Phase 3: Service Delivery – Capacity Mgmt; Continuity & Availability; Service Reporting; CSI

Phase 4: Customer & CSI – Service Level Mgmt; Service Design; IT Budget & Accounting; Configuration Mgmt - CMDB; Service Reporting; CSI

Other labels on the diagram: Management of Change; Review & Internal Audit; Quick Win; Service Support Completed; ISO20000; Configuration Mgmt; Problem Mgmt; Knowledge

Page 12: Reasons to take phase approach

Seamless integration to minimize the interruptions of IT operation

Better visibility into issues while enabling sufficient time to refine processes

Page 13: What is ISO27001?

Leading International Standard for Information Security Management

A comprehensive set of controls comprising best practices in information security

Risk-management based

Its purpose is to protect the confidentiality, integrity and availability of information

Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.

Integrity: Safeguarding the accuracy and completeness of information.

Availability: Ensuring that information and vital services are available to users when required.

Diagram: Information Security, with Confidentiality, Integrity and Availability as its three elements.

Page 14: ISO27001 Requirements

Page 15: ISO27001 includes the following Controls

Page 16: ISO27001 Implementation Roadmap

Phase 1 – Planning, Gap Assessment, Training: Understand existing procedures; Identify key gaps; Prepare Project Plan; Define Roles & Responsibilities; Conduct Training & Workshops

Phase 2 – System Development and Documentation: Define documentation hierarchy; Develop required documentation; Review established documents; Obtain approval from authorized personnel; Workshops for promotion

Phase 3 – System Implementation: Train up delegate as internal auditor; Mentor IT Management to review; Conduct internal audit; Provide direction to rectify issues

Phase 4 – Certification Audit: External certification audit

Page 17: ISO20000 - ISO27001 Major Differences and Similarities

ISO27001 focuses on protection of information and related assets

ISO20000 focuses on the quality of service delivery

Common Areas: PDCA and management system; Continuity planning; Incident management and change management; Capacity management; Information security; Third party and supplier management

Page 18: Timeframe

For ISO20000:

Maturity range of 1 – 1.5: approximately 18 – 24 months

Maturity range of 2 – 3: approximately 6 – 12 months

A large maturity gap will require additional resourcing to close the gap in a workable timeframe

For ISO27001:

Small Organization (10 – 50 Employees): up to 8 months

Mid-size Organization (50 – 500 Employees): up to 12 months

Large Organization (over 500 Employees): up to 18 months

Page 19: Key Challenges

Maturity can be difficult to attain across all processes

Effort to produce and review documentation and records

Conflict between productivity and service/information security qualities

Changing to a culture of collaborative working

Page 20: Suggestions and Considerations

ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen. So you need help and advice from consultants

Start with an assessment and develop a roadmap

Communicate the benefits and provide adequate training

To work smarter, you need tools to facilitate

For those not seeking certification – use ISO20000 and ISO27001 as the guides

Page 21: Conclusion – What you can get from it

ISO20000 and ISO27001 provide an auditable method to assess IT Service and Security quality and conformance

Assists organizations to enforce process compliance

Provides clear evidence that ITSM and Information Security qualities are taken seriously

ISO 20000 and ISO27001 set the process marks for which ITIL and Information security implementation should aim and be measured

A method of review and assessment that is linked to continuous service and information security improvement

Page 22: IT Consulting

Dr. Julian Lo, Consulting Director

[email protected]