Presentation, Bari, March 2015
TRANSCRIPT
AENOR
CONFORMITY ASSESSMENT and CERTIFICATION
Table of Contents
1. Introduction
2. What is AENOR ICT?
3. Data center concept
4. ICTs as management support and innovation in business
5. AENOR ISO framework in ICT
6. IT risks and solutions: solutions to the risks in the ISO Dynamic Framework for ICT
7. Pilots in ICT
8. Certification process
1. Introduction: What is AENOR? AENOR and ICTs

AENOR is one of the most prestigious and internationally recognized certification and standardization bodies; its purpose is to contribute to improving the quality of products and services and to protecting the environment.
It has currently issued around 40,000 certificates, valid in more than 40 countries, which attest to the conformity of management systems, products and services.
AENOR's values are: independence, objectivity, impartiality, professionalism and increasing the value of our clients.
Presence in international bodies
AENOR is a member of the main international standardization and certification bodies.
STANDARDIZATION:
International Organization for Standardization (ISO)
International Electrotechnical Commission (IEC)
Pan American Standards Commission (COPANT)
International Telecommunication Union (ITU)
European Committee for Standardization (CEN)
European Committee for Electrotechnical Standardization (CENELEC)
European Telecommunications Standards Institute (ETSI)
CERTIFICATION:
International Certification Network (IQNet)
AENOR IN THE WORLD: present in 42 countries

GENERAL DATA
Management system certifications in force: 21,783
  Quality: 13,472
  Environment: 5,259
  Safety/security: 2,946
  Social responsibility: 106
Standards developed: 30,548
Inspections: 11,763
Qualified auditors: 900
Environmental verifications and validations: 482
Product and service certifications: 104,000
  Products: 97,541
  Services: 6,481
AENOR's commitment
- To carry out certification and related activities internationally, directly or through its own companies.
- To spread a culture that identifies us as the reference for those seeking excellence.
- To meet the needs of its clients by making internationally recognized services and certificates available.
- To certify companies' products, services and management systems, giving them a differentiating competitive value that helps to promote trade and international cooperation.
- To orient management systems towards the satisfaction of end clients and the active participation of staff, with total quality management criteria, in order to achieve results that guarantee competitive development.
AENOR is made up of more than 900 specialist technicians covering all industrial sectors, able to manage global certification, inspection and training projects in any geographical area.
SECTORS
ICTs; Public administration; Energy; Construction; Tourism and leisure; Food; Transport and logistics; Automotive; Aerospace; Health and social services
What is IQNet
The largest worldwide network of management system certification bodies.
An association founded in 1990, with head office in Switzerland.
AENOR is a founding member.
Made up of the leading certification bodies in each country.
35 members and more than 200 associates.
More than 300,000 certified companies in more than 150 countries.
What is delivered to clients
AENOR, as an IQNet member, issues its own management system certificates together with the internationally recognized IQNet certificate.
Benefits of certification
- Time and cost savings through unified management of certification activities.
- A relationship with a single service provider worldwide.
- Excellent control of the certification of company subsidiaries in any country.
- International recognition of certificates thanks to our IQNet membership.
- Auditors specialized in the activities of the company's management system.
- Certification processes with optimized use of staff and short certificate issue times.
AENOR certification marks and ICTs
Management system certification: IQNet mark (MANAGEMENT SYSTEM)
Information technology marks:
AENOR mark: IT service management, ISO/IEC 20000-1
AENOR mark: Business continuity, ISO 22301
AENOR mark: Software with certified quality, ISO/IEC 25000
AENOR mark: Information security, ISO/IEC 27001
AENOR mark: Software life cycle maturity level, SPICE ISO 15504 / ISO 12207
Dynamic model of ISO governance and management in ICT
Objective: IT governance and management with ISO standards.
(Figure: the ISO Dynamic Framework for ICT, centred on the CIO.)
- IT governance: ISO 38500 (IT governance)
- Software development (DevOps, software creation): SPICE ISO 15504 (software evaluation, improvement and maturity model); ISO 12207 (software development life cycle); ISO 25000 (software product quality)
- Operations / services: ISO 20000-1 (IT service management system); ISO 20000-2 (good practice guide); IT quality and safety in services
- Information security: ISO 27001 (information security management system); ISO 27002 (guide to controls)
- Business continuity: ISO 22301 (business continuity management system); continuity of critical processes
2. Who is AENOR ICTs?
• AENOR ICTs is an area founded in 2004, headquartered in Spain (within the AENOR Development & Research Office).
• Carlos Manuel Fernández and his team developed the ISO Framework for ICT.
• From 2004 to the present day they have certified more than 500 companies in more than 10 countries.
2. IQNet
What is IQNet?
• An association founded in 1990, with head office in Switzerland
• AENOR is a main member
• Made up of leading certification bodies
• 38 members and over 200 subsidiaries
• More than 200,000 certified companies in more than 150 countries.
2. COUNTRIES IN WHICH AENOR HAS GRANTED CERTIFICATES
MORE THAN 59,000 MANAGEMENT SYSTEM AND PRODUCT CERTIFICATES IN MORE THAN 63 COUNTRIES

2. COUNTRIES IN WHICH AENOR HAS GRANTED CERTIFICATES (ICTs)
MORE THAN 500 ISO ICT FRAMEWORK AND PRODUCT CERTIFICATES IN MORE THAN 10 COUNTRIES
- EUROPE: Spain, Germany, Portugal, Poland, Italy, UK.
- USA: Texas.
- LATAM: Argentina, Brazil, Chile, Ecuador, Mexico, Peru.
3. Data center and/or ICT (Information and Communications Technologies)
It is a set of assets and processes:
- People (humanware)
- Systems and technologies (databases, software, applications, hardware, telecommunications, server rooms and infrastructure)
- IT processes (capacity management, security management, supplier management, development management, service management, etc.)
4. ICTs as MANAGEMENT SUPPORT AND INNOVATION IN BUSINESS
(Figure: "New business and tools for business", for CEOs and CIOs. Source: Carlos MF, UPSAM/UPM/UAM/UAH/UNIR.)
- Web 1.0 / Web 2.0 / Web 3.0?; B2C, B2B, Big Data
- Corporate portal, social networks, wikis, BYOD; e-branding, e-mailing, e-learning; GIS, RFID; CRM, ERP, SCM
- Mobility: PDAs, smartphones (BlackBerry / iPhone / HTC)
- BUSINESS PLAN = ICT PLAN (integration and alignment)
- FACTORY OF ICT (new ICT services and operations)
- Cloud computing: SaaS (Software as a Service), IaaS (Infrastructure as a Service), PaaS (Platform as a Service)
- Social, Mobility, Analytics, Cloud
5. IT risks and solutions: solutions to the risks in the ISO Dynamic Framework for ICT
• Risks in information security (ISO 27001)
  - Loss of integrity of the information.
  - Identity spoofing / misuse of roles.
  - Intrusion into information systems.
  - Denial of service (DoS).
  - Leakage of information.
  - Malware (viruses, Trojans, APTs, etc.).
• Risks in IT services (ISO 20000-1)
  - IT services that are undefined and carry no commitments.
  - Breach of SLAs (service level agreements).
  - Services with increased cost.
  - Loss of service and slow recovery.
• Risks in software development (ISO 15504 SPICE)
  - Non-compliance with user requirements.
  - Non-compliance with project planning.
  - No user acceptance testing (sign-off) before final delivery.
  - No traceability from user requirements to source code.
• Risks in IT governance (ISO 38500)
  - ICT plan not aligned with the business plan.
  - Non-compliance with legal requirements.
  - Unmotivated employees.
  - IT purchases not aligned with business needs; excessive costs.
• Risks in business continuity (ISO 22301)
  - Disappearance of the company after a natural disaster or one caused by negligence.
  - No resilience to disasters or serious incidents.
  - Critical processes not identified.
• Risks in software product quality (ISO 25000)
  - Non-compliance with expected functionality.
  - Excessive maintenance costs.
  - Complexity of the software.
© AENOR
6. ISO Dynamic Framework for ICT
(Figure: the ISO Dynamic Framework for ICT diagram, centred on the CIO. Objective: IT governance and management with ISO standards. ISO 38500 for IT governance; SPICE ISO 15504, ISO 12207 and ISO 25000 for software development; ISO 20000-1 and ISO 20000-2 for IT services; ISO 27001 and ISO 27002 for information security; ISO 22301 for business continuity and the continuity of critical processes.)
6. ICT management with business criteria
• Penteo report:
  - Only 21% of CIOs manage the IT department with business criteria
  - 31% of CIOs manage the IT department with technical criteria only
  - 48% manage it with hybrid criteria
• Conclusions:
  - Managers of organizations have a more positive perception of CIOs who apply business criteria: 58% assign them the role of business leaders and contributors
  - Management of ICT improves the positioning of the IS department and the CIO
  - In the future, managers and CIOs will be less technology-focused
  (Survey: 85 CIOs, 36 CEOs and 12 presidents)
6. Timeline of processes in ICT
• 1980s: automate business operations
• 1990s: help desk and budget control
• Late 1990s: e-commerce and marketplaces
• 21st century (ITIL, CMMI, COBIT, ISO, etc.): define, measure and analyze, a continuous improvement cycle; ICT processes increasingly cover product development and innovation
• CIOs become CPOs (Chief Process Officers) integrated with business objectives.
» Source: David Flint, Vice President, Gartner Research (June 2008).
6. How managers understand information systems
• 71% of executives agree that IT is a driver for transforming the business
• 62% believe that ICT should focus on innovation in business processes
• 66% agree that ICTs have made risk management in corporations more complex.
» Source: Ernst & Young study "What's next for the CIO?" (January 2011).
One solution for the governance and management of ICT is the AENOR ISO framework in ICT, which aligns ICT governance and management with business objectives.
7. How does AENOR run pilots?
• Pilots (ISO pilots and new-standard pilots)
  - Study of the standard (AENOR and customers/organizations)
  - Pilot with one or two large organizations (at least one year): implementation by an external consultant and certification by AENOR
  - Pilots with SME associations (because in Spain 90% of organizations are SMEs)
  - Road show around Spain and other countries (e.g. Spain, Portugal, Poland, Mexico City, Peru, Argentina, etc.) by AENOR
  - ENAC accreditation (ENAC is a member of the IAF)
  - Books published by AENOR Ediciones, drawing on the experience of the pilots (e.g. AENOR Ediciones and Start-up: "Guía de Aplicación de la Norma UNE-ISO/IEC 27001 sobre seguridad en Sistema de Información para pymes", etc.)
7. ICT pilots with standards (1 of 2)
• Most relevant milestones, ISO 27001: in the first quarter of 2004, pilot with UNE 71502 with a company in the financial sector (BNP PARIBAS). Currently more than 400 certifications issued (AENOR and IQNet certificate).
• Most relevant milestones, ISO 20000-1: in June 2007, pilots with TELEPHONE SOLUTIONS and EL CORTE INGLES. Currently more than 150 certifications issued (AENOR and IQNet certificate).
• Most relevant milestones, SPICE ISO 15504 / ISO 12207: in March 2008, 21 pilot companies at maturity level 2; study on the relationship between ISO/IEC 15504 SPICE and CMMI-DEV v1.2, subsidized by the Spanish Ministry of Industry. Currently over 50 level 2 and level 3 certifications issued (AENOR certificate).

7. ICT pilots with standards (2 of 2)
• Most relevant milestones, IT governance ISO 38500: in 2010, ISO 38500 pilot with a company in the financial sector (RSI, Rural Computing Service). Currently 1 certified company and several pilots ongoing (AENOR certificate of compliance).
• Most relevant milestones, ISO 22301: in 2010, ISO 22301 pilot with a healthcare company and the financial sector (Sanitas and Credit Bureau (Mexico)). Currently 8 certified companies (AENOR and IQNet certificate).
• Most relevant milestones, ISO 25000: in 2013/2014, pilot with 4 software development companies (BitWare, Enxenio, Sicaman and SER&Practices). AENOR certificate of product conformity (maintainability; functionality ongoing; etc.).
• Most relevant milestones, ISO 29119 software testing: in 2015, under study, with pilots.
8. Certification process according to ISO 17021
Certification audit (ISO 17021):
1. Information from the applicant
2. PHASE 1: AUDIT PLANNING AND STUDY OF DOCUMENTATION (in person); Phase 1 report
3. PHASE 2: PERFORMING THE AUDIT (in person); assessment report and decision; final report; data sheet; scope: "… in accordance with current XXX"
4. PERFORM CORRECTIVE ACTION PLAN (CAP)
5. GRANTING OF CERTIFICATE
6. Maintenance audits of the certification: SURVEILLANCE AUDIT 1 (first year), SURVEILLANCE AUDIT 2 (second year), RECERTIFICATION AUDIT (third year); update the results
8. Accreditation and membership
IQNet: an association founded in 1990, with head office in Switzerland; 38 members and over 200 subsidiaries.
Accreditation: by an independent government entity. AENOR is accredited by ENAC.
8. State of the art: press release, AMETIC (April 2014)
8. Testimonials, ICT Framework, AENOR
- "We have a risk analysis fully adapted to our needs." Luís Lopes, Technical Director, CESCE Soluçoes Informatica, Portugal (Grupo SIA, Spain)
- ISO 27001, ISO 20000-1. Luis Manuel Ortiz, Sales Director, TI América, Mexico: "Certification guarantees our clients that our services are governed by best practices."
- Maximino Álvarez, General Manager, Xtream, Spain. SPICE ISO 15504 / ISO 12207: "The basis of our international growth."
- ISO 22301. Cristo M. Pérez Rosquete, IT Security Area, Sanitas, Spain: "To keep on caring."
- Luis Montalban, CEO, BITWARE, Spain. ISO 15504 + ISO 25000: "The joint application of ISO 15504 and ISO 25000 has brought an improvement in productivity and a 60% saving in software maintenance costs."
- ENS. Carlos Carnicer, President of the Consejo General de la Abogacía Española: "Citizens can trust that their data are managed with security guarantees."
8. Management systems in ICT: a recent history
"Simplicity is the ultimate sophistication." Leonardo da Vinci
AENOR support articles
- Modelo para el Gobierno de las TIC basado en normas ISO. Ed. AENOR, 2012. Carlos Manuel Fernández and Mario Piattini.
- Gestionar las TIC en el siglo XXI. Revista AENOR, no. 278, pp. 26-31, 2013. Carlos Manuel Fernández.
- La norma ISO 27001 del Sistema de Gestión de la Seguridad de la Información. CALIDAD, pp. 40-44, 2012. Carlos Manuel Fernández.
- UNE-ISO/IEC 20000-1. Calidad certificada en los servicios de TI. FORUM CALIDAD, no. 222, June 2011. Carlos Manuel Fernández.
- Calidad y Seguridad en los servicios de las TIC. Revista AENOR, no. 242, 2009. Carlos Manuel Fernández and Boris Delgado.
- Calidad en el desarrollo de SW. Revista AENOR, no. 285, 2013. Carlos Manuel Fernández.
- ISO 22301. Resistir lo extraordinario. Revista AENOR, no. 285, 2013. Carlos Manuel Fernández.
- Calidad en el producto Software. Revista AENOR, no. 288, 2013. Carlos Manuel Fernández.
- A maturity model for the Spanish software industry based on ISO standards. Elsevier, April 2013. Carlos Manuel Fernández et al.
- ISO 27001, un sistema de gestión para los procesos de control industrial. Revista SIC, 2013. Carlos Manuel Fernández and Antonio Carretero.
Library, 21st century: real experiences (more than 500 companies)
Future and conclusions for management systems in ICT
Issues to consider:
• Internal control of information technology is not a passing fashion.
• A management system for ICT helps to manage the internal control of information technology, aligned and integrated with business objectives and with legal and industry compliance.
• Deming cycle, PDCA, the continual improvement cycle.
A new challenge in ICT: "Integrated PDCA of ICT aligned with the business".
Thank you  Merci  Danke  Obrigado  Grazie  Tack  Dzięki  Díky  Kiitos  Thanks  Ačiū  Köszönöm  GRACIAS
Carlos Manuel FERNÁNDEZ, ICT Certification Manager (AENOR)
Associate Professor at the University (UNIR, UPM, UCJC)
AENOR Italia
Bari: Via Che Guevara 1
Torino: Corso Trapani 16
www.aenoritalia.com  Tel. +39 348 82 14 729