Presentation on theme: "Dr. Julian Lo Consulting Director ITIL v3 Expert"— Presentation transcript:
1 Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert
2 Agenda
Measure IT Capabilities by using ISO Standards (ISO20000 & ISO27001)
Implementation Approach
Challenges
Suggestions and Considerations
Conclusion – What you can get from it
3 What are the IT Capabilities?
The capabilities take the form of functions, processes & procedures.
The capabilities represent an IT organization’s capacity, competency, and confidence for action.
Without these capabilities, an IT organization is merely a bundle of un-coordinated resources.
Do you want to measure your IT organization’s Capabilities?
4 Standard
Provides a measurable set of best-practice benchmarks common across organizations.
Compliance to the standards demonstrates that benchmarks have been attained.
Standards are auditable and assessable by independent and authorized auditors.
ISO20000 and ISO27001 are the standards.
5 What is ISO20000?
ISO20000 is the international standard for IT service management.
“It describes an integrated set of management processes for the effective delivery of services to the business and its customers.”
Closely follows the ITIL framework.
While individuals are ITIL certified, organizations are ISO20000 certified.
(Figure: ISO20000 Target; Code of Practice; ITIL Framework; Own IT Policies, Processes and Procedures)
6 Requirements of ISO20000
An organization must be able to demonstrate it has “Management Control” of each of the ISO processes.
So what is “Management Control”?
Knowledge and control of the inputs
Knowledge, use and interpretation of the outputs
Definition and measurement of metrics
Demonstration of objective evidence of accountability for process functionality
Definition, measurement and review of process improvements
(Figure: Input, Output, Activity, Goal, Measure, Norms)
7 Use of Scope for ISO20000 Certification
The scope of the delivered services must be described in a scope statement for certification.
A service provider can get certification for: a) part or all of the services that it delivers; b) a specific country or customer.
The scope statement validates the certification for a specific situation.
(Figure: Service A, Service B, Service C, Service D; Procedures, Plans, Service Level, KPI)
To start an ISO20000 certification project, you first need to define the scoping statement. You decide which of your delivered services are going to obtain ISO20000 status. Obviously, you don’t need to certify all the services you deliver. The good thing is that you can easily control the resources and time frame required for the certification process and quickly demonstrate the benefit of enforcing such a standard.
8 Four aspects to be looked into
People: Who? How? What (R&R)? Culture.
Process & Procedures: The applicable ones.
Product: The supporting, facilitating, auxiliary pieces.
Partner: With whom to team up? E.g. suppliers.
9 Conformance
Roles and Responsibilities are clearly defined.
Policy, Process and Procedure documents are established.
Plans are developed to check and measure performance.
Data is recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out.
10 Process Conformance and Maturity Target (0 – 5 point scale)
12 Reasons to take a phased approach
Seamless integration to minimize the interruptions of IT operation.
Better visibility into issues while enabling sufficient time to refine processes.
13 What is ISO27001?
Leading International Standard for Information Security Management.
A comprehensive set of controls comprising best practices in information security.
Risk-management based.
Its purpose is to protect the confidentiality, integrity and availability of information.
Confidentiality: Protecting sensitive information from unauthorized disclosure or interception.
Integrity: Safeguarding the accuracy and completeness of information.
Availability: Ensuring that information and vital services are available to users when required.
14 ISO27001 Requirements
Plan: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization’s overall policies and objectives.
Do: Implement and operate the ISMS policy, controls, processes and procedures.
Check: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.
16 ISO27001 Implementation Roadmap
Phase 1 – Planning, Gap Assessment, Training
Phase 2 – System Development and Documentation
Phase 3 – System Implementation
Phase 4 – Certification Audit
(Figure: activities across the phases; the column layout was lost in extraction)
Understand existing procedures
Identify key gaps
Prepare Project Plan
Define Roles & Responsibilities
Conduct Training & Workshops
Define documentation hierarchy
Develop required documentation
Review established documents
Obtain approval from authorized personnel
Workshops for promotion
Train up delegate as internal auditor
Mentor IT Management to review
Conduct internal audit
Provide direction to rectify issues
External certification audit
17 Major Differences and Similarities (ISO20000 vs ISO27001)
ISO27001 focuses on protection of information and related assets.
ISO20000 focuses on the quality of service delivery.
Common Areas:
PDCA and management system
Continuity planning
Incident management and change management
Capacity management
Information security
Third party and supplier management
18 Timeframe
For ISO20000:
Maturity range of : approximately 18 – 24 months
Maturity range of 2 – 3 : approximately months
A large maturity gap will require additional resourcing to close the gap in a workable timeframe.
For ISO27001:
Small Organization (10 – 50 Employees): up to 8 months
Mid-size Organization (50 – 500 Employees): up to 12 months
Large Organization (over 500 Employees): up to 18 months
19 Key Challenges
Maturity can be difficult to attain across all processes.
Effort to produce and review documentation and records.
Conflict between productivity and service/information security qualities.
Changing to a culture of collaborative working.
20 Suggestions and Considerations
ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants.
Start with an assessment and develop a roadmap.
Communicate the benefits and provide adequate training.
To work smarter, you need tools to facilitate.
For those not seeking certification: use ISO20000 and ISO27001 as the guides.
21 Conclusion – What you can get from it
ISO20000 and ISO27001 provide an auditable method to assess IT Service and Security quality and conformance.
Assist organizations to enforce process compliance.
Provide clear evidence that ITSM and Information Security qualities are taken seriously.
ISO20000 and ISO27001 set the process marks at which ITIL and Information Security implementation should aim and against which it should be measured.
A method of review and assessment that is linked to continuous service and information security improvement.
22 IT Consulting
Dr. Julian Lo, Consulting Director
julian.lo@igsl-group