
Dr. Julian Lo Consulting Director ITIL v3 Expert


1 Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert

2 Agenda
- ISO20000 & ISO27001
- Measure IT Capabilities by using ISO Standards
- Implementation Approach
- Challenges
- Suggestions and Considerations
- Conclusion – What you can get from it

3 What are the IT Capabilities?
- The capabilities take the form of functions, processes and procedures.
- The capabilities represent an IT organization's capacity, competency and confidence for action.
- Without these capabilities, an IT organization is merely a bundle of uncoordinated resources.
Do you want to measure your IT organization's capabilities?

4 Standard
- Provides a measurable set of best-practice benchmarks common across organizations
- Compliance with the standards demonstrates that the benchmarks have been attained
- Standards are auditable and assessable by independent and authorized auditors
- ISO20000 and ISO27001 are the standards

5 What is ISO20000?
- ISO20000 is the international standard for IT service management.
- "It describes an integrated set of management processes for the effective delivery of services to the business and its customers."
- Closely follows the ITIL framework.
- While individuals are ITIL certified, organizations are ISO20000 certified.
Diagram: ISO20000 (target) – Code of Practice – ITIL Framework – Own IT Policies, Processes and Procedures

6 Requirements of ISO20000
An organization must be able to demonstrate it has "Management Control" of each of the ISO processes.
So what is "Management Control"?
- Knowledge and control of the inputs
- Knowledge, use and interpretation of the outputs
- Definition and measurement of metrics
- Demonstration of objective evidence of accountability for process functionality
- Definition, measurement and review of process improvements
Diagram: Input – Activity – Output; Goal – Measure – Norms

7 Use of Scope for ISO20000 Certification
The scope of the delivered services must be described in a scope statement for certification. A service provider can get certification for:
a) part or all of the services that it delivers
b) a specific country or customer.
The scope statement validates the certification for a specific situation.
To start an ISO20000 certification project, you first need to define the scoping statement: you decide which of the services you deliver will obtain ISO20000 status. You do not need to certify every service you deliver. The advantage is that you can easily control the resources and time frame required for the certification process and quickly demonstrate the benefit of enforcing such a standard.
Diagram: Service A, Service B, Service C, Service D – Procedures, Plans, Service Level, KPI

8 Four aspects to be looked into
- People: Who? How? What (R&R)? Culture.
- Process & Procedures: The applicable ones
- Product: The supporting, facilitating, auxiliary piece
- Partner: With whom to team up? e.g. suppliers

9 Conformance
- Roles and responsibilities are clearly defined
- Policy, process and procedure documents established
- Plans are developed to check and measure performance
- Data recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out

10 Process Conformance and Maturity
Chart: target maturity per process on a 0 – 5 point scale

11 ISO20000 Implementation Roadmap
- Phase 0: Gap Analysis Assessment, Project Start-Up & Tool Selections
- Phase 1: User Support – Incident Mgmt, Service Desk, Service Catalog, Service Reporting, ITSM Policy, Doc. Control
- Phase 2: Release & Control – Change Mgmt, Configuration Mgmt (CMDB), Release Mgmt, Business Relationship, Service Reporting, ITSM Plan, Skills Assessment
- Phase 3: Service Delivery – Capacity Mgmt, Continuity & Availability, Service Reporting, CSI, Review & Internal Audit, Management of Change
- Phase 4: Customer & CSI – Service Level Mgmt, Service Design, IT Budget & Accounting, Configuration Mgmt (CMDB), Service Reporting, CSI, Supplier Mgmt
Also shown on the roadmap: Configuration Mgmt, Problem Mgmt, Knowledge; milestones: Quick Win, Service Support Completed, ISO20000

12 Reasons to take a phased approach
- Seamless integration to minimize interruptions to IT operations
- Better visibility into issues while allowing sufficient time to refine processes

13 What is ISO27001?
- Leading international standard for Information Security Management
- A comprehensive set of controls comprising best practices in information security
- Risk-management based
- Its purpose is to protect the confidentiality, integrity and availability of information
Information Security:
- Confidentiality: protecting sensitive information from unauthorized disclosure or interception.
- Integrity: safeguarding the accuracy and completeness of information.
- Availability: ensuring that information and vital services are available to users when required.

14 ISO27001 Requirements
- Plan: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security to deliver results in accordance with an organization's overall policies and objectives.
- Do: Implement and operate the ISMS policy, controls, processes and procedures.
- Check: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience and report the results to management for review.
- Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

15 ISO27001 includes the following controls
Chart: ISO27001 control areas

16 ISO27001 Implementation Roadmap
- Phase 1 – Planning, Gap Assessment, Training
- Phase 2 – System Development and Documentation
- Phase 3 – System Implementation
- Phase 4 – Certification Audit
Activities across the phases:
- Understand existing procedures
- Identify key gaps
- Prepare project plan
- Define roles & responsibilities
- Conduct training & workshops
- Define documentation hierarchy
- Develop required documentation
- Review established documents
- Obtain approval from authorized personnel
- Workshops for promotion
- Train up delegate as internal auditor
- Mentor IT management to review
- Conduct internal audit
- Provide direction to rectify issues
- External certification audit

17 Major Differences and Similarities
- ISO27001 focuses on protection of information and related assets
- ISO20000 focuses on the quality of service delivery
Common areas:
- PDCA and management system
- Continuity planning
- Incident management and change management
- Capacity management
- Information security
- Third party and supplier management

18 Timeframe
For ISO20000:
- Maturity range of : approximately 18 – 24 months
- Maturity range of 2 – 3 : approximately months
- A large maturity gap will require additional resourcing to close the gap in a workable timeframe
For ISO27001:
- Small organization (10 – 50 employees): up to 8 months
- Mid-size organization (50 – 500 employees): up to 12 months
- Large organization (over 500 employees): up to 18 months

19 Key Challenges
- Maturity can be difficult to attain across all processes
- Effort to produce and review documentation and records
- Conflict between productivity and service/information security qualities
- Changing to a culture of collaborative working

20 Suggestions and Considerations
- ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants
- Start with an assessment and develop a roadmap
- Communicate the benefits and provide adequate training
- To work smarter, you need tools to facilitate
- For those not seeking certification – use ISO and ISO27001 as the guides

21 Conclusion – What you can get from it
- ISO20000 and ISO27001 provide an auditable method to assess IT service and security quality and conformance
- Assist organizations to enforce process compliance
- Provide clear evidence that ITSM and information security qualities are taken seriously
- ISO and ISO27001 set the process marks at which ITIL and information security implementation should aim and against which it should be measured
- A method of review and assessment that is linked to continuous service and information security improvement

22 IT Consulting
Dr. Julian Lo, Consulting Director
julian.lo@igsl-group
