Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert

Agenda
- ISO20000 & ISO27001
- Measure IT capabilities by using ISO standards
- Implementation approach
- Challenges
- Suggestions and considerations
- Conclusion – What you can get from it

What are the IT Capabilities?
- The capabilities take the form of functions, processes and procedures.
- The capabilities represent an IT organization's capacity, competency, and confidence for action.
- Without these capabilities, an IT organization is merely a bundle of uncoordinated resources.

Do you want to measure your IT organization's capabilities?
- Standards provide a measurable set of best-practice benchmarks common across organizations.
- Compliance with the standards demonstrates that the benchmarks have been attained.
- Standards are auditable and assessable by independent and authorized auditors.
- ISO20000 and ISO27001 are the standards.

What is ISO20000?
- ISO20000 is the international standard for IT service management. "It describes an integrated set of management processes for the effective delivery of services to the business and its customers."
- It closely follows the ITIL framework.
- While individuals are ITIL certified, organizations are ISO20000 certified.
- [Diagram: layers building from an organization's own IT policies, processes and procedures, through the ITIL framework and the ISO20000 Code of Practice, up to the ISO20000 target.]

Requirements of ISO20000
- An organization must be able to demonstrate that it has "Management Control" of each of the ISO 20000 processes.

So what is "Management Control"?
- Knowledge and control of the inputs
- Knowledge, use and interpretation of the outputs
- Definition and measurement of metrics
- Demonstration of objective evidence of accountability for process functionality
- Definition, measurement and review of process improvements
- [Diagram: Input → Activity (with its activity goal) → Output, with norms against which the activity is measured and the use made of the output.]

Scope for ISO20000 Certification
- The scope of the delivered services must be described in a scope statement for certification.
- A service provider can get certification for:
  a) part of all services that it delivers
  b) a specific country or customer.
- The scope statement validates the certification for a specific situation.
- [Diagram: Services A to D mapped against procedures, plans, service levels and KPIs.]

Four aspects to be looked into
- People: Who? How? What (roles and responsibilities)? Culture.
- Process & Procedures: the applicable ones.
- Product: the supporting, facilitating, auxiliary pieces.
- Partner: with whom to team up? E.g. suppliers.

Conformance
- Roles and responsibilities are clearly defined.
- Policy, process and procedure documents are established.
- Plans are developed to check and measure performance.
- Data is recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out.

Process Conformance and Maturity
- Target: 0–5 point scale
- [Chart: Overview of Compliance with ISO/IEC 20000, maturity scored per process on a 0–5 scale in steps of 0.5.]

ISO20000 Implementation Roadmap
- Phase 0: Gap Analysis
- Phase 1: User Support
- Phase 2: Release & Control
- Phase 3: Service Delivery
- Phase 4: Customer & CSI
- [Roadmap diagram: processes and work items placed across the phases include Assessment, Project Start-Up & Tool Selections, Skills Assessment, Service Desk, Incident Mgmt, Problem Mgmt, Knowledge, Configuration Mgmt (CMDB), Change Mgmt, Release Mgmt, Management of Change, Document Control, Quick Win, Service Support Completed, Service Catalog, Service Design, Service Level Mgmt, Capacity Mgmt, Continuity & Availability, IT Budget & Accounting, Service Reporting, ITSM Policy, ITSM Plan, Business Relationship, Supplier Mgmt, CSI, CSI Review & Internal Audit, and ISO20000 certification.]

Reasons to take a phased approach
- Seamless integration to minimize the interruptions to IT operation
- Better visibility into issues while allowing sufficient time to refine processes

What is ISO27001?
- Leading international standard for Information Security Management
- A comprehensive set of controls comprising best practices in information security
- Risk-management based
- Its purpose is to protect the confidentiality, integrity and availability of information.

Information Security
- Confidentiality: protecting sensitive information from unauthorized disclosure or interception.
- Integrity: safeguarding the accuracy and completeness of information.
- Availability: ensuring that information and vital services are available to users when required.

ISO27001 Requirements
- ISO27001 includes the controls below.

ISO27001 Implementation Roadmap
- Phase 1 – Planning, Gap Assessment, Training: understand existing procedures; identify key gaps; prepare the project plan; define roles & responsibilities.
- Phase 2 – System Development and Documentation: define the documentation hierarchy; develop the required documentation; review established documents; obtain approval from authorized personnel.
- Phase 3 – System Implementation: workshops for promotion; train up a delegate as internal auditor; mentor IT management to review; conduct training & workshops.
- Phase 4 – Certification Audit: conduct an internal audit; provide direction to rectify issues; external certification audit.

ISO20000 - ISO27001 Major Differences and Similarities
- ISO27001 focuses on the protection of information and related assets.
- ISO20000 focuses on the quality of service delivery.
- Common areas: PDCA and the management system; continuity planning; incident management and change management; capacity management; information security; third-party and supplier management.

Timeframe
- For ISO20000: maturity range of 1 – 1.5: approximately 18 – 24 months; maturity range of 2 – 3: approximately 6 – 12 months. A large maturity gap will require additional resourcing to close the gap in a workable timeframe.
- For ISO27001: small organization (10 – 50 employees): up to 8 months; mid-size organization (50 – 500 employees): up to 12 months; large organization (over 500 employees): up to 18 months.

Key Challenges
- Maturity can be difficult to attain across all processes.
- Effort to produce and review documentation and records.
- Conflict between productivity and service/information security qualities.
- Changing to a culture of collaborative working.

Suggestions and Considerations
- ISO20000 and ISO27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants.
- Start with an assessment and develop a roadmap.
- Communicate the benefits and provide adequate training.
- To work smarter, you need tools to facilitate the work.
- For those not seeking certification: use ISO 20000 and ISO27001 as guides.

Conclusion – What you can get from it
- ISO20000 and ISO27001 provide an auditable method to assess IT service and security quality and conformance.
- They assist organizations in enforcing process compliance.
- They provide clear evidence that ITSM and information security qualities are taken seriously.
- ISO 20000 and ISO27001 set the process marks at which ITIL and information security implementation should aim and against which it should be measured.
- They give a method of review and assessment that is linked to continuous service and information security improvement.

IT Consulting
Dr. Julian Lo, Consulting Director
[email protected]