Dr. Julian Lo Consulting Director ITIL v3 Expert


Implementation Approach to IT Service Management (ISO 20000) & Security Management (ISO 27001)
Dr. Julian Lo, Consulting Director, ITIL v3 Expert

Agenda
- Measure IT capabilities by using ISO standards: ISO 20000 & ISO 27001
- Implementation approach
- Challenges
- Suggestions and considerations
- Conclusion: what you can get from it

What are the IT Capabilities?
- The capabilities take the form of functions, processes and procedures.
- The capabilities represent an IT organization's capacity, competency and confidence for action.
- Without these capabilities, an IT organization is merely a bundle of un-coordinated resources.
- Do you want to measure your IT organization's capabilities?

Standards
- Provide a measurable set of best-practice benchmarks common across organizations.
- Compliance with the standards demonstrates that the benchmarks have been attained.
- Standards are auditable and assessable by independent, authorized auditors.
- ISO 20000 and ISO 27001 are the standards discussed here.

What is ISO 20000?
- ISO 20000 is the international standard for IT service management. "It describes an integrated set of management processes for the effective delivery of services to the business and its customers."
- It closely follows the ITIL framework.
- Individuals are ITIL certified; organizations are ISO 20000 certified.
(Slide diagram, layered from top to bottom: ISO 20000 target; code of practice; ITIL framework; the organization's own IT policies, processes and procedures.)

Requirements of ISO 20000
An organization must be able to demonstrate that it has "management control" of each of the ISO 20000 processes. So what is "management control"?
- Knowledge and control of the inputs
- Knowledge, use and interpretation of the outputs
- Definition and measurement of metrics
- Demonstration of objective evidence of accountability for process functionality
- Definition, measurement and review of process improvements
(Slide diagram of a process: input, activity, output, with goal, measure and norms applied to it.)

Use of Scope for ISO 20000 Certification
- The scope of the delivered services must be described in a scope statement for certification.
- A service provider can get certification for (a) part or all of the services that it delivers, or (b) a specific country or customer.
- The scope statement limits the certification to a specific situation.
Speaker notes: To start an ISO 20000 certification project, you first need to define the scope statement. You decide which of the delivered services will be taken to ISO 20000 status; you do not need to certify every service you deliver. The benefit is that you can control the resources and time frame required for the certification process and quickly demonstrate the value of enforcing the standard.
(Slide diagram: Services A, B, C and D, with their procedures, plans, service levels and KPIs, against the certification scope.)

Four aspects to be looked into
- People: who? how? what roles and responsibilities? culture
- Process and procedures: the applicable ones
- Product: the supporting, facilitating, auxiliary pieces
- Partner: with whom to team up? e.g. suppliers

Conformance
- Roles and responsibilities are clearly defined.
- Policy, process and procedure documents are established.
- Plans are developed to check and measure performance.
- Data is recorded to prove that process operatives have followed the established policies and procedures, and that reviews have been carried out.

Process Conformance and Maturity Target
(Slide chart: per-process conformance and maturity scored on a 0 to 5 point scale against the target.)

ISO 20000 Implementation Roadmap
(Slide diagram, reconstructed; the labels below are listed in the order they appear under each phase.)
- Phase 0: Gap analysis assessment, project start-up and tool selection
- Phase 1: User support: Incident Mgmt, Service Desk, Service Catalog, Service Reporting, ITSM Policy, Document Control
- Phase 2: Release and control: Change Mgmt, Configuration Mgmt (CMDB), Release Mgmt, Business Relationship, Service Reporting, ITSM Plan, Skills Assessment
- Phase 3: Service delivery: Capacity Mgmt, Continuity and Availability, Service Reporting, CSI, Review and Internal Audit, Management of Change
- Phase 4: Customer and CSI: Service Level Mgmt, Service Design, IT Budget and Accounting, Configuration Mgmt (CMDB), Service Reporting, CSI, Supplier Mgmt
Other labels on the diagram: Configuration Mgmt, Problem Mgmt, Knowledge; milestones "Quick Win", "Service Support Completed" and "ISO 20000".

Reasons to take a phased approach
- Seamless integration, to minimize interruptions to IT operations
- Better visibility into issues, while allowing sufficient time to refine processes

What is ISO 27001?
- The leading international standard for information security management
- A comprehensive set of controls comprising best practices in information security
- Risk-management based
- Its purpose is to protect the confidentiality, integrity and availability of information:
  - Confidentiality: protecting sensitive information from unauthorized disclosure or interception.
  - Integrity: safeguarding the accuracy and completeness of information.
  - Availability: ensuring that information and vital services are available to users when required.

ISO 27001 Requirements (PDCA)
- Plan: Establish ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with the organization's overall policies and objectives.
- Do: Implement and operate the ISMS policy, controls, processes and procedures.
- Check: Assess and, where applicable, measure process performance against ISMS policy, objectives and practical experience, and report the results to management for review.
- Act: Take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

ISO 27001 includes the controls below
(Slide figure listing the control areas; the list itself is not in the transcript.)

ISO 27001 Implementation Roadmap
- Phase 1: Planning, gap assessment, training
- Phase 2: System development and documentation
- Phase 3: System implementation
- Phase 4: Certification audit
Activities shown on the slide under the phases (the phase columns did not survive extraction): understand existing procedures; identify key gaps; prepare project plan; define roles and responsibilities; conduct training and workshops; define documentation hierarchy; develop required documentation; review established documents; obtain approval from authorized personnel; workshops for promotion; train up a delegate as internal auditor; mentor IT management to review; conduct internal audit; provide direction to rectify issues; external certification audit.

Major Differences and Similarities: ISO 20000 and ISO 27001
- ISO 27001 focuses on protection of information and related assets.
- ISO 20000 focuses on the quality of service delivery.
Common areas:
- PDCA and management system
- Continuity planning
- Incident management and change management
- Capacity management
- Information security
- Third-party and supplier management

Timeframe
For ISO 20000 (by current process maturity):
- Maturity range 1 to 1.5: approximately 18 to 24 months
- Maturity range 2 to 3: approximately 6 to 12 months
- A large maturity gap will require additional resourcing to close the gap in a workable timeframe.
For ISO 27001 (by organization size):
- Small organization, 10 to 50 employees: up to 8 months
- Mid-size organization, 50 to 500 employees: up to 12 months
- Large organization, over 500 employees: up to 18 months

Key Challenges
- Maturity can be difficult to attain across all processes.
- Effort to produce and review documentation and records.
- Conflict between productivity and service/information security quality.
- Changing to a culture of collaborative working.

Suggestions and Considerations
- ISO 20000 and ISO 27001 provide guidance on what should happen, but not on how to make it happen, so you need help and advice from consultants.
- Start with an assessment and develop a roadmap.
- Communicate the benefits and provide adequate training.
- To work smarter, you need tools to facilitate the processes.
- For those not seeking certification: use ISO 20000 and ISO 27001 as guides.

Conclusion: What you can get from it
- ISO 20000 and ISO 27001 provide an auditable method to assess IT service and security quality and conformance.
- They assist organizations in enforcing process compliance.
- They provide clear evidence that ITSM and information security quality are taken seriously.
- ISO 20000 and ISO 27001 set the process marks at which ITIL and information security implementations should aim and against which they should be measured.
- They offer a method of review and assessment that is linked to continual service and information security improvement.

IT Consulting
Dr. Julian Lo, Consulting Director
julian.lo@igsl-group.com