Standardization of IT Processes
Irshadh Rasheed, Ernst & Young
6-Sep-2013
Can you imagine a world without standards?
A few in our daily life
A lot more in everyday life that we are not conscious of
More important in Technology
• Monitors
• Storage Devices
• Processors
• Hard Disks
• Communication protocols
• Communication medium
Name anything in technology and you will find standards
Why Standardization?
Users / Consumers
• Easier life
• Compatibility & reusability
• Lower prices
• Better quality
• Trust & confidence
Industry – Products
• Larger market with fewer varieties
• Increases productivity & efficiency
• Increased competition
Industry – Processes
• Internal benchmarking against best practices
• Compatibility / compliance
• Time / effort savings
• Gaining competitive advantage
• Assurance of smooth communications
• Corporate cultures / loyalty
IT Standards
• IT Infrastructure
– Hardware
– Software
– Applications
• Data
• IT Processes
– Software Development
– Service Delivery
– Information Security
– Risk & Governance
Standardization – Level, Industry & Area
IT Processes Pyramid & Standards
• IT Governance: CobiT, ISO 38500
• ISO 20000, ISO 22301
• ISO 27001
• & many more
Who develops IT Standards
IT Governance: ISO 38500
ISO 20000: IT Service Management
ISO 20000 is the international standard for IT Service Management (ITSM) published by the International Organization for Standardization (ISO).
The standard ISO 20000 consists of two parts:
► Part 1: Specification
► Part 2: Code of Practice
ISO/IEC 20000-1 (Part 1 – Specification) promotes the adoption of an integrated process approach to effectively deliver managed services to meet the business and customer requirements.
ISO/IEC 20000-2 (Part 2 – Code of Practice) represents an industry consensus on quality standards for IT service management processes.
Service Management System (SMS)
• Management responsibility
• Establish SMS
• Governance of processes operated by other parties
• Documentation management
• Resource management
• Design and transition of new or changed services
• Service delivery processes
– Capacity management
– Service level management
– Information security management
– Service continuity and availability management
– Service reporting
– Budgeting and accounting for services
• Relationship processes
– Business relationship management
– Supplier management
• Resolution processes
– Incident and service request management
– Problem management
• Control processes
– Configuration management
– Change management
– Release and deployment management
ISO 27000: Information Security
ISO 27002
Clauses / control objectives (domains addressed)
► Security policy
► Organization of Information Security
► Asset management
► Human resources security
► Physical and environmental security
► Communications and operations management
► Access control
► Information systems acquisition, development and maintenance
► Information Security incident management
► Business continuity management
► Compliance
ISO 27001 System
ISO 27003 – Implementation Guide
ISO 27004 – Security Measurements
ISO 27005 – Risk Management
ISO 22301: Business Continuity Management
• Clause 1 – Scope
• Clause 2 – Normative references
• Clause 3 – Terms and definitions
• Clause 4 – Context of the organization (Plan)
• Clause 5 – Leadership (Plan)
• Clause 6 – Planning (Plan)
• Clause 7 – Support (Plan)
• Clause 8 – Operation (Do)
• Clause 9 – Performance evaluation (Check)
• Clause 10 – Improvement (Act)
A Typical ISO 27001 certification roadmap (roadmap diagram; step labels below)
• Management support for information security
• Develop / update existing IS policies & procedures (ISPP)
• Develop implementation plan for rollout of ISPP
• Information security awareness rollout
• Implement the identified controls as per SOA
• Develop implementation plan for observations
• ISO 27001 pre-certification assessment
• Define ISO 27001 certification scope
• Perform risk assessment and develop SOA
• Update ISPP as per Statement of Applicability (if required); develop L1 documentation
• Setup PMO to manage the roll-out of ISPP
• Implementation of the ISPP as per implementation plan
• ISMS effectiveness and implementation check
• ISO 27001 certification audit
• KPI and ISMS effectiveness audit
• Surveillance audit every 6 months
Benefits of Implementing IT Standards
• Improving the quality, responsiveness and reliability
• Improving the achievability, predictability and repeatability of outcomes
• Reducing risks, incidents and project failures
• Increased efficiencies and reduced costs
• Enhanced compliance and respect from regulators
• Trust & confidence to all stakeholders
Benefits of Implementing – ISO 27001
An organization’s case
Benefits of Implementing – ISO 20000
• SLA compliance to resolution 60% to 92%
• Customer satisfaction 74% to 90%
• Customer calls reduced from 300 to 50
An organization’s case
Standardization of IT Processes
ISO 20000 process areas
1. Incident management
► Identification and logging of calls
► Incident classification, categorization and prioritization
► Incident investigation and diagnosis
► Resolution and recovery of incidents
► Incident closure
► Periodic analysis and reporting of incidents
2. Problem management
► Problem detection and logging
► Problem classification and prioritization
► Problem investigation and diagnosis
► Error control
► Closure of problems
► Proactive identification and management of problems (proactive problem management)
► Periodic analysis and reporting of problems
► Periodic status updates to the relevant stakeholders
3. Change management
► Change request initiation, logging, validation and approval
► Impact assessment, change categorization and prioritization
► Change Advisory Board (CAB) approvals
► Change planning and scheduling
► Change building and testing
► Post Implementation Review (PIR)
► Roll-back of changes
► Change closure, analysis and reporting
4. Release management
► Release policy development
► Release planning and preparation
► Release building and testing
► Release transfer, deployment and retirement
► Release monitoring and verification
► Release closure
ISO 20000 process areas
5. Configuration management
► Identification of the configuration items (CI)
► Managing control of CI
► Status accounting and reporting of CI
► Verification and audit of CI
► Periodic backup and housekeeping of CI
6. Service level management
► Design of the service level agreement framework
► Identification and agreement with business (service beneficiary) on the service requirements and expectations
► Monitoring and reporting of service performance
► Periodic review and improvement of agreed service
► Identification and implementation of the process improvements
► Periodic review of service level agreement and contract
7. Business relationship management
► Service catalogue development
► Service level agreement (SLA) development facilitation
► Service review meeting facilitation
► Customer satisfaction survey
► Complaint management process
► Periodic review of the service catalogue
8. Supplier management
► Design of the supplier risk management framework
► Identification and selection of supplier
► Assessment of the supplier risk, project risk and contract risk
► Formulation of supplier contracts
► Management of contractual disputes
► Periodic review of supplier performance
► Periodic review of supplier contracts
ISO 20000 process areas
9. Service reporting
► Defining the service report
► Periodic analysis of the service data
► Periodic preparation and circulation of the service report
► Periodic review and improvement of agreed service
10. Capacity management
► Identification of current capacity and performance
► Capacity plan development
► Monitoring, forecasting and tuning
► Assess, agree and document new requirements and capacity
► Planning new capacity
11. Service continuity and availability management
► Perform business impact analysis (BIA)
► Develop business continuity strategy
► Develop business continuity plans
► Develop IT continuity plan(s)
► Review and testing of IT continuity plan(s)
► Training for IT continuity
► Availability monitoring and reporting
12. Budgeting and accounting of IT services
► Budgeting and accounting policy
► IT budgeting
► IT accounting and costing
► Financial review
13. Information security management
► Information security policy
► Information security risk management
► Security controls management
► Information security incidents management
► Security audits
