A world without standards is a road to chaos, and IT processes are no exception. This presentation gives a friendly, non-technical introduction to the IT standards ISO 27001, ISO 20000, CobiT and ISO 38500.
3. A few in our daily life
Many more in everyday life that we are not even conscious of.
4. More important in Technology
• Monitors
• Storage Devices
• Processors
• Hard Disks
• Communication protocols
• Communication medium
Name anything in technology and you will find standards behind it.
5. Why Standardization?
Users / Consumers
• Easier life
• Compatibility & reusability
• Lower prices
• Better quality
• Trust & confidence
Industry – Products
• Larger market with fewer varieties
• Increased productivity & efficiency
• Increased competition
Industry – Processes
• Internal benchmarking against best practices
• Compatibility / compliance
• Time / effort savings
• Gaining competitive advantage
• Assurance of smooth communications
• Corporate culture / loyalty
6. IT Standards
• IT Infrastructure
– Hardware
– Software
– Applications
• Data
• IT Processes
– Software Development
– Service Delivery
– Information Security
– Risk & Governance
11. ISO 20000: IT Service Management
ISO/IEC 20000 is the international standard for IT Service Management (ITSM), published jointly by the International Organization for Standardization (ISO) and the IEC.
The standard has two core parts:
► Part 1: Specification (the auditable requirements against which an organization is certified)
► Part 2: Code of Practice (guidance on meeting Part 1)
These are the titles from the 2005 edition; the 2011/2012 revision renamed them "Service management system requirements" and "Guidance on the application of service management systems", keeping the same split between requirements and guidance.
ISO/IEC 20000-1 promotes the adoption of an integrated process approach to effectively deliver managed services that meet business and customer requirements.
ISO/IEC 20000-2 represents industry consensus on good practice for IT service management processes.
Service Management System (SMS): the structure ISO/IEC 20000-1 uses to group the processes
► Management responsibility: establish the SMS; governance of processes operated by other parties; documentation management; resource management
► Design and transition of new or changed services
► Service delivery processes: capacity management; service level management; information security management; service continuity and availability management; service reporting; budgeting and accounting for services
► Relationship processes: business relationship management; supplier management
► Resolution processes: incident and service request management; problem management
► Control processes: configuration management; change management; release and deployment management
12. ISO 27000: Information Security
ISO 27002 – Code of practice: control objectives (domains addressed)
► Security policy
► Organization of information security
► Asset management
► Human resources security
► Physical and environmental security
► Communications and operations management
► Access control
► Information systems acquisition, development and maintenance
► Information security incident management
► Business continuity management
► Compliance
ISO 27001 – ISMS requirements (the certifiable standard)
ISO 27003 – Implementation guidance
ISO 27004 – Security measurements
ISO 27005 – Risk management
14. A typical ISO 27001 certification roadmap
1. Obtain management support for information security
2. Define the ISO 27001 certification scope
3. Perform risk assessment and develop the Statement of Applicability (SOA)
4. Develop or update the existing information security policies & procedures (ISPP)
5. Update the ISPP as per the SOA (if required); develop L1 documentation
6. Develop the implementation plan for the rollout of the ISPP
7. Set up a PMO to manage the roll-out of the ISPP
8. Information security awareness rollout
9. Implement the ISPP as per the implementation plan
10. Implement the controls identified in the SOA
11. ISMS effectiveness and implementation check
12. ISO 27001 pre-certification assessment
13. Develop an implementation plan for the observations raised
14. ISO 27001 certification audit
15. KPI and ISMS effectiveness audit, followed by a surveillance audit every 6 months
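The risk assessment and Statement of Applicability step is the part of the roadmap that is most often done on paper without a repeatable method. The following is an added example, not code from the presentation, of a qualitative ISO 27005-style assessment feeding a SOA: the likelihood and impact scales, the acceptance level, the control IDs, their assumed effect on likelihood and the sample risks are all constructed assumptions; only the control domain names come from the ISO 27002 list on the slide.

```python
"""Qualitative risk assessment feeding a Statement of Applicability (SoA).

Added illustration, not part of the presentation: scales, acceptance level,
control IDs, their assumed effect and the sample risks are all constructed.
Only the control domain names are taken from the ISO/IEC 27002 list on the slide.
"""
from dataclasses import dataclass

# Assumed qualitative scales, 1 (low) to 5 (high); risk score = likelihood x impact.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}
RISK_ACCEPTANCE_LEVEL = 8  # assumed: management accepts any risk scoring 8 or below

# Candidate controls (IDs and effects are assumptions). "domain" is the ISO/IEC 27002
# domain from the slide; "likelihood_reduction" is how many levels the control is
# assumed to remove from the threat's likelihood once implemented.
CONTROLS = {
    "AC-01": {"domain": "Access control",
              "name": "Role-based access with quarterly review", "likelihood_reduction": 2},
    "HR-01": {"domain": "Human resources security",
              "name": "Security awareness training", "likelihood_reduction": 1},
    "OPS-01": {"domain": "Communications and operations management",
               "name": "Tested off-site backups", "likelihood_reduction": 1},
    "PHY-01": {"domain": "Physical and environmental security",
               "name": "Logged badge access to the server room", "likelihood_reduction": 2},
    "DEV-01": {"domain": "Information systems acquisition, development and maintenance",
               "name": "Secure development lifecycle", "likelihood_reduction": 1},
}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: str
    impact: str
    candidate_controls: tuple = ()


def inherent_score(risk):
    """Risk score before any treatment."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def residual_score(risk):
    """Risk score assuming the candidate controls are implemented (likelihood floor is 1)."""
    reduction = sum(CONTROLS[c]["likelihood_reduction"] for c in risk.candidate_controls)
    likelihood = max(1, LIKELIHOOD[risk.likelihood] - reduction)
    return likelihood * IMPACT[risk.impact]


def treatment(risk):
    """Decide the treatment option for one risk.

    accept            inherent risk already within the acceptance level
    mitigate          candidate controls bring residual risk within the level
    mitigate+signoff  controls help but residual risk stays above the level, so
                      management must formally accept the remainder or avoid/transfer
    avoid/transfer    no candidate control at all
    """
    if inherent_score(risk) <= RISK_ACCEPTANCE_LEVEL:
        return "accept"
    if not risk.candidate_controls:
        return "avoid/transfer"
    return "mitigate" if residual_score(risk) <= RISK_ACCEPTANCE_LEVEL else "mitigate+signoff"


def risk_register(risks):
    """Risk register rows, highest inherent risk first."""
    rows = [{"asset": r.asset, "threat": r.threat, "inherent": inherent_score(r),
             "residual": residual_score(r), "treatment": treatment(r)} for r in risks]
    return sorted(rows, key=lambda row: row["inherent"], reverse=True)


def statement_of_applicability(risks):
    """For every control: applicable or not, with the risks that justify selecting it.

    A control is applicable when at least one risk treated by mitigation lists it;
    otherwise the SoA records it as excluded with a reason.
    """
    soa = {}
    for cid, ctl in CONTROLS.items():
        justified_by = sorted(f"{r.asset}: {r.threat}" for r in risks
                              if treatment(r).startswith("mitigate") and cid in r.candidate_controls)
        soa[cid] = {"domain": ctl["domain"], "name": ctl["name"], "applicable": bool(justified_by),
                    "justification": justified_by or ["no risk above the acceptance level requires it"]}
    return soa


# Constructed sample risks for the illustration.
SAMPLE_RISKS = (
    Risk("Customer database", "unauthorised access by insider", "possible", "major", ("AC-01", "HR-01")),
    Risk("File server", "data loss from disk failure", "likely", "moderate", ("OPS-01",)),
    Risk("Intranet wiki", "defacement", "unlikely", "minor", ("AC-01",)),
    Risk("Server room", "unauthorised physical entry", "possible", "severe", ("PHY-01",)),
)

if __name__ == "__main__":
    for row in risk_register(SAMPLE_RISKS):
        print(f"{row['inherent']:>2} -> {row['residual']:>2}  {row['treatment']:<17} {row['asset']}: {row['threat']}")
    for cid, entry in statement_of_applicability(SAMPLE_RISKS).items():
        print(f"{cid} [{entry['domain']}] applicable={entry['applicable']} because {entry['justification']}")
```

Two details matter for an auditor: a risk that scores within the acceptance level does not justify a control (the wiki risk lists AC-01 but does not make it applicable on its own), and a control that reduces but does not eliminate an unacceptable risk still goes into the SOA while the residual risk is recorded for management sign-off rather than silently treated as closed.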
15. Benefits of Implementing IT Standards
• Improved quality, responsiveness and reliability of IT services
• Improved achievability, predictability and repeatability of outcomes
• Reduced risks, incidents and project failures
• Increased efficiency and reduced costs
• Enhanced compliance and standing with regulators
• Trust & confidence for all stakeholders
17. Benefits of Implementing ISO 20000 (one organization's case)
• SLA compliance to resolution improved from 60% to 92%
• Customer satisfaction rose from 74% to 90%
• Customer calls reduced from 300 to 50
19. ISO 20000 process areas
1. Incident management
► Identification and logging of calls
► Incident classification, categorization and prioritization
► Incident investigation and diagnosis
► Resolution and recovery of incidents
► Incident closure
► Periodic analysis and reporting of incidents
2. Problem management
► Problem detection and logging
► Problem classification and prioritization
► Problem investigation and diagnosis
► Error control
► Closure of problems
► Proactive identification and management of problems
(Proactive problem management)
► Periodic analysis and reporting of problems
► Periodic status updates to the relevant stakeholders
3. Change management
► Change request initiation, logging, validation and
approval
► Impact assessment, change categorization and
prioritization
► Change Advisory Board (CAB) approvals
► Change planning and scheduling
► Change building and testing
► Post Implementation Review (PIR)
► Roll-back of changes
► Change closure, analysis and reporting
4. Release management
► Release policy development
► Release planning and preparation
► Release building and testing
► Release transfer, deployment and retirement
► Release monitoring and verification
► Release closure
20. ISO 20000 process areas
5. Configuration management
► Identification of the configuration items (CI)
► Managing control of CI
► Status accounting and reporting of CI
► Verification and audit of CI
► Periodic backup and housekeeping of CI
6. Service level management
► Design of the service level agreement framework
► Identification and agreement with business (service
beneficiary) on the service requirements and
expectations
► Monitoring and reporting of service performance
► Periodic review and improvement of agreed service
► Identification and implementation of the process
improvements
► Periodic review of service level agreement and
contract
7. Business Relationship management
► Service catalogue development
► Service level agreement (SLA) development facilitation
► Service review meeting facilitation
► Customer satisfaction survey
► Complaint management process
► Periodic review of the service catalogue
8. Supplier management
► Design of the supplier risk management framework
► Identification and selection of supplier
► Assessment of the supplier risk, project risk and
contract risk
► Formulation of supplier contracts
► Management of contractual disputes
► Periodic review of supplier performance
► Periodic review of supplier contracts
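"Monitoring and reporting of service performance" under service level management (item 6 above) is what produces the SLA compliance-to-resolution figure quoted on the benefits slide. The following is an added example, not code from the presentation, that computes that figure from an incident export; the priority targets, the timestamps and the ticket records are constructed for illustration. It also handles the case a naive report gets wrong: tickets that are still open but already past their target are breaches, while open tickets still within target are excluded rather than counted as met.

```python
"""SLA compliance-to-resolution report from an incident log.

Added illustration, not from the presentation: the targets and the incident
records are constructed; an organisation substitutes its own SLA table and
ticketing export. Open incidents are handled explicitly so the figure is not
inflated by tickets that have simply not been closed yet.
"""
from datetime import datetime, timedelta

# Assumed resolution targets per priority, in hours.
RESOLUTION_TARGET_HOURS = {"P1": 4, "P2": 8, "P3": 24, "P4": 72}

# Constructed incident export (shape of a typical ticketing-tool CSV/JSON dump):
# ISO 8601 timestamps; "resolved" is None while the ticket is still open.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "priority": "P1", "opened": "2024-03-01T06:00", "resolved": "2024-03-01T09:00"},
    {"id": "INC-2", "priority": "P1", "opened": "2024-03-01T05:00", "resolved": "2024-03-01T10:00"},
    {"id": "INC-3", "priority": "P2", "opened": "2024-02-29T20:00", "resolved": "2024-03-01T02:00"},
    {"id": "INC-4", "priority": "P3", "opened": "2024-02-29T08:00", "resolved": None},
    {"id": "INC-5", "priority": "P3", "opened": "2024-03-01T00:00", "resolved": None},
    {"id": "INC-6", "priority": "P4", "opened": "2024-02-27T12:00", "resolved": "2024-02-29T12:00"},
    {"id": "INC-7", "priority": "P2", "opened": "2024-03-01T09:00", "resolved": "2024-03-01T11:30"},
    {"id": "INC-8", "priority": "P3", "opened": "2024-02-28T00:00", "resolved": "2024-02-29T06:00"},
]
REPORT_TIME = datetime(2024, 3, 1, 12, 0)  # assumed moment the report is generated


def incident_status(inc, now):
    """Classify one incident against its target: 'met', 'breached' or 'open'.

    An unresolved ticket is 'open' (not yet measured) only while its target is
    still in the future; once the target has passed it is a breach even though
    it has not been closed.
    """
    opened = datetime.fromisoformat(inc["opened"])
    target = opened + timedelta(hours=RESOLUTION_TARGET_HOURS[inc["priority"]])
    if inc["resolved"] is not None:
        return "met" if datetime.fromisoformat(inc["resolved"]) <= target else "breached"
    return "breached" if now > target else "open"


def sla_report(incidents, now):
    """Compliance percentage over measured (met + breached) incidents, plus breakdowns."""
    counts = {"met": 0, "breached": 0, "open": 0}
    breaches_by_priority = {}
    breached_ids = []
    for inc in incidents:
        status = incident_status(inc, now)
        counts[status] += 1
        if status == "breached":
            breaches_by_priority[inc["priority"]] = breaches_by_priority.get(inc["priority"], 0) + 1
            breached_ids.append(inc["id"])
    measured = counts["met"] + counts["breached"]
    compliance = round(100.0 * counts["met"] / measured, 1) if measured else None
    return {"compliance_pct": compliance, **counts,
            "breaches_by_priority": breaches_by_priority, "breached_ids": breached_ids}


if __name__ == "__main__":
    report = sla_report(SAMPLE_INCIDENTS, REPORT_TIME)
    print(f"SLA compliance to resolution: {report['compliance_pct']}% "
          f"({report['met']} met, {report['breached']} breached, {report['open']} open within target)")
    print("Breaches by priority:", report["breaches_by_priority"], "tickets:", report["breached_ids"])
```

The per-priority breakdown is what a service review meeting actually acts on: a compliance figure of 57% says little on its own, whereas "two P3 breaches and one P1 breach" points at where the resolution process (or the targets themselves) need revisiting, which is the periodic review and improvement loop the standard asks for.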
21. ISO 20000 process areas
9. Service reporting
► Defining the service report
► Periodic analysis of the service data
► Periodic preparation and circulation of the service report
► Periodic review and improvement of agreed service
10. Capacity management
► Identification of current capacity and performance
► Capacity plan development
► Monitoring, forecasting and tuning
► Assess, agree and document new requirements and capacity
► Planning new capacity
11. Service continuity and availability management
► Perform business impact analysis (BIA)
► Develop business continuity strategy
► Develop business continuity plans
► Develop IT continuity plan(s)
► Review and testing of IT continuity plan(s)
► Training for IT continuity
► Availability monitoring and reporting
12. Budgeting and accounting of IT services
► Budgeting and accounting policy
► IT budgeting
► IT accounting and costing
► Financial review
13. Information security management
► Information security policy
► Information security risk management
► Security controls management
► Information security incident management
► Security audits