ISO 9001, ISO 27001, ISO 20000 and ITIL Ana Meskovska, QISM Trajkovski & Partners Consulting Ohrid, May 2009
May 13, 2015
If you don’t want to help yourself, no one can
Importance of the ICT standards
Overview of the ISO standards relevant for ICT industry
Integration of the ISO standards relevant for ICT
12.05.2009 2
Increased use of standards and best practices (such as ISO 20000, ITIL, ISO 27001 etc.)
Key drivers: business requirements for improved performance, and the need for increased control over IT activities.
Resulting effect from increased use of standards and best practices - moving from ad hoc and chaotic approaches to IT, to defined and managed processes.
IT best practices are important because:
they help enable effective governance of IT activities
management of IT is critical to the success of enterprise strategy
a management framework is needed so everyone knows what to do (policy, internal controls and defined practices)
they provide many benefits, including efficiency gains, less reliance on experts, fewer errors, increased trust from business partners, respect from regulators etc.
Costly and unfocused if they are treated as purely technical guidance.
Effective if they are applied within the business context, focusing on providing benefits to the organisation.
The focus of IT governance is directing the IT best practices to align to business and governance requirements rather than technical requirements.
Senior business and IT managers should understand the value of IT best practices and how to implement them.
Implementation of best practices should be:
tailored, prioritised and planned to achieve effective use
appropriate for the organisation
consistent with the organization’s risk management
integrated with other methods and practices that are being used
The ISO standards are structured to be integrated into any organization's existing management system
The goal of ISO standards is meeting and exceeding customers’ expectations.
The ISO standards are compatible among themselves
Benefits from ISO certification:
Increasing customer expectations and confidence
Documenting and measuring quality
Using consistent terminology and processes
Implementing continual improvement initiatives
Say what you do
Do what you say
Prove it
Improve it!
Quality management system – Requirements
Introduces the Quality Management System, a model for continual improvement and customer satisfaction
Suitable for any organization looking to improve the way it is operated and managed, regardless of size or sector.
It helps bring out the best in the organization by enabling understanding of the processes for delivering products/services to the customers.
IT service management is concerned with delivering and supporting IT services that are appropriate to the business requirements of the organisation.
ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management and related processes
Promotes a quality approach for achieving business effectiveness and efficiency in the use of IS.
The generic processes described in ITIL promote best practice and may be used as a basis for achieving certification for the international standard—ISO/IEC 20000.
Part 1: Information technology – Service management – Specification
Part 2: Information technology – Service management – Code of Practice
Promotes the adoption of an integrated process approach to effectively deliver managed services that meet business and customer requirements
Information technology – Security techniques – Information Security Management Systems – Requirements
Provides information to responsible parties for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
Designed to ensure adequate security controls to protect information assets, to document the ISMS, and to give confidence to customers and interested parties
Standards and best practices are not a panacea
Effectiveness of standards depends on how they have been actually implemented and kept up to date.
IT best practices need to be:
aligned to business requirements
integrated with one another
integrated with internal procedures, i.e. the existing management system of the organisation.
Management system - framework of processes and procedures used in an organization
A management system exists to bring benefit to the organization in which it is used.
From a business perspective there should be only one management system.
The aim should therefore be to develop a cohesive system that supports the day-to-day operations and delivers what the organization needs.
Integrated management system – IMS integrates all components of a business into one coherent system to enable the achievement of its purpose and mission.
Aim - delivering the organization’s needs in the simplest and most effective manner.
Integration of management systems should be carefully planned and implemented in a balanced way.
An IMS can consist of many different international standards, depending on the industry and the needs of the company.
Important for an effective IMS:
set a solid and comprehensive framework for the IMS, onto which the different standards relevant for the company can be added;
choose the standards and best practices that are important and relevant for the organization;
plan the implementation process;
implement the standards and best practices gradually.
[Diagram labels: ISO 20000, ISO 9001:2000, ISO 27001]
• ISO 27001:2005
4. Information Security Management System
4.1 General Requirements
4.2 Establishing and managing the ISMS
4.2.1 Establish the ISMS
4.2.2 Implement and operate the ISMS
4.2.3 Monitor and review the ISMS
4.2.4 Maintain and improve the ISMS
4.3 Documentation Requirements
4.3.1 General
4.3.2 Control of documents
4.3.3 Control of records
• ISO 9001:2008
4. Quality Management System
4.1 General Requirements
8.2.3 Monitoring and measurement of processes
8.2.4 Monitoring and measurement of products
4.2 Documentation Requirements
4.2.1 General
4.2.2 Quality manual
4.2.3 Control of documents
4.2.4 Control of records
• ISO 20000:2005
3.1 Management responsibility
3.2 Documentation requirements
3.3 Competence, Awareness and Training
4.1 Plan service management
4.3 Monitoring, measuring and Reviewing
• ISO 9001:2000
5. Management commitment
4.2 Documentation requirements
6.2.2 Competence, Awareness and Training
7. Planning of product realization
8.2.2 Internal audit
8.2.3 Monitoring and measuring Processes
PAS 99:2006 Specification of common management system requirements as a framework for integration
Specification issued by BSI
“Recognised” by Certification Bodies
Purpose - help your organization to achieve benefits from integrating the common requirements of all your management system standards and specifications, and managing these requirements effectively.
To optimize the operational process of the various common standards used
To reduce duplication and bureaucracy
To reduce processes and procedures
To realise internal cost savings
To improve efficiency and effectiveness of the organization