ISO 9001, ISO 27001, ISO 20000 and ITIL Ana Meskovska, QISM Trajkovski & Partners Consulting Ohrid, May 2009
Integration of ICT Standards

May 13, 2015

Ana Meskovska

Practical aspects of the connections and relationships between the relevant ICT standards (ISO 9001, ISO 27001, ISO 20000 and ITIL) and their integration.
Contents:
- Importance of the ICT standards
- Overview of the ISO standards relevant for ICT industry
- Integration of the ISO standards relevant for ICT
Transcript
Page 1: Integration of ICT Standards

ISO 9001, ISO 27001, ISO 20000 and ITIL

Ana Meskovska, QISM

Trajkovski & Partners Consulting, Ohrid, May 2009

Page 2: Integration of ICT Standards

If you don’t want to help yourself, no one can

Importance of the ICT standards

Overview of the ISO standards relevant for ICT industry

Integration of the ISO standards relevant for ICT

12.05.2009 2

Page 3: Integration of ICT Standards

Page 4: Integration of ICT Standards

Increased use of standards and best practices (such as ISO 20000, ITIL, ISO 27001 etc. )

Key drivers: business requirements for improved performance; need for increased control over IT activities.

Resulting effect from increased use of standards and best practices - moving from ad hoc and chaotic approaches to IT, to defined and managed processes.

Page 5: Integration of ICT Standards

IT best practices are important because:
- they help enable effective governance of IT activities
- management of IT is critical to the success of enterprise strategy
- a management framework is needed so everyone knows what to do (policy, internal controls and defined practices)
- they provide many benefits - including efficiency gains, less reliance on experts, fewer errors, increased trust from business partners, respect from regulators etc.

Page 6: Integration of ICT Standards

Costly and unfocused if they are treated as purely technical guidance.

Effective if they are applied within the business context, focusing on providing benefits to the organisation.

The focus of IT governance is directing the IT best practices to align to business and governance requirements rather than technical requirements.

Page 7: Integration of ICT Standards

Senior business and IT managers should understand the value of IT best practices and how to implement them.

Implementation of best practices should be:
- tailored, prioritised and planned to achieve effective use
- appropriate for the organisation
- consistent with the organization’s risk management
- integrated with other methods and practices that are being used

Page 8: Integration of ICT Standards

Page 9: Integration of ICT Standards

The ISO standards are structured to be integrated into any organization's existing management system

The goal of ISO standards is meeting and exceeding customers’ expectations.

The ISO standards are compatible among themselves

Benefits from ISO certification:
- Increasing customer expectations and confidence
- Documenting and measuring quality
- Using consistent terminology and processes
- Implementing continual improvement initiatives

Page 10: Integration of ICT Standards

Say what you do

Do what you say

Prove it

Improve it!

Page 11: Integration of ICT Standards

Page 12: Integration of ICT Standards

Quality management system – Requirements

Introduces the Quality Management System, a model for continual improvement and customer satisfaction

Suitable for any organization looking to improve the way it is operated and managed, regardless of size or sector.

It helps bring out the best in an organization by enabling understanding of the processes for delivering products/services to customers.

Page 13: Integration of ICT Standards

IT service management is concerned with delivering and supporting IT services that are appropriate to the business requirements of the organisation.

ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management and related processes

Promotes a quality approach for achieving business effectiveness and efficiency in the use of IS.

The generic processes described in ITIL promote best practice and may be used as a basis for achieving certification for the international standard—ISO/IEC 20000.

Page 14: Integration of ICT Standards

Part 1: Information technology – Service management – Specification

Part 2: Information technology – Service management – Code of Practice

Promotes the adoption of an integrated process approach for effectively delivered managed services to meet the business and customer requirements

Page 15: Integration of ICT Standards

Information technology – Security techniques – Information Security Management Systems – Requirements

Provides information to responsible parties for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.

Designed to ensure adequate security controls to protect information assets, document the ISMS and give confidence to customers and interested parties.

Page 16: Integration of ICT Standards

Page 17: Integration of ICT Standards

Standards and best practices are not a panacea

Effectiveness of standards depends on how they have been actually implemented and kept up to date.

IT best practices need to be:
- aligned to business requirements
- integrated with one another
- integrated with internal procedures, i.e. the existing management system of the organisation.

Page 18: Integration of ICT Standards

Management system - framework of processes and procedures used in an organization

A management system exists to bring benefit to the organization in which it is used.

From a business perspective there should be only one management system.

The aim should therefore be to develop a cohesive system that supports the day-to-day operations and delivers what the organization needs.

Page 19: Integration of ICT Standards

Page 20: Integration of ICT Standards

Integrated management system – IMS integrates all components of a business into one coherent system to enable the achievement of its purpose and mission.

Aim - delivering the organization’s need in the simplest and most effective manner.

Integration of management systems should be carefully planned and implemented in a balanced way.

Page 21: Integration of ICT Standards

Page 22: Integration of ICT Standards

An IMS can consist of many different international standards, depending on the industry and the needs of the company.

Important for an effective IMS:
- set a solid and comprehensive framework for the IMS, on which the different standards relevant for the company can be built up;
- choose the standards and best practices that are important and relevant for the organization;
- plan the implementation process;
- implement the standards and best practices gradually.

Page 23: Integration of ICT Standards

Page 24: Integration of ICT Standards

Page 25: Integration of ICT Standards

[Diagram: relationship between ISO 20000, ISO 9001:2000 and ISO 27001]

Page 26: Integration of ICT Standards

Page 27: Integration of ICT Standards

ISO 27001:2005
- 4. Information Security Management System
- 4.1 General Requirements
- 4.2 Establishing and managing the ISMS
  - 4.2.1 Establish the ISMS
  - 4.2.2 Implement and operate the ISMS
  - 4.2.3 Monitor and review the ISMS
  - 4.2.4 Maintain and improve the ISMS
- 4.3 Documentation Requirements
  - 4.3.1 General
  - 4.3.2 Control of documents
  - 4.3.3 Control of records

ISO 9001:2008
- 4. Quality Management System
- 4.1 General Requirements
- 8.2.3 Monitoring and measurement of processes
- 8.2.4 Monitoring and measurement of products
- 4.2 Documentation Requirements
  - 4.2.1 General
  - 4.2.2 Quality manual
  - 4.2.3 Control of documents
  - 4.2.4 Control of records

Page 28: Integration of ICT Standards

ISO 20000:2005
- 3.1 Management responsibility
- 3.2 Documentation requirements
- 3.3 Competence, awareness and training
- 4.1 Plan service management
- 4.3 Monitoring, measuring and reviewing

ISO 9001:2000
- 5. Management commitment
- 4.2 Documentation requirements
- 6.2.2 Competence, awareness and training
- 7. Planning of product realization
- 8.2.2 Internal audit
- 8.2.3 Monitoring and measuring processes

Page 29: Integration of ICT Standards

PAS 99:2006 Specification of common management system requirements as a framework for integration

Specification issued by BSI

“Recognised” by Certification Bodies

Purpose - to help your organization achieve benefits from integrating the common requirements of all your management system standards and specifications, and managing these requirements effectively.

Page 30: Integration of ICT Standards

To optimize the operational process of the various common standards used

To reduce duplication and bureaucracy

To reduce processes and procedures

To realise internal cost savings

To improve efficiency and effectiveness of the organization

Page 31: Integration of ICT Standards
