ISO 20000-1: Common Misconceptions

June 24, 2010

Over the last several weeks, our staff has received inquiries from our readers regarding the ISO 20000-1 standard, and the need to clarify some common misconceptions between ITIL and ISO 20000-1.

To best address that request, we welcome Subrata Guha to our website as a guest writer and author of a recent whitepaper entitled, “ISO 20000-1: Common Misconceptions”.

Subrata Guha is the Director of IT Services at UL DQS Inc. and for over 20 years has had hands-on experience across the full lifecycle of IT service management processes. We hope that we can share more of Subrata’s writing with our readership in the future, and we thank him for contributing content that helps fulfil the needs of our IT Service Management community.

Click the link below to access Mr. Guha’s whitepaper…

Misconceptions about ISO 20000-1

Please pass this information along to those individuals or team members in your organization who are responsible for the IT service management processes, needs and requirements within that organization.


IT Service Management — Meeting Business Requirement Gap

April 28, 2010

In spite of the volumes of information available on the importance of managing organizational change and aligning IT with the business, recent surveys and correspondence reviewed by this website reveal that many organizations are still experiencing a significant gap between the services IT provides and those that the business needs.

As part of this website’s education efforts, we suggest that you inform your internal IT Service Management and ISO 20000 team members about the itSMF USA 2010: On-Line Conference series of presentations around this topic. The presentations can be scheduled to be heard either live on the original presentation date(s) or as a recorded resource to be heard later.

At the same time, we also realize that our readers are fully aware of the significance of managing organizational change and the role it plays in supporting the organization’s business continuity and disaster recovery plan strategies. Making these presentations available to those planning groups is a good idea as well.

Click here to attend or listen to a presentation.


ISO 20000 Implementation: Benefits Gained

January 12, 2010

Following some recent ISO implementation projects completed by Sally A. Smoczynski, who is a Managing Director of Radian Compliance, LLC, and also a contributing writer for articles on this site, Ms. Smoczynski wanted to share some of the benefits stemming from those implementations with others who might be considering an ISO/IEC 20000-1:2005 implementation for their organization(s).

At this time of year, many companies are reviewing or continuously improving their compliance plans and re-confirming their ability to maintain business information security levels that comply with customer and regulatory requirements, so we also believe that material pertinent to the ISO 20000 standard can benefit those organization(s).

Intending not to bore everyone with too many details of the implementation process, Sally has summarized her findings in a recent publication released by the Radian Compliance team and offered freely to our community of readers.

Click here (ISO 20000 Implementation Benefits) to view a PDF file with a snapshot of the benefits of implementing ISO 20000. Although not all-inclusive, it provides talking points to build interest in and commitment to an ISO 20000 implementation.

(You may want to utilize the magnification features of this *.pdf file to make your reading a little easier.)


From ITIL Maturity to ISO 20000

October 28, 2009

When people hear “IT Service Management”, most associate the acronym ITIL with it. ITIL (Information Technology Infrastructure Library) is a set of best practices for managing IT services. Enterprise organizations have spent many years striving to achieve ITIL success. ITIL provides its guidance in a set of 5 books:

  • Service Strategy
  • Service Design
  • Service Transition
  • Service Operation
  • Continual Service Improvement

Through the guidance of ITIL, most organizations have been able to achieve a level of process maturity for the delivery of critical IT services, whether to internal or external customers. From a competitive standpoint, though, for both large and small organizations there is no way to prove ITIL competence beyond the confidence of existing customers.

There are personal certifications for individuals to show ITIL competencies, but within ITIL, there is no “stamp of approval” for organizations.

There is, however, an ISO (International Organization of Standards) certification for IT Service Management: ISO/IEC 20000-1:2005. This standard provides an “ITIL lite” set of requirements along with the common management system structure of Plan, Do, Check, Act (PDCA).

ISO 20000 – IT Service Management is a set of auditable requirements that ensure management participation and customer feedback. The standard incorporates an overall compliance management framework, includes such critical areas as information systems security, and looks at the overall compliance risks to the delivery of IT services.

Following best practice (ITIL) and conforming to a recognized standard (ISO 20000) provides evidence that IT services meet the highest standard of best practice and that mechanisms are in place to keep them that way. Through certification by a third-party registrar, an organization is able to prove its IT Service Management commitment.

ISO/IEC 20000-1:2005 is to the organization what ITIL is to operations. In today’s business climate, more than ever, suppliers of IT services are being required to certify to ISO 20000 to keep existing clients or as a cost of entry to respond to new Requests for Proposals (RFPs). This ITSM standard is a way to get the best of both best practice and continuous improvement while meeting certification requirements.


ITSM — IT Service Management

October 23, 2009

With the business demand to lower costs and improve delivery of IT services, focus on IT Service Management has been at the forefront this year.

Management of the delivery of IT services applies to organizations that want to manage their internal IT services, those that manage external delivery to their customers and, in many cases, both.

IT Service Management combines a set of inter-related processes to manage the level of service, quality of service and cost of the service.  IT Service Management also relies heavily on the customer’s input and requirements.

There are a number of “best practice” frameworks available within ITSM. The most common is ITIL: Information Technology Infrastructure Library. ITIL is a set of 5 books and has a number of supporting organizations that provide guidance and forums. Another, ISO/IEC 20000-1:2005 IT Service Management, is an ISO standard that can “certify” an organization against a specific set of ITIL lite requirements. This standard is gaining momentum due to mandates within certain agencies of the Federal Government that now require ISO 20000 certification in order to respond to a proposal. Additional guidance is gained through the CMMI and Six Sigma methodologies. Whichever one or several you choose, the ultimate goal is to be able to successfully deliver IT services.

Service Management extends well beyond IT and should be looked at more holistically. As stated before, ITSM uses a set of inter-related processes. It also includes requirements for supplier management, especially those vendors in the critical path of service delivery. Additionally, you and/or your customers might be subject to compliance auditing and need proper controls for third-party audits. Using ISO 20000 as a baseline can help achieve process compliance across many regulatory and customer audit requirements. The inter-relationship of the ITSM processes ensures that any critical service component is managed within a lifecycle and that all critical inputs and outputs are considered when creating, changing or removing any service.

High-level views of a few critical components are:

  • Management responsibility
  • Change Management
  • Information Security Risk Management
  • Continuity and Availability
  • Release Management

Whether you are an Internal IT department or a Managed Services firm, embracing some form of IT Service Management has now become a critical business requirement.


Information Security Management

October 15, 2009

A recurring theme on the Continuity Compliance website is the need to determine your critical processes. In most cases, working out which of the organization’s processes are critical takes some discovery. Then there are the obvious processes that don’t take much thought. The protection of information assets, such as data stored on your local hard drive, encrypted data stored in a remote e-vault, or even those documents from the last major acquisition in 1984, stuffed in a white banker’s box in a warehouse in Ohio, is definitely a critical component of the major process of Information Security Management.

Information Security Management is the overall process for protecting the “information assets” that are essential to your business, such as HR files, customer data and mailing lists. In the BS ISO/IEC 27001-1:2005 Terms and Definitions section, Information Security is defined as

“Preservation of confidentiality, integrity and availability of information; in addition, other properties such as authenticity, accountability, non-repudiation and reliability can also be involved”.

The further definition of an Information Security Management System states:

“the part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain and improve information security”.

Based on the above definitions and general experience, it is apparent that information security requires management of its processes to succeed. Key words such as Risk, Confidentiality and Availability are everyday requirements in the world of IT departments. How organizations go about their specific business of information security varies to some degree. There are a number of general frameworks and a few standards that an organization can use to help ensure that its critical processes for managing information security are working.

Frameworks help us to define, build and communicate ideas and requirements, but they tend to lack guidance. This may leave an organization with a large, costly implementation project with slow ROI, or with failed sub-projects that cannot see light at the end of the tunnel. Standards require the organization to implement specific controls. They can leverage the beneficial elements of frameworks to ensure compliance with the standard while remaining flexible to the requirements of the business. Some standards can be audited by a third party, such as BS ISO/IEC 27001-1:2005 Information technology – Security techniques – Information security management systems – Requirements. Others, such as NIST Special Publication 800-53, Recommended Security Controls for Federal Information Systems, have become widely adopted by non-government businesses as guidance for managing their IT business.

Information assets come in many shapes and sizes and can be found throughout the organization. Both the NIST 800-53 publication and the ISO 27001-1 requirements document list families or domains of areas in which to apply controls.

In a generalized view, Information Security Management should look at the following areas to ensure protection:

  • Risk Assessment
  • Physical and Environmental Protection
  • Security Planning
  • Contingency Planning and Operations
  • Management System and Services Acquisition
  • Configuration Management
  • Management Security Control Review
  • Hardware and Software Maintenance
  • Processing Authorization
  • System and Information Integrity
  • Personnel Security
  • Media Protection
  • Incident Response
  • Security Awareness and Training
  • Identification and Authentication
  • Logical Access Control

Every day, sensitive data is being compromised, and it is under the auspices of Information Security Management that a company ensures a correct and timely response can mitigate the costly and sometimes devastating effects of a security breach. Whichever combination or set of controls an organization adopts, the important rule is to be able to manage the confidentiality, integrity and availability of these critical information assets.
