February 5, 2012

ASIS Offers PS-Prep and Conformity Assessment Webinar Presented by Dr. Marc Siegel

As part of this website’s recognition of the PS-Prep program, and in support of the statement that conformity to international standards gives confidence and facilitates access to global markets, our staff would like to inform our readers of an ASIS-sponsored webinar entitled “Buyer Beware – Standards, Conformity Assessment and Certification”. This webinar is presented by Dr. Marc Siegel and is offered free of charge.

Before you consider the PS-Prep program, certification of your organization, or even becoming a certified lead auditor, become more aware of the globally accepted international standards and practices guiding the conformity assessment, auditing and certification processes: attend this webinar on November 2nd starting at 1:00 PM Eastern Standard Time. The session will last no more than 60 minutes.

If applicable please pass this information along to those business continuity, risk assessment or PS-Prep strategy planning team members in your organization.

Click here for more details and to register for this webinar.

ISO 28002 Resilience in the Supply Chain Standard Approved

Contributed by: Lisa DuBrock

It seems every day ISO approves new standards.  However, the approval of ISO 28002 (Resilience in the Supply Chain) is a standard to be watched in this space.  The Technical Committee ISO/TC 8 of the International Organization of Standards (ISO) has worked hard to get this standard adopted.  It is based on SPC.1 (Organizational Resilience Management System), one of the PS-Prep standards, and provides true linkage to a number of other Standards, including ISO 28000 Security in the Supply Chain and ISO 31000 Principles and Guidelines of Risk Management. 

No discussion on ISO 28002 can go without mention of ASIS and their unwavering support of the 28000 series of standards.  ASIS is also in the forefront of creating Lead Auditor curriculum that is in the final process of being certified by RABQSA, a leader in the world of ISO Lead Auditor Training and Certification. 

What does this certification mean?  Only time will tell, however, with the adoption of the standard as a Full ISO Management System Standard, many hurdles have already been cleared. 

The ContinuityCompliance.org team wishes to congratulate all involved in this process.

Click here to read more about the ASIS announcement about this standard for resilience in the supply chain approval by ISO.

If applicable, please pass this information along to those risk management or PS-Prep compliance strategy planning teams in your organization. 

Photo courtesy of blog.to-increase.com

PS-Prep Standards — How Do they Compare?

As many of our readers know, the PS-Prep program is a topic often posted on this website.

Our staff provides access to many postings on the internet related to PS-Prep, and, recently, a posting available on the SearchDisasterRecovery.com website came to our attention as something to be shared with our readership.

The SearchDisasterRecovery.com staff of writers organized a concise chart comparing ASIS/BSI BCM.01-2010 with ISO 22301 and the existing PS-Prep recognized standards (ASIS SPC.1:2009, BS 25999-2 and NFPA 1600:2010).

This information would be a great additional reading resource for the business continuity, risk management or PS-Prep strategy planning team members in your organization.

Click here to download this chart (pdf format) for your library.

Again, we thank the SearchDisasterRecovery.com staff for making this available.

Photo courtesy of tutor2u.net

INTEGRATED ASSESSMENT — A Potential Option

By: Sally Smoczynski

Has your organization ever implemented or potentially needed to implement, audit or certify to more than one quality initiative?  If so, would you be concerned about duplication of effort and additional costs?

As a Managing Partner in a consultancy firm that specializes in the implementation of ISO standards, I very often find that our clients have already passed a Capability Maturity Model Integration (CMMI) level 3 assessment or gone through a Standard CMMI Appraisal Method for Process Improvement (“SCAMPI”) process. In these situations, the integration of ISO 20000 Service Management and CMMI, while not seamless, is a natural process over time, particularly at CMMI level 3 for Services and above.

Certainly, this example would be an opportunity to have an integrated assessment approach available to better integrate the whole quality control system of an organization, and, at the same time, better collectively analyze the strengths and weaknesses of that system.

I would like to focus your attention to a recent whitepaper report, written by Subrata Guha, Director of IT Services for UL DQS, Inc.  In this report Subrata writes about an integrated assessment he and his firm conducted combining ISO 9001 and CMMI for Development.  The roadmap of this integrated assessment (audit) process included both the ISO 9001 Stage 1 and Stage 2 audits as well as the full SCAMPI 8 for CMMI Development.  The result was an effective assessment that reduced staff time requirements and audit / assessment days – and therefore, costs.

This report provides an exciting opportunity for organizations to share a more robust integrated foundation between ISO and CMMI.

This whitepaper also suggests that this integrated assessment methodology can be created for ISO 20000 Service Management System and CMMI.

I invite our readers to read this whitepaper and to share your thoughts and comments on this integrated assessment option. And, if applicable, pass this information along to those IT Service Management and Quality Management team members in your organization.

Photo courtesy of itil.org


ASP’s Boston Chapter Offers Free Seminar on International Standards

One of this website’s contributing writers, Don Byrne, is giving a presentation related to PS-Prep and other international standards in the Boston area on Tuesday, May 17, 2011.

This presentation will be offered as a free training seminar at the Trade Center in Woburn, MA, and will be sponsored by the Boston chapter of the Association for Strategic Planning. Mr. Byrne’s presentation will include a review of selected standards, a discussion of how they relate to other regulations, a review of the concepts of management systems, and the implications of this worldwide initiative. The various types of auditing will be covered, as well as the evolving business case for the adoption of standards.

If applicable, you can click here for more details, directions, information and how to register to attend.


Development of Corporate Code of Conduct Promoted by WMACCA

The Washington Metropolitan Area Corporate Counsel Association (WMACCA) serves the professional needs of in-house counsel in Washington, D.C., the Commonwealth of Virginia, and suburban Maryland, and on May 19th is hosting a May Signature Luncheon.

Amy E. Hutchens, CCEP, General Counsel and Vice President, Compliance and Ethics Services, Watermark Risk Management International, who is also a contributing writer for this website, will present along with Karen M. Litsinger, General Counsel, Mirixa Corporation; Jason L. Lunday, Director, Values and Compliance, Verisign, Inc.; and Bonnie Green of Sodexo.

The title of that presentation is “Good Behavior – The Ins and Outs of Developing a Corporate Code of Conduct”.

Given the strong impact that executive management has on the culture and support needed to establish and maintain an effective internal business continuity or risk management plan or policy, attendance at this presentation would be time well spent for in-house counsel or business continuity planning team members.

If applicable, click here to read more about and register for this WMACCA event.

Photo courtesy of xzbackup.com

PS-Prep and the Update Status on NFPA 1600 — 2013 Edition

Work on the 2013 edition of NFPA 1600, “Standard on Disaster/Emergency Management and Business Continuity Programs”, is well underway. The technical committee met in Orlando in late March this year to continue the research and development of what will become the sixth edition of the standard. The technical committee is also asking for public input for new content or revisions to existing text.

In an article written by Donald L. Schmidt, ARM, CBCP, CBCLA, CEM and posted on the Disaster-Resource.com website, our readers may read more about how the NFPA 1600 Technical Committee tries to achieve a balance between writing prescriptive requirements and writing a standard that is widely applicable and not overly burdensome.

The committee is soliciting your input on the 2013 edition. But, meanwhile you can download the 2010 edition for free. (Click here)

You can submit your suggestions for additions or revisions online via NFPA’s Online Submission System. (Click here)

You can also download (Microsoft Word format), complete, and return a Document Proposal Form. (Click here)   Instructions for submitting the form via mail, fax, or email are included at the bottom of the form. The deadline for submissions is May 23, 2011.

The first draft of the 2013 edition is expected to be published for public review by December 23, 2011.

Once published, public comments on the draft will be accepted until March 2, 2012. Following the second round of public comments the committee will meet to finalize and vote on the draft prior to issuance by NFPA as early as November 2012.

This website thanks Mr. Schmidt for writing this article and asks that, if applicable, this information be forwarded to those PS-Prep strategy planning teams in your organization.

Photo courtesy of campussafetymagazine.com

Preparedness Focus Workshop for Small Business Offered by ANSI-HSSP

On May 25, 2011, the American National Standards Institute Homeland Security Standards Panel (ANSI-HSSP) will host “Achieving Preparedness through Standards Implementation: Challenges and Opportunities for Small Businesses” — a workshop focusing on the unique needs of small businesses in preparing for unforeseen challenges.

The goal of the workshop is to identify actions needed to better reflect small business considerations with regard to preparedness standards and conformity assessment. A final report outlining findings and recommendations from the workshop will be published following the event.

Through a series of moderated panel discussions, the workshop seeks to foster dialogue among small businesses, standards developing organizations, federal agencies, and other stakeholders to support private-sector preparedness (PS-Prep) through voluntary consensus standards and conformance activities.

The workshop will be held on May 25, 2011, at the Executive Conference Center in Arlington, VA.   Attendance is free of charge, but all attendees must register by May 11, 2011.

For more information or to register, visit the event page.

ISO 20000-1: 2011 vs. 2005 Revisions — Continued Update

In an earlier posting on this website concerning the International Organization of Standards (ISO) release of the new Service Management System standard — ISO/IEC 20000-1:2011(E) — Sally Smoczynski, one of this website’s contributing writers,  gave us a condensed version of some of the highlights expressed in this new standard as compared to the previous standard — ISO/IEC 20000-1: 2005.  And, as stated in that write-up — more information was yet to come.  That information is now available.

Our staff is pleased to announce that Ms. Smoczynski has teamed up with Tim Woodcome, Conformity Assessment Director with the National Quality Assurance Registrar Group, NQA, and they have published a more complete article on this topic, entitled “ISO UPDATE: ISO 20000-1 HAS BEEN REVISED”.

The original document was posted on the NQA website just a few days ago, but, fortunately, with their permission, this website has been allowed to present this information to our readership by reproducing that document (please see below).

“ISO UPDATE:  ISO 20000-1 HAS BEEN REVISED

On Friday, April 15, 2011, the International Organization of Standards (ISO) released the updated standard for Service Management, ISO/IEC 20000-1:2011(E). There are significant changes to the structure and wording of the requirements that take away a lot of the interpretation which caused some confusion in the previous version, ISO/IEC 20000-1:2005. This article attempts to provide you with the highlights of the changes. We encourage you to purchase the standard to fully understand the scope of the changes.

HIGHLIGHTS:

The most obvious change to the standard is the removal of the reference to this standard being an “IT Service Management System”.  It is now referred to as a “Service Management System”.  Some other highlights include:

  • Terms and definitions have 37 definitions over the 15 in the 2005 version
  • Consistent use of the term Governance
  • Removal of Objective Statements after each clause or sub clause
  • Reference to Resources as being “human, technical, financial and information”
  • Requirement for a catalog of services
  • Requirements to create procedures and details of what they should contain 
  • Clearer content around the requirements.  Although the shalls are basically the same requirement, the wording and explanations are much more direct and leave less for interpretation.
  • Removed the term “Stakeholders” and replaced with “Interested Parties”
  • Repeated references that a service provider must plan, establish, implement, operate, monitor, review, maintain and improve the SMS and the requirements include the design, transition, delivery and improvement of services to fulfill service requirements.
  • Updated bibliography 

The table below provides a detailed correlation between the table of contents from the 2005 version to the table of contents on the 2011 version with a description of key changes.

ARE YOU ALREADY CERTIFIED?

If you already hold an ISO/IEC 20000-1:2005 certification, we will be issuing a transition plan for your organization to make any necessary changes to update your current set of requirements. We expect the transition period to be over 18 months.

IN THE PROCESS OF IMPLEMENTING ISO 20000?

If you are in the process of implementing ISO 20000 under the 2005 requirements, the progress is still valid.  Depending on your timeline for certification, you may still obtain your certification to the 2005 requirements.  Once we issue a transition plan, you will have a better understanding of when to make some of these changes.

Did the guidance document get updated?

The supporting guidance document, ISO/IEC 20000-2:2005, is currently under revision and is expected to be released later this year. CAUTION: ensure you do not use it as an absolute reference to the new standard.

| ISO 20000-1:2005 | ISO 20000-1:2011 | Additions/Changes |
|---|---|---|
| “Information Technology – Service management – Part 1: Specification” | “Information Technology – Service management – Part 1: Service management system requirements” | |
| Foreword and Introduction | Foreword and Introduction | More detailed and includes reference to a Service Management System and integrated management systems. |
| 1 Scope | 1 Scope; 1.1 General; 1.2 Application | Updated figure for the service management system and includes closer verbiage to ITIL v3. |
| | 2 Normative references | Aligns with ISO 9001:2008. |
| 2 Terms and Definitions (15 terms included) | 3 Terms and Definitions (37 terms included) | Many terms now include cross references and additional notations. |
| 3 Requirements for a Management System | 4 Service management system general requirements | |
| 3.1 Management Responsibility | 4.1 Management responsibility; 4.1.1 Management commitment; 4.1.2 Service management policy; 4.1.3 Authority, responsibility and communication; 4.1.4 Management representative; 4.2 Governance of processes operated by other parties | The new section breaks down more specific shalls according to the section header. 4.1.4 provides more responsibility for the Management representative. 4.2 provides more direct accountability or governance when the service provider is reliant on other parties for processes that are operated outside of the service provider itself. |
| 3.2 Documentation Requirements | 4.3 Document management; 4.3.1 Establish and maintain documents; 4.3.2 Control of documents; 4.3.3 Control of records | 4.3.1 details some of the required documents and now names a catalog of services as a required document. 4.3.2 and 4.3.3 separate control of documents from control of records. 4.3.2 specifically details the requirement to create and approve documents and provides specific requirements. 4.3.3 gives specific requirements for the control of records, including identification, storage and protection. |
| 3.3 Competence, Awareness, Training | 4.4 Resource management; 4.4.1 Provision of resources; 4.4.2 Human resources | 4.4.1 specifically states that the service provider shall determine and provide human, technical, information and financial resources to support the SMS. 4.4.2 gives clearly defined requirements for competence, training and knowledge of their role in the SMS for those with roles in the SMS. |
| 4 Planning and Implementing service management; 4.1 Plan Service Management; 4.2 Implement Service Management; 4.3 Monitor, Measure, Review; 4.4 Continuous Improvement; 4.4.1 Policy; 4.4.2 Management Improvements; 4.4.3 Activities | 4.5 Establish and improve the SMS; 4.5.1 Define scope; 4.5.2 Plan the SMS (Plan); 4.5.3 Implement and operate the SMS (Do); 4.5.4 Monitor and review the SMS (Check); 4.5.4.1 General; 4.5.4.2 Internal Audit; 4.5.4.3 Management Review; 4.5.5 Maintain and improve the SMS (Act); 4.5.5.1 General; 4.5.5.2 Management of Improvements | 4.5.1 requires that the scope is included in the Service Management plan. 4.5.2 replaces 4.1 with more direct language on what to include in the Service Management plan, such as known limitations that could affect the SMS. 4.5.3 separates out requirements for internal audit and management reviews. 4.5.5 includes the term Corrective and Preventive action and makes reference to ISO 9001:2008. 4.5.5.2 gives detailed requirements for management of improvements and includes the requirement to identify, document, evaluate, approve, prioritize, manage, measure and report improvements. |
| 5.0 Planning and Implementing New or Changed Services | 5 Design and Transition of new or changed services; 5.1 General; 5.2 Plan new or changed services; 5.3 Design and development of new or changed services; 5.4 Transition of new or changed services | 5 gives much clearer direction and requirements for the planning and transition of a new or changed service, with specific reference to management of Configuration Items. 5.3 includes reference to documenting change technology and updates to the catalog of services. 5.4 requires a transition and inter-dependency to release and deployment. |
| 6 Service Delivery Process | 6 Service Delivery Process | |
| 6.1 Service Level Management | 6.1 Service Level Management | Further definition of what is included in an SLA. Requirement for an agreed catalog of services. New reference to service components provided by an internal group or the customer, and specific reference to review of these types of SLAs. |
| 6.2 Service Reporting | 6.2 Service Reporting | Addition of identification of the frequency of a service report. Clearer descriptions of what a service report includes. |
| 6.3 Service Continuity and Availability Management | 6.3 Service Continuity and Availability Management; 6.3.1 Service Continuity and Availability requirements; 6.3.2 Service Continuity and Availability plans; 6.3.3 Service Continuity and Availability monitoring and testing | 6.3.1 clearly requires a risk assessment against continuity and availability. 6.3.2 gives clear requirements for contents of plans. |
| 6.4 Budgeting and Accounting for IT Services | 6.4 Budgeting and accounting for services | Removed the reference to IT. Explicit requirements stating “There shall be policies and documented procedures for…” with a specific list of what is to be included. |
| 6.5 Capacity Management | 6.5 Capacity Management | Additional guidance for capacity plan contents, including a tie-in to service continuity and availability. |
| 6.6 Information Security Management | 6.6 Information Security Management; 6.6.1 Information security policy; 6.6.2 Information security controls; 6.6.3 Information security changes and incidents | 6.6.1 gives clearer detail on what is included in the security policy and now includes a requirement that internal information security audits are conducted. 6.6.2 defines controls as physical, administrative and technical. |
| 7 Relationship Process | 7 Relationship Process | |
| 7.1 General | | Removed 7.1 General. |
| 7.2 Business Relationship Management | 7.1 Business Relationship Management | Renumbering of sub clause. 7.1 requires identifying and documenting the customers, users and interested parties of the services. No reference to stakeholders. |
| 7.3 Supplier Management | 7.2 Supplier Management | Renumbering of sub clause. 7.2 gives very clear requirements as to what a supplier contract must include or reference. |
| 8 Resolution process | 8 Resolution process | |
| 8.1 Background | | Removed 8.1 Background. |
| 8.2 Incident Management | 8.1 Incident and service request management | Added service request. 8.1 defines a procedure for incidents. Must have a named person responsible for managing a major incident. Terms and definitions define incident and service request. |
| 8.3 Problem Management | 8.2 Problem Management | Requirement to create a procedure, and details the required elements. |
| 9 Control Processes | 9 Control Processes | |
| 9.1 Configuration Management | 9.1 Configuration Management | Clear requirements for the definition of a CI. |
| 9.2 Change Management | 9.2 Change Management | A requirement for a change management policy. Requirements to control the types of changes, with specific reference to major impact changes following clause 5. Requirement that states “Approved changes shall be developed and tested”. |
| 10 Release process | | Removed clause 10 entirely. |
| 10.1 Release management process | 9.3 Release and Deployment management | A clearer requirement that the release policy must be agreed to by the customer. |


The content of this article was supported with input from Sally Smoczynski, a managing partner at Radian Compliance, LLC. Radian Compliance provides implementation, internal audit and education for Service Management, Information Security and Business Continuity. You may reach Sally at 630.728.7181 or ssmoczynski@radiancompliance.com.”

If applicable, please pass this information along to those information security management, service delivery and business relationship and risk management team members in your organization.

Photo courtesy of iqms.co.uk

ISO/IEC 20000-1:2011 Standard Formally Released

by: Sally Smoczynski, Contributing Writer

I just wanted to let you know that ISO has just issued a new update to the ISO/IEC 20000-1:2005 standard.  There is now a revised standard, ISO/IEC 20000-1:2011.  It is available for purchase at http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=51986 

What does this mean for you???  

At this time, if you have already been certified to the old version of the standard, your Service Management System is still valid! In the near future, the Registrars will issue a transition plan that will require certified organizations to transition to the new requirements of the standard. It is usually an 18-month transition period.

I have highlighted a few of the changes for you to consider:

  1. The updated standard refers to a Service Management System instead of an IT Service Management System.
  2. Clauses 3 and 4 have been collapsed into one clause and have been aligned with ISO 9001 and ISO 27001 requirement statements.
  3. There are additional definitions in the glossary.
  4. There is more clarification in most sections.

| ISO/IEC 20000-1:2005 | ISO/IEC 20000-1:2011 | Change |
|---|---|---|
| Clause 3 Management Responsibility; Clause 4 PDCA Service Management | Clause 4 Service Management Responsibility | Clauses 3 & 4 have been merged into one clause |
| Clause 5 New or Changed Services | Clause 5 Design and Transition of New or Changed Services | Clause 5 has been expanded to a more ITIL-based Service Design and Transition process |
| Clause 6 | Clause 6 | More clarification and expansion on requirements for each sub clause |
| Clause 7 | Clause 7 | Additional guidance on supplier management |
| Clause 8.2 Incident Management | Clause 8.2 Incident and Service Request Management | Clause 8 now includes service requests in incident management |
| Clause 10 Release Management | Clause 9.3 Release and Deployment Management | Clause 9 now includes Release and Deployment Management; Clause 10 is removed |


I am certain that more will be written about these changes and their effects on organizations already certified to ISO/IEC 20000-1:2005 or those considering becoming either compliant with or certified to the new standard ISO/IEC 20000-1:2011 — so be watchful for those notices on this website or other websites dealing with this standard.

Photo courtesy of samanage.com