Demystifying ISO 20000-1 Standard

7 May 13

Demystifying ISO 20000-1 standard

ISO/TS 16949 Workshop07 May 2013

Chris NgProduct Manager / Lead Auditor

TÜV SÜD PSB Pte LtdMITM, ABCP, CISM, CISA, CISSP, CTT, ISO 9000 LA, ISO 27000 LA, ISO 20000 LA

ISO 22301 LA, SS 507 LA, SS 584 LA

IT & IT Security Certfiication SchemesTÜV SÜD PSB Singapore Slide 1

Content

IT & IT Security Certfiication Schemes7 May 13

Intro to TUV SUD PSB &Product PortfolioIntro to TUV SUD PSB &Product Portfolio

What is ISO 20000 (SMS) ?What is ISO 20000 (SMS) ?2

Why ISO 20000 certification?Why ISO 20000 certification?3

Main components of ISO 20000Main components of ISO 200004

1

ISO certification roadmap-Pre-requisites-Certification Process

ISO certification roadmap-Pre-requisites-Certification Process

5

TÜV SÜD PSB Singapore Slide 2

Content


Key success factorsKey success factors

ConclusionConclusion7

6


TÜV SÜD PSB Pte Ltd 10/4/2016

TUV SUD PSBCorporate Overview

TÜV SÜD PSB

TUV SUD heritage: over 145 years of business success

Slide 5

Establishment of a Mannheim-based steam boilerinspection association by 21 operators andowners of steam boilers, with the objective ofprotecting man, the environment and propertyagainst the risk emanating from a new and largelyunknown form of technology

1866

First vehicle periodic technical inspection (PTI)1910

1958 Development of a Bavaria-wide network of vehicleinspection centres in the late 1950s

1926 Introduction of the “TÜV mark / stamp” in Germany

1990s Conglomeration of TÜVs from the southern part ofGermany to form TÜV SÜD and the expansion ofbusiness operations into Asia

TÜV SÜD continues to pursue a strategy ofinternationalisation and growth

Today

2006 Expansion of services in ASEAN by acquiringSingapore-based PSB Group

2009 Launch of Turkey-wide vehicle inspection byTÜVTURK


IT Certification Product Portfolio

Auditing solutions service portfolio

QualityISO 9001ISO / TS 16949ISO 13485ESD 20:20TL 9000AS 9100

ITInformation Security(ISO27001)Service Mgt System(ISO20000-1)Business Continuity & DisasterRecovery (BC/DR, SS507)Business ContinuityManagement (ISO 22301)Multi-Tier Cloud Security(MTCS) (SS 584)

Environmental Health & SafetyISO14001OHSAS 18001QC080000Safety & Health Management System (SHMS)Safe Management of Hazardous Substances (SMHS)Carbon Footprint Certification

Food safetyISO22000British Retail Consortium(BRC)Hazard Analysis andCritical Control Points(HACCP)Good ManufacturingPractice (GMP)

Specific industryQuality Management forBunker Supply Chain(QMBS)Quality Maritime Educationand Training (QMET)Good Distribution Practicefor Medical Devices(GDPMDS)

Product InspectionProduct Listing (PLS)Ready Mixed ConcreteCertificationPre-shipment Inspection(PSI)Factory/AgencyInspectionSource InspectionSuppliers’ Audit

7 May 13

ISO14064PAS 2050ISO 50001

Social complianceSA8000

CDMValidation, verification of

carbon dioxide (CO²) emissions


7 May 13

Why TUV SUD PSB?

• Why TUV SUD PSB?– Market leader in certification industries within ASEAN– Certification Body with the largest team of IT and other scheme

Auditors in ASEAN– All IT auditors are

armed with many years of industrial experiencesexposed to various IT related schemes

– Quality of audits– One of the few Registered Certification Body (RCB) for APMG

ISO/IEC 20000:2011 Certification Scheme– 1st Certification Body (CB) to award ISO 20000:2011 certificate to

organization in Singapore



Seminars Participated

7 May 13

Why TUV SUD PSB?

• Seminars Participated– Being invited as guess speaker for several IT related seminars in

SingaporeAISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1- Information Security Management System Foundation – 23 Apr 2010

Information Systems Audit and Control Association (ISACA) – ISO27001 Dinner talks – 19 Aug 2010

AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #8- SS540 - The Singapore Standard for Business ContinuityManagement (BCM) and its relationship with the ISO 27001 (ISMS)standard – 18 Feb 11


7 May 13

Why TUV SUD PSB?

• Seminars Participated– Being invited as guess speaker for several IT related seminars in

SingaporeAISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1- Information Security Management System Foundation – 5 Apr 2012

AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1(Re-run) - Information Security Management System Foundation – 11May 2012

ISACA Oct 12 Networking Talk Seminar - Introduction to BusinessContinuity Management Standard (ISO 22301) – 23 Oct 12

PinkAsiaForum12 – 1st Annual IT Service Management LeadershipForum – 6-7 Dec 12


7 May 13

Why TUV SUD PSB?

• Seminars Participated– Being invited as guest speaker for several IT related seminars in

SingaporeTUV SUD PSB’s “Think Security First’ Seminar” to give an introductionon ISO 27001 Standards on 13 Sep 13

BCM Institute Seminar on “An insight into the ISO 22301 (BCMS)standard - the certification body perspective” on 28 Feb 14

ISACA May 14 Networking Talk Seminar – Online all the time (BCMrelated) – 20 May 14

Invited as a speaker for ST Kinetics’ Business Continuity AwarenessWeek to give an introduction on “ISO 22301 (BCMS) standard - thecertification body perspective” on 21 Jul 14


7 May 13

Why TUV SUD PSB?

• Seminars Participated– Being invited as guest speaker for several IT related seminars in

Singapore- Invited by IDA as Panel Experts in discussion forum on SS 584 Multi-tier Cloud Security (MTCS) standard in Cloud Asia Conference on 30Oct 14Conduct a Clinic Session on SS 584 Multi-tier Cloud Security (MTCS)standard in TUV SUD PSB on 13 May 15



ISO 20000 Standard

(An International Standard for Service Management)


ITIL

IT Infrastructure Library (ITIL)

• The IT Infrastructure Library (ITIL)– is essentially a series of documents that forms the basis of a framework to

deliver, improving and managing IT Services

– this customizable framework defines how Service Management is appliedwithin an organization.

– Not a standard but a Best Practices Framework, which includes all the bestpractices to facilitate the delivery of high quality IT services

– It focuses on managing services to customers, not technology to users

– Centered on Service Lifecycle approach and focused on providing businessvalue

– adopted as the de-facto standard for best practice in the provision of ITService


IT Infrastructure Library (ITIL)

• The IT Infrastructure Library (ITIL)– It focuses on the following:

Service Strategy– determines which types of services should be offered to which

customers or marketsService Design– identifies service requirements and devises new service offerings as

well as changes and improvements to existing onesService Transition– builds and deploys new or modified servicesService Operation– carries out operational tasksContinual Service Improvement– learns from past successes and failures and continually improves the

effectiveness and efficiency of services and processes.


10/4/2016

What is SMS?

• What is Service Management System (SMS)?– Service Management System (SMS) is a process-based practice

intended to align the delivery of information technology (IT) serviceswith the needs of the enterprise, emphasizing benefits to customers.

– SMS focuses on the delivery of end-to-end services using bestpractice process model

What is ISO/IEC 20000 standard?

• What is ISO/IEC 20000 standard?– the formal standard against which organizations may seek independent

certification for their Service Management Systems (SMS)

– introduced in Dec 2005 and closely follows the ITIL framework to ensurethere is a consistent way to implement and “measure” IT ServiceManagement

– A set of “controls” against which an organization can be assessed foreffective IT Service Management processes

– requires organizations to comply with all the requirements across ServiceManagement standard

– adopts an integrated end-to-end approach


What is ISO/IEC 20000 standard?

• What is ISO/IEC 20000 standard?– to provide a common base for:

developing organizational IT service standards and adoptingeffective service management practicesto provide confidence in inter-organizational dealings

– uses a Plan-Do-Check-Act (PDCA) model to achieve continualimprovement


TÜV SÜD PSB Pte Ltd

Why ISO 20000 (SMS)?

7 May 13

Why ISO 20000 certification?

• Why ISO 20000 certification?– Satisfying Customers’ Requirements

Requirements from customers to posses a comprehensive servicemanagement system

– Enhancing Operational Efficiency & EffectivenessCertification improves the delivering of quality services in a moreefficient & effective manner

– Provision of AssuranceCertification provides assurance to the clients that the organization hasa robust and reliable operational setup within its service managementsystems

Benefits & Drivers


7 May 13


– Enhancing the Risk management:Leads to a better knowledge of service management systems, theirweaknesses and how to protect them.Apply controls from a risk perspective.

– Increasing credibility and confidenceCertification can help set a company apart from its competitors and inthe marketplace.Provides assurance to the clients in managing the provision of ITservices

Benefits & Drivers


7 May 13


– Helping to reduce costsReduced costs related to streamlining of processes , handling ofoperational issues through its structured & organized incident andproblem handling process

– Improving service awarenessImproves employee awareness of providing quality services and theirspecific roles & responsibilities to achieve that

Benefits & Drivers


TÜV SÜD PSB Pte Ltd

Application of ISO 20000 (SMS)

7 May 13

Application of ISO 20000

• Which organizations can go for ISO 20000 certification?– Any organization that requires alignment of its Services (incl of IT services)

with the Business needs– Provide assurance to interested parties e.g. customers that they have

reliable and certified Service Management Systems (SMS)

• Certify organizations in:– finance, banking and insurance– telecommunications– utilities– retail sectors– manufacturing sector– various service industries– transportation sector– Government bodies



ISO 20000 Family of Standards

ISO/IEC 20000 Standard

• Family of ISO/IEC 20000 standard– ISO 20000-1:2011 (Part 1)– A specification where the Service Management processes can be

audited againstdefines the processes and provides assessment criteria andrecommendations for those responsible for Service Management

– ISO 20000-2:2012 (Part 2)Code of practice that provides assistance to organizations that are tobe audited against ISO/IEC 20000 standard or are planning serviceimprovements



The Main Components of ISO/IEC 20000

ISO/IEC 20000 Standard

• Main components of ISO/IEC 20000 standard– ISO 20000-1:2011 (9 sections)

1. Scope2. Normative references3. Terms and Definitions4. Service Management System General Requirements5. Design & Transition of New or Changed Services6. Service Delivery Process7. Relationship Processes8. Resolution Processes9. Control Processes


Main Components of ISO/IEC 20000

• Main components of ISO/IEC 20000 standard

• Clause 4: Service management system general requirements– Clause 4.1 Management responsibility– Clause 4.2 Governance of processes operated by other parties– Clause 4.3 Documentation management– Clause 4.4 Resource management– Clause 4.5 Establish & improve the SMS



• Main components of ISO/IEC 20000 standard

• Clause 5: Design & transition of new or changed service– Clause 5.1 General– Clause 5.2 Plan new or changed services– Clause 5.3 Design & development of new or changed services– Clause 5.4 Transition of new or changed services



• Main components of ISO/IEC 20000 standard– ISO/IEC 20000-1:2011 groups the main ITIL processes into Four core

process sets (Cl 6-9) :-

– 1. Service Delivery Processes (Cl 6) – which includes:Service Level Management (SLM) (Cl 6.1),Service Reporting (Cl 6.2)Service Continuity & Availability Management, (Cl 6.3)Budgeting and Accounting for Services (Cl 6.4)Capacity Management (Cl 6.5),Information Security Management (Cl 6.6)



• Main components of ISO/IEC 20000 standard (con’t)

– 2. Relationship Processes (Cl 7):Business Relationship Management (Cl 7.1)– to establish and maintain a good relationship between the service

provider and customer– have designated individual to handle customer

Supplier Management (Cl 7.2)– to manage suppliers to ensure the provision of seamless, quality

services– monitor of supplier’s service performance– management of changes– review of SLAs



• Main components of ISO/IEC 20000 standard (con’t)– 3. Resolution Processes (Cl 8):

Incident & Service Request Management (Cl 8.1)– deals with the restoration of services– requires a documented procedure for all incidents which include

information like classification, priority, escalation, resolution, closure,etc.

– takes into consideration of the impact & urgency of incident– defines major incident and ensure it is communicated to the right

interested parties

Problem Management (Cl 8.2)– to minimize or avoid impact of incidents or problems– identifying & removing the root causes of incidents or problems– Will lead to Change Management for relevant solutions or patches



• Main components of ISO/IEC 20000 standard (con’t)– 4. Control Processes (Cl 9):

Configuration Management (Cl 9.1)– to define & control the components of the service & infrastructure &

maintain accurate configuration information– establishment of configuration baseline,– definition of CIs in the CMDB– identifies assets owner & interdependencies

Change Management (Cl 9.2)– ensures all changes are assessed, approved, implemented and

reviewed in a controlled manner– procedures to handle emergency changes– decision-making of accepting change shall take into consideration

the risks, the potential impacts to services and the customer, servicerequirements, etc.



• Main components of ISO/IEC 20000 standard (con’t)– 4. Control Processes (Cl 9):

Release & Deployment Management (Cl 9.3)– to deliver, distribute and track one or more changes in the live

environment– conducts impact analysis before release– release needs to be built & tested before deployment– establishes release, roll-out & roll-back plan


10/4/2016



The Certification Roadmap

ISO 20000 Certification Road map (2 phases)1. Gap analysis

- Getting the ISO 20000 standards- List of identified gaps- Cost and schedule estimation

2. Setting up SMS framework-Prepare Service Management Policy & Plan-Define Scope, objectives, resources, etc.-Identify Risk Management methodology, perform riskassessment., identify internal audit approach, etc.

3. Implementation-Allocation of funds, budget, roles andResponsibilities, ITIL/ISO 20k training, etc.-Documenting policies, plans, processes, etc.

4. Check & Act-Management review (*), internal audit (*),-Monitor Service Improvement plan etc.

1

Phase 1:

Pre-Certification

Phase


Pre-requisites for ISO 20000 certification

• Pre-requisites– Develop the SMS Manual

Establish the SMS Scope (*)Establish SMS Policy (*)Define SMS Objectives (*)

– Perform Risk AssessmentDescription of Risk Assessment Methodology & Process (*)Risk assessment reportRisk Treatment Process & Plan (*)

– Prepare Service Improvement Policy/Service Management Plan, etc.


Pre-requisites for ISO 20000 certification

• Pre-requisites (con’t)– Perform Internal Audit

Internal Audit ProcedureInternal audit Programme & Results (*)

– Conduct Management Review (*)

– Develop competency of staff in SMS (*)

– Continual ImprovementCorrective Actions (CA) ProcedurePreventive Actions (PA) ProcedureNon-conformities uncovered and results of CA (*)

– Establish Control of documents/records proceduresControl of Document ProcedureControl of Records Procedure


ISO 20000 Certification Road map (con’t)

7. Preliminary assessment (Stage 1)- Records demonstrating SMS implementation

8. Certification assessment (Stage 2)-Assessment report and CorrectiveAction (CA)

9. Awarding of certificate

1

5. Application for ISO 20000 certification

6. Document (Manual) assessment (Stage 1)Phase 2:

Certification

Phase


ISO 20000 Certification Process

1. Application

2. DocumentationAssessment (Stage 1)

3. PreliminaryAssessment (Stage 1)

4.Certification

Assessment (Stage 2)

5. Awardof

Certificate(valid for 3 yrs)

6. Post-AwardRoutine

Surveillance

7. Renewalof Certificate

(on the 3rd yr)

CERTIFICATION PROCESS



Key Success Factors

Successful ISO 20000 implementation

• Key Success Factors:– Management Commitment– Cross-functional forum / committee– Understanding Stakeholders’ business requirements in relation to

service delivery– Effective Risk Management Process


Successful ISO 20000 implementation

• Key Success Factors:– Training & Awareness

– Proactive & Continual ImprovementInternal audit & management reviewIdentify and act on security weaknessesLearn from incidents and establish relevant Prevention Action



Common FAQs

Common FAQs

• Q1: How much and how long it takes for an ISO 20000certification audit to complete?– The cost and the time taken depends on the following factors:

Scope of servicesStaff strength in supporting the servicesNumber of remote sites (if any)Complexity of logistics arrangementComplexity of organization , processes & servicesNo. of ITIL process that are already implementedNature & sensitivity of businessesAny existing certification like ISO 9001 being implementedLanguage Barrier (requires a local interpreter if English is not the usedmedium for audit)


Common FAQs

• Q2: How many months of data must I accumulate beforeapplying for certification?– Typically, a minimum of 3 months of data and/or implementation

records will be required in order for a meaningful audit to be carriedout.


Common FAQs

• Q3:What are the different kinds of assessment findings? (con’t)Stage 1 Certification:– Area of Concerns (AOC)

Represents a non-conformance in the implementation of the SMSrequirements. Organization will be given a one month’s time toresolve any AOC issues


Common FAQs

• Q3:What are the different kinds of assessment findings? (con’t)Stage 2 Certification / Continuing / Renewal :– Category 1 (Major finding)

Represents a breakdown in the SMS framework. Organization will begiven a three month’s time to resolve any CAT 1 issuesOn site visit is necessary to clear CAT 1 issues

– Category 2 (Minor finding)Represents some deficiency in the implementation of SMSrequirements. Organization will be given a one month’s time toresolve any CAT 2 issues


Common FAQs

• Q3:What are the different kinds of assessment findings? (con’t)– AFI (Area for Improvement)

Represents an area that need to be enhanced before it develops into aCAT 1 or CAT 2 problems

– Positive (Positive Aspects)Represents an implementation that can be used as a role model forother departments or organization



Conclusion

Conclusion

• Conclusion– ISO 20000-1 is the certifiable standard for the Service Management

Systems (SMS) of an organization– ISO 20000-2 is used as a code of practice to satisfy the requirements

of the SMS standard– Need to perform detail readiness check or gap analysis before

applying for ISO 20000 certification– Understand the Key Success Factors in ISO 20000 certification


Thank you

IT & IT Security Certfiication Schemes7 May 13TÜV SÜD PSB Singapore Slide 56

Thank you

www.tuv-sud-psb.sg

Vielen Dank

C m n b n Terima kasih

http://www.tuv-sud-psb.sg/

Contact


Name: Chris NgDesignation: Product Manager / Lead AuditorEmail: [email protected] : 65 68851628Office Hotline: (65) 9366 8611


mailto:[email protected]

Demystifying ISO 20000-1 Standard

Technology

Transcript of Demystifying ISO 20000-1 Standard