Presentacion bari marzo 2015


Transcript of Presentacion bari marzo 2015

Page 1: Presentacion bari marzo 2015

AENOR

CERTIFICATION and CONFORMITY ASSESSMENT

Page 2: Presentacion bari marzo 2015

Table of Contents

1. Introduction
2. What is AENOR ICT?
3. Datacenter concept
4. ICTs as MANAGEMENT SUPPORT AND INNOVATION IN BUSINESS
5. AENOR ISO framework in ICT
6. IT Risks & solutions. Solutions to the Risks at ISO Dynamic Framework for ICT
7. Pilots in ICT
8. Certification Process

Page 3: Presentacion bari marzo 2015

1. Introduction

What is AENOR? And ICTs

Page 4: Presentacion bari marzo 2015

AENOR is one of the most prestigious and recognized certification and standardization bodies in the world; its purpose is to contribute to improving quality and protecting the environment.

To date it has issued approximately 40,000 certificates, in force in more than 40 countries, which attest to the conformity of management systems, products and services.

AENOR's values are: independence, objectivity, impartiality, professionalism and increasing value for our clients.

Page 5: Presentacion bari marzo 2015

Presence in INTERNATIONAL bodies

AENOR is a member of the main international standardization and certification bodies.

STANDARDIZATION:

International Standard Organization (ISO)
International Electrotechnical Commission (IEC)
Pan American Standards Commission (COPANT)
International Telecommunication Union
European Committee for Standardization (CEN)
European Committee for Electrotechnical Standardization (CENELEC)
European Telecommunications Standards Institute (ETSI)

CERTIFICATION:

World certification network (IQNet)

Page 6: Presentacion bari marzo 2015

AENOR IN THE WORLD: 42 countries in which AENOR is present

Page 7: Presentacion bari marzo 2015

GENERAL DATA

21,783 management system certifications in force: Quality 13,472; Environment 5,259; Safety 2,946; Social Responsibility 106

104,000 product and service certifications: 97,541; 6,481 (Products; Services)

Standards developed; Inspections; Qualified auditors; Environmental verifications and validations: 30,548; 11,763; 900; 482

Page 8: Presentacion bari marzo 2015

AENOR's commitment

To carry out certification and other related activities internationally, directly or through its own companies.

To spread a culture that identifies us as the reference for those seeking excellence.

To meet the needs of its clients by making available internationally recognized services and certificates.

To certify companies' products, services and management systems, giving them a differentiating competitive value that helps to foster trade and international cooperation.

To orient management systems toward the satisfaction of end customers and the active participation of staff, using total quality management criteria, in order to obtain results that guarantee competitive development.

Page 9: Presentacion bari marzo 2015

AENOR is made up of more than 900 technicians specialized in all industrial sectors, capable of managing global certification, inspection and training projects in any geographic area.

SECTORS

ICT; Public Administration; Energy; Construction; Tourism and leisure; Food; Transport and Logistics; Automotive; Aerospace; Healthcare and Social Services

Page 10: Presentacion bari marzo 2015

What is IQNET

The largest worldwide network of management system certification bodies.

An association founded in 1990, based in Switzerland.

AENOR is a founding member.

Formed by the leading certification bodies in each country.

35 members and more than 200 associates.

More than 300,000 certified companies in more than 150 countries.

Page 11: Presentacion bari marzo 2015

What is delivered to AENOR CLIENTS

AENOR, as an IQNET member, issues its own management system certificates together with the internationally recognized IQNET certificate.

Page 12: Presentacion bari marzo 2015

Benefits of CERTIFICATION

Savings in time and costs through unified management of certification activities.

A relationship with a single service provider worldwide.

Excellent control over the certification of company subsidiaries in any country.

International recognition of the certificates through our membership of IQNet.

Auditors specialized in the activities of the company's management system.

Certification processes that optimize human resources, with short certificate issuance times.

Page 13: Presentacion bari marzo 2015

AENOR Certification Marks and ICTs

Page 14: Presentacion bari marzo 2015

Certification of MANAGEMENT SYSTEMS: information technologies

IQNet Mark: MANAGEMENT SYSTEM

AENOR Mark: Information Technology Management, ISO/IEC 20000-1

AENOR Mark: Business Continuity, ISO 22301

AENOR Mark: Software with certified quality, ISO/IEC 25000

AENOR Mark: Information Security, ISO/IEC 27001

AENOR Mark: Software Life Cycle Maturity Level, SPICE-ISO 15504/ISO 12207

Page 15: Presentacion bari marzo 2015

Dynamic ISO model of governance and management in ICT

Objective: IT Governance and Management with ISO standards.

Diagram labels:

- IT Governance ISO 38500: IT Governance
- CIO
- Business Continuity ISO 22301: Business Continuity Management System
- Critical processes continuity
- Information Security ISO 27001: Information Security Management System
- ISO 27002: Guide to Controls
- IT Services ISO 20000-1: IT Service Management System
- ISO 20000-2: Good Practice Guide
- IT Quality and Safety in services
- Software Life Cycle Maturity Level: SPICE ISO 15504, Software Assessment, Improvement and Maturity Model
- ISO 12207: Software Development Life Cycle
- ISO 25000: Software product Quality
- Software Development; Operations / Services
- DEVOPS; Software creation

Page 16: Presentacion bari marzo 2015

2. Who is AENOR ICTs

• AENOR ICTs is an area founded in 2004, based at the Spain headquarters (within the AENOR Development & Research Office).

• Carlos Manuel Fernandez and his team developed the ISO Framework for ICT.

• They have certified more than 500 companies in more than 10 countries from 2004 to the present day.

Page 17: Presentacion bari marzo 2015

2. IQNet

What is IQNet?

• It is an association founded in 1990, with head office in Switzerland

• AENOR is a main member

• Formed by leading certification bodies

• 38 members and over 200 subsidiaries

• More than 200,000 certified companies in more than 150 countries.

Page 18: Presentacion bari marzo 2015

2. COUNTRIES IN WHICH AENOR HAS GRANTED CERTIFICATES

MORE THAN 59,000 CERTIFICATES OF MANAGEMENT SYSTEM AND PRODUCT IN MORE THAN 63 COUNTRIES

Page 19: Presentacion bari marzo 2015

2. COUNTRIES IN WHICH AENOR HAS GRANTED CERTIFICATES (ICTs)

MORE THAN 500 CERTIFICATES OF ISO ICT FRAMEWORK AND PRODUCT IN MORE THAN 10 COUNTRIES

- EUROPE: Spain, Germany, Portugal, Poland, Italy, UK.
- USA: Texas.
- LATAM: Argentina, Brazil, Chile, Ecuador, Mexico, Peru.

Page 20: Presentacion bari marzo 2015

3. Data Center and/or ICT (Information and Communications Technologies)

It is a set of assets and processes:

- People (Human ware)
- Systems and Technologies (database, software, applications, hardware, telecommunications, server rooms and infrastructure).
- IT Processes (Capacity Management, Security Management, Supplier Management, Development Management, Service Management, etc.)

Page 21: Presentacion bari marzo 2015

4. ICTs as MANAGEMENT SUPPORT AND INNOVATION IN BUSINESS

“New Business and Tools for Business” To CEOs & CIOs

B2C, B2B, BIG DATA

WEB 1.0, WEB 2.0, WEB 3.0?

Corporate Portal, Social Networks, Wikis, BYOD

e-Branding, e-Mailing, e-Learning

GIS, RFID

CRM, ERP, SCM

MOBILITY: PDAs, Smartphone (BlackBerry / iPhone / HTC)

BUSINESS PLAN = ICT PLAN (Integration and Alignment)

FACTORY OF ICT (New ICT Services and Operations)

CLOUD COMPUTING: SaaS (Software As A Service), IaaS (Infrastructure As A Service), PaaS (Platform As A Service)

Social, Mobility, Analytics, Cloud

Source: Carlos MF – UPSAM/UPM/UAM/UAH/UNIR

Page 22: Presentacion bari marzo 2015

5. IT Risks & solutions: Solutions to the Risks at ISO Dynamic Framework for ICT

• Risks in Information Security (ISO 27001)

- Loss of integrity of the information.
- Identity spoofing / misuse of roles.
- Intrusion in information systems.
- Denial of Service (DoS).
- Leakage of information.
- Risk of malware (viruses, Trojans, APTs, etc.)

• Risks in IT Services (ISO 20000-1)

- IT services undefined and without obligation.
- Breach of SLAs (Service Level Agreements).
- Services with an increased cost.
- Loss of service and slow recovery.

• Risks in Software Development (ISO 15504-SPICE)

- Non-compliance with user requirements.
- Non-compliance with project planning.
- No user test (sign-off) before final delivery.
- No traceability from user requirements to source code.

© AENOR

Page 23: Presentacion bari marzo 2015

5. IT Risks & solutions: Solutions to the Risks at ISO Dynamic Framework for ICT

• Risks in IT Governance (ISO 38500)

- Non-compliance between the ICT plan and the Business Plan.
- Legal non-compliance.
- Employees unmotivated.
- Purchases of IT not aligned with business needs; excessive costs.

• Risks in Business Continuity (ISO 22301)

- Disappearance of the company after a natural disaster or one caused by negligence.
- There is no resilience to disasters or serious incidents.
- No critical processes are identified.

• Risks in Business Product (ISO 25000)

- Non-compliance with the expected functionality.
- Excessive maintenance costs.
- Complexity of software.

Page 24: Presentacion bari marzo 2015

6. ISO Dynamic Framework for ICT

Objective: IT Governance and Management with ISO standards.

Diagram labels:

- IT Governance ISO 38500: IT Governance
- CIO
- Business Continuity ISO 22301: Business Continuity Management System
- Critical processes continuity
- Information Security ISO 27001: Information Security Management System
- ISO 27002: Guide to Controls
- IT Services ISO 20000-1: IT Service Management System
- ISO 20000-2: Good Practice Guide
- IT Quality and Safety in services
- Software Life Cycle Maturity Level: SPICE ISO 15504, Software Assessment, Improvement and Maturity Model
- ISO 12207: Software Development Life Cycle
- ISO 25000: Software product Quality
- Software Development; Operations / Services
- DEVOPS; Software creation

Page 25: Presentacion bari marzo 2015

6. ICT Management business criteria

• Penteo Report:

– Only 21% of the CIOs manage the Department of IT with business criteria
– 31% of CIOs manage the IT dept. only with technical criteria
– 48% manage it with hybrid criteria

• Conclusions:

– Managers of organizations have a more positive perception of CIOs who apply business criteria. They give them the role of business leader contributors by 58%
– Management of ICT improves the positioning of the IS dept. and the CIO
– In the future, managers and CIOs will be more low-tech

(Survey: 85 CIOs; 36 CEOs and 12 Presidents)

Page 26: Presentacion bari marzo 2015

6. Time Process in ICT

• 80's (automate business operations)

• 90's (Help Desk and budget control)

• Late 90's (E-Commerce and marketplace)

• 21st century (ITIL, CMMI, COBIT, ISO, etc.): define, measure and analyze; Continuous Improvement Cycle. ICT processes: increasing product development and innovation

• CIOs become CPOs (Chief Process Officers) integrated with business objectives.

» Source: David Flint, Vice President at Gartner Research (June 2008).

Page 27: Presentacion bari marzo 2015

6. How managers understand the Information Systems

• 71% of executives agree that IT is a driver to transform the business

• 62% believe that ICT should focus on innovation in business processes

• 66% agree that ICTs have brought more complex risk management to corporations.

» Source: Ernst & Young study "What's next for the CIO?" (January 2011).

A solution for the governance and management of ICT is the AENOR ISO framework in ICT, which carries out ICT governance and management in alignment with business objectives.

Page 28: Presentacion bari marzo 2015

7. How does AENOR do pilots?

• Pilots (ISO Pilots and New Standard Pilot)

– Study the Standard (AENOR and customers/organizations)
– Pilot with one or two big organizations (at least one year). Implementation by external consultant and certification by AENOR
– Pilots with smorg associations (because in Spain 90% of the organizations are smorg)
– Road-Show around Spain and other countries (e.g. Spain, Portugal, Poland, Mexico DF, Peru, Argentina, etc.) by AENOR
– ENAC Accreditation. ENAC is an entity of IAF
– Bookstore by AENOR Ediciones. These books are the experience of the pilots (e.g. AENOR Ediciones y Start-up: “Guía de Aplicación de la Norma UNE-ISO/IEC 27001 sobre seguridad en Sistema de Información para pymes”, etc.)

Page 29: Presentacion bari marzo 2015

7. ICT Pilots with standards (1 of 2)

• Most relevant milestones: ISO 27001

– In 2004, pilot with UNE 71502 with a company of the financial sector during the first quarter of 2004 (BNP PARIBAS)
– Currently more than 400 certifications issued. AENOR and IQNet Certificate

• Most relevant milestones: ISO 20000-1

– In June 2007, pilots with TELEPHONE SOLUTIONS and EL CORTE INGLES
– Currently more than 150 certifications issued. AENOR and IQNet Certificate

• Most relevant milestones: SPICE-ISO 15504 / ISO 12207

– In March 2008, 21 pilot companies at Maturity Level 2
– Study on the relationship between ISO/IEC 15504 - SPICE and CMMI-DEV v1.2, subsidized by the Spanish Ministry of Industry
– Currently over 50 certifications issued, Level 2 and Level 3. AENOR Certificate

Page 30: Presentacion bari marzo 2015

7. ICT Pilots with standards (2 of 2)

• Most relevant milestones: IT Governance - ISO 38500

– In 2010, the ISO 38500 pilot with a company in the financial sector (RSI - Rural Computing Service)
– Currently 1 certified company and several pilots ongoing. AENOR Certificate of Compliance

• Most relevant milestones: ISO 22301

– In 2010, the ISO 22301 pilot with a healthcare company and the financial sector (Sanitas and Credit Bureau (Mexico))
– Currently 8 certified companies. AENOR and IQNet Certificate

• Most relevant milestones: ISO 25000

– In 2013/2014, pilot with 4 SW development companies (BitWare, Enxenio, Sicaman and SER&PRactices)
– AENOR certificate of conformity of product (maintainability, functionality (ongoing), etc.)

• Most relevant milestones: ISO 29119 - Testing SW

– In 2015, under study and pilots.

Page 31: Presentacion bari marzo 2015

8. Certification Process according to ISO 17021

Process diagram labels:

- Certification Audit (ISO 17021)
- Information Applicant
- Data Sheet
- Scope: “… in according to current XXX”
- PHASE 1: AUDIT PLANNING AND STUDY OF DOCUMENTATION (in person)
- Report Phase 1
- PHASE 2: PERFORMING AUDIT (in person)
- Final Report
- PERFORM CORRECTIVE ACTIONS PLAN - CAP
- Assessment Report and Decision
- GRANTING CERTIFICATE
- UPDATE THE RESULTS
- Maintenance audit certification
- SURVEILLANCE AUDIT 1 (first year)
- SURVEILLANCE AUDIT 2 (second year)
- RECERTIFICATION AUDIT (third year)

Page 32: Presentacion bari marzo 2015

8. Accreditation and membership

IQNet is an association founded in 1990, with head office in Switzerland; 38 members and over 200 subsidiaries.

Accreditation by an independent government entity.

AENOR is accredited by ENAC

Page 33: Presentacion bari marzo 2015

8. State of the Art – Press release - AMETIC (April 2014)

Page 34: Presentacion bari marzo 2015

8. Testimonial ICT Framework - AENOR

“We have a risk analysis fully adapted to our needs”

Luís Lopes, Technical Director, CESCE Soluçoes Informatica. Portugal, part of Grupo SIA España

ISO 27001, ISO 20000-1: Luis Manuel Ortiz, Commercial Director, TI América. Mexico

“Certification guarantees to clients that our services are governed by best practices”

Maximino Álvarez, Managing Director, Xtream. Spain

SPICE-ISO 15504/ISO 12207

“Foundation of our international growth”

ISO 22301: Cristo M. Pérez Rosquete, IT Security Area, Sanitas. Spain

“To keep on caring”

Luis Montalban, CEO, BITWARE. Spain

ISO 15504 + ISO 25000

“The joint application of ISO 15504 and ISO 25000 has meant an improvement in productivity and a 60% saving in maintenance costs in the software

ENS: Carlos Carnicer, President, Consejo General de la Abogacía Española

“Citizens can trust that their data is managed with security guarantees”

Page 35: Presentacion bari marzo 2015

8. Management Systems in ICT. A recent history

“Simplicity is the ultimate sophistication” Leonardo Da Vinci

Page 36: Presentacion bari marzo 2015

AENOR Support Articles

Modelo para el Gobierno de las TIC basado en normas ISO. 2012. Ed. AENOR. Carlos Manuel Fdez. y Mario Piattini

Gestionar las TIC en el siglo XXI. Revista AENOR. Nº 278. pags 26-31. Año 2013. Carlos Manuel Fdez.

La norma ISO 27001 del Sistema de Gestión de la Seguridad de la Información. CALIDAD. Páginas 40-44. Año 2012. Carlos Manuel Fdez.

UNE-ISO/IEC 20000-1. Calidad certificada en los servicios de TI. FORUM CALIDAD. Nº.222- Junio 2011. Carlos Manuel Fdez.

Calidad y Seguridad en los servicios de las TIC. Revista AENOR. Nº 242. Año. 2009. Carlos Manuel Fdez. y Boris Delgado

Page 37: Presentacion bari marzo 2015

AENOR Support Articles

Calidad en el desarrollo de SW. Revista AENOR. Nº 285. Año 2013. Carlos Manuel Fdez.

ISO 22301. Resistir lo extraordinario. AENOR. Nº 285. Año 2013. Carlos Manuel Fdez.

Calidad en el producto Software. AENOR. Nº 288. Año 2013. Carlos Manuel Fdez.

A maturity model for the Spanish software industry based on ISO standards. ELSEVIER. Abril 2013. Carlos Manuel Fdez, et al

ISO 27001, un sistema de gestión para los procesos de control industrial. RevistaSIC. Año 2013. Carlos Manuel Fdez y Antonio Carretero.

Page 38: Presentacion bari marzo 2015

Library XXI century: Real Experiences (+ 500 companies)

Page 39: Presentacion bari marzo 2015

Future and conclusions in Management Systems at ICT.

Issues to consider:

• Internal control of Information Technology is not a fashion.

• A Management System for ICT helps to manage the internal control of Information Technology, aligned and integrated with business objectives and with legal and industry compliance.

• Deming Cycle. PDCA. Continual Improvement Cycle.


Page 41: Presentacion bari marzo 2015

A New Challenge in ICT

“Integrated (PDCA) of ICT aligned with the Business”.

Thank you, Merci, Danke, Obrigado, Grazie, Tack, Dzięki, Díky, Kiitos, Thanks, Ačiū, Köszönöm, GRACIAS

Carlos Manuel FERNÁNDEZ ICT Certification Manager (AENOR)

Associate Professor at the University (UNIR,UPM,UCJC)

AENOR Italia

Bari: Via Che Guevara 1

Torino: Corso Trapani 16

www.aenoritalia.com Tel. +39 348 82 14 729