ISO/IEC 20000-1

Security intelligence

Anan Sony, CISSP, CISA
Section Manager, ACIS Professional Center Co., Ltd.

Posted 18-Jan-2016


What is ISO/IEC 20000?

• Worldwide standard for IT Service Management
• 200+ requirements to be able to demonstrate compliance
• Certification for Quality Management
• => Like “ISO 9001” in “IT Service Management”


What is ISO/IEC 20000? (Cont.)

• ISO 20000 => IT Service Management System


ISO/IEC 20000 vs. ITIL, and why not ISO 9001?

(Diagram labels: WHAT? HOW?)


Agenda: Why should we care?

1. Worldwide standard for IT Service Management
2. International certification against the standard
3. Proof that ITIL best practices had been implemented
4. ITIL (IT Infrastructure Library) is a library of best practices, not a standard
5. “ITIL is a set of guidance”, “ISO 20000 is requirement”
6. Certification for “Quality Management”


ISO/IEC 20000 vs. ITIL

ISO/IEC 20000 vs. ITIL

Ref: http://www.isaca.org


What IT Strategies are Being Implemented? (n = 616)

› ITIL is, by far, the most common strategy being implemented
  – Users are significantly more likely to be implementing ITIL (85%) and BSM (26%)
  – Americas respondents are significantly more likely to be implementing Six Sigma (28%)
  – Larger companies are significantly more likely to be implementing Six Sigma (33%) and CMI (20%)

Ref: BMC


ITIL Processes Adopted (n = 209)

› Incident Management, Service Desk and Change Management are most likely to have been adopted already
  – Larger companies are significantly more likely to have already adopted release management, change management, capacity management, and problem management best practices

Ref: BMC


ITIL Processes in ISO 20000


ISO/IEC 20000 and AEC 2015

• There are more competitors in the IT Service Management industry
• How can an organization prove that it is better than the others?
• ISO/IEC 20000-1 certification is the answer!


How to Become ISO/IEC 20000-1:2011 Certified

Ref: http://www.bureauveritas.com/


ISO/IEC 20000 Benefits

• Guarantee your IT Service Management
• Competitive advantage for IT service providers
• Improve brand image from the customer perspective
• Business-IT alignment
• Customer satisfaction
• Effectiveness and efficiency for IT service


How to find certified organizations and their scope?

Ref: http://www.isoiec20000certification.com/home/ISOCertifiedOrganizations/ISOCountryListings-TH.aspx


ISO 20000 & ITIL Timeline

1980s – ITIL concept
1989 – GITIMM / ITIL V1
1991 – itSMF
2000 – BS 15000-1
2001 – ITIL V2
2002 – BS 15000-1:2002, BS 15000-2:2002
2005 – ISO/IEC 20000-1, ISO/IEC 20000-2
2007 – ITIL V3
2009 – ISO/IEC TR 20000-3
2010 – ISO/IEC 20000-4, ISO/IEC 20000-5
2011 – ITIL 2011, ISO/IEC 20000-1:2011, ISO/IEC 20000-2:2011


ITIL Historical Highlights

1986 – CCTA starts the GITIMM project
  – To gain control of IT costs, particularly in procurement and operations
  – To promote use of “best practice”
  – CCTA later renamed OGC; GITIMM later renamed “ITIL”

1989 – ITIL V1: 44 books published

1991 – itSMF founded, originally named “itIMF”


ITIL Historical Highlights (Cont.)

2001 – ITIL V2: 7 books published

2007 – ITIL V3: 5 books published

2011 – ITIL 2011: 5 books revised


ISO 20000 Historical Highlights

• Was originally a BS standard. BS 15000 was the world’s first standard for IT service management, and was initially published in 2000.
• In 2002 a second part was added to the standard set, BS 15000-2. A formal certification scheme was also introduced.
• In December 2005, ISO 20000 itself was published, based almost entirely on the above predecessors.


ISO/IEC 20000 & IT Audit

• One of the CISA domains!


1st, 2nd, 3rd party audit

• 1st party audit: Internal audit (the organization/company audits itself)
• 2nd party audit: Customer audit (external audit; customers audit the organization/company)
• 3rd party audit: Certification audit (external audit; certification bodies audit the organization/company and issue the certification)


Philosophy of Audit

(Diagram: starting from the audit criteria, the auditor seeks audit evidences showing that what is required exists, is executed, conforms, and is effective.)


How to develop a checklist?

Standard clauses → Transform → Yes/No questions

“Don’t make two or more topics in a question”

© Copyright, ACIS Professional Center Company Limited, All rights reserved


Checklists Example


How to get ready to audit?

• Knowledge & Skills!!!
  – IT background: ITIL Certification, CISA
  – ISO/IEC 20000-1:2011 understanding: IRCA course
  – Business sector knowledge
• Company products/services
• IT service process
• Financing and budgeting
• Stakeholders
• Suppliers and customers relationship

www.irca.org


The 10 CSFs for SMS Implementation

1. Management support
2. Balancing between ITIL and organization culture
3. Staff awareness and organization change
4. ITSM tools
5. Good consultant
6. Staff competency
7. Implementation scope
8. Continuous monitoring
9. Continual service improvement
10. Beliefs, attitudes, behaviors

Ref: itSMF Thailand Conference 2011


Q&A


You can follow us!

www.facebook.com/itsmfthailand
www.twitter.com/itsmfthailand