VisibleThread User Experience Within Our ISO 20K Certified Air Force PMO

Briefing for the VisibleThread Users’ Conference 2014, November 2014

Chris Roelofs, Lead Associate, Booz Allen Hamilton

Copyright 2014, Booz Allen Hamilton Inc.

Upload: visiblethread

Post on 11-Jul-2015



Our VisibleThread Journey Since October 2012

Deltek Reports (October 2012)

Sandbox (October 2012 – March 2013)

Out-of-the-Box Utilization (April 2013)

Concept Dictionary Deployment for RFP Analysis (May 2013 – Present)

Concept Dictionary Deployment for ISO 20K Compliance (June 2013 – Present)

Concept Dictionary Development for ISO 27K Certification (August 2014)


Deltek Reports (October 2012)

Customers identified VisibleThread as an RFP analysis tool available on the Deltek site

Conducted research to see if firm already possessed licenses

Contacted VisibleThread to learn more

Our journey began with a tip from a customer


Sandbox (October 2012 – March 2013)

Select user group

Support and demonstrations from VisibleThread experts

Minor Concept Dictionary development

Focus on RFP analysis

Broad reach within firm

Supported business case development for purchase

The sandbox allowed demonstrations on real data without restriction


Out-of-the-Box Utilization (April 2013)

Initial procurement

Installation on internal server

Expanded user group

Training

Demonstrations of capabilities to market groups and proposal teams

Solicited feedback on concept report output – refined basic dictionaries

We honed our skills, gained a larger user base and envisioned broader application


Concept Dictionary Deployment for RFP Analysis (May 2013 – Present)

Compliance Matrix – What does the SOW tell us to do?

EISM Task Areas – How does this requirement relate to the prime contract?

Risk Matrix – Which firm-identified risks are triggered?

Section L & M – What do we provide and how will we be evaluated?

We enhanced and refined dictionary development to achieve targeted results


Concept Dictionaries Deployed for RFP Analysis

What does the Statement of Work tell us to do?

What scope areas from the IDIQ does the RFP address?

Which Firm Specified Risk areas are triggered?

What do we have to provide in our proposal and how will we be evaluated?


Concept Dictionary Deployment for ISO 20K Compliance (June 2013 – Present)

“ISO/IEC 20000-1:2011 (ISO 20K) is a standard for the design, transition, delivery and improvement of services that fulfill service requirements and provide value for both the customer and the service provider.” *

“ISO 20K requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS).” *

“Coordinated integration and implementation of the SMS through all stages of the service lifecycle, from strategy through design, transition and operation, including continual improvement.” *

We use VisibleThread to help us:

– Ensure all areas of the standard are addressed in our documents (policies, plans, procedures, etc.)

– Show the interrelationship between documents involved in the performance of a process from initiation to completion

* - BS ISO/IEC 20000-1:2011

We targeted concepts across multiple documents to show linkages and process relationships

[Pages 9–14: Concept Analysis for ISO 20K Compliance. Slide labels: Document Folders; Documents Under Analysis; Concept dictionary; ISO 20k Requirement Clause; Analysis]

Concept Dictionary Development for ISO 27K Certification (August 2014)

ISO/IEC 27001:2013 (ISO 27K) – “This International Standard has been prepared to provide requirements for establishing, implementing, maintaining and continually improving an information security management system.” *

“The information security management system preserves the confidentiality, integrity and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed.” *

“It is important that the information security management system is part of and integrated with the organization’s processes and overall management structure and that information security is considered in the design of processes, information systems, and controls.” *

We use VisibleThread to help us:

– Determine where ISO 27K controls are adequately incorporated into existing documentation

– Identify which controls may not be fully managed or only partially managed – gaps that need resolution prior to certification audit

* - SN ISO/IEC 27001:2013 en

We are envisioning how documents should relate to achieve integrated processes

[Pages 16–20: ISO 27K Certification Compliance Analysis. Slide labels: Concept dictionary; ISO 27k Control; Documents Under Analysis; Analysis]

The VisibleThread Journey Continues…

It has been a growing experience

– A suggestion has turned into a standard business practice for our PMO

Our ISO 27K Concept Dictionary is a work in progress

– Proper selection of terms and phrases will determine its effectiveness

We still have customers asking if we can do something different with the tool

– We haven’t had to say “No” yet
