1. Integrated implementation of ISO/IEC 20000-1 and the ISO/IEC 27000 series: ISO/IEC 27013
By:
Septafiansyah Dwi P.
Institut Teknologi Bandung
2. ITSM or SMS
IT service management (ITSM) is a concept that combines system management, network management, system development management, incident management, problem management, service management, security and so on, helping enterprises to manage the process of constructing, implementing, maintaining and planning IT systems through effective management methods (Tang, 2009).
3. ISO 20000 – Standard in IT Service Management
What is it?
• The formulation of ITIL practices into an international standard
• Management of 13 key IT services to meet business requirements (predominantly internally focused)
• Specifies a number of closely related processes that, brought together, will help ensure that an organisation delivers managed IT services to its internal customers
• Comprehensive but not exhaustive
• Planning, implementing, monitoring and improvement of new and changed services
4. The benefits of ISO 20000
• A consistent approach to service management
• IT service provision becomes measurable and accountable
• Consistent levels of service are agreed
• Improved communication flows between IT and the business
• IT gains a better understanding of the business requirements
• Reduced risk of business failure
• A reduction in the number of avoidable and repeat incidents
• Higher availability of systems and services
5. Service management system (clause structure of ISO/IEC 20000-1)
1. Scope
   1.1 General
   1.2 Application
2. Normative references
3. Terms and definitions
4. SMS general requirements
   4.1 Management responsibility
   4.2 Governance of processes operated by other parties
   4.3 Documentation management
   4.4 Resource management
   4.5 Establish and improve the SMS
5. Design and transition of new or changed services
   5.1 General
   5.2 Plan new or changed services
   5.3 Design and development of new or changed services
   5.4 Transition of new or changed services
6. Service delivery processes
   6.1 Service level management
   6.2 Service reporting
   6.3 Service continuity and availability management
   6.4 Budgeting and accounting for services
   6.5 Capacity management
   6.6 Information security management
7. Relationship processes
   7.1 Business relationship management
   7.2 Supplier management
8. Resolution processes
   8.1 Incident and service request management
   8.2 Problem management
9. Control processes
   9.1 Configuration management
   9.2 Change management
   9.3 Release and deployment management
6. Implementing PDCA in service management
Plan
• Establishing, documenting and agreeing the SMS
Do
• Implementing and operating the SMS
Check
• Monitoring, measuring and reviewing the SMS
Act
• Improving the SMS
• Improving the service
Diagram: the Service Management System (SMS) consists of policies, objectives, plans and processes; the service management processes deliver the services.
8. ISO 27001
ISO 27001 is the standard for establishing, controlling, monitoring and improving an Information Security Management System (ISMS). It provides the requirements for an ISMS framework as well as 133 controls (much like the “shalls” in ISO 20000) (Implement ISO, 2012).
It is compatible with other standards such as NIST 800-53, ISO 27005, COSO and Detiknas, and uses a risk-based assessment approach to determine the scope of its implementation within an organisation. The main goals of the ISO 27001 standard are to manage information security, maintain business continuity and comply with regulation. It addresses all information, physical security, environmental aspects, outsourcing issues, etc.
9. The benefits of ISO 27000
• Reduction in possibly damaging/embarrassing information leaks and failures
• Total risk mitigation, security of brand equity
• Reduction in costs due to fewer security incidents
• Common policies and controls across the whole organisation
• Increased staff awareness
• Better monitored and audited systems and information flows
• Risk significantly reduced
11. Organization: ISO/IEC 27001 compared with ISO/IEC 20000-1
Specific to ISO/IEC 27001 (focus on information assets):
• Classification of information
• Information asset management
Specific to ISO/IEC 20000-1 (focus on services):
• Budgeting and accounting for services
• Business relationship management
• Design and transition of new and changed services
• Service level management
Shared parts (some overlaps, some differences):
• Resource management
• Risk assessment
• Roles and responsibilities
• Information security management
• Service continuity and availability management
• Supplier management
• Capacity management
• Change management
• Incident and service request management
• Problem management
• Release and deployment management
Common parts (identical between standards):
• Continual improvement
• PDCA
• Legal and regulatory compliance
• Training and awareness
• Management review
• Documentation management
The formulation of ITIL practices into an international standard. Management of 13 key IT services to meet business needs (mainly internally focused). Specifies a number of closely related processes which, brought together, will help ensure that the organisation delivers successful IT services to internal customers. Comprehensive but not exhaustive. Planning, implementation, monitoring and improvement of new and changed services.
Integrated SMS and ISMS
It is ISO 27001 which fits into ISO 20000, specifically in Section 6.6, Information security management. This section addresses information security policy, controls and changes/incidents as related to IT-based information. ISO 27001 can provide much further detail and information in terms of setting up the security elements in your organisation: ISO 27001 tells you “how” to do it rather than stating that you “have” to do it. In other words, aim to combine some of the implementation activities, such as the audit review and the risk assessment. There are advantages to having a single audit team look at both management systems: this eliminates redundancies, gives good value for money, and helps the organisation establish one aspect of good service delivery. As stated above, both standards use common management approaches, are both based on processes and also use the PDCA principles.
There are a number of advantages in implementing an integrated management system which takes into account not only the services provided but also the protection of information assets. These benefits can be experienced whether one standard is implemented before the other, or both standards are implemented simultaneously. Management and organizational processes, in particular, can derive benefit from the similarities between the International Standards and their common objectives. Key benefits of an integrated implementation include:
a) the credibility, to internal or external customers of the organization, of an effective and secure service;
b) the lower cost of an integrated programme of two projects, where achieving both service management and information security are part of an organization’s strategy;
c) a reduction in implementation time due to the integrated development of processes common to both standards;
d) elimination of unnecessary duplication;
e) a greater understanding by service management and security personnel of each other’s viewpoints;