ISO 20000 presentation
Musibau Taiwo Lasisi ISO 20000 Lead Auditor (PMP, ISO 9001 L.A,LSSBB,COBIT,ITIL) [email protected]

Transcript of ISO 20000 presentation


Agenda

• Reasons for implementation
• Benefits
• Additional benefits
• Clause 4.1 – 4.4
• Clause 6.1 – 6.6

Reasons for implementation

ISO 20000 has become a basic business requirement for an organisation in the same manner as ISO 9000

ISO 20000 provides the organisation with the means to operate more effectively and efficiently

ISO 20000 provides an auditable method by which it can assess the quality and conformance of its IT Services

ISO 20000 assists organisations to enforce process compliance

ISO 20000 helps to significantly improve the morale of the IT department, the business and ultimately the Customer

ISO 20000 provides clear evidence that the quality of IT Service Management is taken seriously

Benefits

Source: www.cemarkingmumbai.com

• Provides a competitive advantage over competitors
• Promotes consistent and cost-effective services
• Makes it easier to justify or combat outsourcing
• Reduces organisational risks and cost
• Effective supplier management
• Provides a stable framework for IT service management
• Assists with meeting regulatory compliance requirements
• Ownership and responsibility defined at all levels
• Creates a progressive ethos and culture
• Increased business and customer confidence and perception
• Improved quality, reputation and consistency of service

Management responsibility (clause 4.1). Top management shall:

• Establish a service management policy, objectives and plans
• Communicate the importance of achieving the objectives of service management and the need for continual improvement
• Ensure that customer requirements are determined and met
• Designate a management representative to manage the IT SMS

Governance of processes operated by other parties (clause 4.2). The service provider shall:

• Identify the processes, or parts of processes, operated by other parties
• Demonstrate responsibility and authority for those processes
• Control the definition of the processes and their interfaces with other processes
• Determine process performance and compliance with the requirements of the process
• Control the planning and prioritisation of improvements
• Exercise this governance through the supplier management process or the service level management process

Documentation management (clause 4.3). The documentation should include:

◦ Service management policies and plans
◦ Service level agreements
◦ A documented catalog of services
◦ The documented processes, procedures and records required by ISO/IEC 20000-1

Procedures for the creation, review, approval, maintenance, disposal and control of documents and records must be established.

Resource management (clause 4.4). The organization must:

◦ Define and maintain the roles, responsibilities and authority of service management
◦ Critically analyze and manage skills and training needs

Top management shall ensure that employees are aware of:

◦ The relevance and importance of their activities
◦ How they contribute to the objectives of service management

Service level management (clause 6.1)

[Diagram: basic SLA versus SLA based on customer. In the basic SLA, a single agreed service level links the customer, the service and the IT infrastructure. In the customer-based SLA, each department / customer may have different requirements, so each has its own agreed service level for the service.]

Service level agreements basically:

• Communicate the IT customer's needs
• Communicate to the customer how IT can meet those needs and at what cost
• Remove misunderstandings, conflicts and dissatisfaction

Service reporting (clause 6.2). Describe each service report, including its:

• Identity
• Purpose
• Audience
• Details of the data source

Produce reports of services that meet identified needs and customer requirements.

The service report usually includes:

• Required vs actual service level goals
• Issues of non-compliance
• Characteristics of the workload
• Reports of resolution and control processes
• Trend information
• Customer satisfaction analysis

Service continuity and availability management (clause 6.3). Requirements for availability and continuity of service shall be identified on the basis of:

• Business plans
• SLAs
• Risk assessments

Requirements should include rights of access, response times and end-to-end availability of system components.

Availability and service continuity plans should be:

• Developed and critically analyzed annually to ensure all requirements are met in all circumstances
• Maintained to ensure they reflect the combined changes required by the business
• Re-tested after any major change in the business environment

• The change management process should evaluate the impact of any change on the availability and service continuity plans
• Availability should be measured and recorded
• Unplanned unavailability should be investigated and actions taken
• Preventive action should be taken
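As an added worked example (not from the presentation), the following Python measures achieved availability per service from an outage log, the "required vs actual" figure the service report above calls for: it excludes planned maintenance, clips outages that straddle the reporting period, compares the result against each SLA target, states how much unplanned downtime the target allows, and lists the unplanned outages that need investigation. The service names, SLA targets and outage records are constructed sample data, and 24x7 agreed service time is an assumption; a real SLA would define agreed service hours, which shrinks the denominator.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Outage:
    service: str
    start: datetime
    end: datetime
    planned: bool        # planned maintenance is excluded from unplanned downtime
    cause: str = ""


# Constructed sample data (hypothetical services, not from the presentation):
# SLA target = required percentage availability over the reporting period.
SLA_TARGETS = {"email": 99.9, "erp": 99.5}

# Reporting period: March 2024, 24x7 agreed service time (an assumption;
# a real SLA would define agreed service hours, which reduces the base).
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 4, 1)  # exclusive

OUTAGES = [
    Outage("email", datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 4, 0), True, "patching window"),
    Outage("email", datetime(2024, 3, 10, 9, 15), datetime(2024, 3, 10, 9, 45), False, "mail relay crash"),
    Outage("erp", datetime(2024, 3, 15, 8, 0), datetime(2024, 3, 15, 13, 0), False, "database failover"),
    # Straddles the period boundary: only the part inside the period counts.
    Outage("erp", datetime(2024, 2, 28, 22, 0), datetime(2024, 3, 1, 1, 0), False, "storage fault"),
]


def clipped_minutes(outage, start, end):
    """Minutes of the outage that fall inside [start, end)."""
    s = max(outage.start, start)
    e = min(outage.end, end)
    return max((e - s).total_seconds() / 60.0, 0.0)


def downtime_minutes(service, outages, start, end):
    """Unplanned downtime for one service inside the period; planned outages excluded."""
    return sum(
        clipped_minutes(o, start, end)
        for o in outages
        if o.service == service and not o.planned
    )


def availability(service, outages, start, end):
    """Achieved availability (%) = (agreed service time - unplanned downtime) / agreed service time."""
    total = (end - start).total_seconds() / 60.0
    down = downtime_minutes(service, outages, start, end)
    return round(100.0 * (total - down) / total, 4)


def availability_report(targets, outages, start, end):
    """Required vs actual per service, the downtime the target allows,
    and the unplanned outages that must be investigated."""
    total = (end - start).total_seconds() / 60.0
    report = {}
    for service, target in targets.items():
        actual = availability(service, outages, start, end)
        unplanned = [
            (o.start.isoformat(), round(clipped_minutes(o, start, end)), o.cause)
            for o in outages
            if o.service == service and not o.planned and clipped_minutes(o, start, end) > 0
        ]
        report[service] = {
            "target": target,
            "actual": actual,
            "compliant": actual >= target,
            "allowed_downtime_minutes": round(total * (100.0 - target) / 100.0, 1),
            "unplanned_downtime_minutes": downtime_minutes(service, outages, start, end),
            "unplanned_outages": unplanned,
        }
    return report


if __name__ == "__main__":
    for service, row in availability_report(SLA_TARGETS, OUTAGES, PERIOD_START, PERIOD_END).items():
        status = "OK" if row["compliant"] else "NON-COMPLIANT"
        print(f"{service}: target {row['target']}% actual {row['actual']}% [{status}]")
        for when, minutes, cause in row["unplanned_outages"]:
            print(f"  investigate: {when} {minutes} min - {cause}")
```

With this data the email service meets its 99.9% target (30 unplanned minutes against a 44.6-minute allowance), while the ERP service misses 99.5% because the 60 minutes of the storage fault that fall inside March add to the five-hour database failover; both ERP outages are reported for investigation, which is the non-compliance issue the service report has to carry.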

Budgeting and accounting for services (clause 6.4). The organization must have clear policies and procedures for:

• Budgeting and accounting for all components
• Apportioning indirect costs and allocating direct costs to services, to provide an overall cost for each service
• Effective financial control and authorization

Costs should be budgeted in sufficient detail to enable effective financial control and decision making.

The service provider should:

• Monitor and report costs against budget
• Critically analyze financial forecasts
• Manage costs appropriately

Changes to services should be budgeted and approved through the change management process.

Capacity management (clause 6.5). Create, implement and maintain a capacity plan, taking into consideration human, technical, information and financial resources, and agree capacity and performance requirements. The capacity plan shall include at least:

• Current and forecast demand for services
• Timescales, thresholds and costs for upgrades to service capacity
• The potential impact of statutory, regulatory, contractual and organizational changes, new technologies and new techniques

Information security management (clause 6.6). Management with appropriate authority shall:

• Approve and adopt an information security policy
• Communicate the policy to relevant personnel, suppliers and customers
• Ensure information security risk assessments are conducted at planned intervals
• Ensure internal audits of information security management are conducted and the audit results reviewed for opportunities for improvement

See ISO/IEC 27000 series

Document, implement and operate physical, administrative and technical information security controls in order to:

• Preserve the confidentiality, integrity and availability of information assets
• Fulfil policy requirements
• Manage risks related to information security

Arrangements involving third-party access to information or services shall be based on a formal agreement that defines the security requirements.

See ISO/IEC 27001 Annex A