Session 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security

Transcription

1 Session 609 Tuesday, October 22, 2:45 PM - 3:45 PM Track: IT Governance and Security An Overview of Recent Changes to ISO Ron Lester Enterprise Service Management Consultant, Information Technology Consultants ron_lester98@msn.com Session Description In the world of federal contracting, there are very few events that cause enough of a shift in the procurement landscape to significantly alter the distribution of contract awards. However, just such an event occurred in April 2011: the release of ISO :2011, which cancelled and replaced the 2005 edition. For the first time, the ISO standard now includes the term service management system. More importantly, the standard requires IT organizations to demonstrate an integrated approach to establishing, operating, and improving their service management systems, placing greater emphasis on customer satisfaction. ISO is a serious differentiator for individuals and organizations attend this session to learn more! (Intermediate) Speaker Background Ron Lester is an ITSM professional, project manager, and independent consultant with more than forty years of experience working with the federal government. He is recognized as a subject matter expert in, among other things, ITSM, program/project management, ISO 20000, systems management, total quality improvement, and business process reengineering.

2 Overview of the ISO 20K-1: 2011 Edition CHANGING THE GAME RON LESTER INFORMATION TECHNOLOGY CONSULTANT S, LLC INDEPENDENT CONSULTANT Game Changer THE ISO ;2011 IS A GAME CHANGER. AFTER MY PRESENTATION YOU WILL KNOW HOW TO WORK BETTER WITH THE STANDARD AND REALIZE THE FOLLOWING BENEFITS.

3 Benefits of This Presentation Streamlining the IT Services in line with Business Goals. Provide a Service Management System Framework. A FIRST Help improve Service Delivery and continuous improvement through measurement. Management will have a clear view and understanding of ISO processes and their relationship with different business activities. Reduce Risk Assessment and Mitigation activities. Rational why numerous organizations across the globe are adopting. More customer focus means confidence, means more business. Today s Agenda Overview of an ISO Standard and the ISO 20K, Part 1;2011 Why are Standards Important What is a Conformity Assessment The Game Change What is the Scope of the ISO 20K: 2011 Who can use the ISO 20K:2011 Key Differences Between ISO 20K: 2011 and 2005 Definition of a Service Management System ISO/IEC :2011 Anatomy How ISO 20K:2011 aligns with the Service Management System ISO/IEC Published Guidance Certification Roadmap Seven Step Process Continual Assessment Competence & Evaluation of Auditors Audit Criteria Key Take A Ways Where to get ISO 20K:2011 Support and Training

4 What is an ISO Standard? A technical specification or other precise criteria designed to be used consistently as a conformity provision, requirement. May contain several parts. Why are Standards Important Establishes a common lexicon, so there is no misunderstanding among users of the standard; Foundation for Trust and the very survival of communities, providing consistency of understanding and use across trading, organizational, and boundaries; Share technological advances and good management practices and disseminate innovation and ensure interchangeability of services and customer service.

5 Conformity Assessment The Game Change Conformity Assessment means any activity to determine, directly or indirectly, that a process, product, or service meets relevant technical standards and fulfills relevant requirements; Conformity Assessments may be accomplished through the following methods: Testing, Surveillance, Inspection, Auditing, Certification, Accreditation, or Implementing What is the Scope of the ISO :2011? Specifies requirements for the service provider to plan, establish, implement, operate, monitor, review, maintain, and improve an SMS. The requirements includes; the design, transition, delivery, and improvement of services to fulfill agreed service requirements.

6 Who can use the ISO 20K:2011 Organizations Service Providers Assessors/Auditors Key Differences Between ISO 20K; 2011 and 2005 Key Closer alignment with ISO 9001, 27001, and standards; Key Introduces Service Management System (SMS), service management plan, service requirements (customer needs); 85+ new primary requirements; Consistent use of the term Governance; Key Removal of Objective Statements after each clause or sub clause; Key Requirement for a catalog of services; Clearer content around the requirements. Although the shalls are basically the same requirement, the wording and explanations are much more direct and leave less for interpretation; Updated Bibliography; Key New requirement to conduct internal audits using same guidelines as ISO9K (ISO19011).

7 Definition of a Service Management System A Service Management System (SMS) directs and controls the service management activities of the service provider. The SMS provides a governance framework and includes: policies, objectives, plans, processes, documentation, and resources required to design, transition, deliver, and provide continual service improvements. ISO :2011 Structure 6 Clauses 409 requirements

8 Alignment of the ISO 20K:2011 and a Service Management System ISO/IEC Published Guidance Part 1: Service management system requirements Part 2: Guidance on the application of service management systems Part 3: Guidance on scope definition and applicability of ISO/IEC Part 4: Process reference model [Technical Report] Part 5: Exemplar implementation plan for ISO/IEC [Technical Report] Part 6: Requirements for bodies providing audit and certification of service management systems (future) Part 8: Guidance on implementation of service management systems for smaller organizations [Technical Report] (future) Part 9: Guidance on the application of ISO/IEC to the cloud [Technical Report] (future) Part 10:Concepts and terminology [Technical Report] (Future) Part 11: Guidance on the relationship between ISO/IEC :2011 and related service management frameworks [Technical Report] (future) Also note ISO/IEC Guideline on the integrated implementation of ISO/IEC and ISO/IEC 27001

9 Certification Roadmap 7 Step Process Step 1 Step 2 Step 3 Step4 Step 5 Establish an Audit Program Define a Reference Model Select a Registrar Recommend meeting with 3 Conduct Pre-Assessment, GAP Analysis between ITSMS & ISO20k Reqt, Optional, but recommended, Conduct an Internal Audit Step 6 Perform an Audit Step 7 Gain Certification Good for 3 years Note: Service Providers certified under the 2005, must be recertified by June 2013 Continual Assessment Post Certification Successful completion of the final audit, certificate is issued and expires after 3 years Surveillance audits performed at 12 month intervals Note: Rule of thumb, depending on the scope and size of the organization, the initial certification process could take between months.

10 Competence and Evaluation of Auditors Responsible For: Inspection, verification, and evaluation as suitable the accreditation of the registrar, and the competency of the registrar auditors Audit client to assign appropriately skilled and knowledgeable staff to perform the internal auditor role Skills: Knowledge and understanding of the standard/s used Conformance assessment techniques for questioning, evaluating and reporting Audit management and auditing skills such as planning, organizing, communicating and directing Note: Internal auditor role, it is a requirement auditors must not audit their own function or department in order to maintain objectivity and impartiality. Audit Criteria ISO 19011: The audit criteria are used as a reference against which conformity is determined and may include applicable policies, procedures, standards, laws and regulations, management system requirements, contractual requirements or industry/business sector codes of conduct

11 WII.FY WHATS IN IT FOR YOU 2011 Edition is a new start NOT an upgrade 2011 Edition has the right focus a service management system focus to satisfy customers, versus 2005 internally focused Requirement for an internal audit and continuous improvement program compatible with ISO19011 auditor guidelines The Auditee (service provider) can now set the scope of the service management plan and audit The Auditee can use ANY sources to develop their specification for a service management system and common reference model to use for audit. In Closing Thank you for attending this session. Please fill out the evaluation form.

12 Contact Information Ron Lester Independent Consultant Information Technology Consultants, LLC Certified Service Management Professional Certified ISO Specialist Certified ITIL Foundations Phone (O) Where to get ISO 20k Support and Training SED-IT, LLC 4122 Dolphin Road Louisville, KY Phone: Fax:

13 FACT In the world of Government contracting, at all levels, there are certain events that cause enough of a shift in the procurement landscape that significantly alter the distribution of contract awards. For all of the procurements associated with Information Technology (IT), it is believed such an event occurred in April 2011 with the availability of ISO :2011, Information Technology Service Management standard, canceling and replacing the 2005 edition. This new edition includes for the first time the term service management system, requiring an IT organization to demonstrate an integrated approach for establishing, operating, and improving the service management system, placing a greater emphasis on customer satisfaction, and requiring an annual internal audit. The standard also introduces numerous new requirements and represents a serious differentiator for organizations and individuals. Fact There has been a significant increase of RFP s from the US Government, which makes ISO an obligation for government proposals. Recently, the US Air Force required an ISO certificate from sourcing providers for their Enterprise and Services Management (EISM) system. The RFP stated: The prime contractor shall provide proof of certification (copy of the ISO certificate). The certificate must be held at the prime offeror s organizational level performing the contract. The Contractor shall also be certified for the entire period of the contract. More RFP s are expected which require the ISO certification within the DOD, DOC, & Veterans Affairs.

14 Q&A