This document provides an overview of an upcoming workshop on the ISO 20000-1 standard for service management. It introduces TUV SUD PSB and its product portfolio, then discusses what ISO 20000 is, why organizations pursue ISO 20000 certification, the main components of the standard, and the ISO 20000 certification roadmap and process. Key success factors and a conclusion are also mentioned.
Demystifying ISO 20000-1 Standard
1. 7 May 13
Demystifying ISO 20000-1 standard
ISO/TS 16949 Workshop
07 May 2013
Chris Ng
Product Manager / Lead Auditor
TÜV SÜD PSB Pte Ltd
MITM, ABCP, CISM, CISA, CISSP, CTT, ISO 9000 LA, ISO 27000 LA, ISO 20000 LA
ISO 22301 LA, SS 507 LA, SS 584 LA
IT & IT Security Certification Schemes, TÜV SÜD PSB Singapore, Slide 1
2. Content
1. Intro to TUV SUD PSB & Product Portfolio
2. What is ISO 20000 (SMS)?
3. Why ISO 20000 certification?
4. Main components of ISO 20000
5. ISO certification roadmap
- Pre-requisites
- Certification Process
3. Content (con't)
6. Key success factors
7. Conclusion
4. TÜV SÜD PSB Pte Ltd 10/4/2016
TUV SUD PSB
Corporate Overview
5. TÜV SÜD PSB
TUV SUD heritage: over 145 years of business success
1866 Establishment of a Mannheim-based steam boiler inspection association by 21 operators and owners of steam boilers, with the objective of protecting man, the environment and property against the risk emanating from a new and largely unknown form of technology
1910 First vehicle periodic technical inspection (PTI)
1926 Introduction of the "TÜV mark / stamp" in Germany
1958 Development of a Bavaria-wide network of vehicle inspection centres in the late 1950s
1990s Conglomeration of TÜVs from the southern part of Germany to form TÜV SÜD, and the expansion of business operations into Asia
2006 Expansion of services in ASEAN by acquiring the Singapore-based PSB Group
2009 Launch of Turkey-wide vehicle inspection by TÜVTURK
Today TÜV SÜD continues to pursue a strategy of internationalisation and growth
6. TÜV SÜD PSB Pte Ltd
IT Certification Product Portfolio
7. Auditing solutions service portfolio
Quality
- ISO 9001
- ISO/TS 16949
- ISO 13485
- ESD 20:20
- TL 9000
- AS 9100
IT
- Information Security (ISO 27001)
- Service Management System (ISO 20000-1)
- Business Continuity & Disaster Recovery (BC/DR, SS 507)
- Business Continuity Management (ISO 22301)
- Multi-Tier Cloud Security (MTCS) (SS 584)
Environmental Health & Safety
- ISO 14001
- OHSAS 18001
- QC080000
- Safety & Health Management System (SHMS)
- Safe Management of Hazardous Substances (SMHS)
- Carbon Footprint Certification (ISO 14064, PAS 2050)
- ISO 50001
- CDM
- Validation and verification of carbon dioxide (CO2) emissions
Social compliance
- SA8000
Food safety
- ISO 22000
- British Retail Consortium (BRC)
- Hazard Analysis and Critical Control Points (HACCP)
- Good Manufacturing Practice (GMP)
Specific industry
- Quality Management for Bunker Supply Chain (QMBS)
- Quality Maritime Education and Training (QMET)
- Good Distribution Practice for Medical Devices (GDPMDS)
Product Inspection
- Product Listing (PLS)
- Ready Mixed Concrete Certification
- Pre-shipment Inspection (PSI)
- Factory/Agency Inspection
- Source Inspection
- Suppliers' Audit
8. Why TUV SUD PSB?
• Why TUV SUD PSB?
– Market leader in the certification industry within ASEAN
– Certification Body with the largest team of IT and other scheme auditors in ASEAN
– All IT auditors have many years of industry experience and exposure to various IT-related schemes
– Quality of audits
– One of the few Registered Certification Bodies (RCB) for the APMG ISO/IEC 20000:2011 Certification Scheme
– 1st Certification Body (CB) to award an ISO 20000:2011 certificate to an organization in Singapore
9. TÜV SÜD PSB Pte Ltd
Seminars Participated
10. Why TUV SUD PSB?
• Seminars Participated
– Invited as guest speaker for several IT-related seminars in Singapore:
AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 23 Apr 2010
Information Systems Audit and Control Association (ISACA) – ISO 27001 Dinner talks – 19 Aug 2010
AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #8 - SS540 - The Singapore Standard for Business Continuity Management (BCM) and its relationship with the ISO 27001 (ISMS) standard – 18 Feb 2011
11. Why TUV SUD PSB?
• Seminars Participated (con't)
AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 - Information Security Management System Foundation – 5 Apr 2012
AISP-ITSC Information Security Standards - ISO 27001 Series: Talk #1 (Re-run) - Information Security Management System Foundation – 11 May 2012
ISACA Oct 12 Networking Talk Seminar - Introduction to the Business Continuity Management Standard (ISO 22301) – 23 Oct 2012
PinkAsiaForum12 – 1st Annual IT Service Management Leadership Forum – 6-7 Dec 2012
12. Why TUV SUD PSB?
• Seminars Participated (con't)
TUV SUD PSB's "Think Security First" Seminar, giving an introduction to the ISO 27001 standard – 13 Sep 2013
BCM Institute Seminar on "An insight into the ISO 22301 (BCMS) standard - the certification body perspective" – 28 Feb 2014
ISACA May 14 Networking Talk Seminar – Online all the time (BCM related) – 20 May 2014
Invited as a speaker for ST Kinetics' Business Continuity Awareness Week to give an introduction to the "ISO 22301 (BCMS) standard - the certification body perspective" – 21 Jul 2014
13. Why TUV SUD PSB?
• Seminars Participated (con't)
Invited by IDA as a panel expert in the discussion forum on the SS 584 Multi-tier Cloud Security (MTCS) standard at the Cloud Asia Conference – 30 Oct 2014
Conducted a clinic session on the SS 584 Multi-tier Cloud Security (MTCS) standard at TUV SUD PSB – 13 May 2015
14. TÜV SÜD PSB Pte Ltd
ISO 20000 Standard
(An International Standard for Service Management)
16. IT Infrastructure Library (ITIL)
• The IT Infrastructure Library (ITIL)
– is essentially a series of documents that forms the basis of a framework for delivering, improving and managing IT services
– this customizable framework defines how Service Management is applied within an organization
– is not a standard but a best-practice framework, collecting the practices that facilitate the delivery of high-quality IT services
– focuses on managing services to customers, not technology to users
– is centred on a service lifecycle approach and focused on providing business value
– has been adopted as the de facto standard for best practice in the provision of IT services
17. IT Infrastructure Library (ITIL)
• The IT Infrastructure Library (ITIL)
– It focuses on the following:
Service Strategy
– determines which types of services should be offered to which
customers or markets
Service Design
– identifies service requirements and devises new service offerings as
well as changes and improvements to existing ones
Service Transition
– builds and deploys new or modified services
Service Operation
– carries out operational tasks
Continual Service Improvement
– learns from past successes and failures and continually improves the
effectiveness and efficiency of services and processes.
18. What is SMS?
• What is Service Management System (SMS)?
– A Service Management System (SMS) is a process-based practice intended to align the delivery of information technology (IT) services with the needs of the enterprise, emphasizing benefits to customers.
– An SMS focuses on the delivery of end-to-end services using a best-practice process model.
19. What is ISO/IEC 20000 standard?
• What is the ISO/IEC 20000 standard?
– the formal standard against which organizations may seek independent certification of their Service Management System (SMS)
– introduced in Dec 2005; it closely follows the ITIL framework so that there is a consistent way to implement and "measure" IT Service Management
– a set of "controls" against which an organization can be assessed for effective IT Service Management processes
– requires organizations to comply with all the requirements of the Service Management standard
– adopts an integrated, end-to-end approach
20. What is ISO/IEC 20000 standard?
• What is ISO/IEC 20000 standard?
– to provide a common base for:
developing organizational IT service standards and adopting
effective service management practices
to provide confidence in inter-organizational dealings
– uses a Plan-Do-Check-Act (PDCA) model to achieve continual
improvement
22. Why ISO 20000 certification?
Benefits & Drivers
– Satisfying customers' requirements
Requirements from customers to possess a comprehensive service management system
– Enhancing operational efficiency & effectiveness
Certification improves the delivery of quality services in a more efficient and effective manner
– Provision of assurance
Certification provides assurance to clients that the organization has a robust and reliable operational setup within its service management system
23. Why ISO 20000 certification?
Benefits & Drivers (con't)
– Enhancing risk management
Leads to a better knowledge of the service management system, its weaknesses and how to protect it.
Controls are applied from a risk perspective.
– Increasing credibility and confidence
Certification can help set a company apart from its competitors in the marketplace.
Provides assurance to clients about how the provision of IT services is managed.
24. Why ISO 20000 certification?
Benefits & Drivers (con't)
– Helping to reduce costs
Reduced costs through streamlining of processes and through handling operational issues via a structured and organized incident and problem handling process
– Improving service awareness
Improves employee awareness of the need to provide quality services and of their specific roles and responsibilities in achieving that
25. TÜV SÜD PSB Pte Ltd
Application of ISO 20000 (SMS)
26. Application of ISO 20000
• Which organizations can go for ISO 20000 certification?
– Any organization that requires alignment of its services (including IT services) with business needs
– Any organization that wants to provide assurance to interested parties, e.g. customers, that it has a reliable and certified Service Management System (SMS)
• Organizations certified so far come from:
– finance, banking and insurance
– telecommunications
– utilities
– the retail sector
– the manufacturing sector
– various service industries
– the transportation sector
– government bodies
27. TÜV SÜD PSB Pte Ltd
ISO 20000 Family of Standards
28. ISO/IEC 20000 Standard
• Family of ISO/IEC 20000 standards
– ISO 20000-1:2011 (Part 1)
The specification against which Service Management processes are audited; it defines the processes and provides assessment criteria and recommendations for those responsible for Service Management
– ISO 20000-2:2012 (Part 2)
Code of practice that provides assistance to organizations that are to be audited against the ISO/IEC 20000 standard or are planning service improvements
29. TÜV SÜD PSB Pte Ltd
The Main Components of ISO/IEC 20000
30. ISO/IEC 20000 Standard
• Main components of ISO/IEC 20000 standard
– ISO 20000-1:2011 (9 sections)
1. Scope
2. Normative references
3. Terms and Definitions
4. Service Management System General Requirements
5. Design & Transition of New or Changed Services
6. Service Delivery Process
7. Relationship Processes
8. Resolution Processes
9. Control Processes
31. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard
• Clause 4: Service management system general requirements
– Clause 4.1 Management responsibility
– Clause 4.2 Governance of processes operated by other parties
– Clause 4.3 Documentation management
– Clause 4.4 Resource management
– Clause 4.5 Establish & improve the SMS
32. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard
• Clause 5: Design & transition of new or changed service
– Clause 5.1 General
– Clause 5.2 Plan new or changed services
– Clause 5.3 Design & development of new or changed services
– Clause 5.4 Transition of new or changed services
33. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard
– ISO/IEC 20000-1:2011 groups the main ITIL processes into Four core
process sets (Cl 6-9) :-
– 1. Service Delivery Processes (Cl 6) – which includes:
Service Level Management (SLM) (Cl 6.1),
Service Reporting (Cl 6.2)
Service Continuity & Availability Management, (Cl 6.3)
Budgeting and Accounting for Services (Cl 6.4)
Capacity Management (Cl 6.5),
Information Security Management (Cl 6.6)
34. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard (con't)
– 2. Relationship Processes (Cl 7):
Business Relationship Management (Cl 7.1)
– establishes and maintains a good relationship between the service provider and the customer
– a designated individual is assigned to handle each customer
Supplier Management (Cl 7.2)
– manages suppliers to ensure the provision of seamless, quality services
– monitoring of suppliers' service performance
– management of changes
– review of SLAs
35. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard (con't)
– 3. Resolution Processes (Cl 8):
Incident & Service Request Management (Cl 8.1)
– deals with the restoration of services
– requires a documented procedure for all incidents covering classification, priority, escalation, resolution, closure, etc.
– takes the impact and urgency of the incident into consideration
– defines what a major incident is and ensures it is communicated to the right interested parties
Problem Management (Cl 8.2)
– minimizes or avoids the impact of incidents and problems
– identifies and removes the root causes of incidents and problems
– leads into Change Management for the relevant solutions or patches
36. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard (con't)
– 4. Control Processes (Cl 9):
Configuration Management (Cl 9.1)
– defines and controls the components of the service and infrastructure and maintains accurate configuration information
– establishment of a configuration baseline
– definition of CIs in the CMDB
– identifies asset owners and interdependencies
Change Management (Cl 9.2)
– ensures all changes are assessed, approved, implemented and reviewed in a controlled manner
– procedures to handle emergency changes
– the decision to accept a change shall take into consideration the risks, the potential impacts on services and on the customer, service requirements, etc.
37. Main Components of ISO/IEC 20000
• Main components of ISO/IEC 20000 standard (con’t)
– 4. Control Processes (Cl 9):
Release & Deployment Management (Cl 9.3)
– to deliver, distribute and track one or more changes in the live
environment
– conducts impact analysis before release
– release needs to be built & tested before deployment
– establishes release, roll-out & roll-back plan
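The control processes above are the ones an auditor most often tests by sampling: pick a configuration item, compare its live configuration with the baseline kept in the CMDB (Cl 9.1), and ask for the approved change record behind every difference (Cl 9.2). The Python script below is an added example, not part of the original deck and not TÜV SÜD PSB's tooling; the CMDB baseline, the observed configuration and the change records are constructed inline for illustration, and the attribute names are assumptions. It lists every drift item and labels it authorised only when an approved change record for that CI and attribute, with the observed resulting value, covers the observation date; everything else, including assets that are not registered in the CMDB at all, is reported as unauthorised.

```python
"""Added example: configuration drift versus a CMDB baseline, cross-checked
against change records. All data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """One change as a change-management process would record it."""
    change_id: str
    ci_id: str          # configuration item the change applies to
    attribute: str      # which attribute of the CI the change alters
    new_value: str      # resulting value the change was approved for
    approved: bool      # rejected changes cover nothing
    window_start: str   # ISO dates compare correctly as plain strings
    window_end: str


# Constructed CMDB baseline (Cl 9.1): CI id -> attribute -> baseline value.
# Attribute names are assumptions, not taken from the deck.
BASELINE = {
    "srv-web-01": {"os": "Ubuntu 22.04", "sshd_permit_root_login": "no", "owner": "platform-team"},
    "srv-db-01": {"os": "RHEL 9", "tls_min_version": "1.2", "owner": "dba-team"},
}

# Constructed observation of the live estate, e.g. from an inventory agent run.
OBSERVED = {
    "srv-web-01": {"os": "Ubuntu 22.04", "sshd_permit_root_login": "yes", "owner": "platform-team"},
    "srv-db-01": {"os": "RHEL 9", "tls_min_version": "1.3", "owner": "dba-team"},
    "srv-tmp-99": {"os": "Debian 12"},   # not registered in the CMDB at all
}

# Constructed change records (Cl 9.2). CHG-1002 was rejected, so it covers nothing.
CHANGES = [
    ChangeRecord("CHG-1001", "srv-db-01", "tls_min_version", "1.3", True, "2016-04-01", "2016-04-03"),
    ChangeRecord("CHG-1002", "srv-web-01", "os", "Ubuntu 24.04", False, "2016-04-05", "2016-04-06"),
]


def find_drift(baseline, observed):
    """Return every difference as (ci_id, attribute, baseline_value, observed_value).

    A CI present on one side only is reported with attribute "*", so unregistered
    assets and missing CIs surface alongside attribute-level drift.
    """
    drift = []
    for ci_id in sorted(set(baseline) | set(observed)):
        if ci_id not in observed:
            drift.append((ci_id, "*", "present", "missing"))
            continue
        if ci_id not in baseline:
            drift.append((ci_id, "*", "unregistered", "present"))
            continue
        base, obs = baseline[ci_id], observed[ci_id]
        for attr in sorted(set(base) | set(obs)):
            if base.get(attr) != obs.get(attr):
                drift.append((ci_id, attr, base.get(attr), obs.get(attr)))
    return drift


def classify_drift(drift, changes, observed_on):
    """Label a drift item "authorised" when an approved change record matches its CI,
    attribute and observed value and the record's window contains observed_on;
    otherwise "unauthorised". Whole-CI drift ("*") never has a matching record."""
    verdicts = {}
    for ci_id, attr, _base, obs in drift:
        covered = any(
            c.approved
            and c.ci_id == ci_id
            and c.attribute == attr
            and c.new_value == obs
            and c.window_start <= observed_on <= c.window_end
            for c in changes
        )
        verdicts[(ci_id, attr)] = "authorised" if covered else "unauthorised"
    return verdicts


def unauthorised_changes(baseline, observed, changes, observed_on):
    """The drift keys (ci_id, attribute) that no approved change record explains."""
    verdicts = classify_drift(find_drift(baseline, observed), changes, observed_on)
    return sorted(key for key, verdict in verdicts.items() if verdict == "unauthorised")


if __name__ == "__main__":
    drift = find_drift(BASELINE, OBSERVED)
    verdicts = classify_drift(drift, CHANGES, "2016-04-02")
    for ci_id, attr, base, obs in drift:
        print(f"{ci_id:12} {attr:24} {base!s:>12} -> {obs!s:<12} {verdicts[(ci_id, attr)]}")
```

Run as a script it prints one line per drift item: the TLS change on srv-db-01 is explained by CHG-1001, while the root-login change on srv-web-01 and the unregistered srv-tmp-99 are exactly the kind of finding that becomes a CAT 1 or CAT 2 against Cl 9. Two details matter in practice: the observation date must be the time the inventory snapshot was taken, not the time the check runs, or a change made after its window closes is wrongly accepted; and matching on the resulting value, not only on the CI and attribute, stops an approved change from being used to excuse a different edit to the same setting.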
39. TÜV SÜD PSB Pte Ltd
The Certification Roadmap
40. ISO 20000 Certification Road map (2 phases)
Phase 1: Pre-Certification Phase
1. Gap analysis
- Getting the ISO 20000 standards
- List of identified gaps
- Cost and schedule estimation
2. Setting up the SMS framework
- Prepare Service Management Policy & Plan
- Define scope, objectives, resources, etc.
- Identify risk management methodology, perform risk assessment, identify internal audit approach, etc.
3. Implementation
- Allocation of funds, budget, roles and responsibilities, ITIL/ISO 20k training, etc.
- Documenting policies, plans, processes, etc.
4. Check & Act
- Management review (*), internal audit (*)
- Monitor Service Improvement Plan, etc.
41. Pre-requisites for ISO 20000 certification
• Pre-requisites
– Develop the SMS Manual
Establish the SMS Scope (*)
Establish SMS Policy (*)
Define SMS Objectives (*)
– Perform Risk Assessment
Description of Risk Assessment Methodology & Process (*)
Risk assessment report
Risk Treatment Process & Plan (*)
– Prepare Service Improvement Policy/Service Management Plan, etc.
42. Pre-requisites for ISO 20000 certification
• Pre-requisites (con’t)
– Perform Internal Audit
Internal Audit Procedure
Internal audit Programme & Results (*)
– Conduct Management Review (*)
– Develop competency of staff in SMS (*)
– Continual Improvement
Corrective Actions (CA) Procedure
Preventive Actions (PA) Procedure
Non-conformities uncovered and results of CA (*)
– Establish Control of documents/records procedures
Control of Document Procedure
Control of Records Procedure
43. ISO 20000 Certification Road map (con't)
Phase 2: Certification Phase
5. Application for ISO 20000 certification
6. Document (Manual) assessment (Stage 1)
7. Preliminary assessment (Stage 1)
- Records demonstrating SMS implementation
8. Certification assessment (Stage 2)
- Assessment report and Corrective Action (CA)
9. Awarding of certificate
44. ISO 20000 Certification Process
CERTIFICATION PROCESS
1. Application
2. Documentation Assessment (Stage 1)
3. Preliminary Assessment (Stage 1)
4. Certification Assessment (Stage 2)
5. Award of Certificate (valid for 3 yrs)
6. Post-Award Routine Surveillance
7. Renewal of Certificate (on the 3rd yr)
45. TÜV SÜD PSB Pte Ltd
Key Success Factors
46. Successful ISO 20000 implementation
• Key Success Factors:
– Management Commitment
– Cross-functional forum / committee
– Understanding Stakeholders’ business requirements in relation to
service delivery
– Effective Risk Management Process
47. Successful ISO 20000 implementation
• Key Success Factors (con't):
– Training & Awareness
– Proactive & Continual Improvement
Internal audit & management review
Identify and act on security weaknesses
Learn from incidents and establish the relevant preventive actions
49. Common FAQs
• Q1: How much does it cost, and how long does it take, for an ISO 20000 certification audit to complete?
– The cost and the time taken depend on the following factors:
Scope of services
Staff strength supporting the services
Number of remote sites (if any)
Complexity of logistics arrangements
Complexity of the organization, processes & services
No. of ITIL processes that are already implemented
Nature & sensitivity of the business
Any existing certification, such as ISO 9001, already implemented
Language barrier (a local interpreter is required if English is not the medium used for the audit)
50. Common FAQs
• Q2: How many months of data must I accumulate before
applying for certification?
– Typically, a minimum of 3 months of data and/or implementation
records will be required in order for a meaningful audit to be carried
out.
51. Common FAQs
• Q3: What are the different kinds of assessment findings?
Stage 1 Certification:
– Area of Concern (AOC)
Represents a non-conformance in the implementation of the SMS requirements. The organization is given one month to resolve any AOC issues.
52. Common FAQs
• Q3: What are the different kinds of assessment findings? (con't)
Stage 2 Certification / Continuing / Renewal:
– Category 1 (Major finding)
Represents a breakdown in the SMS framework. The organization is given three months to resolve any CAT 1 issues.
An on-site visit is necessary to clear CAT 1 issues.
– Category 2 (Minor finding)
Represents a deficiency in the implementation of the SMS requirements. The organization is given one month to resolve any CAT 2 issues.
53. Common FAQs
• Q3: What are the different kinds of assessment findings? (con't)
– AFI (Area for Improvement)
Represents an area that needs to be enhanced before it develops into a CAT 1 or CAT 2 problem
– Positive (Positive Aspects)
Represents an implementation that can be used as a role model for other departments or organizations
55. Conclusion
• Conclusion
– ISO 20000-1 is the certifiable standard for the Service Management System (SMS) of an organization
– ISO 20000-2 is used as a code of practice to help satisfy the requirements of the SMS standard
– A detailed readiness check or gap analysis is needed before applying for ISO 20000 certification
– Understand the Key Success Factors for ISO 20000 certification
56. Thank you
Thank you
www.tuv-sud-psb.sg
Vielen Dank
Cảm ơn bạn
Terima kasih
57. Contact
Name: Chris Ng
Designation: Product Manager / Lead Auditor
Email: khee-soon.ng@tuv-sud-psb.sg
Tel : 65 68851628
Office Hotline: (65) 9366 8611