Integrating sms and isms
0 likes389 views
The document discusses implementing an integrated IT service management system (SMS) and information security management system (ISMS) based on ISO/IEC 20000-1 and ISO/IEC 27000 standards. It describes how ISO/IEC 27001 fits into the information security requirements of ISO/IEC 20000. There are key benefits to an integrated system, including providing credible and secure services, lower implementation costs, reduced timelines by developing common processes together, and eliminating duplication between the standards. An integrated system also promotes understanding between service and security personnel.
Integrating sms and isms
- 1. Implementing Service Management System and IT Security management with Integrated ISO/IEC 2000-1 and ISO/IEC 27000-series By: Septafiansyah Dwi P. Institut Teknologi Bandung
- 2. ITSM or SMS IT service management, is a concept that combines with system management, network management, system development management and incident management, problem management, service management, security and so on helping enterprises to manage the process of constructing, implement, maintaining, and planning for IT system through effective management method (Tang, 2009).
- 3. ISO 20000 – Standar in IT Service Management What is it? The formulation of ITIL practices into an international standard Management of 13 key IT services to meet business requirements (predominantly internally focused) Specifies a number of closely related processes that brought together will help ensure that an organisation delivers managed IT services to its internal customers Comprehensive but not exhaustive Planning, implementing, monitoring, improvement of new and changed services
- 4. The benefits ISO 20000 • A consistent approach to service management • IT service provision becomes measurable and accountable • Consistent levels of service are agreed • Improved communication flows between IT and the business • IT gain better understanding of the business requirement • Reduced risk of business failure • A reduction in the number of avoidable and repeat incidents • Higher availability of systems and services
- 5. Service management system 1. Scope 1.1. General 1.2. Application 2.No rmati ve refre nces 3. Term s and defin itions 4. SMS general requirements 4.1. Manageme nt responsibilit y 4.2. Governance of processes operated by other parties 4.3 Documentat ion managemen t 4.4 Resource managemen t Establish and improvethe SMS .. 5. Design and transition of new or changed service 5.1 General 5.2 Plan new or changed services 5.3 Design and developmen t of new or changed services 5.4 Transition of new or changed services 6. Service delivery process 6.1 Service level managemen t 6.2 Service reporting 6.3 Service continuity and availability managemen t 6.4 Budgeting and accounting for services 6.5 Capacity managemen t 6.6 Information security managemen t 7. Relationsip process 7.1. Business relationship managemen t 7.2 Supplier managemen t 8. Resolution process 8.1. Incident and service request managemen t 8.2 Problem managemen t 9. Control process 9.1 Configuratio n managemen t 9.2 Change managemen t 9.3 Release and deployment managemen t
- 6. Implementing PDCA to service managment Plan •Establishing •Documenting •Agreeing SMS Do •Implementing •Operating the SMS Check •Monitoring, •Measuring, •Reviewing SMS Act •Improving the SMS •Improving the service Policies Objectives Plans Process Service Management System SMS Service Management Process Service
- 7. Indonesia Hot Topic Issue
- 8. ISO27001 ISO27001 is the standard for establishing, controlling, monitoring and improving an Information Security Management System (ISMS). It provides the requirements for an ISMS framework as well as 133 controls (much like the “shalls” in ISO 20000.) (Implement ISO, 2012) It is compatible with other standards such as NIST 800-53, ISO 27005, COSO, Detiknas. and uses a risk-based assesment approach to determine the scope of its implementation within an organisation. The main goals of the ISO 27001 standard are to manage information security, maintain business continuity and comply with regulation. It addresses all information,physical security, environmental aspects, outsourcing issues, etc.
- 9. The benefits ISO27000 • Reduction in possibly damaging/embarrassing information leaks and failures • Total risk mitigation, security of brand equity • Reduction in costs due to fewer security incidents • Common policies and control across the whole organisation • Increased staff awareness • Better monitored and audited systems and information flows • The risk significantly reduced
- 10. “where does the ISO 20000-1 fit in with ISO 27001?”
- 11. Integrated SMS and ISMS It is ISO 27001 which fits in to ISO 20000 and specifically in Section 6.6 Information Security Management. This section addresses information security policy, controls and changes/incidents as related to IT-based information. ISO 27001 can provide much further details and information in terms of setting up security elements in your organisation. ISO 27001 tells you “how” to do it rather than stating that you “have” to do it. In other words, aim to combine some of the implementation activities such as the audit review / risk assesment. There are advantages to having a single audit team to look at both Management Systems. This eliminates redundancies and gives good value for money and make Polinela established one of aspect in good governance university. As stated above, both standards use common management approaches, are both based on processes and also use the PDCA principles.
- 12. Advantages in integrated management system There are a number of advantages in implementing an integrated management system which takes into account not only the services provided but also the protection of information assets. These benefits can be experienced whether one standard is implemented before the other, or both standards are implemented simultaneously. Management and organizational processes, in particular, can derive benefit from the similarities between the International Standards and their common objectives. Key benefits of an integrated implementation include: a) the credibility, to internal or external customers of the organization, of an effective and secure service; b) the lower cost of an integrated programme of two projects, where achieving both service management and information security are part of an organization’s strategy; c) a reduction in implementation time due to the integrated development of processes common to both standards; d) elimination of unnecessary duplication; e) a greater understanding by service management and security personnel of each others’ viewpoints;
- 13. 감사합니다
Editor's Notes
- #4: Perumusan praktek ITIL ke dalam standar internasional Pengelolaan 13 layanan TI kunci untuk memenuhi kebutuhan bisnis (terutama berfokus secara internal) Menentukan sejumlah proses terkait erat yang membawa bersama-sama akan membantu memastikan bahwa organisasi memberikan layanan TI berhasil pelanggan internal Komprehensif tapi tidak menyeluruh Perencanaan, pelaksanaan, pemantauan, perbaikan layanan baru dan berubah