The document discusses several ISO standards relevant to the ICT industry, including ISO 9001, ISO 27001, and ISO 20000. It explains that these standards can be integrated into a single management system to improve organizational performance, increase control over IT activities, and move from ad hoc approaches to defined and managed processes. Implementing best practices requires tailoring them to the specific organization and business context. The goal of integrating standards is to optimize operations while reducing duplication and costs.
Marketplace and Quality Assurance Presentation - Vincent Chirchir
Integration of ICT Standards
1. ISO 9001, ISO 27001, ISO 20000 and ITIL
Ana Meskovska, QISM
Ohrid, May 2009 Trajkovski & Partners Consulting
2. Importance of the ICT standards
Overview of the ISO standards relevant for ICT industry
Integration of the ISO standards relevant for ICT
If you don’t want to help yourself, no one can
12.05.2009 2
4. Increased use of standards and best practices (such as ISO 20000, ITIL, ISO 27001 etc.)
Key drivers:
business requirements for improved performance
need for increased control over IT activities.
Resulting effect from increased use of standards and best practices - moving from ad hoc and chaotic approaches to IT, to defined and managed processes.
5. IT best practices are important because:
they help enable effective governance of IT activities
management of IT is critical to the success of enterprise strategy
a management framework is needed so everyone knows what to do (policy, internal controls and defined practices).
they provide many benefits - including efficiency gains, less reliance on experts, fewer errors, increased trust from business partners, respect from regulators etc.
6. Costly and unfocused if they are treated as purely technical guidance.
Effective if they are applied within the business context, focusing on providing benefits to the organisation.
The focus of IT governance is directing the IT best practices to align to business and governance requirements rather than technical requirements.
7. Senior business and IT managers should understand the value of IT best practices and how to implement them.
Implementation of best practices should be:
tailored, prioritised and planned to achieve effective use
appropriate for the organisation
consistent with the organization’s risk management
integrated with other methods and practices that are being used
9. The ISO standards are structured to be integrated into any organization's existing management system
The goal of ISO standards is meeting and exceeding customers’ expectations.
The ISO standards are compatible among themselves
Benefits from ISO certification:
Increasing customer expectations and confidence
Documenting and measuring quality
Using consistent terminology and processes
Implementing continual improvement initiatives
10. Say what you do
Do what you say
Prove it
Improve it!
12. Quality management system – Requirements
Introduces the Quality Management System, a model for continual improvement and customer satisfaction
Suitable for any organization looking to improve the way it is operated and managed, regardless of size or sector.
It helps bring out the best in the organization by enabling understanding of the processes for delivering products/services to the customers.
13. IT service management is concerned with delivering and supporting IT services that are appropriate to the business requirements of the organisation.
ITIL provides a comprehensive, consistent and coherent set of best practices for IT service management and related processes
Promotes a quality approach for achieving business effectiveness and efficiency in the use of IS.
The generic processes described in ITIL promote best practice and may be used as a basis for achieving certification for the international standard ISO/IEC 20000.
14. Part 1: Information technology – Service management – Specification
Part 2: Information technology – Service management – Code of Practice
Promotes the adoption of an integrated process approach for effectively delivered managed services to meet the business and customer requirements
15. Information technology – Security techniques – Information Security Management Systems – Requirements
Provides information to responsible parties for establishing, implementing, operating, monitoring, reviewing, maintaining and improving a documented ISMS.
Designed to ensure adequate security controls to protect information assets, document the ISMS and give confidence to customers and interested parties
17. Standards and best practices are not a panacea
Effectiveness of standards depends on how they have actually been implemented and kept up to date.
IT best practices need to be:
aligned to business requirements
integrated with one another
integrated with internal procedures, i.e. the existing management system of the organisation.
18. Management system - framework of processes and procedures used in an organization
A management system exists to bring benefit to the organization in which it is used.
From a business perspective there should be only one management system.
The aim should therefore be to develop a cohesive system that supports the day-to-day operations and delivers what the organization needs.
20. Integrated management system – IMS integrates all components of a business into one coherent system to enable the achievement of its purpose and mission.
Aim - delivering the organization’s need in the simplest and most effective manner.
Integration of management systems should be carefully planned and implemented in a balanced way.
22. IMS can consist of many different international standards, depending on the industry and the needs of the company.
Important for effective IMS:
set a solid and comprehensive framework of the IMS, onto which the different standards relevant for the company can be added;
choose the standards and best practices that are important and relevant for the organization
plan the implementation process
implement the standards and best practices gradually
25. (figure: ISO 27001, ISO 9001:2000, ISO 20000)
27. Clause mapping: ISO 27001:2005 • ISO 9001:2008
ISO 27001:2005 | ISO 9001:2008
4. Information Security Management System | 4. Quality Management System
4.1 General Requirements | 4.1 General Requirements
4.2 Establishing and managing the ISMS |
4.2.1 Establish the ISMS |
4.2.2 Implement and operate the ISMS |
4.2.3 Monitor and review the ISMS | 8.2.3 Monitoring and measurement of processes; 8.2.4 Monitoring and measurement of products
4.2.4 Maintain and improve the ISMS |
4.3 Documentation Requirements | 4.2 Documentation Requirements
4.3.1 General | 4.2.1 General
| 4.2.2 Quality manual
4.3.2 Control of documents | 4.2.3 Control of documents
4.3.3 Control of records | 4.2.4 Control of records
28. Clause mapping: ISO 20000:2005 • ISO 9001:2000
ISO 20000:2005 | ISO 9001:2000
3.1 Management responsibility | 5. Management commitment
3.2 Documentation requirements | 4.2 Documentation requirements
3.3 Competence, Awareness and Training | 6.2.2 Competence, Awareness and Training
4.1 Plan service management | 7. Planning of product realization
4.3 Monitoring, measuring and reviewing | 8.2.2 Internal audit; 8.2.3 Monitoring and measuring processes
29. PAS 99:2006 Specification of common management system requirements as a framework for integration
Specification issued by BSI
“Recognised” by Certification Bodies
Purpose - help your organization to achieve benefits from integrating the common requirements of all your management system standards and specifications, and managing these requirements effectively.
30. To optimize the operational process of the various common standards used
To reduce duplication and bureaucracy
To reduce processes and procedures
To realise internal cost savings
To improve efficiency and effectiveness of the organization