Updates from April, 2016

  • ISO 20000 Case Study – How Coral made a Kuwait Oil Giant achieve certification 


    ISO 20000 – 2011 is based on ITIL, the best practice framework. ISO 20000 – 2011 requirements are divided into management system requirements, 13 core processes and one design clause.

    The detailed list of ISO 20000 – 1 – 2011 requirements is here – http://www.coralesecure.com/pg/48/sms-iso-20000-2011-standard.html

    Business Context

    The leading oil government based in Kuwait provides IT services to its 1500 user base across Kuwait and global locations.

    Coral Methodology 

    We divided the assignment into the following key phases.

    Phase 1 – Gap Analysis

    Phase 2 – Documentation

    Phase 3 – ITSM Performance Reporting

    Phase 4 – Internal Audit

    Phase 5 – Certification Body Audits

    Listed below are unique highlights about each of the phases.

    Phase 1 – Gap Analysis

    This phase has several documented tasks aimed at understanding customer expectations from IT on one hand, and the level of IT performance reporting on the other. We met each IT team and understood their core IT delivery processes. This phase resulted in the following documented deliverables:

    • Service Identification – which will lead to determination of service catalogue
    • Asset and Configuration identification
    • Availability Risk Assessment
    • Skill Identification
    • Gap analysis of individual ISO 20000-2011 requirements

    Phase 2 – Skill Transfer, Documentation, and Training 

    In this phase each of the ISO 20000 – 2011 management system controls is defined and handed over to the client-nominated program management team using our methodology, which includes templates, proofs of concept, communication, and defined workflows. Each of the standard's requirements underwent a deep dive, with the customer first understanding the process and then agreeing how they would like to operate the individual process in the context of their configurations on one hand, and the service catalogues with their customers on the other. Key documented deliverables for this phase included the following:

    • Service Catalogues finalization with customer groups
    • ITSM Policy
    • ITSM authorities that included roles and responsibility
    • ITSM Performance dashboards
    • Training – that involved awareness sessions and cross-process impact training using simple services, and their impact across 14 processes
    • Individual policy, procedure and metrics for each of the ISO 20000-1 – 2011 requirements. Here is the full list of requirements – http://www.coralesecure.com/pg/48/sms-iso-20000-2011-standard.html

    Phase 3 – ITSM Performance Tracking

    After the documentation was complete, the third phase was about tracking the performance of the ITSM based on what was agreed with process owners and teams. Being independent and focused on customer satisfaction, we were able to give valuable input on whether processes were working or not, along with input on fine-tuning them.

    Key deliverables of this phase included the following:

    • Performance report on ITSM processes
    • Process lacunae

    Phase 4 – Internal Audit

    An independent team combining consultants and internal staff was created and entrusted with the task of auditing the performance of the ITSM. The team made interesting audit findings – which made a lot of IT performance and business sense.

    • Internal Audit Process
    • Awareness Check of Personnel
    • Maturity Rating of the 14 processes
    • Compliance rating for 140 detailed requirements covering ISO 20000 – 2011 Clause 4 to Clause 9.3 requirements.

    Management review – The process concluded with the management review which was attended by all senior members of the IT steering committee along with the process champions, and the management representative.

    Phase 5 – Certification Body Audits

    Finally the certification body arrived, to perform the two stages of audit:

    Stage 1 – Documentation Audit – In this stage they verified all the documentary requirements of the standard. As we had documented and checked compliance against each of the 140 detailed compliance requirements, the auditor could find compliance in all areas, with a few suggestions for improvement.

    Stage 2 – Implementation Audit – In this phase the audit was more rigorous and involved checking the service context and the associated processes and involved interviewing process owners.

    Finally the company was recommended for successful ISO 20000-2011 certification.

    The organisation achieved several business and IT benefits.

    • Customers knew exactly what to expect and by when
    • IT service risks were visible to everyone in the form of a dashboard
    • Performance of individual processes was extremely transparent

    For a detailed analysis of how Coral can help you align your organisation to ISO 20000-2011, please write to us at roadmap@www.coralesecure.com.

  • Business Continuity tabletop exercise – who to involve? 

    The tabletop exercise should involve each individual whose responsibility is defined and documented in your business continuity plan. The days that you spent creating the plan would be completely wasted unless each role and individual named agrees to the content.

    Top Management – Even if you cannot get the CEO, involve someone from your core customer facing team. The role will check if the continuity fulfils customer or core operations in case of restoration.

    Business continuity Manager – This role has the complete oversight of how fast the enterprise needs to be responding to each documented plan. Involving him/her ensures that the outcome of the business continuity plan is achieved in line with business objectives.

    Assuming you have plans to manage site outage, technology outage, vendor outage and people outage, involve both process and support teams to be a part of this exercise.

    Information Technology – Whether it is a hot site, warm site or cold site strategy, individuals should acknowledge their ability to restore within the recovery point objectives (RPO), in line with the return time objective (RTO).

    Human Resources – If your people outage involves cross training or replacement of existing employees to do a specific task, then the head of those teams should agree and acknowledge that the replaced employee will be able to do the desired work.

    Procurement – If your vendor outage strategy involves seeking an alternate service provider, the procurement team and the respective team whose services will be affected should agree and acknowledge the alternative plan.

    Physical Security – The physical security team should be able to acknowledge the availability of the alternate site and its readiness in case of a site outage as defined in the plan.

    Crisis Management Team (CMT) – CMT members are the ones who invoke the continuity plans. They should understand each of the outage scenarios, the human element of crisis, and the outage plans. They know that it takes time and resources to invoke these plans, and their role is to manage the human part of the process.

    Taking Feedback

    Ask the members attending the session – are you now more aware of business continuity and your own responsibility? If the answer is yes, half of the battle is won. Organisationally, you are now prepared for the next maturity level of continuity – which can be a simulation test, a full-blown one, or a combination.

    Documenting Results

    All the teams participating should give formal feedback about the outcome of the test, and their feedback should be documented for improving your overall continuity plan.

    If your business continuity plan is at version 1, perhaps it has never been read and reviewed. It is highly unlikely that it will remain at version 1 after a formal tabletop exercise.

    Hope it helps!

  • How IT service management works and how to kick start the program? 

    If you are concerned about IT service delivery and its impact to your business – this is for you!

    IT service management system (ITSM) practices bring speed and business alignment to IT service delivery. Implementation of ITSM should result in IT service delivery improvement (I call it speed) of 30-50%, if not more.

    The journey begins with a simple agreement between business and IT using a service catalogue. A service catalogue is like any other catalogue that you are aware of – it is the outcome of an agreement between an IT customer (a user group) and a vendor, in this case the IT team.

    ITSM implementation fulfils different stakeholder interests.

    For the CEO it means the IT organisation is delivering in alignment with business. The implementation of ITSM ensures the customer ‘voice’ in the design and delivery of IT services. Customer satisfaction is assured through processes such as Business relationship management. Financial control is assured through processes such as Budgeting and Accounting.

    For the CIO it brings order to the house. Each service in the service catalogue is aligned with the 15 processes (see below). In fact, every time a new service is to be added, the CIO or the IT service delivery manager thinks of these 15 processes as part of the service design. Alignment of IT service delivery to the processes brings robustness and risk control.

    Processes such as configuration management database (CMDB) and known error database (KED) form the foundation of IT delivery. CMDB helps in improving response time for change and release. KED helps in resolving incidents and problems faster.

    For the technical administrator it means alignment with a number of good practices in change management, configuration management and release management. No more ‘I know the technical guy’ so ‘I will get my work done’ – everyone speaks the language of ticket, service, response time and resolution time.

    Not sure how to start? Start with your service catalogue – it is the beginning!

    ISO 20000 processes that you pick and choose as applicable for your business

    Design and development of new or changed services
    Transition of new or changed services
    Service level management
    Service reporting
    Service continuity and availability management
    Budgeting and accounting for services
    Capacity management
    Information security management
    Business relationship management
    Supplier management
    Incident and service request management
    Problem management
    Configuration management
    Change management
    Release and deployment management

    If you are seeking formal ISO 20000 compliance all the processes apply.

    Hope this helps.

  • What is common between McDonald and your IT department? 

    It is the catalog. If you don’t have one, create one.

    What is the ultimate goal for both McDonald and your IT department? The answer is perhaps delivery of goods (McDonald), delivery of services (IT), and customer satisfaction. In the case of IT, the customers are business users.

    A lack of visibility of what IT does has been a pain in most organisations, and nothing could be simpler than starting with a service catalog.

    A catalog is a simple definition in service terms. It consists of service names that business understands.

    Infrastructure Availability – calculate the number of maintenance hours you need per year, and use this link – http://uptime.is/ – to calculate your availability commitment.

    Service Availability – Depending upon your office hours, define your support layers. For critical businesses such as banks, the definitions are banking hours, non-banking hours, and crisis hours.

    Application provisioning, desktop provisioning, user activation are just some of the simple names that IT delivers. For each such service define its availability/SLA target, available hours (for help desk), response time and resolution time in case of an incident, along with a name of person to contact in case of a specific service issue.

    By setting this in place and having an agreement with business users, it is the perfect beginning of a bond between customer (IT users) and service provider, in this case IT.

    Business need not know the intricacies involved, nor is it interested.

    If you are a CIO create two service catalogs – one for business and one for your own technology teams.

    So if you have an application development team, database team, networking team or even a security team, demand a service catalog from each of them on the same terms as business demands it from you.

    One should be able to see a clear-cut alignment between the business catalog and the internal catalog. You cannot have a business SLA of 99.9% and an internal team reporting anything less than that value; there will be a clear-cut mismatch.
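    The alignment check described above, together with the maintenance-hours availability calculation, as an added example that is not part of the original post. The catalog contents, team names and function names are constructed for illustration; it goes beyond the text by also multiplying the availabilities of all teams a service depends on, assuming they fail independently and the service needs all of them.

```python
from dataclasses import dataclass

HOURS_PER_YEAR = 365 * 24  # 8760 hours, non-leap year


def availability_from_maintenance(maintenance_hours_per_year: float) -> float:
    """Availability commitment (%) if planned maintenance is the only downtime."""
    if not 0 <= maintenance_hours_per_year <= HOURS_PER_YEAR:
        raise ValueError("maintenance hours must be between 0 and 8760")
    return 100.0 * (1 - maintenance_hours_per_year / HOURS_PER_YEAR)


def allowed_downtime_hours(sla_pct: float) -> float:
    """Hours per year a service may be down and still meet its SLA."""
    return HOURS_PER_YEAR * (1 - sla_pct / 100.0)


# Constructed internal catalog: team -> planned maintenance hours per year.
INTERNAL_CATALOG = {"network": 4.0, "database": 8.0, "application": 24.0}

# Constructed business catalog: what IT has agreed with business users.
BUSINESS_CATALOG = [
    {"service": "Desktop provisioning", "sla_pct": 99.5,
     "depends_on": ["network"]},
    {"service": "Application provisioning", "sla_pct": 99.9,
     "depends_on": ["network", "database"]},
    {"service": "User activation", "sla_pct": 99.9,
     "depends_on": ["network", "application"]},
    {"service": "Security monitoring", "sla_pct": 99.0,
     "depends_on": ["security"]},  # team with no internal catalog entry
]


@dataclass(frozen=True)
class Finding:
    service: str
    kind: str      # team_below_sla | composite_below_sla | no_internal_commitment
    subject: str   # team name, or "+"-joined dependency chain
    value_pct: float


def check_alignment(business, internal):
    """Compare each business SLA with the internal commitments behind it."""
    findings = []
    for entry in business:
        composite = 1.0
        complete = True
        for team in entry["depends_on"]:
            if team not in internal:
                # A business promise with no internal number behind it.
                findings.append(Finding(entry["service"],
                                        "no_internal_commitment", team, 0.0))
                complete = False
                continue
            team_pct = availability_from_maintenance(internal[team])
            composite *= team_pct / 100.0
            if team_pct < entry["sla_pct"]:
                findings.append(Finding(entry["service"],
                                        "team_below_sla", team, team_pct))
        # Every team can meet the SLA on its own while the chain does not.
        if complete and composite * 100.0 < entry["sla_pct"]:
            findings.append(Finding(entry["service"], "composite_below_sla",
                                    "+".join(entry["depends_on"]),
                                    composite * 100.0))
    return findings


if __name__ == "__main__":
    for f in check_alignment(BUSINESS_CATALOG, INTERNAL_CATALOG):
        print(f"{f.service}: {f.kind} ({f.subject}) = {f.value_pct:.3f}%")
```

    Application provisioning is the case worth noting: both teams it depends on commit to more than 99.9% individually, yet the combined figure falls below the business SLA.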

    How to create this document?

    Two steps:

    Step 1: Call for a meeting with all teams in a brain storming session and seek all the numbers. Put this in a dashboard and ask every technical team.

    Step 2: Present the document to business for their approval. Let them ask for more.

    Your steps can be in any order, but what will come out is a document that will be a benchmark for service quality.

    So next time you seek a customer satisfaction survey (CSAT), you can also see which service has more satisfaction level than others.

    This process will ensure that you are not far behind McDonald in guaranteeing customer satisfaction.

    Hope this helped!

  • How ITIL/ISO 20000 can improve overall business response time? 

    Businesses demand a better response from their IT organization. Businesses understand that IT is critical, and they expect that better delivery will improve business response time, whether for new product delivery, new product launch or simply responding to customer queries day to day.

    How can this be achieved?

    ITIL/ISO 20000 implementation is one such answer. It can help increase the IT service and infrastructure response time SLA by almost double.

    There are several processes in ITIL/ISO 20000 that really make this happen:

    • Service catalogue implementation involves defining a list of services that IT provides, with their service response and resolution times. Here IT speaks the language of business and aligns IT availability with business availability.
    • Configuration Item (CI) identification is one of the core control processes introduced as a part of ISO 20000. Once CIs are identified and recorded in the configuration management database, each configuration item becomes part of a set of relationships. As a result, the time to execute change and release is reduced, because you involve only those CI owners who are really part of a change and not every IT team, as in the traditional approach.
    • Change and release process time is reduced due to a better understanding of CIs, as is the time to execute these processes.
    • Known error database (KED) gives every service team more teeth to resolve incidents. When everyone is aware of these issues, you resolve them better and faster.

    These are some of the key changes brought by ITIL/ISO 20000 that can help improve IT response time and improve overall IT service delivery.

    Similarly, each of the listed ITIL/ISO 20000 process and its implementation can deliver substantial business/IT service value:

    ITIL – 5 Core processes

    Service Strategy
    Service Design
    Service Transition
    Service Operation
    Continual Service Improvement

    ISO 20000 – 13 implementation processes

    Service level management
    Service reporting
    Service continuity and availability management
    Budgeting and accounting for services
    Capacity management
    Information security management
    Business relationship management
    Supplier management
    Incident and service request management
    Problem management
    Configuration management
    Change management
    Release and deployment management

    In some of our consulting assignments we have improved service delivery by as much as a 50% reduction in SLA. In one recent example, the average SLA for services offered by IT was substantially reduced for a customer base of 3000 users. This is a great number to achieve.

    Thinking of implementing ITIL/ISO 20000? Speak or write to us at roadmap@www.coralesecure.com.

    Our ISO 20000 consulting methodology would not only ensure you get certified but also bring your IT organization more into alignment with your business needs.

  • Risk Assessment – What is the ‘ideal’ approach? 

    The benefit of performing risk assessment far outweighs the cost or impact that an organization may have to suffer in case an incident takes place.

    Thanks to the implementation of international standards such as ISO 27001, ISO 31000, ISO 22301, ISO 20000, SSAE 16, COBIT, PCI-DSS, HIPAA, DPA (not exhaustive) there is more and more interest in understanding risk assessment methodologies and how they can benefit an organization’s business.

    The need for understanding the finer nuances is increasing, but understanding is far from the maturity levels demanded by any of the international standards. If you are certified to any of the management system standards and ask auditors about the one common flaw they find in most organizations, they will surely respond “I wish they had a better risk assessment..”.

    What is going wrong with risk assessments today?

    The absence or lack of maturity of formal risk assessment is caused by some of the following key factors:

    • International standards are sometimes confusing to the layman – if you search for the word ‘risk’ you will find several interpretations of the same key word; ISO 31000 defines risk closer to a (positive) opportunity whereas ISO 22301/ISO 27001/ISO 20000 reflect a negative interpretation of the word risk.
    • Lack of management interest and of understanding what it can do for them – Most management do not see it as a constructive activity; it is seen as related to an event such as ISO 27001 (or any other) certification. Management says “get it somehow done, and we should be compliant..”. If implemented correctly, risk assessment can be part of each business activity, and it pays to be ‘risk-aware’.
    • Inability to correlate internal and external events with the risk assessment methodology – Owners of risk assessment, the people who perform risk assessment in the organization, are often at pains to discuss internal and external events with their risk assessment. It is generally something that someone does, and only he knows how it is done. Ideally the response should be “we are all involved”.

    What can be done to ensure completeness?

    Consider the following key parameters for your risk assessment approach to make it successful and beneficial to the business (not exhaustive).

    Agree on terms and definitions: Risk is a function of asset, business impact, threat, vulnerability and probability. Define each one of them, and explain how they correlate in the risk valuation of the asset.

    Agree on rating methodology: Methodology includes valuation. Valuation can be quantitative as well as qualitative. While measuring provide a range 1-4 or 1-10, 1 being lowest, and 4 being highest. The rating should be based on your organization's valuation, not someone else's. If you rate Availability as 4 for an asset, it needs to reflect that the asset’s unavailability can hinder continuity of the business; in other words, make it contextually relevant.

    Make it simple, provide guidance: Provide support to suggest how something is to be rated as 4 (Very High). An asset containing salary data may be rated as Very High, and the rating encompasses all forms of that asset and all teams.

    Agree on context: Context is the scope of risk that you wish to address. Is it service risk, information risk or business risk? Since most risk assessments are driven by compliance objectives define the context in terms of assets/service/function that needs to be covered. Once you see the value you can increase the context itself.

    Start from the top: Start with the CEO. We have found that the assessments we started with the CEO were much more successful. If the CEO is not involved, it is a sure-shot failure; I doubt it will see the light of day.

    Involve department heads (if not everybody) and make them ‘own’ it: Explain to and involve the heads of departments/business process owners; they will appreciate it and help you evolve. Again, this is not just IT or security teams, it involves everyone. If you explain to a team such as R&D how risk assessment helps reduce risk to the assets of R&D, they will surely participate.

    Consider trigger points for reassessment/change: Once you decide the context, also decide the trigger point for change. Change can be in methodology, rating, new assets, new threats, new weakness, new events – internal and external, to name a few.

    Consider a target and period of measurement: Management is interested in numbers, we all know that. Define a risk target. Also apply this by showing how your risks improved over a given period of time. Note that the true objective is to reduce risk to an optimum level that supports the business.

    Consider the above as a guideline for your risk assessment process and I am sure your risk assessment will improve manifold.

    Hope this helped, let me know your reactions!

  • ISO 20000 – 2011 Implementation training coverage 

    “The requirements…of ISO/IEC 20000 include the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider. … ISO/IEC 20000 requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS).”

    ISO/IEC 20000-1: 2011

    We cover the following topics in detail in conducting the implementation training:

    Identify business drivers for ITIL – ISO 20000 implementation;

    Identify and define a service catalog;

    Learn to define and endorse an ITSM policy.

    Learn to distinguish between service management system (SMS) and service management processes.

    Learn to implement all 5 core processes as follows:

    ISO 20000 Clause 4 Service management system general requirements

    ISO 20000 Clause 5 Design and transition of new or changed services

    ISO 20000 Clause 6 Service delivery processes

    ISO 20000 Clause 7 Relationship processes

    ISO 20000 Clause 8 Resolution processes

    ISO 20000 Clause 9 Control processes

    Detailed interpretation of individual clause requirements and how to approach their implementation.

    Learn to design and implement individual ITSM processes:

    1. Service level management (ISO 20000 – Clause 6.1)
    2. Service reporting (ISO 20000 – Clause 6.2)
    3. Service continuity and availability management (ISO 20000 – Clause 6.3)
    4. Budgeting and accounting for services (ISO 20000 – Clause 6.4)
    5. Capacity management (ISO 20000 – Clause 6.5)
    6. Information security management (ISO 20000 – Clause 6.6)
    7. Business relationship management (ISO 20000 – Clause 7.1)
    8. Supplier management – External (ISO 20000 – Clause 7.2)
    9. Incident and service request management (ISO 20000 – Clause 8.1)
    10. Problem management (ISO 20000 – Clause 8.3)
    11. Configuration management (ISO 20000 – Clause 9.1)
    12. Change management (ISO 20000 – Clause 9.2)
    13. Release & Deployment management process (ISO 20000 – Clause 9.3)
    14. Design and transition of new or changed services (ISO 20000 – Clause 5)

    Each learning session has ready-to-use templates that enable fast-track learning and onward implementation when delegates take the learning back after training.

    Coral offers online, in-house, and public courses. Call or write to us at roadmap@www.coralesecure.com for further questions/clarifications/fees.

  • Which international ‘risk’ standard is right for my organization? 

    Most organizations are flooded with international standards and it is often difficult to choose the right one. In most cases the standard selection is driven by customer and/or regulatory pressure.

    If you are not driven by any of external pressures and your main question is “which one is right for us?” here is an attempt to demystify the following 4 international standards.

    • ISO 31000:2009 – risk management – Principles and Guidelines
    • ISO/IEC 27001: 2013 – information security management system
    • ISO/IEC 20000-1: 2011 – (IT) service management system
    • ISO 22301: 2012 – ‘societal’ business continuity management system

    The aim of this article is to give you an independent perspective on why you should go for any one of them. (If you are already compliant to one of these, then your question can be “what can we do more?”, and the article may help give you some direction.)

    Since each standard demands a formal risk assessment, let's also refer to the name given to the risk register if you pursue each of them independently.

    International Standard: ISO 31000 – risk management standard
    Coverage: This standard aims to cover almost all areas of organizational risk. So it covers strategic, personnel, operations, information, and financial. What is missing in this standard? Specifics! This is not a certification standard, and organizations use it to compare best practices. Unlike other standards, the degree of implementation interpretation is left to users and the advisers/consultants/internal auditors used by the organization.
    Why should I choose this one? Choose this standard if you typically don’t have a certification requirement but you wish to raise and bring an organizational culture of ‘risk’ across all areas and all functions. Most organizations applying ISO 31000 have an inherent reason to bring a culture of risk into their business life cycle.
    What is the name of the risk register/record? Enterprise risk register/record should be the name if you seek to implement ISO 31000.

    International Standard: ISO 27001 – information security management system
    Coverage: The ISO 27001 standard is focused on the keyword “information” protection. What is an information asset? The answer is “anything that has a business value”. In other words, it is not just Information Technology (IT) infrastructure. So if your organization is seeking to protect all forms of information against unauthorized access (Confidentiality), unauthorized modification (Integrity), and loss and destruction (Availability), the standard provides a series of controls that enables you to pick and choose those that are relevant to you based on a formal asset-wise risk assessment. ISO 27001 certification involves 114 controls, which aim at a combined secure architecture with preventive, detective and several other controls, and encompass procedural, physical, technical and, most importantly, personnel controls.
    Why should I choose this one? The most popular “risk” standard, with the highest number of certifications; choose this one if you are concerned about the protection of your information. How is it different from ISO 31000? The difference lies in the specifics; you can pinpoint and measure how a specific control is working, unlike several other generic standards. As part of the analysis you would be required to perform an asset-wise risk valuation which should clearly articulate the state of an asset and its control environment.
    What is the name of the risk register/record? Information risk register – where for every asset you can see the risk value.

    International Standard: ISO 20000-1 – (IT) service management system
    Coverage: The latest in the standard family (in terms of inclusion of the word ‘risk’), ITSM – ISO 20000 certification is aimed at making the traditional IT organization/department free from service risk. Although it has been associated with IT ‘process’ best practices, inclusion of the words “service risk” gives you a different view of ISO 20000 now. Aimed at making IT a ‘service’ department, the standard has best practices aligned with ITIL.
    Why should I choose this one? You would choose this if you wish to make your IT a “service” organization. A “service” catalog is a starting point for this and aligns your organization with business objectives.
    What is the name of the risk register/record? IT (service) risk register. In ISO 20000: 2005 there was a reference to a service improvement plan – which indirectly focuses on all weaknesses.

    International Standard: ISO 22301 – ‘societal’ business continuity management system
    Coverage: An upgraded version of BS 25999, the new ISO 22301 gives more meaning to the scope of business continuity. ISO 22301 certification is your ability to demonstrate that you can deliver in case of a disaster. In my view most organizations used ISO 27001 between 1993 to 2007 to show their continuity maturity. In 2007 BS 25999 came into existence. Words like maximum tolerable period of disruption (MTPOD), return time objective (RTO) and minimum service levels (MSL) forced the business to speak about and define their continuity strategies and prioritize the business areas that demand quick recovery.
    Why should I choose this one? Go for this if you need to demonstrate the maturity of your continuity processes. One of the key features of this compliance is your demonstration of continuity through tests – and nothing pleases a continuity professional more than a range of tests to demonstrate their continuity strategy.
    What is the name of the risk register/record? Continuity risk register – list of issues/items that are considered gaps in the continuity of the business.

    To summarize, the choice of a risk management standard is often driven by where you see most of the risk really lies. You choose ISO 31000 when each and every area of the organization should be covered under risk management, whereas your focus should be ISO 20000 when it is limited to IT service delivery.

    There is another risk management standard – ISO 28000 for the Supply chain management (Specification for security management systems for the supply chain), I will keep that for perhaps another day.

    Please do not hesitate to call us for an in house session to help understand the nuances of each of these standards.

    Did this help? Let me know your views!

    • Clynton 5:27 PM on August 7, 2012

      Another Good, Simple, Relevant, to the Point Article…. :-)

  • ISO 20000:1 2011 – what really changed from ISO 20000:1 2005? 

    Well this is my shot at demystifying ISO 20000:1 – 2011 and what really changed for me as a consultant.

    We would consider the following as the major key new differences in ISO 20000:1 2011. Note that these major differences were actually implemented and further audited. It also changed our consulting methodology.

    1. Governance of processes operated by third parties (Clause 4.2) – this means that if you have outsourced one of the ISO 20000 processes then you need ‘much’ more than just a documentary contract. You can get compliant to the standard even if you have outsourced any of the processes to another organisation unit – internal, external and even a customer.
    2. Design Clause (Clause 5) – a superimposing clause that ensures that each new service is reviewed against each ISO 20000 process. So every time you add a new service to the catalog or change any of the existing service delivery terms, ensure you have considered the ‘design’ impact of the change.
    3. Risk Assessment ‘everywhere’ – the word ‘risk’ is referred to in several areas, with key focus on ‘service risk’. The risk definition is referenced from ISO 31000 – so the word applies everywhere, in whatever you do. Let's say you are adding a new service to the catalog: ask questions such as (but not limited to) what can go wrong with the addition of this new service to my existing service portfolio. The answer can be ‘nothing’ or ‘everything’, referring to any of the process impacts. If ‘everything’ or ‘something’ is the response then it should lead to implementation of a risk mitigation plan.
    4. Information security risk assessment – This requirement is closer to ISO 27001, and needs to be performed as part of ISO 20000-2011. Similarly, the documentation of security controls that encompass logical and physical security needs to be demonstrated and audited. One wonders what is left between ISO 27001 and ISO 20000 in terms of implementation when it comes to only Information Technology processes.
    5. Availability Management – This is part of the service continuity process, but the standard makes it very clear that this process is to be defined separately. There is a need for an availability plan which takes inputs from service level management. The availability plan would consist of service targets for infrastructure and takes support from the capacity management process for monitoring threshold crossovers.
    6. What was removed from ISO 20000:1 – 2005?  Service improvement plan (SIP) – this word is replaced by “management of  improvements” (Clause

    The above is just a quick reference and in no way meant to be exhaustive.

    An ISO 20000 – 2011 gap assessment  would be ideal to verify the degree of changes in your existing management system.

    For a formal migration, you need a complete documentation in alignment with ISO 20000 – 2011.

    Hope this helps!