International IT Management Models and Standards
This chapter briefly describes the international IT management models and standards applied in the development of the IT Standard.
ITIL
CMMI
COBIT
PMBOK
PRINCE2
ISO/IEC 20000
ISO 21500
ISO/IEC 38500
TOGAF
ITIL
ITIL, formerly known as Information Technology Infrastructure Library, is a set of guidelines and best practices for IT service management (ITSM). It is a registered trade mark of AXELOS Limited. ITIL focuses on aligning IT services to the needs of business and supports its core processes. It is structured and published in five core volumes: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
The framework that ITIL provides can be adapted and applied to all business and organizational environments. It includes guidance for identifying, planning, delivering, and supporting IT services. When successfully adopted, ITIL can help improve services, which in turn can mitigate business risks and service disruption, improve customer relationship, and establish cost-effective systems for managing demands for services.
CMMI
CMMI®, Capability Maturity Model® Integration, is an internationally known reference model developed through best practices that provide guidance for improving processes that meet the business goals of an organization. It was developed by industry experts, governments, and the Software Engineering Institute (SEI).
CMMI improves processes for an organization to show measurable benefits for their business objectives and vision. An organization can organize and prioritize its methodologies, people, and business activities through the framework provided by CMMI. The framework supports coordination of multi-disciplinary activities and systematic thinking.
COBIT
COBIT 5 (launched in 2012), The Control Objectives for Information and Related Technology, is owned and supported by ISACA. It was originally released in 1996 as COBIT. The current version 5.0 consist of COBIT 4.1, VAL IT 2.0, and Risk IT frameworks.
COBIT 5 helps to create optimal value using IT by maintaining a balance among benefit realization, risk optimization, and resource usage. The framework covers both business and IT units in the whole organisation. It provides metrics and maturity models to measure whether or not the IT organization has achieved its objectives. In addition, it also balances the needs of internal and external stakeholders.
PMBOK
PMBOK, a Guide to the Project Management Body of Knowledge, is a guide to the internationally recognized project management methods by the Project Management Institute (PMI). PMBOK is a standard that is widely accepted and acknowledged as basis for most project management methods.
PMBOK provides an in-depth description of the required content and fundamentals of a project, but does not focus on giving hands-on implementation advice. Practical guidance is offered by other models such as PRINCE2. It is based on five basic processes: Initiating, Planning, Executing, Controlling and Monitoring, and Closing.
PRINCE2
PRINCE2, Projects IN a Controlled Environment, is a de facto standard project management method owned by the UK Cabinet Office. PRINCE2 complements the PMBOK model by providing a process-based and practical guidance with ready-to-use templates for Project Managers and Project Steering Groups in the different phases of a project. PRINCE2 ensures greater control of resources and effective management of business and project risks.
For example, the seven principles of PRINCE2 state how a project should be run throughout its life-cycle: a project must have a business justification, clearly defined roles and responsibilities in all phases and processes, managed by stages to provide detailed and timely planning, defined tolerances for management by exception, product focused delivery where project methods are tailored to fit this particular project’s needs, and learning from experience to continuously improve organization’s project culture.
ISO/IEC 20000
ISO/IEC 20000 is a service management system (SMS) and the first international standard for IT service management. It is owned by The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is broadly aligned with ITIL.
The ISO/IEC 20000 has two parts. The first part defines the formal requirements for high-quality production of IT services to the business. IT includes criteria for planning, service management, and service production as well as for customer / supplier management. The second part describes the processes of service production largely in the same way as the ITIL processes while focusing, however, more closely on customer/supplier management processes.
ISO 21500
ISO 21500 is a standard that provides “generic guidance on the concepts and projects of project management” which are important in the realization of successful projects. It can be used by any type of organization and applied to any type of project – irrespective of size, complexity or duration.
ISO 21500 is an informative standard, that is rather a general guideline than a certified methodology. It provides high-level description of concepts and processes that are considered to form good practice in project management and places projects in the context of programs and project portfolios. PMBOK is very much in line with ISO 21500 and vice versa.
ISO/IEC 38500
ISO/IEC 38500 is a standard providing general principles on the role and IT governance of management with business responsibility (for example, Board of Directors and Management Team). It can be widely applied to all kinds and sizes of organizations for example public and private companies and non-profit organizations.
The standard supports business management in their supervision of the IT organization and helps them ensure that IT has a positive impact on the company’s performance. The standard consist of six principles:
Responsibility
Strategy
Acquisition
Performance
Conformance
Human behaviour
Adherence to the ISO/IEC 38500 standard can assure management of conformance with good governance
TOGAF
TOGAF is an Open Group Standard enterprise architecture framework that allows organizations to have a structured approach for governing the implementation of technology, in particular the software technology design, development, and maintenance. It was first published in 1995 and was based on the US Department of Defence Technical Architecture Framework for Information Management (TAFIM). It has been since developed by The Open Group Architecture Forum and released in regular intervals on the Open Group public website.
TOGAF improves business efficiency by ensuring consistent methods, communication, and efficient usage of resources. It ensures industry credibility with a common language among enterprise architecture professionals.
Courtesy:
https://www.itforbusiness.org/book/ict-standard-tools-and-deployment/international-it-management-models-and-standards/
Posted by: Margaret Rouse
WhatIs.com
https://whatis.techtarget.com/definition/ISO-27001
What is ISO 27001?
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
Define a security policy.
Define the scope of the ISMS.
Conduct a risk assessment.
Manage identified risks.
Select control objectives and controls to be implemented.
Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.
Other standards being developed in the 27000 family are:
27003 – implementation guidance.
27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard. (Published in 2008)
27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
27007 – ISMS auditing guideline.
This chapter briefly describes the international IT management models and standards applied in the development of the IT Standard.
ITIL
CMMI
COBIT
PMBOK
PRINCE2
ISO/IEC 20000
ISO 21500
ISO/IEC 38500
TOGAF
ITIL
ITIL, formerly known as Information Technology Infrastructure Library, is a set of guidelines and best practices for IT service management (ITSM). It is a registered trade mark of AXELOS Limited. ITIL focuses on aligning IT services to the needs of business and supports its core processes. It is structured and published in five core volumes: Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement.
The framework that ITIL provides can be adapted and applied to all business and organizational environments. It includes guidance for identifying, planning, delivering, and supporting IT services. When successfully adopted, ITIL can help improve services, which in turn can mitigate business risks and service disruption, improve customer relationship, and establish cost-effective systems for managing demands for services.
CMMI
CMMI®, Capability Maturity Model® Integration, is an internationally known reference model developed through best practices that provide guidance for improving processes that meet the business goals of an organization. It was developed by industry experts, governments, and the Software Engineering Institute (SEI).
CMMI improves processes for an organization to show measurable benefits for their business objectives and vision. An organization can organize and prioritize its methodologies, people, and business activities through the framework provided by CMMI. The framework supports coordination of multi-disciplinary activities and systematic thinking.
COBIT
COBIT 5 (launched in 2012), The Control Objectives for Information and Related Technology, is owned and supported by ISACA. It was originally released in 1996 as COBIT. The current version 5.0 consist of COBIT 4.1, VAL IT 2.0, and Risk IT frameworks.
COBIT 5 helps to create optimal value using IT by maintaining a balance among benefit realization, risk optimization, and resource usage. The framework covers both business and IT units in the whole organisation. It provides metrics and maturity models to measure whether or not the IT organization has achieved its objectives. In addition, it also balances the needs of internal and external stakeholders.
PMBOK
PMBOK, a Guide to the Project Management Body of Knowledge, is a guide to the internationally recognized project management methods by the Project Management Institute (PMI). PMBOK is a standard that is widely accepted and acknowledged as basis for most project management methods.
PMBOK provides an in-depth description of the required content and fundamentals of a project, but does not focus on giving hands-on implementation advice. Practical guidance is offered by other models such as PRINCE2. It is based on five basic processes: Initiating, Planning, Executing, Controlling and Monitoring, and Closing.
PRINCE2
PRINCE2, Projects IN a Controlled Environment, is a de facto standard project management method owned by the UK Cabinet Office. PRINCE2 complements the PMBOK model by providing a process-based and practical guidance with ready-to-use templates for Project Managers and Project Steering Groups in the different phases of a project. PRINCE2 ensures greater control of resources and effective management of business and project risks.
For example, the seven principles of PRINCE2 state how a project should be run throughout its life-cycle: a project must have a business justification, clearly defined roles and responsibilities in all phases and processes, managed by stages to provide detailed and timely planning, defined tolerances for management by exception, product focused delivery where project methods are tailored to fit this particular project’s needs, and learning from experience to continuously improve organization’s project culture.
ISO/IEC 20000
ISO/IEC 20000 is a service management system (SMS) and the first international standard for IT service management. It is owned by The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It is broadly aligned with ITIL.
The ISO/IEC 20000 has two parts. The first part defines the formal requirements for high-quality production of IT services to the business. IT includes criteria for planning, service management, and service production as well as for customer / supplier management. The second part describes the processes of service production largely in the same way as the ITIL processes while focusing, however, more closely on customer/supplier management processes.
ISO 21500
ISO 21500 is a standard that provides “generic guidance on the concepts and projects of project management” which are important in the realization of successful projects. It can be used by any type of organization and applied to any type of project – irrespective of size, complexity or duration.
ISO 21500 is an informative standard, that is rather a general guideline than a certified methodology. It provides high-level description of concepts and processes that are considered to form good practice in project management and places projects in the context of programs and project portfolios. PMBOK is very much in line with ISO 21500 and vice versa.
ISO/IEC 38500
ISO/IEC 38500 is a standard providing general principles on the role and IT governance of management with business responsibility (for example, Board of Directors and Management Team). It can be widely applied to all kinds and sizes of organizations for example public and private companies and non-profit organizations.
The standard supports business management in their supervision of the IT organization and helps them ensure that IT has a positive impact on the company’s performance. The standard consist of six principles:
Responsibility
Strategy
Acquisition
Performance
Conformance
Human behaviour
Adherence to the ISO/IEC 38500 standard can assure management of conformance with good governance
TOGAF
TOGAF is an Open Group Standard enterprise architecture framework that allows organizations to have a structured approach for governing the implementation of technology, in particular the software technology design, development, and maintenance. It was first published in 1995 and was based on the US Department of Defence Technical Architecture Framework for Information Management (TAFIM). It has been since developed by The Open Group Architecture Forum and released in regular intervals on the Open Group public website.
TOGAF improves business efficiency by ensuring consistent methods, communication, and efficient usage of resources. It ensures industry credibility with a common language among enterprise architecture professionals.
Courtesy:
https://www.itforbusiness.org/book/ict-standard-tools-and-deployment/international-it-management-models-and-standards/
ISO 27001
Posted by: Margaret Rouse
WhatIs.com
https://whatis.techtarget.com/definition/ISO-27001
What is ISO 27001?
ISO 27001 (formally known as ISO/IEC 27001:2005) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation's information risk management processes.
According to its documentation, ISO 27001 was developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
ISO 27001 uses a topdown, risk-based approach and is technology-neutral. The specification defines a six-part planning process:
Define a security policy.
Define the scope of the ISMS.
Conduct a risk assessment.
Manage identified risks.
Select control objectives and controls to be implemented.
Prepare a statement of applicability.
The specification includes details for documentation, management responsibility, internal audits, continual improvement, and corrective and preventive action. The standard requires cooperation among all sections of an organisation.
The 27001 standard does not mandate specific information security controls, but it provides a checklist of controls that should be considered in the accompanying code of practice, ISO/IEC 27002:2005. This second standard describes a comprehensive set of information security control objectives and a set of generally accepted good practice security controls.
ISO 27002 contains 12 main sections:
1. Risk assessment
2. Security policy
3. Organization of information security
4. Asset management
5. Human resources security
6. Physical and environmental security
7. Communications and operations management
8. Access control
9. Information systems acquisition, development and maintenance
10. Information security incident management
11. Business continuity management
12. Compliance
Organisations are required to apply these controls appropriately in line with their specific risks. Third-party accredited certification is recommended for ISO 27001 conformance.
Other standards being developed in the 27000 family are:
27003 – implementation guidance.
27004 - an information security management measurement standard suggesting metrics to help improve the effectiveness of an ISMS.
27005 – an information security risk management standard. (Published in 2008)
27006 - a guide to the certification or registration process for accredited ISMS certification or registration bodies. (Published in 2007)
27007 – ISMS auditing guideline.
