Information Management, it's not just for IT companies any more.

by Tim Woodcome

Discussions of Personal Information, Information Security and Information Technology Management are increasingly pervasive these days. No longer are Information or IT solely within the realm of 'IT companies'. Nearly every organization has some amount of Information that needs to be controlled (ref. ISO 9001, 7.5.4), internal IT Systems that need to be managed, or such services offered to a customer base. While these disciplines can most certainly be covered within an existing QMS, some organizations may find the need to take their controls to another level. To borrow a popular phrase: "There's an App for that…"

Information Security (ISO/IEC 27001:2005)

We've all heard examples of Information Security breaches: from consumer/commercial organizations such as MBNA or TJX to governmental organizations right up to the U.S. President, and the appointment of Cyber-Security "czars". No organization can claim to have no information which needs to be controlled.

Commercial, Government, and Non-Profit organizations are all within scope to benefit from a program to implement, operate, monitor and improve what is essentially a Risk-Management tool for protecting personal, proprietary, and other sensitive information assets from being compromised. Whether it be financial information, medical data, commercial data, government/state information assets or customer/consumer personal information, all carry risks associated with a lack of controls: risks such as negative publicity, compromised strategic planning, weakened national security, or litigation from customers and employees. Increasingly, state regulations (and associated fines) are appearing which require organizations with access to any Personal Information to have an Information Security program in place. ISO 27001 presents a scalable solution for organizations facing these risks.

Organizations looking to take a systematic approach to Information Security may want to consider ISO 27001 (Information Security Management System). Newly published in 2005, ISO 27001 derives from previous efforts residing more narrowly in the IT world, but is now viewed more holistically as applying to virtually any organization with information to protect, whether that information is retained electronically or otherwise. The standard sets forth requirements in ISO 27001 and general guidance in ISO 27002, along with an ever-increasing suite of supplementary guidance documents.

In a nutshell, ISO 27001 parallels certain requirements of ISO 9001 such as documentation, training, management commitment, monitoring and improvement. The true 'meat' of the system is found in the Control Objectives Annex which sets forth the control requirements. This detailed list of controls includes such items as:

  • both internal and external controls
  • physical and electronic controls
  • access control
  • incident management
  • legal compliance
  • business continuity management

The full ISO 27001:2005 standard is available here.

IT Service Management (ISO/IEC 20000-1:2005)

IT Services are becoming more and more mainstream. Virtually no organization is without some degree of an IT system. Many organizations have multiple IT systems that need to interface on a daily basis. Others offer goods or services via an IT network. In many different ways, these IT Services require effective management.

Broadly defined, IT Service Management covers the service delivery and service support for any IT system. To borrow another phrase (albeit in the wrong context): "It's the network…"

In some organizations, a single IT department (or individual) will cover the applicable aspects of IT Service Management. Larger organizations may have several distinct competencies within a larger IT group covering the required aspects. These include:

  • Service Delivery Processes
    • Capacity, Availability, SLA, Security, Budgeting
  • Relationship Processes
    • Business Relationship, Supplier Management
  • Resolution Processes
    • Incident Management, Problem Management
  • Control Processes
    • Configuration Management, Change Management
  • Release Processes
    • Release Management

A consideration for some organizations, particularly those involved in the delivery of IT Services to either internal or external customers, is the ISO/IEC 20000-1 standard, more commonly known as ISO 20000. This standard sets forth both requirements in ISO 20000-1 and best practices in ISO 20000-2 for IT Service Management.

ISO 20000 certification is increasingly being cited as a prerequisite for certain government contracts and for organizations that provide IT services to customers.

Based on a Plan-Do-Check-Act framework, ISO 20000 complements an existing ISO 9001 program, structured around the aforementioned processes (Service Delivery, Relationship, Resolution, Control and Release). The standard promotes the adoption of an integrated process approach by organizations needing to effectively meet internal business and external customer requirements for managed IT services. These may include:

  • Organizations selling IT Services
  • Organizations looking to drive supply-chain consistency
  • Organizations seeking to benchmark internal IT Services
  • Organizations needing to demonstrate compliance with customer requirements
  • Organizations wishing to improve IT Service quality

The full ISO 20000-1:2005 standard is available here.

ISMS & ITSMS Scalability and Integration

Each of these standards explicitly notes that its application can be scaled and scoped to include the pertinent functions of the organization. Statements of Applicability (SoAs) help define these parameters.

Furthermore, the two standards integrate well together (e.g. ISMS is part of ITSMS) or with other ISO 9001-based Quality Management Systems an organization may already be familiar with.

How NQA can help

NQA is able to help with either of these standards, or some of the discrete customer and state regulatory requirements coming to the forefront (e.g. CA, CT, MA, NV).

  • Training - should your organization wish to learn more about how to best implement these important requirements, NQA can help you source training on either or both standards.
  • Certification - NQA has been awarded international Accreditation for each of these certifiable standards: UKAS Accreditation for ISO 27001 and itSMF Accreditation for ISO 20000. NQA's team of auditors can provide services from Gap Analysis through to Assessment to your desired scope of certification.

Please contact NQA Conformity Assessment Director, Tim Woodcome for more information about either of these services.