To ensure that customers receive the highest quality products and services, TT has developed procedures for an Integrated Quality Management System. This policy resulted first in the acquisition of the ISO 9001 Certificate for the design, programming and implementation of specialized IT solutions and automation systems for industry, including the power and gas industries. The company’s Ostrów Wielkopolski branch received its first certificate in 1997. This was followed by certification of all branches in Poland in 2005.

To make the customer feel safe

In 2009, a project was launched to implement an integrated management system based on global standards: ISO/IEC 20000 – IT Service Management System, and ISO/IEC 27001 – Information Security Management System.

ISO/IEC 27001 and ISO/IEC 20000 standards cover issues related to the protection of created, stored and processed information and IT service management issues. ISO 27001 standardizes requirements for the security, integrity and availability of information. ISO/IEC 20000 guarantees the ability to verify that a company has successfully implemented the best procedures for IT service management, as defined by the Information Technology Infrastructure Library (ITIL) methodology.

The first stage of the project

The result of the first stage of the Integrated Management System implementation was the design of ISO/IEC 20000 and ITIL processes for: Service Strategy (strategies for IT service management), Service Design (principles of service design), Service Transition (implementation of services including service linkages), Service Operation (processes supporting Continual Service Improvement – mechanisms for continuous improvement) in the Service Team.

It started with the establishment of a Service Desk Team, which is the point of contact between Transition Technologies and customers and users.

Directory of services

The next step was to implement a Service Level Management process. A requirement of this process is the development of a service catalog – in general terms, it is an inventory of services that an IT organization can provide to a business. The service catalog was built based on attributes such as service name (identifier), type of service, service description and definition, terms of service, roles and responsibilities (provider and customer), definitions of service metrics, description of methods for monitoring and improving delivery, method of billing, description of IT service quality level management, method of performance measurement, initiation, definition and testing of customer expectations and needs with respect to IT capabilities, SLA parameters (agreed terms of service) and method of change management (adjusting the service to changing terms of delivery).

The service catalog is the basis for SLAs. Once the catalog was supplemented with availability levels and details such as service windows were established, an agreement between TT and its customers and users was reached.

Implementation of processes

The next phase of the project was the implementation of ISO/IEC 20000 processes in specific areas.

  1. Availability and Business Continuity Management – a Business Continuity Management (BCM) strategy and appropriate Business Continuity Plans (BCPs) have been developed, ensuring continuity of the services provided. Appropriate process metrics have been implemented in accordance with SLA provisions, expressed through reliability metrics, response times, help desk response times or budget execution.
  2. Financial management – a key element for the stability of IT operations, directly related to the other processes, especially service level management and capacity planning.
  3. Capacity management – proper capacity management, including resource planning for subsequent billing periods, is important for the continuity of services provided – so it is important that the process includes SLA provisions, as well as elements related to expense planning.
  4. Information security management – ensuring security does not end with implementing technical safeguards; it is equally important to formally analyze risks and identify the most serious threats to the security of services provided and data processed.
  5. Collaboration with users – the tasks performed by the help desk are important for the delivery of IT services, hence it is important that the process is properly organized and executed.
  6. Incident management – the way errors are handled is one of the main tasks carried out by the help desk department. From the point of view of service quality and security, it is important that this response is quick and effective.
  7. Problem management – managing knowledge of the causes and methods of solving problems is important to minimize the likelihood of recurrence.
  8. Configuration management – configuration is not only hardware, but also software, documentation and personnel, and most importantly, knowledge of the interaction of these elements.

Tomasz Gilarski, Vice President, Transition Technologies

From Commitment to Satisfaction
One of the most important aspects of our business is our commitment to high quality service, which then translates into customer satisfaction. The result of such a policy is the ISO 9001 certificate for the design, programming and implementation of specialized IT solutions and automation systems for industry, including the power and gas industries.
Having a certificate significantly affects the level of customer satisfaction, and this is documented by their very good feedback and a small number of complaints. Evaluations of our work would probably not be so high if it were not for the commitment of our employees to their tasks. It is thanks to their efforts that we meet our obligations in a timely manner, and by taking advantage of new technologies, we develop and increase the functionality of our products, thus becoming more competitive.
What certainly sets us apart is our focus on science. Not only do we cooperate with Polish and foreign scientific and research institutions, but we also conduct intensive research and development (R&D) activities ourselves in the field of advanced computer technology and information technology. It was these activities that led to the company being granted the status of Research and Development Center by the decision of the Minister of Economy in 2010.

Design Forum

During the project, a Project Forum was established, responsible for:

  • Process coordination: incident, change, problem, version, configuration, availability, IT service continuity, capacity, service level and financial management according to ISO/IEC 20000 standard;
  • Execution of the review and approval of the Integrated Management Policy and the overall division of responsibilities;
  • Monitoring significant changes in the exposure of information assets to threats;
  • Performing review and monitoring of information security breaches and service availability;
  • Approval of major projects aimed at improving the level of information security;
  • Identifying the assets within the scope of the Integrated Management System and the owners of the assets, and identifying threats to these assets – classification of sensitive information;
  • Establishing information security and IT service management principles and objectives;
  • Systematic review and analysis of standards related to ICT security (standards, recommendations, legislation);
  • Formulation and implementation of a plan to deal with risks;
  • Implementation and operation of safeguards, in the context of comprehensive risk management in the institution – determination of the level of risk;
  • Development of a risk estimation report;
  • Identifying actions to be taken to address security breaches, taking into account business priorities;
  • Conducting internal audits of the ISO/IEC 20000 and ISO/IEC 27001 Integrated Management System at scheduled intervals;
  • Reviewing the ISO/IEC 20000 and ISO/IEC 27001 Integrated Management System at regular intervals, and recording activities and events that may affect the effectiveness or quality of its implementation;
  • Taking appropriate corrective or preventive action;
  • Continuous improvement based on objective measurement;
  • Selection and screening of job candidates.

Risk management plan

Another milestone in the project was the risk management process and the determination of the organization’s potential and capabilities, i.e. the risk handling plan. The input to the risk estimation process was the classification of information and assets. The project team formalized the risk management procedure, describing in the document such areas as:

  • risk management methodology,
  • main risk factors,
  • risk identification and assessment,
  • risk assessment criteria,
  • risk mitigation activities,
  • acceptance of the implementation of new and modifications to existing products, services and processes,
  • risk incidents,
  • ensuring business continuity for the company,
  • emergency and crisis management,
  • handling the detection of crime or suspected crimes.

Such methodology follows the so-called Deming circle, also known as the PDCA (Plan-Do-Check-Act) cycle. It is a recognized standard used for risk management understood as a consistent, ongoing practice involving risk identification and assessment, mitigation through action, monitoring of risk levels, and reevaluation and corrective action. Risk management encompasses all spheres of the company’s operations and all business lines.

The risk estimation process was carried out by TT’s project team. Its result is a matrix and a plan for dealing with risks, specifying the details of implementing safeguards.

Andrzej Bębenek, Board Representative for Integrated Management System, Transition Technologies

Secure and risk-free
In order to ensure the highest level of security, integrity and confidentiality of entrusted information and to reduce operational exposure to risk, as well as to meet contractual requirements and demonstrate service quality, Transition Technologies has implemented successive ISO/IEC 27001 and ISO/IEC 20000-1 standards in its management system.

Technology audits

Process testing was the final phase of the project. It was conducted through audits, corrective and remedial actions at individual locations, and presentations and IMS training for all employees. BCC (currently All for One Poland) conducted a technology audit in the backup area. The first stage of the audit consisted of verifying backup policies. The schedule of backups, the type of backups, the number of backup generations stored, the system of marking media, the procedures for purchasing and maintaining an adequate stock of backup media, and the location of storage were verified.

Hubert Nowak, Director of Implementation Solution Center (ISC), Transition Technologies

On the Road to Excellence
As part of testing the processes of the newly implemented standards, we conducted technology audits of the IT infrastructure at TT together with BCC. Their purpose was to diagnose and lay the groundwork for improving the state of IT security. Technology audits consist of an in-depth check of the state of the IT infrastructure security measures in use in the organization, with a particular focus on potential vulnerabilities that could affect the security of systems and data.
Three years into the project, it is safe to say that this is only the beginning of the road to excellence. Further steps include continuous improvement of the Integrated Management System, internal audits and recertifications, recommendations, potentials and development projects.

The second stage examined the principles of testing the recoverability of backups, the scope of the tests, the ways in which the tests were carried out, and the principles for documenting test results. The audit concluded with a report in which Transition Technologies received a list of potential improvements in the backup area. Procedures were updated. A new solution was implemented in the backup process. The risk of data loss was minimized.

In subsequent stages, consultants from BCC’s Information Security Team assessed IT processes for compliance with ISO/IEC 20000 and ITIL good practices, and verified the consistency of assumptions and documentation with actual practices in the organization (security policy, organizational structure and responsibility for processes, security organization, asset classification and control, personnel security, physical and environmental security, systems and network management, access control, business continuity management). Domain verification was carried out in accordance with ISO/IEC 27001.

The final stage of the project was to study the business continuity management process for IT systems. BCC consultants use the ISO 22301 Business Continuity Management System standard for this. Tools such as interviews, checklists and observations were used in all stages. As a result of the audit, TT received a report describing, fairly and in detail, the current state of its information security solutions, as well as the potential improvements defined by the auditors.

Information security offered by BCC
BCC (currently All for One Poland) offers services related to the implementation of information security management systems and preparation for certification for compliance with ISO/IEC 27001. It carries out consulting projects in the following areas: business continuity management (BCM), operational risk management and business process management. The service is addressed to large companies and organizations with complex IT infrastructure, oriented towards optimizing the management of IT services and resources.
BCC consultants specialize in the development of IT department management strategies for compliance with IT service management systems ISO/IEC 20000 and ITIL v3. As part of IT security audits, BCC verifies the company’s operating procedures, examines production systems, web services and databases, and analyzes and checks the network structure, including devices (switches, firewalls, etc.).
The audit is complemented by penetration tests, which check the functioning of security measures under real circumstances. The results of the audit are presented in the form of a report that reflects the state of information security in the company. It both points out the critical elements that pose an immediate threat and provides recommendations on processes and actions worth implementing in the company.
Transition Technologies (TT) is a dynamically growing company with Polish capital, which began operations in 1991. Currently, the company operates in the field of modern technologies: software, optimization, neural networks, the Internet, and directs its products and services to large industrial customers in industries such as power, gas and industry. The company’s products are highly specialized, requiring the highest level of knowledge and experience. In terms of its services, the company mainly offers proprietary software incorporating the latest scientific developments along with the experience to apply it to, for example, the optimization of large power units. It also provides implementation and engineering services for the latest digital systems. TT also provides energy and gas market software and exports software and services to customers in Europe, the US and Asia, which currently accounts for almost 70% of its services. Consulting and software development of PLM (Product Lifecycle Management) systems, mobile systems and bioinformatics services are also part of the wide range of offerings.