Government Organization in UAE Implement ISO 20000:2010 & ISO 27001:2013 Aiming ITSM Standardization & Government Regulations Compliance

Our client, one of the UAE’s Government departments, needed to improve its service levels and information security. It therefore engaged Intertec Systems consultants to find an optimal solution to improve IT Service Management while securing information in compliance with Government regulations. Intertec Systems proposed the implementation of ISO 20000:2011 and ISO 27001:2013 as the solution. The scope of ISO 20000:2011 was limited to the internal IT section, while the scope of ISO 27001:2013 covered the entire organization – including non-IT departments.

Business Scenario

The IT section of the department had a high degree of dependence on third parties, yet their performance was not monitored adequately. Process skills of the department’s workforce were also low. The organization was mandated to implement information security controls throughout the organization while contending with these inefficiencies. Hence the customer decided to consult Intertec Systems to find an optimal solution to improve IT Service Management while securing information in compliance with Government regulations.

Most of the employees in the IT department were new to the organization and had inadequate process skills. The Service Desk tool had been configured, but tool knowledge and usage were low. Combined with the complexity of the tool implementation, the lack of skills to run the Service Desk led to violations of the configured processes. The service catalogue was generic and did not reflect the services delivered by IT.

No risk assessment had previously been conducted for the organization. Although a contract was in place for second-level information security support, the partnership was not used to resolve security challenges.

Challenges

  • High degree of dependence on third parties
  • Lower level of IT process awareness
  • Lack of operating processes
  • Ineffective documentation
  • Asset-based Risk Management
  • Premature Configuration Management Database
  • Young organization with staff with fewer years of experience

Tool & Technologies

  • ISO 20000:2010 Consulting
  • ISO 27001:2013 Consulting
  • ISO 31000:2009 based Risk Management

Solution

Intertec started this engagement by providing ITIL Foundation level training to all staff of the organization. This helped the team develop basic skills in IT Service Management. Process workshops followed the training, in which process documents, policies, procedures and report templates were created based on ISO 20000:2011 with the participation of organization staff. Process managers were identified and assigned responsibility. Templates were created to ensure smooth operation of the processes.

The existing Service Desk solution was modified to reflect the defined processes. A Service Management Committee was formed and used as a platform to discuss ideas and clear bottlenecks, while contributing to continual service improvement. Third-party operations and SLA compliance were verified using the Supplier Management process.

With respect to Information Security, a risk assessment was conducted for the organization end to end, covering non-IT resources as well as information systems. The methodology followed was based on ISO 31000:2009. High risks were mitigated, and all policies and controls were defined based on ISO 27001:2013, thereby aligning the organization with Government requirements. Awareness training was conducted for all employees of the organization – not only IT staff. The transformation equipped staff to learn and adopt industry best practices and to follow ISO standards.

Both standards proved useful in addressing the organization’s concerns, and deploying them simultaneously helped the organization reduce the cost of the solution.

Result

  • Deployment of Service Management System and Information Security Management System
  • Compliance to Information Security Controls mandated by Government
  • Risk Management for end-to-end enterprise performance
  • Evaluation of services performed by third parties
  • Improved SLA compliance resulting in reduced customer complaints
  • Capacity Building of resources to take up process roles