Let’s be honest at the outset: there is no way that we’ve found to present an informational article about the ISO/IEC standards without risking a spontaneous yawn within the first minute of reading the less-than-riveting academic material. So why risk it at all? Because like us, you’ve always wanted to know how international standards and standards bodies have evolved to guide every facet of information and communication technology (ICT) — and why that simple fact is relevant to your daily work. Right?
Then let’s get to it. To unravel the mysteries surrounding these oftentimes perplexing acronyms, we’ll define each of them separately, reveal the corollary of their tandem association as it pertains to information technology, and then wax eloquent about how the Navy Information Technology Service Management Office (NAVITSMO) has appropriated these global guideposts for the benefit of our yawning readership.
First, let’s begin with the International Organization for Standardization or “ISO” as the acronym is known. No, it’s not a typo. No, it isn’t supposed to be IOS to match the nom populaire, nor is it the International Standards Organization, as some would suppose. Since the organization has three official languages, French, English and Russian, each with a different way of ordering the words, and subsequently the initials, the charter meeting in 1947 set the word order one way, and the abbreviation another.
The ISO is a non-governmental organization (NGO) with 162 constituent member countries that are represented by their own national standards organization. Within the United States, that organization is the American National Standards Institute (ANSI). Each year, ISO members meet and ensure the continuing development of standards across a wide range of over 250 appointed technical committees; they’re not just concerned with information technology.
Similarly, the International Electrotechnical Commission (IEC) is an NGO that prepares international standards specific to electrical, electronic and related technologies. The IEC charter specifies this standards space as “electrotechnology” — hence the “E” in IEC. Once again, the U.S. representative to the IEC is ANSI, which is a full voting member.
Both organizations have formed a Joint Technical Committee (ISO/IEC JTC1) to develop, maintain and promote standards in the fields of IT and ICT. Since 1987, this continuing collaboration has alleviated the duplicative and sometimes overlapping work of both standards bodies to ensure the global IT and ICT communities have a single, authoritative set of standards to help govern development and maintenance activities. Various subcommittees (SC) within the JTC1 handle specific aspects of standards, for example, SC40 works on IT Service Management and IT Governance, whereas SC27 deals with IT Security Techniques.
The JTC1 committee is the reason most of us in IT (well, those who need to review global standards, that is…) are used to seeing “ISO/IEC” standards instead of just ISO or just IEC standards. Please note that to gain a real appreciation of the benefits derived from these standards, you would need to purchase a license to download the complete standards from the ISO website.
The NAVITSMO has developed its model for a Service Management System (SMS) according to the tenets of ISO/IEC 20000. Within the SMS, stakeholder value is apportioned among discrete lines-of-business, or as we call them, Practice Areas. Each practice area takes its underlying framework from one or more standards and other applicable frameworks or best practice guidance. Let’s expend a bit of white space looking into some of the international standards that flavor the NAVITSMO soup… We’ll look at ISO/IEC 20000, ISO/IEC 27000, ISO/IEC 33000 and ISO/IEC 38500.
Simply called “20K” for short, this standard, as mentioned, is the international standard for IT Service Management. The standard is further subdivided into eight parts, each dealing with a specific aspect or implementation viewpoint, for example, Service Provider. For our review here, we will focus on ISO/IEC 20000-1, which describes Service management – Service management system requirements. 20K-1 defines the integrated process approach for a service provider. It considers multiple references and requirements, which are detailed in nine chapters:
1. Scope
2. Normative references
3. Terms and definitions
4. Service management system general requirements
- Management Responsibility
- Governance of processes operated by other parties
- Document Management
- Resource Management
- Establish and Improve the SMS
5. Design and transition of new or changed services
- Plan new or changed services
- Design and development of new or changed services
- Transition of new or changed services
6. Service delivery processes
- Service Level Management
- Service Reporting
- Service Continuity and Availability Management
- Budgeting and Accounting for Services
- Capacity Management
- Information Security Management
7. Relationship processes
- Business Relationship Management
- Supplier Management
8. Resolution processes
- Incident and Service Request Management
- Problem Management
9. Control processes
- Configuration Management
- Change Management
- Release and Deployment Management
Did you perhaps notice a striking similarity between the service management requirements and processes of ISO 20K and those of the Information Technology Infrastructure Library (ITIL) version 3? It’s not coincidental — it is an intentional alignment. However, ITIL is a library of best practices for the design, implementation and sustainment of IT processes (“You should do this and you should do that…”), so its processes are not auditable, whereas the processes outlined in ISO 20K establish a minimum standard of conformity (“There shall be a…”), and therefore compliance is auditable.
The ISO/IEC 27000 standard is really a series of standards that deals with the ever-expanding role of information security within our environments, and provides for the construct of an Information Security Management System (ISMS) as well as a glossary and vocabulary applicable to all volumes within the standards family.
An ISMS is now an integral and highly visible management discipline embedded within the governance structure of most IT enterprises, due to the compliance and reporting requirements typically levied by government oversight, such as the Health Insurance Portability and Accountability Act (HIPAA), the Sarbanes-Oxley Act, the Clinger-Cohen Act, and a host of other statutes… and that’s just in the United States.
The base publication provides an overview of and introduction to the entire ISO/IEC 27K family of ISMS standards, of which there are currently 25 volumes labeled 27001 through 27799 with another dozen or so in development. These volumes deal with a multitude of cybersecurity guidelines, risk management, measurement, network security, and more.
ISO 27001’s official title is: Information technology – Security techniques – Information security management systems – Requirements. The structure is typical for ISO/IEC standards and includes scope, references, and so on.
What is unique and interesting is Annex A, which contains a list of 114 controls and their objectives, listed in 14 groups:
- A.5: Information security policies (two controls)
- A.6: Organization of information security (seven controls)
- A.7: Human resource security (six controls that are applied before, during, or after employment)
- A.8: Asset management (10 controls)
- A.9: Access control (14 controls)
- A.10: Cryptography (two controls)
- A.11: Physical and environmental security (15 controls)
- A.12: Operations security (14 controls)
- A.13: Communications security (seven controls)
- A.14: System acquisition, development and maintenance (13 controls)
- A.15: Supplier relationships (five controls)
- A.16: Information security incident management (seven controls)
- A.17: Information security facets of business continuity management (four controls)
- A.18: Compliance, with internal policies and external laws (eight controls)
The NAVITSMO has incorporated many of the objectives for an ISMS from ISO 27K into the Implementing Governance – a 20-Step Guide, available on its milWiki portal.
The ISO/IEC 33000 series is a multi-part standard titled: Information Technology – Process Assessment. It is the successor to ISO/IEC 15504, and the NAVITSMO has incorporated it into the Process Capability Assessment Model and Tool (PCAT).
Part 2 of the series sets out the underlying requirements of a process assessment, but the real guts of the series are contained in part 20, the Process Measurement Framework for Assessment of Process Capability. The measurement framework contains the recognizable capability levels of zero (incomplete) through five (innovating) and explains the rating methods and dimensional aggregation methods. This volume is really the assessor’s guide, which the NAVITSMO has aligned to the Navy Process Reference Model (NPRM), enabling assessments for Navy and DoD enterprise networks.
The PCAT helps organizations objectively quantify the quality of their process performance, and by extension, the quality of their service delivery. The hard truth is that if you don’t measure the quality of your processes and services, you won’t really know if you’re actually delivering what your customer expects.
As a tool in the hands of a trained assessor, the PCAT fosters an enterprise approach to IT service quality, taking a holistic view of process capability and performance through five lenses: performed, managed, established, predictable and innovating. Level 0 is not used in the PCAT, since an incomplete process does not justify spending assessment man-hours to come to that conclusion.
The PCAT model provides the criteria to capture process performance metrics and assess capability against the five levels of capability; it automatically calculates the assessment inputs and then provides a graphic depiction of capability. The NAVITSMO is currently engaged with multiple DoD and non-DoD organizations in their process assessments, as either assessors or observers. The NAVITSMO also provides organizations with assessor training.
Finally, and not a moment too soon, we have the ISO/IEC 38500 – Information technology – Governance of IT for the organization. Newly updated for 2015, this volume is the smallest in terms of content (only 12 pages), but packs an order-of-magnitude punch in influence. It is arguably the preeminent doctrine for corporate IT governance and is quoted extensively by academia and industry.
The standard is a framework for effective governance of IT and assists organizations with understanding and fulfilling their legal, regulatory, and ethical obligations in using information technology. It is applicable to organizations of all sizes, including public and private companies, government entities, and not-for-profit organizations. It also provides guiding principles for directors of organizations on the effective, efficient, and acceptable use of IT within their organizations.
The framework consists of some basic terms and definitions and then provides a treatise on the benefits of good governance for IT. The standard also provides a model that can be applied as an overlay to organizational constructs of any size. But the real meat of the standard is the establishment of governance principles:
- Principle 1: Responsibility
- Principle 2: Strategy
- Principle 3: Acquisition
- Principle 4: Performance
- Principle 5: Conformance
- Principle 6: Human Behavior
Again, we can differentiate this standard from a simple framework or best practice guidance by the "shall" statements that mandate conformance. The model by which each principle is implemented and measured is a familiar one to those who have been involved in the Next Generation Enterprise Network (NGEN) contract development and implementation — evaluate, direct and monitor.
Each of the Navy Process Reference Model processes (36 in all) has the three governance activities embedded within its process structure, where they are called out as government control activities. This model has also been incorporated as a bedrock governance principle in COBIT 5, which for the first time differentiates governance from management and cites ISO/IEC 38500 as the source standard for its governance and management framework.
As you can, no doubt, now see, these international standards allow a broad coalition of stakeholders engaged in the daily use and management of information technology to adhere to principles of governance and conduct that align with best practice and are auditable; the measures for their effective and efficient use are available within the standards. The NAVITSMO maintains situational awareness on these standards and applies their concepts to all products and services for the benefit of our stakeholders.
Lt. Cmdr. James L. Fisher is the Navy Information Forces (NIF), Deputy Department Head for CIO3 GENSER Networks, and Director, Navy IT Service Management Office (NAVITSMO).
Phil Withers is with the NAVITSMO Contractor Support Staff.
About the NAVITSMO
Chartered in April 2012, the NAVITSMO provides IT Service Management thought leadership and assistance by creating usable products and services for the Navy ITSM community. The NAVITSMO strives for alignment of enterprise IT architecture through discrete but interlocking practice areas to help define and support organizational IT governance and management requirements. The NAVITSMO résumé boasts industry-certified expertise in ITIL, COBIT, Program and Project Management, DoDAF, IT Risk Management and Control, IT Skills Framework, Service Quality, CMMI, ISO/IEC-20000, ISO/IEC-33000, Information Security, Enterprise IT Governance, and Assessment and Audit.
The NAVITSMO Wiki is located at: https://www.milsuite.mil/wiki/Navy_IT_Service_Mangement_Office/ and the NAVITSMO can also be contacted at email@example.com.
Access to milSuite is CAC controlled. First-time users will need to register their CAC with milSuite by clicking the ‘Register’ button, confirming their information and clicking ‘Submit’.
The Navy Process Reference Model is located at: https://www.milsuite.mil/book/docs/DOC-165127