Companies with IT department, internal or external, worry these days about the best performance and ROI of their services. In the actual market, our decisions depend not only from our impressions. Our departments, users and customers are linked to our services. This webinar was organized by PECB International. During this webinar you had the chance to understand the needs and the environment in order to take decisions related to IT, and follow the right steps to implement best practices and standards. The webinar covered the following areas: • Analyze the status of our IT • Company needs and environment • ITIL Process and Lifecycle • Choosing the right standard: ISO/IEC 20000-1, ISO/IEC 27001, ISO/IEC 22301 This webinar was hosted by our partner Jose Espinal. He is the CEO of LearningK and CSO of Circular Devices (Puzzlephone) with more than 25 years of experience in Training and IT Infrastructure & Security areas.

2. Starting Points with
the implementation of
ISO Standard
About me:
• ISO Standards Implementer
• ISO Standards Auditor
• Best Practices Consultant
• ITIL Expert
Presenter: Jose Espinal
jose.espinal@learningk.org

3. Agenda
• Analyze the status of the IT Area
• Needings from Company and environment
• ITIL Process and Lifecycle
• Choosing the right standard

4. Analyze the status of the IT Area
What we can find ?
In majority of the companies which uses IT, they already started with:
Reading about Best practices and advices
Training with popular courses
Reading and implementing methodologies
Adapting the IT to the new challenges

5. Analyze the status of the IT Area
Different results in differents companies.
(IT) Dear General Manager, we
need your Support to implement
some improvements to IT
(GM) Ok, go on !!! But don’t
bother me… i’m so busy
(IT personnel) Dear IT Manager, we need
your Support to implement some
improvements from the training
(IT Manager) Ok, go on !!! If is free and
you can do your other tasks too..
(IT Manager) Everything is
fine… I only want to
reduce the costs

6. Analyze the status of the IT Area
GM: Sending the
personnel for a course is
more than enough IT: Now, I need resources
to implement what I
have learned
GM: How much? Which
is my benefit/ROI
IT: Everything is going to
run smooth !!
GM: Hummm…..
For the true support of
the General Management
is required their
involvement and make
project owners

7. Analyze the status of the IT Area
Objective's for….
General management: More business and money… less problems
Legal department: Less demands & lawsuit
Marketing department: Better impact campaigns & Sales
Sales department: More sales and better relation with customers
Human resources: Handle records and no problems
Factories and logistics: Improve business process
IT: worry about actual and future status and services

8. Analyze the status of the IT Area
Different started points:
• Processes
• Identify a catalog of IT Services
• Making a Risk assessment
But… what are the needing of the company?
Sometimes, IT area enforce to implement improvements with a weak
communication with other departments of the company

9. Started with processes
ROLESACTIVITIES
INPUTS
OUTPUTS
TRIGGERS
PROCESS
ENHANCINGS
CONTROL
Procedures
Work Instructions
Metrics
Improvements
Owner
Documentation
Objetives
Results
Resources Capabilities
In majority of cases, the IT
department started with
one or several processes
and maturity It’s not so
high:
Documentation
Procedures
Results
Improvements
And more

10. Started with processes
ROLESACTIVITIES
Users
Solved
incidents
TRIGGERS
PROCESS
ENHANCINGS
CONTROL
DB for Incident registration
How-to: main incidents
Metrics: percentage solving without re-routing
Future improvements: reducing time with
auto-detection system
Owner: Mr Smith
Incident Policy
Solve the incident as soon as possible
Average solving time: 4:30hrs
DB tool-ticketing Trained personnel
Incident management is one
of the most common
processes stablished.
Majority of times, the
process is not
communicated, followed,
incidents are not registered,
documents are lost or not
used, not declared a
responsible or don’t know
their role.

11. Needing’s from Company and environment
Needing's for….
General management: Increase the value and public image of the company
Legal department: Meet the legal requirements
Marketing department: Improve campaigns and value of trademarks
Sales department: Increase customers and the sales
Human resources: provide better services and understand the requirements
Factories and logistics: improve the quality and performance
IT: Control the environment providing the IT Services

12. Needing’s from Company and environment
All the opinions are important but the final decision is from General
Management:
Security of the
information
Services
provided
from IT
Protecting
the
continuity of
the business
Security of the information can cover:
I+D
Workers information
Work realized
Customers information
Security in the physical areas of the business
And more…
Protecting the continuity of the business
Protecting the creation and distribution of our products and services
Protecting the Working areas
How to handle a disaster
And more…
Services provided from IT:
Protecting the information of the company
Control the working environment of our employees
Providing best quality to our customers from the IT
And more…

13. Needing’s from Company and environment
Management
System
Involvements
from
interested
Involvement
from
customers
Involvement
from General
Management
The proposed standard is to create a certifiable
management system with the contribution of
the different processes, tasks and people to
protect the health of a company and its
activities.
It’s not only an IT affair.

14. ITIL Process and Lifecycle
ITIL is a framework which provides best practices for IT Service
Management.
Best practices are implemented in companies around the world and
benefits are recognized.
It’s oriented to the IT area of any company.
ITIL only offers certification for Persons, no companies.
Companies can implement the process / services under the ITIL
descriptions but there’s no standard way to measure if is correctly
applied and other industries recognition.

15. ITIL Process and Lifecycle
ITIL proposes a treatment of IT services through the life
cycle management of services and different processes
interact.
For a public recognition of the IT service it is necessary to
establish a management system as described in the
standard.
ISO / IEC 20.000 standard proposes a management system
of IT services. It has great similarities with ITIL but are not
the same thing

16. ITIL Process and Lifecycle
Companies that began with the implementation of
ITIL processes will begin with an interesting
development and maturity that will facilitate the
implementation of the requirements described in ISO
20000 standard and other standards such as ISO
27001 and ISO 22301.
But ITIL is not the starting point to implement the
standards

17. Experience 1: An IT company
A company delivery their IT Services
across Internet. They maintain and
administer Applications, Email
Mailboxes and Websites to end
clients (Customers)
Our customers
value us for the
reliability of our
services
We need resources and
tools to solve any problem
in the shortest time
possible
Manager
IT Support
Sales
We can increase
our customers if
we get a
certification
After considering different options,
they decided to implement the
management system for e-mail
service. Once the external auditors
were certified, in a next phase they
included in the management system
the websites hosting services. They
increase customers and reputation.

18. Experience 2: A non IT company
A company delivery their products
to the customers in different ways.
They maintain a production factory,
logistics and a network of
distributors.
Our customers
value us because
the quality of our
products
Because of a
flood, our factory
was disabled
Manager
External
parties
Marketing
For our customers it is
important delivery
performance and quality
of our productsAfter considering different options,
they decided to implement the
management system for the main
factory. Few months later, they
suffered a flood and the company
success reactivating and distributing
their products in few hours.
During the
reconstruction, we had
overworked, complaints
and loss of reputation
and customers
Sales

19. Experience 3: A non IT company
A finance company was concerned about
the low control over the information it
manages. They are aware of the danger by
another company that suffered theft of
confidential customer information and
had lost. They took the decision to
implement a management system for
information security
Our customers
value us for the
good services
We must protect the
confidential protection
used by our employees and
stored in our systems
Manager
IT Support
Marketing
Our ISO 27001
certification is an
adventage for our
customers
After implementing the management
system of information security, they could
address various weaknesses. Some
employees took confidential information
to work from home, where they had virus
infections. They were able to control
personal information to avoid claims from
clients or employees for improper use of
data privacy.
Benefits management system were used
by marketing to get new customers

20. Choosing the right standard
False sense of security:
Sometimes, we think about our
measures are working.
1.- We need an Emergency Exit
2.- Sometimes employees uses this
door to go out and is opened
sometimes.
3.- We protect that door with locks

21. Choosing the right standard
False sense of control:
Some machines are dangerous when
employees are not trained.
1.- We implement one training for the
3 operators last June.
2.- We hired one employee last July.
3.- Our 3 operators…:
1 was fired
1 was on summer holiday
1 was helping with a fast training to the
new employee
So that last employee is using the
machine without the proper training
(risk of accident, breaking the
machine, etc.)

22. Choosing the right standard
False sense of business protection:
1.- Factory operators are the most
important
2.- Computers fails sometimes and we
can repair.
3.- A virus-worm infected the
administrative area and reach the 3
computers in the factory which controls
production machinery. 120 Operator
cannot work during 2 days.
4.- Company needed to pay extra time
for that workers during one week to
reach the production objectives.

23. Choosing the right standard
False sense of control:
1.- Little by little we was increasing the
number of servers, routers and other
devices.
2.- Technicians just install. They think are
fine to control the situation.
3.- Things were ok, not so much incidents
and managers didn’t worry so much.
4.- They needed to move to another servers
room, they have:
• Several breakdowns of network
• 1 month of down security firewalls
• >500 incidents during 2 months
• 3 experienced technicians leaving the
company

24. Choosing the right standard
Now, it’s time to take decisions.

25. Thank you
jose.espinal@learningk.org
www.learningk.comwww.pecb.com