e-Commerce is the marketplace of the future.

What is a Marketplace?

Markets (electronic or otherwise) have three main functions:
  1. Matching buyers and sellers;
  2. Facilitating the exchange of information, goods, services, and payments associated with market transactions; and
  3. Providing an institutional infrastructure, such as a legal and regulatory framework, which enables the efficient functioning of the market.
Electronic marketplaces (e-marketplaces or marketspaces) changed several of the processes used in trading and supply chains:
  • Greater information richness
  • Lower information search costs for buyers
  • Diminished information asymmetry between sellers and buyers
  • Greater temporal separation between time of purchase and time of possession (buy now, receive later)
  • Greater temporal proximity between time of purchase and time of possession (buy now, receive almost instantly)
  • Ability of buyers and sellers to be in different locations
In an e-marketplace, people buy and sell physical products online.

The Essential Elements and Mechanisms of an Electronic Market

Types of e-Marketplaces

  1. e-Marketplaces for B2C:
     • Storefronts and Internet malls
  2. e-Marketplaces for B2B:
     • Private e-marketplaces: online markets owned by a single company; may be either sell-side or buy-side e-marketplaces.
       ◦ Sell-side e-marketplace: a private e-marketplace in which a company sells either standard or customized products to qualified companies.
       ◦ Buy-side e-marketplace: a private e-marketplace in which a company makes purchases from invited suppliers.
     • Public e-marketplaces: B2B marketplaces, usually owned and/or managed by an independent third party, that include many sellers and many buyers; also known as exchanges.



e-Commerce & Successful Opportunity Inside

What is e-Commerce?

e-Commerce or Electronic Commerce is any form of business transaction in which the parties interact electronically rather than by physical exchanges or direct physical contact. Generally speaking, it involves a wide range of online business activities for products and services.

e-Commerce allows consumers to electronically exchange goods and services with no barriers of time or distance.

Different types of e-commerce


B2B e-commerce is simply defined as e-commerce between companies. About 80% of e-commerce is of this type.
Examples:
  • Intel selling microprocessors to Dell
  • Heinz selling ketchup to McDonald's

Business-to-consumer e-commerce, or commerce between companies and consumers, involves customers gathering information, purchasing physical goods or receiving products over an electronic network.
Example:
  • Dell selling a laptop to customer

Consumer-to-consumer e-commerce or C2C is simply commerce between private individuals or consumers.
Example:
  • Susan buying an iPod from Andi on eBay
  • I am selling a car to my social media friend
The Needs for e-Commerce:
  • Increased competition
  • Reduced time to market
  • Improvement in payment process
  • Electronic data interchange
  • Popular with consumers and suppliers
  • To improve productivity and to generate profit
What e-Commerce can do:
  • Buying and selling from anywhere, anytime, anything
  • 24 X 7 Operation
  • Global Reach
  • Comparison Shopping
  • Disintermediation
  • Opportunity to reduce cost
  • Speedy operations
  • Knowledge of customer behavior (length of stay on a site, page views)
Some issues in developing e-Commerce applications:

  • Security
    ◦ Security is a crucial feature
    ◦ Most transactions take place in a fully automated way
    ◦ Restricted data are transmitted through a public network
    ◦ Users must be sure that their money will not be lost or stolen
  • Flexibility
    ◦ E-commerce systems are subject to frequent structural changes because of changes in:
      – Products and services provided by the firm
      – Commercial partnerships
  • Scalability
    ◦ Capability to support a certain number of users (thousands, even millions) without compromising performance
    ◦ It is important because a slow application often means losing customers (especially in B2C), since they have very little patience
  • Integration
    ◦ Always needed, since no application offering every commercial functionality can be realized
    ◦ Critical because the commercial functionalities are often realized by many different legacy and third-party applications and databases. Examples:
      – ERP systems
      – Legacy systems
  • Interfaces (graphical and not)
    ◦ Must be intuitive, easily comprehensible and simple to use
    ◦ In the case of B2C, must support profiling in order to anticipate customer requests
    ◦ They also need to be customizable
  • Special Web servers in addition to the network servers are needed (added cost).
  • Software development tools are still evolving


Those issues are common to many applications, but they are all critical in the case of e-commerce because of its nature.

How to Start a Successful e-Commerce Business?

The necessary steps you need to take to start an online business:
  1. Market research on your product's merchantability, demand, supply and competitors.
  2. Design a site with a personality
  3. You need a user-friendly, no-hassle e-Commerce shopping cart
  4. Define which payment options will be available to customers; for online payment, you need a payment gateway and a merchant account.
  5. Start marketing and advertising your e-Commerce site
The opportunity of a retail e-Commerce business in Indonesia

e-Commerce in Indonesia is heating up. Some evidence:
  1. Japan's GREE Ventures invests in Bukalapak.com.
  2. Morgan Chase invests in Lazada.com's Southeast Asia operations including Indonesia.
  3. Indonesia's Internet users keep mentioning & using Kaskus' FJB ("Forum Jual Beli" or "buyers' & sellers' forum").
  4. TokoBagus.com advertises on national television.
  5. Multiply.com moved their headquarters to Jakarta and focuses on their Multiply Shop, going so far as to close down their blog facilities.
These facts suggest that the e-Commerce scene is heating up in Indonesia. It also means e-Commerce in Indonesia is already happening, with sellers and buyers connecting directly via personal blogs, Twitter, Facebook, and online web forums such as Kaskus.


The opportunity to grow a retail e-Commerce business in Indonesia is still wide open
  • The e-Commerce retail experience in Indonesia is still very far from the experience at more mature eCommerce markets in more advanced economies.
  • People still fear doing transactions online, even though people have successfully done transactions worth hundreds of millions of Rupiah via Kaskus.
  • Monetary transactions tend to be dominated by Cash-on-Delivery, or via ATM bank transfers for those transactions where both parties trust each other more.
  • e-Commerce in Indonesia still has lots of room for improvement, and many are quite eager to make those improvements somehow.



What is PRINCE2?

PRINCE2 (an acronym for PRojects IN Controlled Environments) is a de facto process-based method for effective project management.
Used extensively by the UK Government, PRINCE2 is also widely recognised and used in the private sector, both in the UK and internationally. The PRINCE2 method is in the public domain, and offers non-proprietorial best practice guidance on project management.

The key features of PRINCE2 are a:
  • focus on business justification
  • defined organisation structure for the project management team
  • product-based planning approach
  • emphasis on dividing the project into manageable and controllable stages
  • flexibility that can be applied at a level appropriate to the project.
Using PRINCE2 provides you with greater control of resources, and the ability to manage business and project risk more effectively. This will benefit:
  • individuals seeking leading project management skills and greater employment prospects
  • project managers
  • directors/executives (senior responsible owners) of projects, and
  • organisations
For individuals, PRINCE2 certification is an invaluable asset to your career as it increases employment prospects and helps you to do your job more effectively.
For organisations, PRINCE2's formal recognition of responsibilities within a project, together with its focus on what a project is to deliver (the why, when and for whom) provides your organisation's projects with:
  • a common, consistent approach
  • a controlled and organised start, middle and end
  • regular reviews of progress against plan
  • assurance that the project continues to have a business justification

PRINCE2 - A Structured Project Management Methodology

PRINCE2 (PRojects IN Controlled Environments) is a process-based method for effective project management. PRINCE2 is a de facto standard used extensively by the UK Government and is widely recognised and used in the private sector, both in the UK and internationally.

Structured project management means managing the project in a logical, organised way, following defined steps. A structured project management method like PRINCE2 is the written description of this logical, organised approach.
We know from experience that projects which aren't organised and controlled properly usually go disastrously wrong. Some of the big ones hit the press.
London Ambulance and Channel Tunnel, for example, both experienced very public problems of systems not working properly and huge overspends. Structured project management methods have been developed to try to prevent such disasters.
The PRINCE2 Methodology says that a project should have:
  • An organised and controlled start
    i.e. organise and plan things properly before leaping in;
  • An organised and controlled middle
    i.e. when the project has started, make sure it continues to be organised and controlled;
  • An organised and controlled end
    i.e. when you've got what you want and the project has finished, tidy up the loose ends.
In order to describe what a project should do and when, PRINCE2 has a series of processes which cover all the activities needed on a project, from starting up to closing down.

PRINCE2 Project Management Roles

Project Manager

Organising and controlling a project means that we need to have someone responsible for doing the organising and controlling. This person is called the Project Manager.
The Project Manager will select people to do the work on the project and will be responsible for making sure the work is done properly and on time.
The Project Manager draws up the Project Plans that describe what the project team will actually be doing and when they expect to finish.

Customer, User and Supplier

The person who is paying for the project is called the customer or executive.
The person who is going to use the results or outcome of the project, or who will be impacted by the outcome of a project, is called the user.
On some projects, the customer and user may be the same person. The person who provides the expertise to do the actual work on the project (i.e. will be designing and building the outcome) is called the supplier or specialist.
All of these people need to be organised and co-ordinated so that the project delivers the required outcome within budget, on time and to the appropriate quality.

Project Board

Each PRINCE2 project will have a Project Board made up of the customer (or executive), someone representing the user side, and someone representing the supplier or specialist input.
In PRINCE2, these people are called Customer, Senior User and Senior Supplier respectively.
The Project Manager reports regularly to the Project Board, keeping them informed of progress and highlighting any problems he/she can foresee.
The Project Board is responsible for providing the Project Manager with the necessary decisions for the project to proceed and to overcome any problems.

PRINCE2 Project Management Techniques

Project Assurance

Providing an independent view of how the project is progressing is the job of Project Assurance. In PRINCE2, there are three views of assurance: business, user and specialist. Each view reflects the interests of the three Project Board members.
Assurance is about checking that the project remains viable in terms of costs and benefits (business assurance), checking that the users' requirements are being met (user assurance), and that the project is delivering a suitable solution (specialist or technical assurance). On some projects, the assurance is done by a separate team of people called the Project Assurance Team, but the assurance job can be done by the individual members of the Project Board themselves.

Project Support

On most projects there is a lot of administrative work needed: keeping everyone informed, arranging meetings, keeping plans up-to-date, chasing things up, keeping files, etc. Project Managers often do all this work themselves, particularly on smaller projects, but if there are a number of projects going on at the same time a Project Support Office can be set up to help the Project Managers with this work.

PRINCE2 Scope

In today's projects, there are often different groups of people involved, including the customer, one or more suppliers, and of course the user. PRINCE2 is designed to provide a common language across all the interested parties. Bringing customers and suppliers together generally involves contracts and contract management. Although these aspects are outside of PRINCE2, the method recognises the need to provide projects with the necessary controls and breakpoints to work successfully within a contractual framework.

Controlling Change

Apart from describing the different people involved on a PRINCE2 project, and what they are each responsible for, the method also explains how to manage risk, how to manage quality, and how to control change on the project. Risk Management is about working out what could go wrong and planning what to do if it does. Quality Management is about checking the quality of work done on the project, either by testing it or reviewing the work in some way.
There are always lots of changes during the life of a project: people change their minds, and other things happen which affect what the project is doing. PRINCE2 has a technique for controlling the way changes impact the project in order to prevent the project going off in the wrong direction.
So, PRINCE2 is a method for managing projects. It helps you work out who should be involved and what they will be responsible for. It gives you a set of processes to work through and explains what information you should be gathering along the way. But PRINCE2 doesn't do the work for you, it cannot guarantee that your projects will be successful. Good projects, which deliver quality results, on-time and within budget are dependent on the quality of people involved from Project Board down to individual team members.
Having read this brief introduction to project management and PRINCE2, the next thing to do is go on a training course and find out more!

PRINCE2 Processes - The PRINCE2 Process Model

PRINCE2 is a process-based approach for project management providing an easily tailored and scalable method for the management of all types of projects.
Each process is defined with its key inputs and outputs together with the specific objectives to be achieved and activities to be carried out.


Directing a Project

Directing a Project runs from the start-up of the project until its closure. This process is aimed at the Project Board. The Project Board manages and monitors via reports and controls through a number of decision points.
The key processes for the Project Board break into four main areas:
  • Initiation (starting the project off on the right foot)
  • Stage boundaries (commitment of more resources after checking results so far)
  • Ad hoc direction (monitoring progress, providing advice and guidance, reacting to exception situations)
  • Project closure (confirming the project outcome and controlled close).
This process does not cover the day-to-day activities of the Project Manager.

Starting up a Project

This is the first process in PRINCE2. It is a pre-project process, designed to ensure that the pre-requisites for initiating the project are in place.
The process expects the existence of a Project Mandate which defines in high level terms the reason for the project and what outcome is sought. Starting up a Project should be very short.
The work of the process is built around the production of three elements:
  • Ensuring that the information required for the project team is available
  • Designing and appointing the Project Management Team
  • Creating the Initiation Stage Plan.

Initiating a Project

The objectives of Initiating a Project are to:
  • Agree whether or not there is sufficient justification to proceed with the project
  • Establish a stable management basis on which to proceed
  • Document and confirm that an acceptable Business Case exists for the project
  • Ensure a firm and accepted Foundation to the project prior to commencement of the work
  • Agree to the commitment of resources for the first stage of the project
  • Enable and encourage the Project Board to take ownership of the project
  • Provide the baseline for the decision-making processes required during the project's life
  • Ensure that the investment of time and effort required by the project is made wisely, taking account of the risks to the project.


Managing Stage Boundaries

This process provides the Project Board with key decision points on whether to continue with the project or not.
The objectives of the process are to:
  • Assure the Project Board that all deliverables planned in the current Stage Plan have been completed as defined
  • Provide the information needed for the Project Board to assess the continuing viability of the project
  • Provide the Project Board with information needed to approve the current stage's completion and authorise the start of the next stage, together with its delegated tolerance level
  • Record any measurements or lessons which can help later stages of this project and/or other projects.

Controlling a Stage

This process describes the monitoring and control activities of the Project Manager involved in ensuring that a stage stays on course and reacts to unexpected events. The process forms the core of the Project Manager's effort on the project, being the process which handles day-to-day management of the project.
Throughout a stage there will be a cycle consisting of:
  • Authorising work to be done
  • Gathering progress information about that work
  • Watching for changes
  • Reviewing the situation
  • Reporting
  • Taking any necessary corrective action.
This process covers these activities, together with the on-going work of risk management and change control.

Managing Product Delivery

The objective of this process is to ensure that planned products are created and delivered by:
  • Making certain that work on products allocated to the team is effectively authorised and agreed
  • Accepting and checking Work Packages
  • Ensuring that work conforms to the requirements of interfaces identified in the Work Package
  • Ensuring that the work is done
  • Assessing work progress and forecasts regularly
  • Ensuring that completed products meet quality criteria
  • Obtaining approval for the completed products.

Closing a Project

The purpose of this process is to execute a controlled close to the project.
The process covers the Project Manager's work to wrap up the project either at its end or at premature close.
Most of the work is to prepare input to the Project Board to obtain its confirmation that the project may close.
The objectives of Closing a Project are therefore to:
  • Check the extent to which the objectives or aims set out in the Project Initiation Document (PID) have been met
  • Confirm the extent of the fulfilment of the Project Initiation Document (PID) and the Customer's satisfaction with the deliverables
  • Obtain formal acceptance of the deliverables
  • Establish the extent to which all expected products have been handed over and accepted by the Customer
  • Confirm that maintenance and operation arrangements are in place (where appropriate)
  • Make any recommendations for follow-on actions
  • Capture lessons resulting from the project and complete the Lessons Learned Report
  • Prepare an End Project Report
  • Notify the host organisation of the intention to disband the project organisation and resources.

Planning

PRINCE2 recommends three levels of plan to reflect the needs of the different management levels involved in the project, stage and team.
Planning is a repeatable process and its activities are included within the seven main PRINCE2 processes, as appropriate. Information about plans and how to plan can be found in the Plans Theme section of the PRINCE2 Manual.

The activities of planning are:

  • Design the plan
  • Define and analyse the products
  • Identify the activities and dependencies
  • Prepare estimates
  • Prepare the schedule
  • Analyse the risks
  • Document the plan
PRINCE2 uses a technique known as ‘Product based planning’ which requires four activities:

  • Write the Project Product Description
  • Create the product breakdown structure
  • Write the product descriptions
  • Create the product flow diagram
These four activities are performed within the ‘Define and analyse the products’ activity above.




BS 25999 - Business Continuity Management Standard

Business Continuity Management (BCM) is essential for any business. Planning for crisis or disaster is a complex science and fundamentally an aspect of management that should not be neglected. BS 25999 is a Business Continuity Management (BCM) standard. It is in two parts - BS 25999-1 and BS 25999-2. The former is a code of practice and the latter is a specification for business continuity management that you can be audited against to gain BS 25999 registration.

BS 25999 offers an accepted framework for incident anticipation and response with a series of recommendations for good practice.

BS 25999 is a Business Continuity Management (BCM) standard published by the British Standards Institution (BSI).

It has two parts:
  • The first, "BS 25999-1:2006 Business Continuity Management. Code of Practice", takes the form of general guidance on the processes, principles and terminology recommended for BCM. Part 1 offers good practice advice on the things that ought to be considered to achieve business continuity. It needs to be interpreted by user organizations according to their specific situations.
  • The second, "BS 25999-2:2007 Specification for Business Continuity Management", formally specifies a set of requirements for implementing, operating and improving a BCM System (BCMS). Part 2 describes how the business continuity arrangements described in part 1 can be managed systematically using a documented BCMS. Since part 2 is a precisely-worded specification, user organizations may opt to have their BCMS objectively and independently audited for compliance with the standard, leading to certification. The certificate assures stakeholders that the organization is proactively managing its business continuity in the structured manner laid down in part 2 of the standard. BS 25999-2 will be withdrawn in November 2012. It has been replaced by the International Standard, ISO 22301.
The contents of the code of practice (BS 25999-1) are as follows:
Section 1 - Scope and Applicability. This section defines the scope of the standard, making clear that it describes generic best practice that should be tailored to the organization implementing it.
Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
Section 3 - Overview of Business Continuity Management. A short overview is the subject of the standard. It is not meant to be a beginner's guide but describes the overall processes, its relationship with risk management and reasons for an organization to implement along with the benefits.
Section 4 - The Business Continuity Management Policy. Central to the implementation of business continuity is having a clear, unambiguous and appropriately resourced policy.
Section 5 - BCM Programme Management. Programme management is at the heart of the whole BCM process and the standard defines an approach.
Section 6 - Understanding the organization. In order to apply appropriate business continuity strategies and tactics the organization has to be fully understood: its critical activities, resources, duties, obligations, threats, risks and overall risk appetite.
Section 7 - Determining BCM Strategies. Once the organization is thoroughly understood the overall business continuity strategies can be defined that are appropriate.
Section 8 - Developing and implementing a BCM response. The tactical means by which business continuity is delivered. These include incident management structures, incident management and business continuity plans.
Section 9 - Exercising, maintenance, audit and self-assessment of the BCM culture. Without testing the BCM response an organization cannot be certain that they will meet their requirements. Exercise, maintenance and review processes will enable the business continuity capability to continue to meet the organization's goals.
Section 10 - Embedding BCM into the organization's culture. Business continuity should not exist in a vacuum but become part of the way that the organization is managed.

The contents of the specification (BS 25999-2) are as follows:
Section 1 - Scope. Defines the scope of the standard, the requirements for implementing and operating a documented business continuity management system (BCMS).
Section 2 - Terms and Definitions. This section describes the terminology and definitions used within the body of the standard.
Section 3 - Planning the Business Continuity Management System (PLAN). Part 2 of the standard is predicated on the well established Plan-Do-Check-Act model of continuous improvement. The first step is to plan the BCMS, establishing and embedding it within the organization.
Section 4 - Implementing and Operating the BCMS (DO). Actually implement one's plans. This section includes a number of topics that are found in Part 1 although Part 1 should only be used for general guidance and information. Only what is in Part 2 can be assessed.
Section 5 - Monitoring and Reviewing the BCMS (CHECK). To ensure that the BCMS is continually monitored the Check stage covers internal audit and management review of the BCMS.
Section 6 - Maintaining and Improving the BCMS (ACT). To ensure that the BCMS is both maintained and improved on an ongoing basis this section looks at preventative and corrective action.

What is Business Continuity Planning?

Business continuity planning (BCP) is the creation and validation of a business continuity plan for how an organisation will recover and restore critical functions after a disaster or incident.
BCP is working out how to stay in business in the event of disaster. Incidents can occur on local, regional or national levels and include fires, floods, and pandemic illnesses.
The development of a BCP system can have five main phases:
  1. Analysis
  2. Solution design
  3. Implementation
  4. Testing and organisation acceptance
  5. Maintenance
Each of these has many elements that are tailored to the needs of an organisation.

The Benefits of Implementing BS 25999

There are widespread benefits of BS 25999 including the following critical areas:
  1. Delivery - Following a disruption it provides a rehearsed method of restoring the ability to supply critical products and services to an agreed level and timeframe
  2. Resilience - Proactively improves resilience when faced with the disruption of an organisation’s ability to achieve key objectives
  3. Management - Delivers a proven capability for managing a disruption and protecting (and enhancing) reputation and brand
Further benefits include cost savings, compliance with applicable laws and regulations, and identifying opportunities for improvement.

Why Seek Certification to BS 25999?

  • Registration to BS 25999 by an accredited certification body shows commitment to customers in providing confidence that the business can still function irrespective of unforeseen circumstances/interference.
  • It demonstrates the existence of an effective business continuity system that satisfies the rigours of an independent, external audit.
  • A certificate for BS 25999 enhances company image in the eyes of customers, employees and shareholders.
  • It also gives a competitive advantage to an organisation’s marketing.

How do you Start To Implement BS 25999? What is Involved?

  • Identify the requirements of BS 25999 and how they apply to the business involved.
  • Establish business continuity objectives and how they fit in to the operation of the business.
  • Produce a documented business continuity policy indicating how these requirements are satisfied.
  • Communicate them throughout the organisation.
  • Evaluate the business continuity policy, its stated objectives and then prioritise requirements to ensure they are met.
  • Identify the boundaries of the management system and produce documented procedures as required.
  • Ensure these procedures are suitable and adhered to.
  • Once developed, internal audits are needed to ensure the system carries on working.

Assessment to BS 25999

Once all the requirements of BS 25999 have been met, it is time for an external audit. This should be carried out by a third party certification body. The chosen certification body will review the business continuity manuals and procedures. This process involves looking at the company’s evaluation of business continuity and ascertains if targets set for the management programme are measurable and achievable. This is followed at a later date by a full on-site audit to ensure that working practices observe the procedures and stated objectives and that appropriate records are kept.
After a successful audit, a certificate of registration to BS 25999 will be issued. There will then be surveillance visits (usually once or twice a year) to ensure that the system continues to work. This is covered in more detail in ISOQAR’s ‘Audit Procedure’ information sheet.


ISO 27001 - Information Security Management System (ISMS)

ISO 27001 is the international best practice standard for an Information Security Management System (ISMS). ISO/IEC 27001, part of the growing ISO/IEC 27000 family of standards, is an Information Security Management System (ISMS) standard published in October 2005 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).

How the Standard works:
Most organizations have a number of information security controls. However, without an ISMS (Information Security Management System), controls tend to be somewhat disorganized and disjointed, having been implemented often as point solutions to specific situations or simply as a matter of convention. Security controls in operation typically address certain aspects of IT or data security specifically; leaving non-IT information assets (such as paperwork and proprietary knowledge) less protected on the whole. Moreover business continuity planning and physical security may be managed quite independently of IT or information security while Human Resources practices may make little reference to the need to define and assign information security roles and responsibilities throughout the organization.

ISO/IEC 27001 requires that management:
  • Systematically examine the organization's information security risks, taking account of the threats, vulnerabilities, and impacts;
  • Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
  • Adopt an overarching management process to ensure that the information security controls continue to meet the organization's information security needs on an ongoing basis.
An Information Security Management System (ISMS) helps you coordinate all your security efforts – both electronic and physical – coherently, consistently and cost-effectively.

Information security is not just about anti-virus software, implementing the latest firewall or locking down your laptops or web servers. The overall approach to information security should be strategic as well as operational, and different security initiatives should be prioritised, integrated and cross-referenced to ensure overall effectiveness.

ISO/IEC 27001:2005, usually referred to just as ISO 27001, is the best practice specification that helps businesses and organisations throughout the world to develop a best-in-class Information Security Management System (ISMS). The Standard was published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The British standard BS7799-2 was the forerunner for ISO 27001.

In this modern age, information and information systems are vital to all organisations. ISO 27001 sets out specific requirements, all of which must be followed, and against which an organisation's Information Security Management System (ISMS) can be audited and certified.

ISO 27001 is the first in a family of international information security standards that:
  • Will underpin and protect IT worldwide over the next decade
  • Is designed to harmonise with ISO 9001:2008, ISO 14001:2004, ISO 20000 and others for effective management system integration
  • Implements the Plan-Do-Check-Act (PDCA) model, and
  • Reflects the principles of the 2002 OECD guidance on the security of information systems and networks.



ISO 20000 - IT Service Management

ISO 20000 is a global standard that describes the requirements for an information technology service management (ITSM) system. The standard was developed to mirror the best practices described within the IT Infrastructure Library (ITIL) framework. ISO 20000 also supports other frameworks, such as Microsoft's Operations Framework.

ISO 20000 is comprised of two parts: a specification for IT Service Management (ISO 20000-1) and a code of practice for service management (ISO 20000-2).

ISO 20000 was formerly called BS 15000 and was developed by the British Standards Institution (BSI), an international standards, testing and certification organization.

ISO/IEC 20000 is the first international standard for IT service management. It was developed in 2005, by ISO/IEC JTC1 SC7 and revised in 2011. It is based on and intended to supersede the earlier BS 15000 that was developed by BSI Group.
Formally: ISO/IEC 20000-1:2011 ('part 1') includes "the design, transition, delivery and improvement of services that fulfil service requirements and provide value for both the customer and the service provider. This part of ISO/IEC 20000 requires an integrated process approach when the service provider plans, establishes, implements, operates, monitors, reviews, maintains and improves a service management system (SMS)." The 2011 version (ISO/IEC 20000-1:2011) comprises nine sections:
  1. Scope
  2. Normative references
  3. Terms and definitions
  4. Service management system general requirements
  5. Design and transition of new or changed services
  6. Service delivery processes
  7. Relationship processes
  8. Resolution processes
  9. Control processes


ISO/IEC 20000-2:2012 provides guidance on the application of service management systems (SMS) based on the requirements in ISO/IEC 20000-1:2011.

ISO/IEC TR 20000-3:2009 provides guidance on scope definition, applicability and demonstration of conformance for service providers aiming to meet the requirements of ISO/IEC 20000-1, or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It supplements the advice in ISO/IEC 20000-2, which provides generic guidelines for implementing an SMS in accordance with ISO/IEC 20000-1.

ISO/IEC TR 20000-4:2010 is intended to facilitate the development of a process assessment model according to ISO/IEC 15504 process assessment principles. ISO/IEC 15504-1 describes the concepts and terminology used for process assessment. ISO/IEC 15504-2 describes the requirements for the conduct of an assessment and a measurement scale for assessing process capability.

ISO/IEC TR 20000-5:2010 is an exemplar implementation plan providing guidance to service providers on how to implement a service management system to fulfil the requirements of ISO/IEC 20000-1 or for service providers who are planning service improvements and intending to use ISO/IEC 20000 as a business goal. It could also be useful for those advising service providers on how to best achieve the requirements of ISO/IEC 20000-1.

ISO/IEC 20000, like its BS 15000 predecessor, was originally developed to reflect best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework, although it equally supports other IT Service Management frameworks and approaches including Microsoft Operations Framework and components of ISACA's COBIT framework. The differentiation between ISO/IEC 20000 and BS 15000 has been addressed by Jenny Dugmore.[3][4]

The standard was first published in December 2005. In June 2011, the ISO/IEC 20000-1:2005 was updated to ISO/IEC 20000-1:2011. In February 2012, ISO/IEC 20000-2:2005 was updated to ISO/IEC 20000-2:2012.

The Benefits of ISO 20000 Implementation:

Implementation of ISO 20000 brings with it many benefits and advantages. These will of course differ from organization to organization. However, the following list is a pretty good representation of the common results:
1. Alignment of information technology services and business strategy.
2. Creation of a formal framework for current service improvement projects
3. Provides a benchmark type comparison with best practices
4. Creates competitive advantage via the promotion of consistent and cost-effective services.
5. By requiring ownership and responsibility at all levels, it creates a progressive ethos and culture.
6. Supports 'interchanging' of service providers and staff by virtue of the creation of inter-enterprise operational processes.
7. Reduction of risk and thus cost in terms of external service receipt
8. Through the creation of a standard consistent approach, aids major organizational changes.
9. Enhanced reputation and perception
10. Fundamental shift to pro-active rather than re-active processes
11. Improved relationship between different departments via better definition and more clarity in terms of responsibility and goals.
12. Creation of a stable framework for both resource training and service management automation. 

COBIT - Control Objectives for Information and Related Technology

The Control Objectives for Information and related Technology (COBIT) is a good framework strategy to help an organization maintain standards and develop a system of IT governance. COBIT is a common methodology used by many companies in order to develop a systematic means to meet compliance laws.

Why COBIT?
COBIT consists of 34 IT processes and is a way for an organization to "balance risk and control in a cost-effective manner" (Pederiva, 2003).

Situation Analysis
  • Does your enterprise’s IT support the business?
  • Is it aligned with the business?
  • Is your IT performing to its optimal capability?
  • Is your IT adding value to the business?
  • Are IT risks being effectively mitigated?
  • Are your IT investments being effectively managed throughout their life cycle?
  • Is the importance of governance understood at all levels of your enterprise?
  • Are the benefits of your IT being maximized?
If you did not answer yes to all of the above questions, your enterprise does not have an effective IT governance framework in place. Most, if not all, business activities are affected by IT, with an increasingly visible impact to end users. Successful enterprises recognize the need to maximize the value of IT-related investments and that the need for the governance of IT is greater now than ever before. The best way to ensure this is to implement an IT governance framework.

An effective IT governance framework:
  • Provides clear direction to ensure that IT investments support the business
  • Is an effective way to manage change.
  • Creates value for the business in alignment with enterprise objectives
  • Addresses the complete life cycle of IT investment
COBIT, developed by ISACA®, is a comprehensive IT governance framework.
COBIT 4.1 addresses every aspect of IT and is the only governance framework that addresses the complete life cycle of IT investment.

What Does COBIT Do?
COBIT:
  • Improves IT efficiency and effectiveness
  • Helps IT understand the needs of the business
  • Puts practices in place to meet the business needs as efficiently as possible
  • Helps executives understand and manage IT investments throughout their life cycle
  • Provides a method to assess whether IT services and new initiatives are meeting business requirements and are likely to deliver the benefits expected
  • Helps to develop and document the appropriate organizational structures, processes and tools for effective management of IT
  • Provides an authoritative, international set of generally accepted practices that helps boards of directors, executives and managers increase the value of IT and reduce related risks

What are the Benefits of Implementing COBIT?
There is a clear difference between enterprises that manage their IT well and those that don’t, or can’t. Implementation of COBIT is a sign of a well-run enterprise, as it is a proven and internationally accepted set of tools and techniques.
The benefits of implementing COBIT include:
  • A common language for executives, business and IT staff
  • A view, understandable to management, of what IT does
  • A better understanding of how the business and IT can work together for successful delivery of IT initiatives
  • Better alignment, based on a business focus
  • Better quality IT services
  • Improved efficiency and optimization of cost
  • Reduced operational risk
  • More effective management of IT
  • Clear policy development
  • More efficient and successful audits
  • Clear ownership and responsibilities, based on process orientation
COBIT is a Road Map to Good IT Governance 
  • Accepted globally as a set of tools that ensures IT is working effectively
  • Functions as an overarching framework
  • Provides common language to communicate goals, objectives and expected results to all stakeholders
  • Based on, and integrates, industry standards and good practices in:
      • Strategic alignment of IT with business goals
      • Value delivery of services and new projects
      • Risk management
      • Resource management
      • Performance measurement


IT Governance Is the Key Issue
Enterprises are sacrificing money, productivity and competitive advantage by not implementing effective IT governance.
Executives need a better way to:
  • Direct IT for optimal advantage
  • Measure the value provided by IT
  • Manage IT-related risks