Nowadays, innovation is a must in any business. At AENOR, we start from the premise that you can carry on doing your business and have IT innovation if you have IT sustainability.
In this context, IT sustainability is based on IT Management and IT Governance according to international, real and pragmatic best practices and standards. And look no further, the ISO open standards have IT best practices reviewed and approved by 155 countries.
New services and technologies appear almost daily in our IT world: SMAC, Internet of Things, gaming, virtual reality, 3D printing, e-learning, Big Data, Holograms, etc., making innovation almost a daily task. Are CIOs open-minded enough to incorporate these innovative services and technologies profitably into their companies?
You can spare time for IT innovation without hassle only if your IT systems run properly, because you have IT Governance and IT Management in place. It is in this case that new services and technologies can be introduced and implemented as appropriate in the organization, maintaining alignment with your strategic business plan (see figure 1).
AENOR proposes a model for IT Management and IT Governance based on ISO international standards (see figure 2). The main goal of this model is to help IT industry professionals deal successfully with the challenges set by their organizations in this area, which can be summarized as getting the highest quality of services at the lowest possible cost. Not an easy task to accomplish in this sensitive and complex area of the business.
The rapid evolution in the Information Technology and Communications (ICT) field and its widespread use by companies and organizations has consequently caused a refocus on the role played by standards and best practices. The approach has moved from the standardization of technical requirements of electronic products to a more comprehensive one. In this new perspective, we do not have isolated management systems, appliances and equipment. They are all parts of a system, where they interact with each other and add value to it.
Furthermore, the new approach incorporated management criteria such as quality, accessibility, security and environmental protection. So, companies that wanted to add value to their IT departments turned to certifications such as ISO 9001 for quality management. It soon became obvious that, although the results for the organizations were good, this type of certification fell short of providing for the emerging needs of the ICT sector. Therefore, organizations started demanding answers more focused on their business.
The AENOR Model
Due to the growing demand, after a couple of years dedicated to its development, AENOR presented in 2006 our own response in the area of IT certifications. It is a roadmap for overall IT management, a model with a certification scheme that proposes nothing less than a cultural change, one that moves away from the traditional IT roles within organizations.
The key is to look at the organizational Data Processing Centre (DPC) from another point of view. In our model, the DPC stops being only the department that performs the duty of keeping IT running and becomes another piece of the organizational structure oriented to business objectives.
From this new perspective, the AENOR model directly links certifications to business activities. The model allows the IT function and the rest of the business to speak the same language and to establish more and better connections. Both IT and the rest of the business share business objectives and an identical perspective for quality and security that grow into a global principle for organizational activities.
The AENOR model enables IT managers to understand easily the advantages of certification, to choose the most suitable one for each case, to establish priorities, to organize the structure and, perhaps most importantly, to align IT objectives and strategies with the overall strategic plan of the organization.
Although it may seem contradictory, we can say that the IT management model proposed by AENOR ten years ago is a complex answer to complex needs, yet it is certainly very simple to grasp (see figure 2).
Basically, the model proposes two certifications: Corporate Governance of IT (ISO/IEC 38500) and Business Continuity Management (ISO 22301).
The purely management area is then divided into two sides. On one side we have the implementation of two systems that guarantee quality and safe services from the DPC.
• The IT Services Management Systems (ITSMS) (ISO/IEC 20000-1). Implementing an ITSMS will ensure that the services are provided with the highest quality at an acceptable cost.
• The Information Security Management Systems (ISMS) (ISO/IEC 27001). Implementing an ISMS makes it possible to manage the risks to the IT systems and thereby ensure their security. As the risks are reduced, confidence in the IT systems will improve.
On the second side of the management area we have the software development activities related to software quality: ISO 15504, also known as Software Process Improvement and Capability dEtermination (SPICE); ISO 12207, Software life cycle processes; and ISO 19770-1, Software asset management -- Part 1: Processes and tiered assessment of conformance.
This model can be complemented with other standards, such as the ISO 25000 family of standards for software product quality and the still under development ISO/IEC 29119 on software testing.
Integrated with other management models
We have to bear in mind that the ISO/IEC standards, along with the national standards, provide a set of frameworks to address the IT structure. These frameworks benefit from international recognition, are based on the PDCA (Plan-Do-Check-Act) or Deming cycle, and can therefore be integrated with other management models such as quality (ISO 9001) and environmental (ISO 14001). These standards include requirements regarding certification, i.e. the standard against which evaluation of compliance can be obtained either internally or by an independent third party.
Also, AENOR has edited a book on the actual implementation of the AENOR model, which includes knowledge and best professional experiences contributed by organizations and companies that have kindly taken part.
We are confident that the model proposed by AENOR makes the international standards and best practices easy to understand and apply for CIOs and other industry professionals. This way they can reach the objectives set by the organization from their post, using the available IT resources to provide services with the lowest cost and the highest quality.
More than 500 public and private companies (Europe, Latam and USA) have already certified one of the management systems belonging to the AENOR model. These companies have experienced that the certification audit is a management tool, since the compliance audits are oriented towards business and IT objectives and related best practices.
To conclude, AENOR audits in the IT area are based on mentoring and benchmarking, driving companies to excellence. We believe that this is our duty and we work
Remarks: The model is dynamic. It is always updated as the standards are periodically updated. The AENOR model never becomes obsolete.
Carlos Manuel FERNANDEZ SANCHEZ
ICT Certification Manager (AENOR)