Certification according to the ISO standards 20000-1 and 27001
IT Services has now been officially recertified according to ISO/IEC 20000-1 and ISO/IEC 27001.
The last recertification took place in June 2018. The next regular recertification will be due in mid-2021.
What is assessed?
- The standard ISO 9001 prescribes a process management system.
- The standard ISO 20000-1 prescribes a service management system.
- The standard ISO 27001 prescribes an information security management system.
The existence and correct functioning of a management system are assessed, in other words the ability of an organisation’s management to control the underlying element. To put it simply, control means the generation of the exact effect intended. Essentially, the three standards build upon one another. The function of the information security management system can only be proven if the services are under control, and the service management system only works with smoothly operating processes.
What benefit does the examination bring?
No management system is perfect. There is always a difference between what you want to and should achieve and what you have actually achieved. As this difference is not easily identifiable for insiders, this task is handed over to external parties. They compare the organisation with the standards based on various criteria and prepare a report that shows all deviations ascertained and recommendations for suitable measures for the appropriate reduction of the deviations. If management is poor, the report contains so-called major deviations and the certification body is forced to refuse the certificate or grant a deadline extension. This report is the valuable part of the examination. It shows the organisation (management) the points on which they need to work to achieve substantial improvements. The auditors are specially trained and have their own heavily guarded methods. The auditors also compare the current circumstances with the last reports and so can see whether recommendations have been adequately taken into account. Annual checks are carried out for this purpose. Examination is also a continuous process.
ETH Zurich’s IT Services undergoes this certification voluntarily as a form of independent verification. It is important for us to offer our customers a high-quality service, from state-of-the-art information and IT security to functioning products and processes.
Is there a difference between a university and a private IT provider?
Technically, no. However, during the assessment it is important to consider the different environment.
In terms of motivation, though, there is a considerable difference. IT Services was the first university IT department in Switzerland to voluntarily subject itself to assessment almost a decade ago. By contrast, customers require private-sector providers to have such certificates as evidence. The certificates mean that customers do not have to carry out individual checks on their provider, which would result in no work being possible due to the multitude of audits being performed
Recertification in 2018: passed!
We had ourselves recertified as planned in June. QM compiled a full programme that gave the auditors an insight into selected projects. All projects shown had a strong security relevance and displayed their interaction with the main processes of our service management. The auditors confirmed our high professionalism. They have determined a significant and necessary improvement in our understanding of “IT services”.
The two reports have meanwhile arrived. No deviations were ascertained, but a total of 14 so-called “areas for improvement” were listed and numerous tips were provided. The reports gave us excellent marks. They are visible to a select group of authorised parties on Sherlock. For anyone who would like to see the original certificates, a set can be found in the offices of Rui Brandao and of Dieter Gut.
We are better than we personally believe. However, there is a considerable amount catching up to do with respect to complete recording and documentation, particularly of those IT services that are only required by us for the production of customer services. These too must be managed with the same care as our customer services. The interlinking of services and risks among each other, against one another and with processes could be improved further. For individual processes we are still at the start of the establishment phase. However, there is no need for repositioning or a change in direction. We are well on the way. We will all work on optimisation. QM will support you.
Small maintenance audits are planned for 2019 and 2020. They will generally be carried out by one auditor and are prescribed in the standard to ensure that the certificates remain valid. The next recertification audit will take place in 2021, when a full examination take place again, and a decision will be made as to whether the certificates can be reissued.
Contact & text
Dieter Gut, Quality Management, IT Services