By Craig Savage
When I talk with clients about the organization and process changes that come with the move to cloud operations, I am often asked how VMware's private cloud operating model affects companies that are certified, or plan to become certified, to the ISO/IEC 20000 (Information Technology – Service Management) or ISO/IEC 27000 (Information Technology – Security Techniques – Information Security Management Systems) family of standards. For brevity, I will refer to them as ISO20000 and ISO27000.
In this short article I will show how working with VMware to evolve your organization to this model can ease the compliance burden and make certification simpler. The concepts in the VMware private cloud operating model apply equally to security compliance and to regulatory compliance, so for simplicity I will use "compliance" to cover both.
The ISO/IEC 27000 series of standards provide what are considered to be best practice recommendations on information security management, risks, and controls within the context of an overall information security management system (ISMS). This ISMS can either be an extension of an Information Management System from another standard previously certified, or adapted to cater for further standards if ISO27000 is the first certification obtained. It is broad in scope, covering more than just privacy, confidentiality and technical security issues, and is designed to promote pragmatic security throughout an organisation.
ISO/IEC 20000 is the international standard for IT Service Management. If you have heard of BS 15000, ISO/IEC 20000 was based on that British Standard, which was itself developed to reflect the best practice guidance contained within the ITIL (Information Technology Infrastructure Library) framework. Like ISO27000, it requires a management system in which processes and evidence are recorded, in this instance called a Service Management System.
In essence, the ISO certification process requires that you have documented all of your processes and roles, that you continuously monitor and improve them, and that you maintain a repository holding the evidence that you are doing so. I will refer to that repository generically as an Information Management System (IMS), whether the standard in question calls it an ISMS or a Service Management System.
I believe it is important to differentiate between a process model and an organization structure. This may sound obvious, but it is worth being clear that the only correlation required between the process model and the organization structure is that there is a defined owner for each process, and that each owner has sufficient authority to carry out the processes they are responsible for and to optimize them for the organisation.
Figure 1 below illustrates VMware's private cloud operations framework, which comprises the process areas and functional activity groupings we recommend for building a mature, efficient, and agile cloud operations environment. The red highlighted box has been added to show that, in an ISO-certified environment, you would also need a cross-functional, central IMS in which to capture the information and evidence required for your continued certification audits.
Figure 1: VMware Private Cloud Operations Framework
VMware's private cloud model does not deliver an IMS in its entirety. However, the document packs that accompany the services delivered by our Operations Transformation Services team can form the basis of an IMS, or can be overlaid on your existing IMS data by your IMS administrator. For example, the operating model contains clear descriptions of the functional areas (tenant operations and cloud infrastructure operations) and role packages for all of the core roles in our structure, including skills matrices and training plans. Documented roles, competencies and training are key requirements of both ISO standards, so these packages either map cleanly onto your existing role packages if you are already certified, or provide a solid baseline to start from if you are not.
The VMware private cloud operating model also defines the interactions and relative responsibilities between the roles in a RACI (Responsible, Accountable, Consulted, Informed) style chart, a further boon when it comes to your internal and external audits. Note that the role packages and RACI chart do not list the specific responsibilities and activities that each standard looks for; that mapping to the standard's requirements has to be done for your own organisation.
Other key areas of compatibility worth calling out are Continuous Improvement and Security Management. Continuous Improvement is a core concept within both ISO standards, and it is also central to the methodology VMware uses for operations transformation, as shown in our continuous improvement cycle diagram below. Security Management is a substantial topic in its own right, but the VMware cloud operating model adopts a "security built in" approach alongside its focus on service management, since a cloud that is not secure or well managed is useful to no one, so the natural relationship between the model and the standards is self-evident.
Figure 2: Continuous Improvement Cycle
In summary, this alignment of core concepts between the VMware private cloud operating model and the requirements of the ISO standards makes them naturally compatible and complementary. This article is only an introduction to these topics, but working with VMware to evolve your IT organisation to the private cloud model can benefit any standards-based compliance regime you have in place or plan to implement.
Craig Savage is a VMware operations transformation architect and is based in the UK. You can follow @craig_savage on Twitter.