861 research outputs found

    WHY FIRMS SEEK ISO 20000 CERTIFICATION - A STUDY OF ISO 20000 ADOPTION

    Since the end of 2005, the ISO 20000 international standard for IT service management has been in existence, offering a normative management and organization concept for aligning the performance of IT services, and enabling companies to certify their compliance according to this standard by third parties. There is a great interest in the standard, and the forecasts for the adoption and dissemination of the standard are, to a large extent, very positive. In contrast, some critical voices cast doubts upon the wisdom of normative management and organization concepts, and upon the possibility to verify or measure the conformity with public standards. Therefore it is our aim to study the current dissemination of the standard ISO 20000, and to examine the behaviour of companies adopting it. Till now there are no significant findings for questions like: Why do companies seek to conform to ISO 20000 and what benefits do they experience? Our results show that certified companies are motivated internally (process and quality improvements) and externally (marketing advantages) and do experience significant benefits. There are some significant differences between small and large companies certified as well as between internally and externally motivated companies

    “Development and Importance of Management Systems According to ISO for IT Organizations and the Resulting Demand for Consulting Services. An Analysis Between USA and Germany.”

    This research analyzes the demand of two international standards, ISO 27001 (Information Security) and ISO 20000-1 (IT Service Management), and the resulting impact on the demand for ISO consulting. Due to rising security breaches with increased media coverage, the public and the government are starting to recognize the importance of protecting critical data. Implementing an Information Security Management System enables companies to sufficiently safeguard their information in the long-term and adhere to governmental regulations. Companies seek to implement an IT Service Management System in order to implement best practices in their organization and enable themselves to compete in the market on a global basis. ISO 27001 and ISO 20000-1 enable a company to operate in more successful ways by reducing the cost of operations and reducing the risk of severe damages to a company’s reputation in case of any cyberattacks. The standards are complex in nature and most companies do not have enough internal resources to implement the standards on their own. Also, the introduction of an Information Security Management System requires adoption by the entire organization and not just single departments. The scope of such a system requires deeper knowledge of the standards in order to successfully implement the management system and for the company to benefit from its long-term effectiveness. Thus, the demand for the implementation of ISO 27001 and ISO 20000-1 results in an increased demand for the services of ISO consulting firms

    Three Theories and One Case Study of Top-down, Middle-out and Bottom-up Process Innovation

    A case study of an outsourcer's adoption of 16 processes relating to servitizing their IT Operations was evaluated from three theoretical lenses: Governance, Innovation and Institutions. Governance Theory implies a top-down approach would be most appropriate to IT process change; Innovation Theory implies that a combined bottom-up and top-down approach would be best; Institutional Theory implies that all three take place over time in most organizations but does not specifically make any recommendations. The case organization, an IT Outsourcer, without knowingly drawing on any theory, applied change efforts at all three levels to effect change for 16 processes across 14 organizations in eight countries to achieve ISO/IEC 20000 certification, all within two years. Institutional Theory, which posits regulative, normative and cognitive methods for developing compliance to an organizational change, appears to fit the situation of complex, multi-national, multi-cultural change in an IT organization better than the competing theories

    “Unblackboxing” Decision Makers’ Interpretations of IS Certifications in the Context of Cloud Service Certifications

    IS literature has predominantly taken a black box perspective on IS certifications and studied their diverse set of outcomes, such as signaling superior quality and increased customer trust. As a result, there is little understanding about the structure of certifications and its role in decision makers’ evaluations of certifications to achieve these outcomes. However, idiosyncrasies of novel IT services, such as cloud services, create a need for “unblackboxing” certifications and theorizing about their constituting structural building blocks and structural elements, as well as examining key features that might lead to a more favorable evaluation of a certification by decision makers. To advance theory building on certifications, this article develops an empirically grounded typology of certifications’ key structural building blocks and structural elements, and examines how they interpret substantive features within these elements. Using evidence from 20 interviews with decision makers from a wide range of industries in the context of cloud service certifications, we find that a decision maker’s aggregate evaluation of a certification is a function of their interpretations of its features guided by cognitive interpretive schemas along six key structural elements, contrasted with the decision makers’ expectations regarding the certification’s outcomes. This study contributes by conceptualizing the necessary and sufficient elements of certifications, constructing a nascent theory on decision makers’ evaluations of certifications, and illuminating the dynamics between certifications’ structural elements and outcomes as a coevolutionary process. We discuss implications for the certification literature and give managerial advice regarding the factors to consider when designing and evaluating certifications

    The ISO/IEC 27001 information security management standard: literature review and theory-based research agenda

    Purpose – After 15 years of research, this paper aims to present a review of the academic literature on the ISO/IEC 27001, the most renowned standard for information security and the third most widespread ISO certification. Emerging issues are reframed through the lenses of social systems thinking, deriving a theory-based research agenda to inspire interdisciplinary studies in the field. Design/methodology/approach – The study is structured as a systematic literature review. Findings – Research themes and sub-themes are identified on five broad research foci: relation with other standards, motivations, issues in the implementation, possible outcomes and contextual factors. Originality/value – The study presents a structured overview of the academic body of knowledge on ISO/IEC 27001, providing solid foundations for future research on the topic. A set of research opportunities is outlined, with the aim to inspire future interdisciplinary studies at the crossroad between information security and quality management. Managers interested in the implementation of the standard and policymakers can find an overview of academic knowledge useful to inform their decisions related to implementation and regulatory activities

    The ISO/IEC 20000 Standard: Purpose and Content

    Through this teaching article you will learn what the ISO/IEC 20000 standard consists of, its purpose and its structure. To that end, it first presents a brief summary of the history of this international standard, its evolution, and the benefits that can be achieved by implementing it in organizations. After that, you will see its content, that is, the way it is organized and its structure. In this way, you will become familiar with the standard and will be able to go on to study it in greater depth, if that is your aim. Oltra Badenes, RF. (2017). La norma ISO/IEC 20000. Finalidad y contenido. http://hdl.handle.net/10251/84477DE

    ADOPTION OF THE INFORMATION SECURITY MANAGEMENT SYSTEM STANDARD ISO/IEC 27001: A STUDY AMONG GERMAN ORGANIZATIONS

    Against the backdrop of numerous security breaches and cyber-attacks, organizations need to take measures to secure their data and information. However, the well-known management system standard ISO/IEC 27001 for information security has shown a lower adoption rate - in terms of annual ISO survey data - than was previously expected by scholars and practitioners. Through the lens of Rogers' diffusion of innovation theory, we consider the adoption of ISO/IEC 27001 as a 'preventive innovation' and aim to identify factors that help gain a better understanding of its adoption. Therefore, we conducted a survey among German organizations on the use and impact of management system standards, explicitly distinguishing between organizations that implement ISO/IEC 27001 and those that are additionally certified against this standard. This study provides insights and contributes to an advanced understanding of motives, impacts, barriers, and useful measures to increase adoption of ISO/IEC 27001. Our findings may be useful to organizations considering the adoption of this management system standard, to certification bodies providing certification services, and to policymakers seeking means to improve information security in organizations

    Tool design to identify the knowledge and implementation of ISO/IEC 20000 in the Valencian Community

    The interest of technology companies in Information and Technology (IT) Service Management, and consequently, in the use and certification in the ISO/IEC 20000 standard, is an obvious trend in global technology companies. However, the current situation in the Valencian Community regarding the implementation of this standard does not seem to follow this trend. This is possibly due to the general lack of knowledge about it in the Valencian business environment. In this context, the project "CONIMP-ISO20K-CV" is proposed whose main objective is to analyze the level of knowledge and implementation of the ISO/IEC 20000 standard in the Valencian community. In this way, it will be possible to design and promote actions that can increase the level of implementation of this standard in companies, and with it, their level of competitiveness. To do this, it must be known what the real situation of the companies is through a questionnaire, the design of which is presented in this article. Oltra Badenes, RF.; Gil Gómez, H. (2017). Diseño de herramienta para identificar el grado de conocimiento e implantación de la norma ISO/IEC 20000 en la Comunidad Valenciana. 3C Empresa, Investigación y pensamiento crítico. 6(3):63-73. doi:10.17993/3cemp.2017.060331.63-73S63736

    Data driven decision support systems as a critical success factor for IT-Governance: an application in the financial sector

    IT-Governance has a major impact not only on IT management but also and foremost in the Enterprise's performance and control. Business uses IT agility, flexibility and innovation to pursue its objectives and to sustain its strategy. However being it more critical to the business, compliance forces IT on the opposite way of predictability, stability and regulations. Adding the current economical environment and the fact that most of the times IT departments are considered cost centres, IT-Governance decisions become more important and critical. Current IT-Governance research and practise is mainly based on management techniques and principles, leaving a gap for the contribution of information systems to IT-Governance enhancement. This research intends to provide an answer to IT-Governance requirements using Data Driven Decision Support Systems based on dimensional models. This seems a key factor to improve the IT-Governance decision making process. To address this research opportunity we have considered IT-Governance research (Peter Weill), best practises (ITIL), Body of Knowledge (PMBOK) and frameworks (COBIT). Key IT-Governance processes (Change Management, Incident Management, Project Development and Service Desk Management) were studied and key process stakeholders were interviewed. Based on the facts gathered, dimensional models (data marts) were modelled and developed to answer to key improvement requirements on each IT-Governance process. A Unified Dimensional Model (IT-Governance Data warehouse) was materialized. To assess the Unified Dimensional Model, the model was applied in a bank in real working conditions. The resulting model implementation was then assessed against Peter Weill's Governance IT Principles. Assessment results revealed that the model satisfies all the IT-Governance Principles. The research project enables to conclude that the success of IT-Governance implementation may be fostered by Data Driven Decision Support Systems implemented using Unified Dimensional Model concepts and based on best practises, frameworks and body of knowledge that enable process oriented, data driven decision support

    Relevant Research Areas in IT Service Management: An Examination of Academic and Practitioner Literatures

    Practitioners and academics alike have highlighted that information systems (IS) research may currently have limited use and value to practitioners. Further, research provides examples of positive links between management practices prevalent in the media and their influence on societal views. We focus on increasing relevance of future academic research to practitioners by identifying sources of misalignment between practitioner and academic literatures on the topic of information technology service management (ITSM) and by developing a possible research agenda to address these misalignments. We employ an entity annotator and keyword analysis to compare the main topics evident in academic and practitioner literatures on ITSM and focus on those salient in practitioner literature. Our results suggest that the topics of framework co-implementation, regulations, ITSM tools, gamification, and cloud computing all present fertile grounds for relevant research in ITSM and IS more broadly. Thus, our paper offers a unique way for academics to understand how they can best assist practitioners while increasing the relevance of academic research